HWASan-instrumented code needs TLS_SLOT_SANITIZER set up to run, and
that is not done until the new thread calls __hwasan_thread_enter. Block
all signals until that time to prevent hwasan-instrumented signal
handlers running (and crashing) on the new thread.
Bug: 141893397
Test: seq 0 10000000 | xargs -n 1 -P 200 adb shell am instrument \
-w -r -e command grant-all \
com.android.permissionutils/.PermissionInstrumentation
(cherry picked from commit d181585dd5)
Change-Id: Id65fae836edcacdf057327ccf16cf0b5e0f9474a
The libs are not available for platform. Thus removing
'//apex_available:platform' from the apex_available property. However,
since there are test modules that statically links the libs, we
exceptionally make the static variant of the libs available to the
platform.
Test: m
Test: mm under bionic does not create
out/target/product/<name>/system/lib[64]/libc_malloc_[debug|hooks].so
Change-Id: Ia6d473658c4231b04b5db511f9dacbbdf0f207b0
The bionic libs are now restricted to be in the runtime APEX and the
platform (for bootstrapping). It can still be referenced from other
APEXes but can't be included there.
Bug: 139870423
Test: m
Change-Id: I7f99eef27ccf75844ca5c9a7ea866496841b738f
The NDK doesn't support anything older than API level 16, so remove some
more clutter.
Test: builds
Change-Id: If257a27841396af001b089b7ae0fbd8c3e0128e4
The NDK only supports >= 16, so remove anything older than that to avoid
giving the misleading impression that such old targets are still
supported.
(This change doesn't touch <unistd.h>. I'll follow up with that once the
outstanding FORTIFY changes to that file are in.)
Test: builds
Change-Id: I6cc6ecdb99fe228a4afa71f78e5fd45309ba9786
Refactor some of the definitions to separate out all of the native
allocator pieces into one place that can be changed easily. This
should fix a few static libraries that appear to have accidentally
included jemalloc wrapper functions. For example, I verified that
libc_nomalloc.a no longer has references to any je_XXX functions.
Modify the bionic_libc_platform_headers to not include any libraries.
If this isn't updated, soong thinks there are cycles when used by
libscudo.
To enable scudo, change the libc_native_allocator_defaults defaults
from libc_jemalloc5_defaults to libc_scudo_defaults and comment out
the defaults: ["libc_scudo_wrapper_defaults"], line for the shared
library libc_scudo.
To do a final switch to scudo, it will be necessary to clean up
some code in other parts of the tree, but this allows a single cl
to enable or disable.
Bug: 137795072
Test: Builds with jemalloc or scudo with a small change.
Test: Ran bionic unit tests.
Change-Id: I07bb5432a0d2b2f405f92412e8d04fb9c9e51b31
Merged-In: I07bb5432a0d2b2f405f92412e8d04fb9c9e51b31
(cherry picked from commit ccff1b19ef)
The tables in the BSD tolower/toupper are slower for ASCII than just
doing the bit twiddling.
We can't actually remove the tables on LP32, so move them into the
"cruft" we keep around for backwards compatibility (but remove them for
LP64 where they were never exposed).
I noticed that the new bit-twiddling tolower(3) was performing better
on arm64 than toupper(3). The 0xdf constant was requiring an extra MOV,
and there isn't a BIC that takes an immediate value. Since we've already
done the comparison to check that we're in the right range (where the
bit is always set), though, we can EOR 0x20 to get the same result as
the missing BIC 0x20 in just one instruction.
I've applied that same optimization to towupper(3) too.
Before:
BM_ctype_tolower_n 3.30 ns 3.30 ns 212353035
BM_ctype_tolower_y 3.31 ns 3.30 ns 211234204
BM_ctype_toupper_n 3.30 ns 3.29 ns 214161246
BM_ctype_toupper_y 3.29 ns 3.28 ns 207643473
BM_wctype_towupper_ascii_n 3.53 ns 3.53 ns 195944444
BM_wctype_towupper_ascii_y 3.48 ns 3.48 ns 199233248
After:
BM_ctype_tolower_n 2.93 ns 2.92 ns 242373703
BM_ctype_tolower_y 2.88 ns 2.87 ns 245365309
BM_ctype_toupper_n 2.93 ns 2.93 ns 243049353
BM_ctype_toupper_y 2.89 ns 2.89 ns 245072521
BM_wctype_towupper_ascii_n 3.34 ns 3.33 ns 212951912
BM_wctype_towupper_ascii_y 3.29 ns 3.29 ns 214651254
(Why do both the "y" and "n" variants speed up with the EOR
change? Because the compiler transforms the code so that we
unconditionally do the bit twiddling and then use CSEL to decide whether
or not to actually use the result.)
