Pull up following revision(s) (requested by riastradh in ticket #45):

	tests/lib/libc/gen/t_ctype.c: revision 1.12
	lib/libc/gen/ctype_.c: revision 1.24
	lib/libc/locale/rune.c: revision 1.50
	tests/lib/libc/gen/Makefile: revision 1.61
	lib/libc/gen/tolower_.c: revision 1.18
	lib/libc/gen/isctype.c: revision 1.29
	distrib/sets/lists/tests/mi: revision 1.1394
	lib/libc/gen/toupper_.c: revision 1.18
	lib/libc/gen/ctype_guard.h: revision 1.8
	lib/libc/locale/Makefile.inc: revision 1.69
	lib/libc/gen/ctype.3: revision 1.32
	lib/libc/gen/ctype.3: revision 1.33
	distrib/sets/lists/debug/mi: revision 1.486
	tests/lib/libc/gen/h_ctype_abuse.c: revision 1.1
	tests/lib/libc/gen/h_ctype_abuse.c: revision 1.2

ctype(3): New environment variable LIBC_ALLOWCTYPEABUSE.

If set, this does not force the ctype(3) functions to crash when
passed invalid inputs -- instead, they will return nonsense results,
and possibly print warnings to stderr, as is their right in
implementing undefined behaviour.

The nature of the nonsense results is unspecified.  Currently, is*()
will always return true (even if that leads to mutually contradictory
conclusions, like isalpha and isdigit, or isgraph and isblank), and
tolower/toupper() will always return EOF.  But perhaps in the future
the results may be randomized.

This way, if an application like firefox crashes on ctype abuse, you
can opt to accept the consequences of nonsense results instead by
running `env LIBC_ALLOWCTYPEABUSE= firefox' until the application is
fixed.

PR lib/58208: ctype(3) provides poor runtime feedback of abuse
ctype(3): Document LIBC_ALLOWCTYPEABUSE.

If this is pulled up to netbsd-11, we should tweak the text to make
it apply to 11 too.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse

ctype(3): Fix build of tests on machines with unsigned char.
Could maybe phrase this better but this'll do for now.

PR lib/58208: ctype(3) provides poor runtime feedback of abuse

Author: MartinHusemann

distrib/sets/lists/debug/mi

@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.485 2025/07/17 19:50:39 kre Exp $
+# $NetBSD: mi,v 1.485.2.1 2025/10/01 17:41:15 martin Exp $
 #
 ./etc/mtree/set.debug                           comp-sys-root
 ./usr/lib					comp-sys-usr		compatdir
@@ -2026,6 +2026,7 @@
 ./usr/libdata/debug/usr/tests/lib/libc/db/t_db_hash_seq.debug		tests-lib-debug		debug,atf,compattestfile
 ./usr/libdata/debug/usr/tests/lib/libc/gen/exect/t_exect.debug		tests-kernel-obsolete	obsolete
 ./usr/libdata/debug/usr/tests/lib/libc/gen/execve/t_execve.debug	tests-kernel-tests	debug,atf,compattestfile
+./usr/libdata/debug/usr/tests/lib/libc/gen/h_ctype_abuse.debug		tests-kernel-tests	debug,atf,compattestfile
 ./usr/libdata/debug/usr/tests/lib/libc/gen/h_execsig.debug		tests-kernel-tests	debug,atf,compattestfile
 ./usr/libdata/debug/usr/tests/lib/libc/gen/posix_spawn/h_fileactions.debug	tests-kernel-tests	debug,atf,compattestfile
 ./usr/libdata/debug/usr/tests/lib/libc/gen/posix_spawn/h_spawn.debug		tests-kernel-tests	debug,atf,compattestfile

