# Android bionic status

This document details libc/libm/libdl additions and behavior changes.

See also
[Android linker changes for NDK developers](../android-changes-for-ndk-developers.md)
for changes related to native code loading in various Android releases.

## Bionic function availability

### POSIX

You can see the current status with respect to POSIX in the form of tests:
https://android.googlesource.com/platform/bionic/+/main/tests/headers/posix/

Some POSIX functionality is not supported by the Linux kernel, and
is guarded with tests for `__linux__`. Other functionality is not
supported by bionic or glibc, and guarded with tests for `__BIONIC__`
and `__GLIBC__`. In other cases historical accidents mean 32-bit
bionic diverged but 64-bit bionic matches POSIX; these are guarded with
`__LP64__`.

Most bionic-only diversions should be accompanied by an explanatory comment.

Missing functions are either obsolete or explicitly disallowed by SELinux:
* `a64l`/`l64a`
* `confstr`
* `crypt`/`encrypt`/`setkey`
* `gethostid`
* `shm_open`/`shm_unlink`
* `sockatmark`
* `ualarm`

Missing functionality:
* `<aio.h>`
* `<monetary.h>`. See
  [discussion](https://github.com/android/ndk/issues/1182).
* `<wordexp.h>`
* Locales. Although bionic contains the various `_l()` functions, the only
  locale supported is a UTF-8 C/POSIX locale. Most of the POSIX APIs are
  insufficient to support the wide range of languages used by Android users,
  and apps should use icu4c (or do their i18n work in Java) instead.
* Robust mutexes. See
  [discussion](https://github.com/android/ndk/issues/1181).
* Thread cancellation (`pthread_cancel`). Unlikely to ever be implemented
  because of the difficulty and cost of implementing it, and the difficulty
  of using it correctly. See
  [This is why we can't have safe cancellation points](https://lwn.net/Articles/683118/)
  for more about thread cancellation.

Run `./libc/tools/check-symbols-glibc.py` in bionic/ for the current
list of POSIX functions implemented by glibc but not by bionic.

### libc

Current libc symbols: https://android.googlesource.com/platform/bionic/+/main/libc/libc.map.txt

New libc functions in V (API level 35):
* New `android_crash_detail_register`, `android_crash_detail_unregister`,
  `android_crash_detail_replace_name`, and `android_crash_detail_replace_data`
  functionality for adding arbitrary data to tombstones
  (see `<android/crash_detail.h>` for full documentation).
* `tcgetwinsize`, `tcsetwinsize`, `_Fork` (POSIX Issue 8 additions).
* `timespec_getres` (C23 addition).

Expose tzalloc()/localtime_rz()/mktime_z()/tzfree().

* Rationale

The question often comes up of how to use multiple time zones in C code.
If you're single-threaded, you can just use setenv() to manipulate $TZ.
toybox does this, for example. But that's not thread-safe in two
distinct ways: firstly, getenv() is not thread-safe with respect to
modifications to the environment (and between the way putenv() is
specified and the existence of environ, it's not obvious how to fully
fix that), and secondly the _caller_ needs to ensure that no other
threads are using tzset() or any function that behaves "as if" tzset()
was called (which is neither easy to determine nor easy to ensure).

This isn't a bigger problem because most of the time the right answer
is to stop pretending that libc is at all suitable for any i18n, and
switch to icu4c instead. (The NDK icu4c headers do not include ucal_*,
so this is not a realistic option for most applications.)

But what if you're somewhere in between? Like the rust chrono library,
for example? What then?

Currently their "least worst" option is to reinvent the entire wheel and
read our tzdata files. Which isn't a great solution for anyone, for
obvious maintainability reasons.

So it's probably time we broke the catch-22 here and joined NetBSD in
offering a less broken API than standard C has for the last 40 years.
Sure, any would-be caller will have to have a separate "is this
Android?" and even "is this API level >= 35?" path, but that will fix
itself sometime in the 2030s when developers can just assume "yes, it
is", whereas if we keep putting off exposing anything, this problem
never gets solved.

(No-one's bothered to try to implement the std::chrono::time_zone
functionality in libc++ yet, but they'll face a similar problem if/when
they do.)

* Implementation

The good news is that tzcode already implements these functions, so
there's relatively little here.

I've chosen not to expose `struct state` because `struct __timezone_t`
makes for clearer error messages, given that compiler diagnostics will
show the underlying type name (`struct __timezone_t*`) rather than the
typedef name (`timezone_t`) that's used in calling code.

I've moved us over to FreeBSD's wcsftime() rather than keep the OpenBSD
one building --- I've long wanted to only have one implementation here,
and FreeBSD is already doing the "convert back and forth, calling the
non-wide function in the middle" dance that I'd hoped to get round to
doing myself someday. This should mean that our strftime() and
wcsftime() behaviors can't easily diverge in future, plus macOS/iOS are
mostly FreeBSD, so any bugs will likely be interoperable with the other
major mobile operating system, so there's something nice for everyone
there!

The FreeBSD wcsftime() implementation includes a wcsftime_l()
implementation, so that's one stub we can remove. The flip side of that
is that it uses mbsrtowcs_l() and wcsrtombs_l() which we didn't
previously have. So expose those as aliases of mbsrtowcs() and
wcsrtombs().

Bug: https://github.com/chronotope/chrono/issues/499
Test: treehugger
Change-Id: Iee1b9d763ead15eef3d2c33666b3403b68940c3c
2023-06-15 22:17:08 +02:00

* `localtime_rz`, `mktime_z`, `tzalloc`, and `tzfree` (NetBSD
  extensions implemented in tzcode, and the "least non-standard"
  functions for avoiding $TZ if you need to use multiple timezones in
  multi-threaded C).
* `mbsrtowcs_l` and `wcsrtombs_l` aliases for `mbsrtowcs` and `wcsrtombs`.
* GNU extensions `strerrordesc_np` and `strerrorname_np`.
* New system call wrappers: `__riscv_flush_icache` (`<sys/cachectl.h>`),
  `__riscv_hwprobe` (`<sys/hwprobe.h>`), `epoll_pwait2`/`epoll_pwait2_64` (`<sys/epoll.h>`).

New libc behavior in V (API level 35):
* Added `LD_SHOW_AUXV` to the dynamic linker to dump the ELF auxiliary
  vector if the environment variable is set.
* The printf family now supports `%#m` to print the name of the errno
  constant (rather than the description printed by `%m`).

New libc functions in U (API level 34):
* `close_range` and `copy_file_range` (Linux-specific GNU extensions).
* `memset_explicit` in `<string.h>` (C23 addition).
* `__freadahead` in `<stdio_ext.h>` (in musl but not glibc).
* `posix_spawn_file_actions_addchdir_np` and
  `posix_spawn_file_actions_addfchdir_np` in `<spawn.h>` (in musl/glibc
  and macOS, but not iOS).

New libc behavior in U (API level 34):
* Support for `%b` and `%B` in the printf/wprintf family, `%b` in the
  scanf/wscanf family, and `0b` prefixes with base 0 in the strtol/wcstol
  family.
* Support for `wN` length modifiers in the printf/wprintf family.
* tmpfile() now respects $TMPDIR.

New libc functions in T (API level 33):
* `backtrace`, `backtrace_symbols`, `backtrace_symbols_fd` (`<execinfo.h>`).
* New system call wrappers: `preadv2`, `preadv64v2`, `pwritev2`,
  `pwritev64v2`.

New libc functions in S (API level 31):
* New hooks for sanitizers for TLS access: `__libc_get_static_tls_bounds`,
  `__libc_register_thread_exit_callback`, `__libc_iterate_dynamic_tls`,
  `__libc_register_dynamic_tls_listeners`.
* New helper to allow the zygote to give each zygote child its own stack
  cookie (currently unused): `android_reset_stack_guards`.
* Non-inline symbols for `ffsl`, `ffsll`.
* New system call wrappers: `pidfd_getfd`, `pidfd_open`, `pidfd_send_signal`,
  `process_madvise`.

New libc functions in R (API level 30):
* Full C11 `<threads.h>` (available as inlines for older API levels).
* `memfd_create` and `mlock2` (Linux-specific GNU extensions).
* `renameat2` and `statx` (Linux-specific GNU extensions).
* `pthread_cond_clockwait`/`pthread_mutex_clocklock`/`pthread_rwlock_clockrdlock`/`pthread_rwlock_clockwrlock`/`sem_clockwait`

New libc behavior in R (API level 30):
* [fdsan](fdsan.md) now aborts when it detects common file descriptor errors,
  rather than just logging.

New libc functions in Q (API level 29):
* `timespec_get` (C11 `<time.h>` addition)
* `reallocarray` (BSD/GNU extension in `<malloc.h>` and `<stdlib.h>`)
* `res_randomid` (in `<resolv.h>`)
* `pthread_sigqueue` (GNU extension)
* `getloadavg` (BSD/GNU extension in `<stdlib.h>`)

New libc behavior in Q (API level 29):
* Whole printf family now supports the GNU `%m` extension, rather than a
  special-case hack in `syslog`.
* `popen` now always uses `O_CLOEXEC`, not just with the `e` extension.
* Bug fixes to handling of UTF-8 U+fffe/U+ffff and code points above U+10ffff.
* `aligned_alloc` correctly verifies that `size` is a multiple of `alignment`.
* Using `%n` with the printf family is now reported as a FORTIFY failure.
  Previous versions of Android would ignore the `%n` but not consume the
  corresponding pointer argument, leading to obscure errors. The scanf family
  is unchanged.
* Support in strptime for `%F`, `%G`, `%g`, `%P`, `%u`, `%V`, and `%v`.
  (strftime already supported them all.)
* [fdsan](fdsan.md) detects and logs common file descriptor errors at runtime.

New libc functions in P (API level 28):
* `aligned_alloc`
* `__freading`/`__fwriting` (completing `<stdio_ext.h>`)
* `endhostent`/`endnetent`/`endprotoent`/`getnetent`/`getprotoent`/`sethostent`/`setnetent`/`setprotoent` (completing `<netdb.h>`)
* `fexecve`
* `fflush_unlocked`/`fgetc_unlocked`/`fgets_unlocked`/`fputc_unlocked`/`fputs_unlocked`/`fread_unlocked`/`fwrite_unlocked`
* `getentropy`/`getrandom` (adding `<sys/random.h>`)
* `getlogin_r`
* `glob`/`globfree` (adding `<glob.h>`)
* `hcreate`/`hcreate_r`/`hdestroy`/`hdestroy_r`/`hsearch`/`hsearch_r` (completing `<search.h>`)
* `iconv`/`iconv_close`/`iconv_open` (adding `<iconv.h>`)

Implement pthread_attr_getinheritsched/pthread_attr_setinheritsched.

Historically, Android defaulted to EXPLICIT but with a special case
because SCHED_NORMAL/priority 0 was awkward. Because the code couldn't
actually tell whether SCHED_NORMAL/priority 0 was a genuine attempt to
explicitly set those attributes (because the parent thread is SCHED_FIFO,
say) or just because the pthread_attr_t was left at its defaults.

Now we support INHERIT, we could call sched_getscheduler to see whether
we actually need to call sched_setscheduler, but since the major cost
is the fixed syscall overhead, we may as well just conservatively
call sched_setscheduler and let the kernel decide whether it's a
no-op. (Especially because we'd then have to add both sched_getscheduler
and sched_setscheduler to any seccomp filter.)

Platform code (or app code that only needs to support >= P) can actually
add a call to pthread_attr_setinheritsched to say that they just want
to inherit (if they know that none of their threads actually mess with
scheduler attributes at all), which will save them a sched_setscheduler
call except in the doubly-special case of SCHED_RESET_ON_FORK (which we
do handle).

An alternative would be "make pthread_attr_setschedparams and
pthread_attr_setschedprio set EXPLICIT and change the platform default
to INHERIT", but even though I can only think of weird pathological
examples where anyone would notice that change, that behavior -- of
pthread_attr_setschedparams/pthread_attr_setschedprio overriding an
earlier call to pthread_attr_setinheritsched -- isn't allowed by POSIX
(whereas defaulting to EXPLICIT is).

If we have a lot of trouble with this change in the app compatibility
testing phase, though, we'll want to reconsider this decision!

-*-

This change also removes a comment about setting the scheduler attributes
in main_thread because we'd have to actually keep them up to date,
and it's not clear that doing so would be worth the trouble.

Also make async_safe_format_log preserve errno so we don't have to be
so careful around it.

Bug: http://b/67471710
Test: ran tests
Change-Id: Idd026c4ce78a536656adcb57aa2e7b2c616eeddf
2017-10-18 00:34:41 +02:00

* `pthread_attr_getinheritsched`/`pthread_attr_setinheritsched`/`pthread_setschedprio`
* `pthread_mutexattr_getprotocol`/`pthread_mutexattr_setprotocol` (mutex priority inheritance)
* `<signal.h>` support for `sigaction64_t` and `sigset64_t` allowing LP32 access to real-time signals
* `<spawn.h>`
* `swab`
* `syncfs`

New libc behavior in P (API level 28):
* `%C` and `%S` support in the printf family (previously only the wprintf family supported these).
* `%mc`/`%ms`/`%m[` support in the scanf family.
* `%s` support in strptime (strftime already supported it).
* Using a `pthread_mutex_t` after it's been destroyed will be detected at
  runtime and reported as a FORTIFY failure.
* Passing a null `FILE*` or `DIR*` to libc is now detected at runtime and
  reported as a FORTIFY failure.

New libc functions in O (API level 26):
* `sendto` FORTIFY support
* `__system_property_read_callback`/`__system_property_wait`
* legacy `bsd_signal`
* `catclose`/`catgets`/`catopen` (adding `<nl_types.h>`)
* `ctermid`
* all 6 `<grp.h>`/`<pwd.h>` (get|set|end)(gr|pw)ent functions
* `futimes`/`futimesat`/`lutimes`
* `getdomainname`/`setdomainname`
* `getsubopt`
* `hasmntopt`
* `mallopt`
* `mblen`
* 4 `<sys/msg.h>` `msg*` functions
* `<langinfo.h>` `nl_langinfo`/`nl_langinfo_l`
* `pthread_getname_np`
* 2 new Linux system calls `quotactl` and `sync_file_range`
* 4 `<sys/sem.h>` `sem*` functions
* 4 `<sys/shm.h>` `shm*` functions
* 5 legacy `<signal.h>` functions: `sighold`/`sigignore`/`sigpause`/`sigrelse`/`sigset`
* `strtod_l`/`strtof_l`/`strtol_l`/`strtoul_l`
* `<wctype.h>` `towctrans`/`towctrans_l`/`wctrans`/`wctrans_l`

New libc behavior in O (API level 26):
* Passing an invalid `pthread_t` to libc is now detected at runtime and
  reported as a FORTIFY failure. Most commonly this is a result of confusing
  `pthread_t` and `pid_t`.

New libc functions in N (API level 24):
* more FORTIFY support functions (`fread`/`fwrite`/`getcwd`/`pwrite`/`write`)
* all remaining `_FILE_OFFSET_BITS=64` functions, completing `_FILE_OFFSET_BITS=64` support in bionic (8)
* all 7 `pthread_barrier*` functions
* all 5 `pthread_spin*` functions
* `lockf`/`preadv`/`pwritev`/`scandirat` and `off64_t` variants
* `adjtimex`/`clock_adjtime`
* `<ifaddrs.h>` `getifaddrs`/`freeifaddrs`/`if_freenameindex`/`if_nameindex`
* `getgrgid_r`/`getgrnam_r`
* GNU extensions `fileno_unlocked`/`strchrnul`
* 32-bit `prlimit`

New libc behavior in N (API level 24):
* `sem_wait` now returns EINTR when interrupted by a signal.

New libc functions in M (API level 23):
* `<dirent.h>` `telldir`, `seekdir`.
* `<malloc.h>` `malloc_info`.
* `<netdb.h>` `gethostbyaddr_r`, `gethostbyname2_r`.
* `<pthread.h>` `pthread_rwlockattr_getkind_np`/`pthread_rwlockattr_setkind_np`.
* `<pty.h>` `forkpty`, `openpty`.
* `<signal.h>` `sigqueue`, `sigtimedwait`, `sigwaitinfo`.
* `<stdio.h>` `fmemopen`, `open_memstream`, `feof_unlocked`, `ferror_unlocked`, `clearerr_unlocked`.
* `<stdio_ext.h>` `__flbf`, `__freadable`, `__fsetlocking`, `__fwritable`, `__fbufsize`, `__fpending`, `_flushlbf`, `__fpurge`.
* `<stdlib.h>` `mkostemp`/`mkostemps`, `lcong48`.
* `<string.h>` `basename`, `strerror_l`, `strerror_r`, `mempcpy`.
* `<sys/sysinfo.h>` `get_nprocs_conf`/`get_nprocs`, `get_phys_pages`, `get_avphys_pages`.
* `<sys/uio.h>` `process_vm_readv`/`process_vm_writev`.
* `clock_getcpuclockid`, `login_tty`, `mkfifoat`, `posix_madvise`, `sethostname`, `strcasecmp_l`/`strncasecmp_l`.
* `<wchar.h>` `open_wmemstream`, `wcscasecmp_l`/`wcsncasecmp_l`, `wmempcpy`.
* all of `<error.h>`.
* re-introduced various `<resolv.h>` functions: `ns_format_ttl`, `ns_get16`, `ns_get32`, `ns_initparse`, `ns_makecanon`, `ns_msg_getflag`, `ns_name_compress`, `ns_name_ntol`, `ns_name_ntop`, `ns_name_pack`, `ns_name_pton`, `ns_name_rollback`, `ns_name_skip`, `ns_name_uncompress`, `ns_name_unpack`, `ns_parserr`, `ns_put16`, `ns_put32`, `ns_samename`, `ns_skiprr`, `ns_sprintrr`, and `ns_sprintrrf`.

New libc functions in L (API level 21):
* `<android/dlext.h>`.
* `<android/set_abort_message.h>`.
* `<arpa/inet.h>` `inet_lnaof`, `inet_netof`, `inet_network`, `inet_makeaddr`.
* `<wctype.h>` `iswblank`.
* `<ctype.h>` `isalnum_l`, `isalpha_l`, `isblank_l`, `iscntrl_l`, `isdigit_l`, `isgraph_l`, `islower_l`, `isprint_l`, `ispunct_l`, `isspace_l`, `isupper_l`, `isxdigit_l`, `_tolower`, `tolower_l`, `_toupper`, `toupper_l`.
* `<fcntl.h>` `fallocate`, `posix_fadvise`, `posix_fallocate`, `splice`, `tee`, `vmsplice`.
* `<inttypes.h>` `wcstoimax`, `wcstoumax`.
* `<link.h>` `dl_iterate_phdr`.
* `<mntent.h>` `setmntent`, `endmntent`, `getmntent_r`.
* `<poll.h>` `ppoll`.
* `<pthread.h>` `pthread_condattr_getclock`, `pthread_condattr_setclock`, `pthread_mutex_timedlock`, `pthread_gettid_np`.
* `<sched.h>` `setns`.
* `<search.h>` `insque`, `remque`, `lfind`, `lsearch`, `twalk`.
* `<stdio.h>` `dprintf`, `vdprintf`.
* `<stdlib.h>` `initstate`, `setstate`, `getprogname`/`setprogname`, `atof`/`strtof`, `at_quick_exit`/`_Exit`/`quick_exit`, `grantpt`, `mbtowc`/`wctomb`, `posix_openpt`, `rand_r`/`rand`/`random`/`srand`/`srandom`, `strtold_l`/`strtoll_l`/`strtoull_l`.
* `<string.h>` `strcoll_l`/`strxfrm_l`, `stpcpy`/`stpncpy`.
* `<sys/resource.h>` `prlimit`.
* `<sys/socket.h>` `accept4`, `sendmmsg`.
* `<sys/stat.h>` `mkfifo`/`mknodat`.
* `<time.h>` `strftime_l`.
* `<unistd.h>` `dup3`, `execvpe`, `getpagesize`, `linkat`/`symlinkat`/`readlinkat`, `truncate`.
* `<wchar.h>` `wcstof`, `vfwscanf`/`vswscanf`/`vwscanf`, `wcstold_l`/`wcstoll`/`wcstoll_l`/`wcstoull`/`wcstoull_l`, `mbsnrtowcs`/`wcsnrtombs`, `wcscoll_l`/`wcsxfrm_l`.
* `<wctype.h>` `iswalnum_l`/`iswalpha_l`/`iswblank_l`/`iswcntrl_l`/`iswctype_l`/`iswdigit_l`/`iswgraph_l`/`iswlower_l`/`iswprint_l`/`iswpunct_l`/`iswspace_l`/`iswupper_l`/`iswxdigit_l`, `wctype_l`, `towlower_l`/`towupper_l`.
* all of `<fts.h>`.
* all of `<locale.h>`.
* all of `<sys/epoll.h>`.
* all of `<sys/fsuid.h>`.
* all of `<sys/inotify.h>`.
* all of `<uchar.h>`.

New libc functions in K (API level 19):
* `<inttypes.h>` `imaxabs`, `imaxdiv`.
* `<stdlib.h>` `abs`, `labs`, `llabs`.
* `<sys/stat.h>` `futimens`.
* all of `<sys/statvfs.h>`.
* all of `<sys/swap.h>`.
* all of `<sys/timerfd.h>`.

New libc functions in J-MR2 (API level 18):
* `<stdio.h>` `getdelim` and `getline`.
* `<sys/auxv.h>` `getauxval`.
* `<sys/signalfd.h>` `signalfd`.

New libc functions in J-MR1 (API level 17):
* `<ftw.h>`.
* `<signal.h>` `psiginfo` and `psignal`.
* `getsid`, `malloc_usable_size`, `mlockall`/`munlockall`, `posix_memalign`, `unshare`.

New libc functions in J (API level 16):
* the `<search.h>` tree functions `tdelete`, `tdestroy`, `tfind`, and `tsearch`.
* `faccessat`, `readahead`, `tgkill`.
* all of `<sys/xattr.h>`.

libc function count over time:

| OS    | API level | Function count |
|-------|-----------|----------------|
| J     | 16        | 842            |
| J MR1 | 17        | 870            |
| J MR2 | 18        | 878            |
| K     | 19        | 893            |
| L     | 21        | 1118           |
| M     | 23        | 1183           |
| N     | 24        | 1228           |
| O     | 26        | 1280           |
| P     | 28        | 1378           |
| Q     | 29        | 1394           |

Data collected by:
```
ndk-r21$ for i in `ls -1v platforms/android-*/arch-arm/usr/lib/libc.so` ; do \
  echo $i; nm $i | grep -w T | wc -l ; done
```

### libm

Current libm symbols: https://android.googlesource.com/platform/bionic/+/main/libm/libm.map.txt

0 remaining missing C11/POSIX libm functions.

New libm functions in O (API level 26):
* `<complex.h>` `clog`/`clogf`, `cpow`/`cpowf` functions.

New libm functions in M (API level 23):
* `<complex.h>` `cabs`, `carg`, `cimag`, `cacos`, `cacosh`, `casin`, `casinh`, `catan`, `catanh`, `ccos`, `ccosh`, `cexp`, `conj`, `cproj`, `csin`, `csinh`, `csqrt`, `ctan`, `ctanh`, `creal`, `cabsf`, `cargf`, `cimagf`, `cacosf`, `cacoshf`, `casinf`, `casinhf`, `catanf`, `catanhf`, `ccosf`, `ccoshf`, `cexpf`, `conjf`, `cprojf`, `csinf`, `csinhf`, `csqrtf`, `ctanf`, `ctanhf`, `crealf`, `cabsl`, `cprojl`, `csqrtl`.
* `<math.h>` `lgammal_r`.

New libm functions in L (API level 21):
* `<complex.h>` `cabsl`, `cprojl`, `csqrtl`.
* `<math.h>` `isinf`, `significandl`.

New libm functions in J-MR2 (API level 18):
* `<math.h>` `log2`, `log2f`.


## Target API level behavioral differences

Most bionic bug fixes and improvements have been made without checks for
the app's `targetSdkVersion`. There are a handful of exceptions. (If in
doubt, search the source for `android_get_application_target_sdk_version()`.)

### Destroyed mutex checking (targetSdkVersion >= 28)

If a destroyed `pthread_mutex_t` is passed to any of the mutex functions, apps
targeting API level 28 or higher will see a
"<function> called on a destroyed mutex" fortify failure. Apps targeting older
API levels will just have the function fail with EBUSY (matching the likely
behavior before we added the check).

### Invalid `pthread_t` handling (targetSdkVersion >= 26)

As part of a long-term goal to remove the global thread list,
and in an attempt to flush out racy code, we changed how an invalid
`pthread_t` is handled. For `pthread_detach`, `pthread_getcpuclockid`,
`pthread_getschedparam`/`pthread_setschedparam`, `pthread_join`, and
`pthread_kill`, instead of returning ESRCH when passed an invalid
`pthread_t`, if you're targeting API level 26 or above, they'll abort with the
message "attempt to use invalid pthread\_t".

Note that this doesn't change behavior as much as you might think: the
old lookup only held the global thread list lock for the duration of
the lookup, so there was still a race between that and the dereference
in the caller, given that callers actually need the tid to pass to some
syscall or other, and sometimes update fields in the `pthread_internal_t`
struct too.

We can't check a thread's tid against 0 to see whether a `pthread_t`
is still valid because a dead thread gets its thread struct unmapped
along with its stack, so the dereference isn't safe.

To fix your code, taking the affected functions one by one:

* `pthread_getcpuclockid` and `pthread_getschedparam`/`pthread_setschedparam`
  should be fine. Unsafe calls to those seem highly unlikely.

* Unsafe `pthread_detach` callers probably want to switch to
  `pthread_attr_setdetachstate` instead, or use
  `pthread_detach(pthread_self());` from the new thread's start routine
  rather than calling detach in the parent.

* `pthread_join` calls should be safe anyway, because a joinable thread
  won't actually exit and unmap until it's joined. If you're joining an
  unjoinable thread, the fix is to stop marking it detached. If you're
  joining an already-joined thread, you need to rethink your design!

* Unsafe `pthread_kill` calls aren't portably fixable. (And are obviously
  inherently non-portable as-is.) The best alternative on Android is to
  use `pthread_gettid_np` at some point that you know the thread to be
  alive, and then call `kill`/`tgkill` with signal 0 (which checks
  whether a process exists rather than actually sending a
  signal). That's still not completely safe because if you're too late
  the tid may have been reused, but your code is inherently unsafe without
  a redesign anyway.
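
The two `pthread_detach` alternatives from the list above, written out as an added example (not bionic or NDK code). `struct job`, `worker`, `spawn_detached`, `spawn_self_detaching` and `run_job` are hypothetical names, and the job is constructed sample work.

```c
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdio.h>

/* Constructed sample job: the worker stores a result and signals completion. */
struct job {
    sem_t done;
    int result;
};

static void *worker(void *arg) {
    struct job *j = arg;
    j->result = 42;
    sem_post(&j->done);  /* last access to *j by this thread */
    return NULL;
}

/* Alternative 1: create the thread already detached. The parent never calls
 * pthread_detach() and keeps no pthread_t that could later go stale. */
int spawn_detached(void *(*fn)(void *), void *arg) {
    pthread_attr_t attr;
    pthread_t unused;  /* required by pthread_create(), deliberately not kept */
    int rc = pthread_attr_init(&attr);
    if (rc != 0) return rc;
    rc = pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
    if (rc == 0) rc = pthread_create(&unused, &attr, fn, arg);
    pthread_attr_destroy(&attr);
    return rc;
}

/* Alternative 2: the new thread detaches itself in its start routine.
 * pthread_self() is always a valid pthread_t for the calling thread. */
static void *self_detaching_worker(void *arg) {
    pthread_detach(pthread_self());
    return worker(arg);
}

int spawn_self_detaching(void *arg) {
    pthread_t unused;
    return pthread_create(&unused, NULL, self_detaching_worker, arg);
}

/* Runs one job with the chosen alternative and returns the worker's result,
 * or -1 if the thread could not be started. Completion is reported through
 * the semaphore, since a detached thread cannot be joined. */
int run_job(int self_detach) {
    struct job j;
    int rc;

    j.result = -1;
    if (sem_init(&j.done, 0, 0) != 0) return -1;
    rc = self_detach ? spawn_self_detaching(&j) : spawn_detached(worker, &j);
    if (rc != 0) {
        sem_destroy(&j.done);
        return -1;
    }
    while (sem_wait(&j.done) == -1 && errno == EINTR) {
        /* interrupted by a signal handler: wait again */
    }
    sem_destroy(&j.done);
    return j.result;
}

int main(void) {
    printf("created detached: result=%d\n", run_job(0));
    printf("self-detaching:   result=%d\n", run_job(1));
    return 0;
}
```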

### Interruptable `sem_wait` (targetSdkVersion >= 24)

POSIX says that `sem_wait` can be interrupted by delivery of a
signal. This wasn't historically true in Android, and when we fixed this
bug we found that existing code relied on the old behavior. To preserve
compatibility, `sem_wait` can only return EINTR on Android if the app
targets API level 24 or later.
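
Code that relied on the old behavior needs to handle EINTR once it targets API level 24 or later. The following added example (not bionic code) shows a retry wrapper and a self-contained way to exercise it; `sem_wait_retry`, `run_interrupted_wait`, `on_alarm` and the 100 ms `SIGALRM` timer are constructed for the illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700  /* sigaction() and setitimer() under strict -std= modes */
#endif
#include <errno.h>
#include <semaphore.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

static sem_t g_sem;
static volatile sig_atomic_t g_signals_seen;

/* Signal handler: count the signal and post the semaphore so the waiter can
 * finish. sem_post() is async-signal-safe; errno is saved and restored. */
static void on_alarm(int signo) {
    int saved_errno = errno;
    (void)signo;
    g_signals_seen++;
    sem_post(&g_sem);
    errno = saved_errno;
}

/* Waits on sem, retrying whenever a signal handler interrupts the wait.
 * If eintr_count is non-NULL it receives the number of EINTR returns seen.
 * Returns 0 on success, or -1 with errno set for any error other than EINTR. */
int sem_wait_retry(sem_t *sem, int *eintr_count) {
    int interrupted = 0;
    int rc;
    while ((rc = sem_wait(sem)) == -1 && errno == EINTR) {
        interrupted++;
    }
    if (eintr_count != NULL) *eintr_count = interrupted;
    return rc;
}

/* Blocks in sem_wait_retry() on an empty semaphore while a one-shot timer
 * delivers SIGALRM. Returns what sem_wait_retry() returned, or -1 on setup
 * failure. */
int run_interrupted_wait(int *eintr_count) {
    struct sigaction sa, old_sa;
    struct itimerval timer;
    int rc;

    if (sem_init(&g_sem, 0, 0) != 0) return -1;
    g_signals_seen = 0;

    memset(&sa, 0, sizeof sa);  /* sa_flags == 0: no SA_RESTART */
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, &old_sa) != 0) {
        sem_destroy(&g_sem);
        return -1;
    }

    memset(&timer, 0, sizeof timer);
    timer.it_value.tv_usec = 100000;  /* fire once, 100 ms from now */
    if (setitimer(ITIMER_REAL, &timer, NULL) != 0) {
        sigaction(SIGALRM, &old_sa, NULL);
        sem_destroy(&g_sem);
        return -1;
    }

    rc = sem_wait_retry(&g_sem, eintr_count);

    sigaction(SIGALRM, &old_sa, NULL);
    sem_destroy(&g_sem);
    return rc;
}

int main(void) {
    int eintr = 0;
    int rc = run_interrupted_wait(&eintr);
    printf("rc=%d EINTR returns=%d signals=%d\n", rc, eintr, (int)g_signals_seen);
    return rc == 0 ? 0 : 1;
}
```

An unconditional retry is only right when the signal is not meant to cancel the wait; code that uses signals for cancellation should check its own stop flag inside the loop.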

## FORTIFY

The `_FORTIFY_SOURCE` macro can be used to enable extra
automatic bounds checking for common libc functions. If a buffer
overrun is detected, the program is safely aborted as in this
[example](https://source.android.com/devices/tech/debug/native-crash#fortify).

Note that Android's FORTIFY has been extended to cover other issues. It can
detect, for example, passing `O_CREAT` to open(2) without specifying a mode. It
also performs some checking regardless of whether the caller was built with
FORTIFY enabled. From API level 28, for example, calling a `pthread_mutex_`
function on a destroyed mutex, calling a `<dirent.h>` function on a null
pointer, using `%n` with the printf(3) family, or using the scanf(3) `m`
modifier incorrectly will all result in FORTIFY failures even for code not built
with FORTIFY.

More background information is available in our
[FORTIFY in Android](https://android-developers.googleblog.com/2017/04/fortify-in-android.html)
blog post, and there's more detail about the implementation in
[The Anatomy of Clang FORTIFY](clang_fortify_anatomy.md).

The Android platform is built with `-D_FORTIFY_SOURCE=2`. Users of ndk-build
or the NDK's CMake toolchain file also get this by default with NDK r21 or
newer. Users of other build systems
need to manually enable FORTIFY by setting `_FORTIFY_SOURCE` themselves in
whatever build system they're using. The exact subset of FORTIFY available to
NDK users will depend on their target API level, because when a FORTIFY
check can't be guaranteed at compile-time, a call to a run-time `_chk`
function is added.
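
A simplified model of the run-time `_chk` idea, as an added example (not bionic's implementation): the call site passes along the destination size the compiler knows, via the GCC/Clang builtin `__builtin_object_size`, and the checked function compares it with the requested length. `demo_memcpy_chk`, `demo_memcpy` and `store_name` are hypothetical names, and the check returns -1 where real FORTIFY aborts the process.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value __builtin_object_size() yields when the compiler cannot determine
 * the size of the destination object. */
#define SIZE_UNKNOWN ((size_t)-1)

/* Hypothetical stand-in for a libc _chk function. dst_size is the size of
 * the destination object as known at the call site. Returns -1 instead of
 * writing when the copy would overrun it (real FORTIFY aborts here), and
 * 0 after a successful copy. An unknown size cannot be checked. */
int demo_memcpy_chk(void *dst, const void *src, size_t n, size_t dst_size) {
    if (dst_size != SIZE_UNKNOWN && n > dst_size) {
        return -1;
    }
    memcpy(dst, src, n);
    return 0;
}

/* What a fortified header does conceptually: rewrite the plain call into the
 * checked one, adding the object size the compiler can see. */
#define demo_memcpy(dst, src, n) \
    demo_memcpy_chk((dst), (src), (n), __builtin_object_size((dst), 0))

/* The length is only known at run time, so the overrun cannot be rejected
 * at compile time; the run-time check is what catches it. */
int store_name(const char *name, size_t name_len) {
    char buf[16];
    return demo_memcpy(buf, name, name_len);
}

int main(void) {
    /* Constructed inputs: one that fits in 16 bytes and one that does not. */
    static const char long_name[] = "this name is longer than sixteen bytes";
    printf("fits:     %d\n", store_name("short", 6));
    printf("overflow: %d\n", store_name(long_name, sizeof long_name));
    return 0;
}
```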