We also save 1028 bytes of data in the LP64 libc.so.
Test: ran the bionic benchmarks and tests
Change-Id: I7829339f8cb89a58efe539c2a01c51807413aa2d
There are places in frameworks and art code that directly included
private bionic header files. Move these files to the new platform
include files.
This change also moves the __get_tls.h header file to tls.h and includes
the tls defines header so that there is a single header that platform
code can use to get __get_tls and the defines.
Also, simplify the visibility rules for platform includes.
Bug: 141560639
Test: Builds and bionic unit tests pass.
Change-Id: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
Merged-In: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
(cherry picked from commit 44631c919a)
The accompanying soong change causes sanitize attributes to be allowed on
cc_object targets and propagates sanitize attributes into dependencies. This
is problematic for the crt objects in sanitizer builds because everything
depends on them including the sanitizer runtime, so a circular dependency
would otherwise be created. Furthermore, some of the code in these objects
runs before sanitizer initialization so it is unlikely that sanitizing them
would work anyway. Therefore, disable sanitization on these objects.
Change-Id: I25380dfc8eed5db34b034ba127a9d6b5674032fa
We're going to have to add ifuncs to libm, and there will be some SVE
ones for arm64 soon too, so let's start sharing the absolute minimum...
Test: builds
Change-Id: Idbb9dd9477291ed3c15dc3902f65e593b766dfb9
Clang recently grew its own diagnostics for memcpy and such. These are
generally higher-quality than what we can do with diagnose_if, since
clang is happy to include e.g., sizes of things per-callsite. Move to
those instead where applicable.
Bug: 131861088, 123644155
Test: blueline internal-master checkbuild; treehugger
Change-Id: I701f5a8b247ba2948ca47fdc60ff5198b564c03e
Instead of having platform directories directly include the
private header, create a platform header directory and export it.
Bug: 130763340
Test: Builds.
Change-Id: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
Merged-In: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
(cherry picked from commit 8f582ef2f8)
Add a test for the new flag and add a test for the EFD_CLOEXEC flag.
Test: New unit tests pass on glibc and target.
Change-Id: Ib7a6ea4aadbd67ba8a523b6114a49fb8d6a43f12
This commit replaces `bzero` with `__bionic_bzero` and `bcopy` with
`__bionic_bcopy` because `bzero` and `bcopy` are partially defined in
`libc.map.txt`. Bionic versioner raises errors because versioner treats
static inline functions as exported function definitions then it
compares the availability with the information specified in
`libc.map.txt`.
This commit fixes the problem by replacing static inline functions into
`__bionic_{bzero,bcopy}` and defining aliases for source-level
compatibility.
Test: PATH=$(pwd)/prebuilts/clang-tools/linux-x86/bin:$PATH \
bionic/tools/versioner/run_tests.py
Bug: 140110040
Change-Id: I97f2f0dc0abccd0a9fcfe5bb02f4e918362d35cc
Split statfs and statvfs. The former has been available forever, and the
latter is implemented in terms of the former. The implementation has
been moved into headers so that it can be used at low API levels.
There's no reason for any Android or Linux code to use statvfs rather
than statfs, but code that needs to build on Darwin too will want to use
statvfs because Darwin's statfs is very spartan.
Bug: https://github.com/android-ndk/ndk/issues/609
Test: treehugger
Change-Id: Icf3d5723a260099fddb2d9f902e3047b0f041647
This commit annotates C11 Thread APIs so that bionic versioner won't
report errors.
This commit also adds a guard before `mtx_timedlock` because
`pthread_mutex_timedlock` was introduced in Android L.