distrib/sets/lists/tests/mi

@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1387 2025/07/20 12:25:53 joe Exp $
+# $NetBSD: mi,v 1.1387.2.1 2025/10/01 17:41:15 martin Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 ./etc/mtree/set.tests					tests-sys-root
@@ -3080,6 +3080,7 @@
 ./usr/tests/lib/libc/gen/execve/Atffile			tests-kernel-tests	compattestfile,atf
 ./usr/tests/lib/libc/gen/execve/Kyuafile		tests-kernel-tests	compattestfile,atf,kyua
 ./usr/tests/lib/libc/gen/execve/t_execve		tests-kernel-tests	compattestfile,atf
+./usr/tests/lib/libc/gen/h_ctype_abuse			tests-kernel-tests	compattestfile,atf
 ./usr/tests/lib/libc/gen/h_execsig			tests-kernel-tests	compattestfile,atf
 ./usr/tests/lib/libc/gen/posix_spawn			tests-kernel-tests	compattestfile,atf
 ./usr/tests/lib/libc/gen/posix_spawn/Atffile		tests-kernel-tests	compattestfile,atf

lib/libc/gen/ctype.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: ctype.3,v 1.31 2019/01/15 07:01:01 wiz Exp $
+.\"	$NetBSD: ctype.3,v 1.31.14.1 2025/10/01 17:41:15 martin Exp $
 .\"
 .\" Copyright (c) 1991 Regents of the University of California.
 .\" All rights reserved.
@@ -30,7 +30,7 @@
 .\"
 .\"     @(#)ctype.3	6.5 (Berkeley) 4/19/91
 .\"
-.Dd January 15, 2019
+.Dd September 14, 2025
 .Dt CTYPE 3
 .Os
 .Sh NAME
@@ -60,6 +60,20 @@ The above functions perform character tests and conversions on the integer
 .Pp
 See the specific manual pages for information about the
 test or conversion performed by each function.
+.Sh ENVIRONMENT
+In
+.Nx 10 ,
+the
+.Nm
+functions will crash with a signal on certain invalid inputs as a
+diagnostic aid for applications; see
+.Sx CAVEATS .
+In
+.Nx 11 ,
+setting the environment variable
+.Ev LIBC_ALLOWCTYPEABUSE
+before starting a program will make the functions return nonsense
+answers instead of crashing.
 .Sh EXAMPLES
 To print an upper-case version of a string to stdout,
 the following code can be used:

lib/libc/gen/ctype_.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ctype_.c,v 1.23 2025/03/30 00:07:51 riastradh Exp $	*/
+/*	$NetBSD: ctype_.c,v 1.23.2.1 2025/10/01 17:41:14 martin Exp $	*/
 
 /*
  * Copyright (c) 1989 The Regents of the University of California.
@@ -39,14 +39,15 @@
 #if 0
 /*static char *sccsid = "from: @(#)ctype_.c	5.6 (Berkeley) 6/1/90";*/
 #else
-__RCSID("$NetBSD: ctype_.c,v 1.23 2025/03/30 00:07:51 riastradh Exp $");
+__RCSID("$NetBSD: ctype_.c,v 1.23.2.1 2025/10/01 17:41:14 martin Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/ctype_bits.h>
 #include <sys/mman.h>
 
 #include <stdio.h>
+#include <string.h>
 
 #include "ctype_guard.h"
 #include "ctype_local.h"
@@ -69,6 +70,7 @@ __ctype_table
 static
 const unsigned char _C_compat_bsdctype_guarded[_C_COMPAT_BSDCTYPE_GUARD +
     1 + _CTYPE_NUM_CHARS] = {
+	_CTYPE_GUARD_INIT(_C_COMPAT_BSDCTYPE_GUARD, -1)
 	[_C_COMPAT_BSDCTYPE_GUARD] = 0,
 	_C,	_C,	_C,	_C,	_C,	_C,	_C,	_C,
 	_C,	_C|_S,	_C|_S,	_C|_S,	_C|_S,	_C|_S,	_C,	_C,
@@ -121,6 +123,7 @@ const unsigned char *_ctype_ = &_C_compat_bsdctype[0];
 __ctype_table
 static const unsigned short _C_ctype_tab_guarded_[_C_CTYPE_TAB_GUARD +
     1 + _CTYPE_NUM_CHARS] = {
+	_CTYPE_GUARD_INIT(_C_CTYPE_TAB_GUARD, -1)
 	[_C_CTYPE_TAB_GUARD] = 0,
 	_C,		_C,		_C,		_C,
 	_C,		_C,		_C,		_C,
@@ -172,17 +175,117 @@ __ctype_table_guarded(_C_ctype_tab_, _C_ctype_tab_guarded_,
 
 const unsigned short *_ctype_tab_ = &_C_ctype_tab_[0];
 
