Release 0.9.15

• Security fix
• Other important fixes
• build-standalone was broken
• TLS handshake error in newer MbedTLS
• O(n) in size-of method
• Compatibility warnings
• Legacy argument keywords for define-cproc
• '#<undef> is used in boolean context'
• New modules & procedures
• Other bug fixes

Security fix

Only Windows version is affected.

If you ran .bat or .cmd via sys-exec (or other higher-level APIs such as run-process), certain crafted command-line argument could invoke external commands: https://kb.cert.org/vuls/id/123335

In Gauche, the effect is limited because the user need to give .bat or .cmd extensions explicitly to run those files, so the user code can check unsafe arguments as well. Nevertheless, it is better not to have holes.

Now, if you're trying to run a .bat or .cmd file and the argument contains one of "unsafe" characters, an error is thrown. (Issue:1017)

Other important fixes

build-standalone was broken

You couldn't build a standalone binary with 0.9.14, for it introduced an unintended dependency on private header files (which is only available when you have a source tree). It is addressed. Issue:1013.

TLS handshake error in newer MbedTLS

When you tried to use TLS server socket with newer MbedTLS, clients failed to connect with TLS handshake error. It is fixed.

Besides, if you configure with --with-tls=mbedtls-internal, it now uses MbedTLS 3.5.2. Issue:1018,Issue:1021.

O(n) in size-of method

The size-of method returns a size of a collection. Since the minimal requirement of collection protocol is an iterator, the default method of size-of iterates over all elements to count them. It happened that built-in hashtables and treemaps didn't specialize size-of, it caused O(n) instead of O(1). Now those methods are specialized, and documentation warns this fallback behavior. Issue:987.

Compatibility warnings

Legacy argument keywords for define-cproc

At the beginning, C interface (define-cproc) used CL-style lambda keywords such as &optional. We switched to keywords :optional loooong time ago, but we've supported the old style. We plan to drop it. If you see this warning, please update the source.

'#<undef> is used in boolean context'

This warning is off by default, but we recommend you to turn it on by setting the environment variable GAUCHE_CHECK_UNDEFINED_TEST. This warning is issued when #<undef> appears as the result of a test expression of conditional branch.

This feature has been in for a while, but we plan to turn the warning on by default in the next release or so, thus we bring this up again.

See Nasty undefined, for the details.

New modules & procedures

• srfi.215: Central log exchange
• srfi.238: Codesets
• srfi.247: Syntactic monads

• gauche-package
  • New populate subcommand can be used in the existing module directory to copy missing files for packaging.
  • The compile command now processes *.scm files with precomp. This eliminates the need of *.stub files from C interface.
  • The compile command also accepts --srcdir option to allow out-of-tree build. Examples are rewritten accordingly. Issues:990?.
• Assoc-list related procedures: Added alist-merge, and introduced a new consistent naming (alist-ref, alist-key, alist-adjoin, and alist-update-in) in place of assoc-* procedures. Issue:985.
• When an error occurs during processis -l and -e command-line options, now gosh shows more information about error, rather than a single-line summary.
• New constant procedure to get boundaries of floating point number representation: greatest-positive-flonum, least-positive-flonum, least-positive-normalized-flonum.
• CiSE now handles new and delete operators. This is for C++, but currently we don't distinguish C/C++ as targets, so the code targetting C is also affected.
• gauche.collection: Add group-collection->alist.
• data.random: New procedues finite-flonums$, reals-power-law$.
• rfc.822: Add rfc822-header-ref*, rfc822-header-put.
• rfc.url: Add url-decompose-query and url-compose-query, common query string parsing & construction.
• gauche.cgen.cise: Support asm CiSE directive.
• make install uses install-info if it's available, which updates system's dir file if necessary. Issue:988.
• file.util: build-path accepts #f as a path component; it is interpreted as ..
• unbox: Now it has an associate setter.

Other bug fixes

• text.multicolumn: Fix the edge case when the string list is empty.
• string-ref: Fix a bug that can return #<unbound> when applied to an incomplete string.
• data.range: Fix a bug in binary search. Pr:1004.
• data.random: Fix overflow and precision loss of reals-between$. Issue:1000.
• sxml.tools: Fix character escaping and namespace handling of sxml:sxml->xml and sxml:sxml->html are improved. See the discussion in this Gauche-makiki issue
• GC hasn't been using parallel markers until there's a new user thread explicitly created, due to the update in Boehm GC. This has been addressed.
• srfi.235: Fix a bug in disjoin.
• Fix ExtendedPairDescriptor alignment error that depending on a compiler.
• Fix gauche/priv/arith.h that could trigger an undefined behavior.
• + and * didn't typecheck the argument if it was called as unary operator. Issue:1012.
• Branch cuts of atan didn't follow R7RS spec.