Test: PATH=$(pwd)/prebuilts/clang-tools/linux-x86/bin:$PATH \
bionic/tools/versioner/run_tests.py
Bug: 140110040
Change-Id: I3c6ce0831f613ffd3a7bf1c1972fd3548195cc56
In ns_name_skip of ns_name.c, there is a possible out of bounds read due to
a missing bounds check. This could lead to remote denial of service with no
additional execution privileges needed. User interaction is not needed for
exploitation.
Bug: 137346580
Test: built, flashed, booted
Test: ns_parserr_fuzzer test
Change-Id: Ib023bd9b2ae97795d64195de9922a6a32d7b2f37
The arm32 case was omitted when the macro was originally added due to
clang issues (b/15469122#comment5).
Testing at ToT master, ".cfi_undefined r14" appears to compile & work as
expected. This is the same directive as used by the linker's begin.S.
Test: ran a 32 bit binary on crosshatch-userdebug, verified that
"debuggerd -b" (which uses libunwindstack) stops at __libc_init as in
the arm64 case (before it would unwind past _start_main, with an
erroneous frame at the bottom).
Test: ran unwind_reg_info tool on /system/lib/libc.so with an address
within __libc_init, confirmed that the "debug_frame" section includes
"r14 = undefine" (arm exidx still contains "r14 = [cfa - 4]", but that
looked correct to cferris@).
Bug: 140008396
Change-Id: I6eb0bc6cf516fddee2df40492350678a0547fee3
Most DSOs have a RELRO segment, but some of them have nothing except
__dso_handle in their .data section. This means __dso_handle is taking
up a page as well as a vm_area_struct in kernel slabs for those DSOs.
Let's move it to the RELRO segment to save memory.
On a 32-bit device I tested on, I saw ~400 KB less slab usage on
vm_area_struct. To control for difference in number of cached
processes, I also measured with Android stopped, and I saw ~100 KB less
slab usage. Summing up all dirty pages attributed to shared libraries,
I saw 5.6 MB less dirty pages.
Test: Build and boot.
Change-Id: Ib88e49f1c72352e610affc19623895d954110d4e
Previously, Bionic's dl_phdr_info only included the first four
dl_iterate_phdr fields. Several other libc's have these additional fields:
unsigned long long dlpi_adds -- incremented when a library is loaded
unsigned long long dlpi_subs -- incremented when a library is unloaded
size_t dlpi_tls_modid -- TLS module ID
void* dlpi_tls_data -- pointer to current thread's TLS block or NULL
These extra fields are also exposed by glibc, musl, and FreeBSD. The
unwinder in libgcc.a, linked into shipping Android DSOs, has a
PC->eh_frame cache that activates if dl_phdr_info has the dlpi_adds and
dlpi_subs fields (indicated at run-time by a sufficiently-large size
argument to the callback).
Bug: https://github.com/android-ndk/ndk/issues/1062
Test: bionic unit tests
Change-Id: I6f0bab548cf8c828af2ddab9eb01c5c6d70cd81f
(Via <sys/cdefs.h>, which is where we get <android/api-level.h> from.)
Not super helpful today, but when NDK r21 is the oldest NDK anyone cares
about, they'll be able to stop worrying about this specific header as
long as they've included _something_.
Test: builds
Change-Id: Ia5bc42f89b7025d8e3963e4fd590f0e3723157be
The call to the load hook needs to be moved before the call to link_image()
because the latter calls ifunc resolvers which might access global
variables. This fixes a bunch of ifunc tests.
The dlfcn.segment_gap test is currently failing. One problem is that the name
of the .bss.end_of_gap section changes as a result of global instrumentation.
Add some wildcards in so that we match both names. The other problem seems
to be the same as b/139089152.
It turns out that we need to untag pointers in a few more places. Since we have
quite a few of these now it seems worth creating a function for it.
Test: bionic-unit-tests
Change-Id: I44e2b0904faacdda7cc0c5e844ffc09de01dea2d
This reverts commit 66b5e3ca19.
Reason for revert: Causes installd_dexopt_test to fail. Presumably there is an existing issue which this change is turning into a hard fail, so that needs to be fixed before this can be rolled forwards. See b/139092341.