+/*
+ * _allow_ctype_abuse()
+ *
+ *	Internal subroutine to interpret environ and return true if
+ *	LIBC_ALLOWCTYPEABUSE is defined, false if not.
+ *
+ *	We use environ and strcmp directly to make sure this works
+ *	inside constructors and to avoid pulling in all the
+ *	stdlib/_env.c machinery if unnecessary.  We cache it so we only
+ *	add one traversal of environ to each process startup for the
+ *	ctype, toupper, and tolower tables (not ideal -- rtld already
+ *	does another traversal -- but better than adding multiple
+ *	traversals).
+ *
+ *	This query is also used by the out-of-line ctype logic in
+ *	isctype.c outside a constructor, where it could use getenv, and
+ *	perhaps support finer-grained distinctions -- like
+ *	LIBC_ALLOWCTYPEABUSE=silent vs LIBC_ALLOWCTYPEABUSE=noisy.  But
+ *	until we feel the need to implement such finer distinctions,
+ *	let's keep the logic of interpreting LIBC_ALLOWCTYPEABUSE
+ *	together in one place.
+ */
+#ifndef RTLD_LOADER
+#include "extern.h"		/* environ */
+static bool
+_allow_ctype_abuse(void)
+{
+	const char vareq[] = "LIBC_ALLOWCTYPEABUSE=";
+	char *const *envp;
+
+	for (envp = environ; *envp != NULL; envp++) {
+		if (strncmp(*envp, vareq, strlen(vareq)) == 0) {
+			return true;
+		}
+	}
+	return false;
+}
+#endif
+
 #if _CTYPE_GUARD_PAGE
+
+static enum {
+	ABUSE_UNDETERMINED = 0,
+	ABUSE_ALLOWED,
+	ABUSE_TRAPPED,
+} allow_ctype_abuse_cache;
+
+/*
+ * allow_ctype_abuse()
+ *
+ *	True if LIBC_ALLOWCTYPEABUSE is defined in the environment,
+ *	false if not.  May reflect the environment any time between
+ *	process startup and now.
+ */
+__dso_hidden
+bool
+allow_ctype_abuse(void)
+{
+
+	if (allow_ctype_abuse_cache != ABUSE_UNDETERMINED)
+		return allow_ctype_abuse_cache == ABUSE_ALLOWED;
+	return _allow_ctype_abuse();
+}
+
+/*
+ * constructor_allow_ctype_abuse()
+ *
+ *	True if LIBC_ALLOWCTYPEABUSE is defined in the environment,
+ *	false if not.  May be used only in an ELF constructor.
+ */
+__dso_hidden
+bool
+constructor_allow_ctype_abuse(void)
+{
+
+	if (allow_ctype_abuse_cache != ABUSE_UNDETERMINED)
+		return allow_ctype_abuse_cache == ABUSE_ALLOWED;
+	if (_allow_ctype_abuse()) {
+		allow_ctype_abuse_cache = ABUSE_ALLOWED;
+		return true;
+	} else {
+		allow_ctype_abuse_cache = ABUSE_TRAPPED;
+		return false;
+	}
+}
+
 __attribute__((constructor))
 static void
 _C_ctype_tab_guard_init(void)
 {
 
+	if (constructor_allow_ctype_abuse())
+		return;
 #ifdef __BUILD_LEGACY
 	(void)mprotect(__UNCONST(_C_compat_bsdctype_guarded),
 	    _CTYPE_GUARD_SIZE, PROT_NONE);
 #endif	/* __BUILD_LEGACY */
 	(void)mprotect(__UNCONST(_C_ctype_tab_guarded_),
 	    _CTYPE_GUARD_SIZE, PROT_NONE);
 }
+
+#else
+
+#ifndef RTLD_LOADER
+__dso_hidden
+bool
+allow_ctype_abuse(void)
+{
+
+	return _allow_ctype_abuse();
+}
+#endif
+
 #endif	/* _CTYPE_GUARD_PAGE */

lib/libc/gen/ctype_guard.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ctype_guard.h,v 1.7 2025/03/31 23:48:06 riastradh Exp $	*/
+/*	$NetBSD: ctype_guard.h,v 1.7.2.1 2025/10/01 17:41:15 martin Exp $	*/
 