Bug: 139092341
Bug: 137788030
Change-Id: I1beccddff64c86541bc003b9b009f4046ec9cbf1
The fortify implementations of stpncpy and strncpy read out of bounds and
only then check that they did so. This causes newer versions of hwasan
to complain during the fortify tests as a result of the new support for
byte-precise error checks. Move the bounds check into the loop so that it
is detected before the load.
Test: bionic-unit-tests
Change-Id: Id990a4a0217f6c4b39bba60ff41776875615fcb4
Make fdsan fatal by default on native processes, and Java processes that
target R or later.
Bug: http://b/137788030
Test: manual
Change-Id: I5900efc606fc0d47b69223574ad7dca89afe4eda
Before aosp/1086558, this was needed, since we would have
_USING_LIBCXX defined, yet <atomic> was not available, so we'd run
into compiler issues. After that change, we're using
__has_include(<atomic>) so this is no longer an issue.
Test: build
Change-Id: Ia81d343000e7d90f07422120fc1e1eb5becb01aa
These hooks notify the HWASan runtime library whenever a library is loaded
or unloaded so that it can update its shadow memory.
Bug: 138159093
Test: walleye_hwasan-userdebug boots with+without https://reviews.llvm.org/D65770
Change-Id: I6caf2a6540ed2c0d94db444e806a3c7ba504cabb
These are old enough now that the latest devices will have kernels that
support them.
Also add basic doc comments to <sys/mman.h>.
Test: treehugger
Change-Id: I1b5ff5db0b6270f5c374287cac1d6a751a0259f5
Also, fix a bug in update_all.py when the syscalls file does not change.
Test: Builds and boots on a taimen.
Change-Id: If85b00daef2c176f804a0861894f5bbca9c6d5df
renameat2 is now exposed, my comment about timerfd was nonsense, and
it's worth documenting when and where the various syscalls appeared.
Bug: http://b/127675384
Test: treehugger
Change-Id: I84662398d39678df3ee7ce39add670337ff8abea
The cuttlefish folks are hitting this because the VDSO clock_gettime
falls back to the clock_gettime64 system call when given an invalid
clock.
Bug: http://b/138781460
Test: examined the generated .cpp files.
Change-Id: I98b311cd8652716eb6d45fb99308fdf952e79ba3
The AArch64 ELF specification originally specified these relocations:
R_AARCH64_TLS_DTPREL64 1028
R_AARCH64_TLS_DTPMOD64 1029
However, the GNU toolchain implemented them as:
R_AARCH64_TLS_DTPMOD64 1028
R_AARCH64_TLS_DTPREL64 1029
The AArch64 ELF specification has been updated to replace the relocations
with R_AARCH64_TLS_IMPDEF1 and with R_AARCH64_TLS_IMPDEF2, where each
implementation can choose which interpretation it implements, but with a
suggestion to follow the GNU behavior.
Also: remove the 64 suffixes from the TLS relocations. The newest version
of the AArch64 ELF specification (version f) also omits the suffixes, as
do the glibc headers.
Bug: http://b/123385182
Bug: https://bugs.llvm.org/show_bug.cgi?id=40507
Test: build device, it boots
Change-Id: Ie98b7624752982973f0ac969d646454a86784cab
Versioner is now a prebuilt in prebuilts/clang-tools and that project
has the Clang headers packaged with it. Use that dependency instead of
external/clang/lib/Headers. Use the linux-x86 path for both Linux and
Darwin since they are both the same.
Test: presubmit
Change-Id: I01ad4c05fe3301a2fdad3662377f78694af6cd81
Instead of maintaining a symbol ordering file, using the new
sort_bss_symbols_by_size property allows for symbol sorting at build
time.
Bug: 135754984
Test: Build and check the resulting libc.so has its bss symbols sorted.
Change-Id: I4a1cd6774dfe61b73f454bdf95b535db1f9fb1ac
The demangler is moving out of libc++abi to save on bloat.
Test: make checkbuild
Bug: http://b/138245375
Change-Id: I7402894bb326f524388c9efdf86509dad50f2018
We will put instrumentation in ART to write out Java heap memory
information on receipt of this signal.
Bug: 136210868
Test: Flash blueline-userdebug and boot
Change-Id: I63173a4051c46b8569faaf3064e1db1dbd0ea3fe
Bionic creates a single thread mapping to hold a thread's stack and static
TLS memory. Use PR_SET_VMA_ANON_NAME to name this region
"stack_and_tls:tid". dumpsys meminfo can report this region as "Stack"
memory.
The main thread's memory is instead named stack_and_tls:main, and the VMA
is renamed to stack_and_tls:main in a post-fork child.
For the main thread, and threads using pthread_attr_setstack, Bionic still
creates the stack_and_tls mapping, but it only has TLS memory in it.
Bug: http://b/134795155
Test: run "dumpsys meminfo" and verify that this CL increases the reported
stack memory usage from about 4MB to 21MB.
Change-Id: Id1f39ff083329e83426130b4ef94222ffacb90ae
Merged-In: Id1f39ff083329e83426130b4ef94222ffacb90ae
Bug: 136138882
Test: Ran malloc debug tests.
Test: Ran an app with backtrace_full and verified demangling working in
Test: log file.
Test: Enabled leak checking and verified that the logs include properly
Test: demangled.
Change-Id: Ic4fd9f1522451e867048ac1bea59d8c5ed0d3577
The previous check was causing some problems with platform builds
using the NDK. The new check is more accurate.
Move the C definitions from stdatomic.h to bits/stdatomic.h since
with the new check, we no longer can use the #undef trick to test
them.
Test: build platform NDK with stdatomic.h in pthread.h header
Test: stdatomic bionic-unit-tests
Change-Id: Ia0bc3cc8344f2ba4e6e55a52248fb6efee799d1d
This avoids art having a direct reference to bionic directories which
would prevent the bionic module from being unbundled from the runtime
module.
Bug: 134379140
Test: m droid
Change-Id: I9545767b76341fd01166b675bdd156f620d4f262
A bit of over-reliance on implementing pthread_cond_clockwait() in
terms of existing functions ended up with a bug that if the condition
variable was initialized to use CLOCK_MONOTONIC, then
pthread_cond_clockwait() would do the wrong thing.
This change corrects that and adds a test for this case.
Test: new and existing tests pthread_cond unit tests
Change-Id: I708d5dfbef95a67678db56dceda011f2f8fd1c5c
A future version of HWASAN will set pointer tags when taking the address of
a global. This means that we need to untag pointers in a couple of cases
where potential global pointers are passed to an interface that expects
untagged pointers:
- The WriteProtected class, whose only instances are globals, passes its
own address to mprotect. However, our device kernels do not currently
untag pointers passed to mprotect (the proposed upstream kernel patches
do, however, untag these pointers), so once HWASAN starts tagging global
pointers, this will start failing.
- The shadow_load function loads from a shadow that corresponds to the
address space bounds of loaded binaries. Since these address space
bounds are untagged, the pointer needs to be untagged to match.
Test: boots
Change-Id: I3f11ce6eb7261752e5ff6d039d04dd45516b236f
They're used by 32-bit sanitizers. We used to get these for free (as the
comment says), but the place we got them from changed. Just be explicit.
Longer-term we should fix how we build the sanitizers to only use the
canonical system calls, like they already do for arm64.
Bug: https://issuetracker.google.com/136777266
Test: builds
Change-Id: If80a8d47aa345aaaa8bed32b44f020e06e504d49
snprintf always calls free (on a null pointer) in its epilogue, which
results in infinite recursion if free calls a function that calls
bionic_trace_begin (e.g. when perfetto attempts to lock a mutex in
RecordFree).
Bug: http://b/137284735
Test: treehugger
Change-Id: I51c5b32e8f4e394be4602e06c7b94797df73c37b
Note that unlike the oem_ range that is used for the vendor
partitions, we do not create oem_<n> entries for these new reserved
ranges; they will only appear in getpwent()/getgrent() if there is an
entry in the corresponding passwd/group file.
Bug: 73062966
Test: can load AIDs from partitions other than vendor
Test: bionic-unit-tests
Change-Id: Ifcbbf202894adff948eaaba2a59e25c993611140
On systems where the tcache is disabled, the tcache clear option will
fail, and not really do a purge.
Bug: 137037462
Bug: 136236080
Test: Built taimen as malloc svelte and verified the M_PURGE mallopt
Test: call failed before this fix and passes afterwards.