 /*-
  * Copyright (c) 2025 The NetBSD Foundation, Inc.
@@ -31,6 +31,8 @@
 
 #include <sys/cdefs.h>
 
+#include <stdbool.h>
+
 #include "ctype_local.h"
 
 /*
@@ -116,10 +118,14 @@
 	__asm(".size " _C_LABEL_STRING(#name) ","			      \
 	    ___STRING((nelem) * (elemsize)))
 
+__dso_hidden bool allow_ctype_abuse(void);
+
 #if _CTYPE_GUARD_PAGE
 
 #  include <machine/vmparam.h>
 
+__dso_hidden bool constructor_allow_ctype_abuse(void);
+
 /*
  * _CTYPE_GUARD_SIZE must be a macro so it will work through ___STRING
  * to produce a string for symbol arithmetic in __asm.
@@ -130,6 +136,8 @@
 #    define	_CTYPE_GUARD_SIZE	PAGE_SIZE
 #  endif
 
+#  define	_CTYPE_GUARD_INIT(n, x)	[0 ... (n) - 1] = (x),
+
 enum {
 	_C_CTYPE_TAB_GUARD = _CTYPE_GUARD_SIZE/sizeof(_C_ctype_tab_[0]),
 #  ifdef __BUILD_LEGACY
@@ -152,6 +160,8 @@ enum {
 
 #  define	_CTYPE_GUARD_SIZE	0
 
+#  define	_CTYPE_GUARD_INIT(n, x)	/* empty */
+
 enum {
 	_C_CTYPE_TAB_GUARD = 0,
 #  ifdef __BUILD_LEGACY

lib/libc/gen/isctype.c

@@ -1,4 +1,4 @@
-/* $NetBSD: isctype.c,v 1.28 2025/03/29 21:45:08 riastradh Exp $ */
+/* $NetBSD: isctype.c,v 1.28.2.1 2025/10/01 17:41:15 martin Exp $ */
 
 /*-
  * Copyright (c)2008 Citrus Project,
@@ -28,7 +28,7 @@
 
 #include <sys/cdefs.h>
 #if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: isctype.c,v 1.28 2025/03/29 21:45:08 riastradh Exp $");
+__RCSID("$NetBSD: isctype.c,v 1.28.2.1 2025/10/01 17:41:15 martin Exp $");
 #endif /* LIBC_SCCS and not lint */
 
 #include "namespace.h"
@@ -48,32 +48,31 @@ __RCSID("$NetBSD: isctype.c,v 1.28 2025/03/29 21:45:08 riastradh Exp $");
 #error "EOF != -1"
 #endif
 
+#include "ctype_guard.h"
 #include "runetype_local.h"
 #include "setlocale_local.h"
 
 #define _RUNE_LOCALE(loc) \
     ((_RuneLocale *)((loc)->part_impl[LC_CTYPE]))
 
-static void __noinline __dead
+static int __noinline
 ctype_nasaldemon(const char *func, int c)
 {
 	char buf[128];
 
 	snprintf_ss(buf, sizeof(buf), "ctype(3) %s: invalid input: %d\n", func,
 	    c);
 	(void)write(STDERR_FILENO, buf, strlen(buf));
+	if (allow_ctype_abuse())
+		return -1;
 	abort();
 }
 
-static inline void
-ctype_check(const char *func, int c)
-{
-
-	if (__predict_false((c != EOF && c < 0) || c > UCHAR_MAX))
-		ctype_nasaldemon(func, c);
-}
-
-#define	CTYPE_CHECK(c)	ctype_check(__func__, c)
+#define	CTYPE_CHECK(c) do						      \
+{									      \
+	if (__predict_false(((c) != EOF && (c) < 0) || (c) > UCHAR_MAX))      \
+		return ctype_nasaldemon(__func__, c);			      \
+} while (0)
 
 #define _ISCTYPE_FUNC(name, bit) \
 int \

lib/libc/gen/tolower_.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tolower_.c,v 1.17 2025/03/30 00:07:51 riastradh Exp $	*/
+/*	$NetBSD: tolower_.c,v 1.17.2.1 2025/10/01 17:41:14 martin Exp $	*/
 
 /*
  * Written by J.T. Conklin <jtc@NetBSD.org>.
@@ -7,7 +7,7 @@
 
 #include <sys/cdefs.h>
 #if defined(LIBC_RCS) && !defined(lint)
-__RCSID("$NetBSD: tolower_.c,v 1.17 2025/03/30 00:07:51 riastradh Exp $");
+__RCSID("$NetBSD: tolower_.c,v 1.17.2.1 2025/10/01 17:41:14 martin Exp $");
 #endif /* LIBC_RCS and not lint */
 
 #include <sys/ctype_bits.h>
@@ -25,6 +25,7 @@ __RCSID("$NetBSD: tolower_.c,v 1.17 2025/03/30 00:07:51 riastradh Exp $");
 __ctype_table
 static const short _C_tolower_tab_guarded_[_C_TOLOWER_TAB_GUARD +
     1 + _CTYPE_NUM_CHARS] = {
+	_CTYPE_GUARD_INIT(_C_TOLOWER_TAB_GUARD, EOF)
 	[_C_TOLOWER_TAB_GUARD] = EOF,
 	0x00,	0x01,	0x02,	0x03,	0x04,	0x05,	0x06,	0x07,
 	0x08,	0x09,	0x0a,	0x0b,	0x0c,	0x0d,	0x0e,	0x0f,
@@ -76,6 +77,8 @@ static void
 _C_tolower_tab_guard_init(void)
 {
 
+	if (constructor_allow_ctype_abuse())
+		return;
 	(void)mprotect(__UNCONST(_C_tolower_tab_guarded_), _CTYPE_GUARD_SIZE,
 	    PROT_NONE);
 }

lib/libc/gen/toupper_.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: toupper_.c,v 1.17 2025/03/30 00:07:51 riastradh Exp $	*/
+/*	$NetBSD: toupper_.c,v 1.17.2.1 2025/10/01 17:41:15 martin Exp $	*/
 
 /*
  * Written by J.T. Conklin <jtc@NetBSD.org>.
@@ -7,7 +7,7 @@
 
 #include <sys/cdefs.h>
 #if defined(LIBC_RCS) && !defined(lint)
-__RCSID("$NetBSD: toupper_.c,v 1.17 2025/03/30 00:07:51 riastradh Exp $");
+__RCSID("$NetBSD: toupper_.c,v 1.17.2.1 2025/10/01 17:41:15 martin Exp $");
 #endif /* LIBC_RCS and not lint */
 
 #include <sys/ctype_bits.h>
@@ -25,6 +25,7 @@ __RCSID("$NetBSD: toupper_.c,v 1.17 2025/03/30 00:07:51 riastradh Exp $");
 __ctype_table
 static const short _C_toupper_tab_guarded_[_C_TOUPPER_TAB_GUARD +
     1 + _CTYPE_NUM_CHARS] = {
+	_CTYPE_GUARD_INIT(_C_TOUPPER_TAB_GUARD, EOF)
 	[_C_TOUPPER_TAB_GUARD] = EOF,
 	0x00,	0x01,	0x02,	0x03,	0x04,	0x05,	0x06,	0x07,
 	0x08,	0x09,	0x0a,	0x0b,	0x0c,	0x0d,	0x0e,	0x0f,
@@ -76,6 +77,8 @@ static void
 _C_toupper_tab_guard_init(void)
 {
 
+	if (constructor_allow_ctype_abuse())
+		return;
 	(void)mprotect(__UNCONST(_C_toupper_tab_guarded_), _CTYPE_GUARD_SIZE,
 	    PROT_NONE);
 }