Change-Id: Ib30e5f3e083a9c6d046adff30f2aa7eacaf6df10
__builtin_*_chk will emit warnings when things are trivially broken.
Emitting errors instead is probably better (and we can be a bit smarter
about how we emit code for trivially safe cases.)
Bug: 131861088
Test: checkbuild + bionic-unit-tests on blueline
Change-Id: I33957ad419922d0760304758ecb9bc8ad33e0b64
Plain __ for generated syscalls didn't mean it was a hidden symbol, it
just meant "please don't use this". We added ___ to signify that a
hidden symbol should be generated, but then we added the map files
anyway so you now have to explicitly export symbols. Given that, this
convention serves no particular purpose so we may as well just use the
nicer names have everything look the same.
Test: treehugger
Change-Id: If424e17a49c36f4be545f5d283c4561a6ea9c7ea
This also adds _2-variants for these functions, for extra glorious
checking
Bug: 131861088
Test: mma
Change-Id: I80475ff4bb220c0c47894e9532426f53412f176f
We should only be calling _real versions of the functions that use this
if the input size is verifiably <= SSIZE_MAX. Otherwise, just fall
through to _chk and let that handle it.
Bug: 131861088
Test: mma && bionic-unit-tests
Change-Id: Iba04e486ef91ea1b3539ab6df6260429264e66b4
As it says on the box.
Since realpath isn't a function definition, any attributes it provides
here just add to the "regular" realpath.
__wur is being added to realpath because it returns NULL on failure, and
the contents of the input buffer are undefined in that case. A blueline
checkbuild showed 0 complaints about this new __wur, so it seems
harmless to add.
Bug: 131861088
Test: mma
Change-Id: If5f47e0e290d86df69c0888711e29775c390fca4
This CL allows us to diagnose string functions that get an explicit size
passed into them, and string functions that are trivially misused.
Bug: 131861088
Test: mma
Change-Id: I894aec99420a75c6474cfd7d5010f0cf2f10ab21
The tzdata file is being removed from the runtime mainline module
in an upcoming commit. This commit removes the bionic references
to it.
This commit also contains general comment tidy-ups.
Bug: 132168458
Test: build only
Change-Id: I83cd9ff756b36e1d1222b7830f97c8bde2885ce4
Historical research (see bug) suggests that these functions were all in
22. The map file believed this with one (presumably typoed) exception,
but the header file didn't match the map file. It looks like the map was
correct (modulo the one typo), so fix up all the disagreement.
Bug: http://b/113618851
Test: treehugger
Change-Id: Ia579f4e6163206abfac79aa54dc98c792f00ee86
We're not going to change this code, ARM's not going to break it.
Silence the warnings.
Bug: http://b/114120867
Test: treehugger
Change-Id: Ie25ef44706c952efc5d54012391bee19af095818
Cleanup of references to 'coverage' in build files. Part of a larger
cleanup to make fuzzing work again in the Android build tree.
Also fixed a test issue with emulated TLS with the new changes, and
removed libc.so fuzzer support until a linked bug is fixed
(b/132640749).
Bug: 121042685
Test: With all patches in the bug merged: mmma bionic
Change-Id: I592352fe9210ff811a2660a88cbbfe48d70a1e57
Merged-In: I592352fe9210ff811a2660a88cbbfe48d70a1e57
In an attempt to make bionic's reporting of users and groups more
accurate, this change makes the user / group functions do the
following:
1) Fail to query a uid/gid for a secondary user when the uid/gid
doesn't exist. Currently bionic would return successfully but with
a empty string for the name.
2) Fail to query a platform uid/gid, except a limited pre-allocated
set for a secondary user, as these are not used by second users.
3) Fail to query uids for all users for the GID-only app ranges:
CACHE_GID, EXT_GID, EXT_CACHE_GID, SHARED_GID.
4) Fail to query gids in SHARED_GID range for secondary users, as
these GIDs are only allocated for the first user.
5) Use "u#_a#_ext" and u#_a#_ext_cache" for EXT_GID and EXT_CACHE_GID
ranges. This both allows querying based on these names and
returning these names for the appropriate uids/gids.
This also consolidates the tests for better readability.
Test: these unit tests, boot
Change-Id: I59a1af0792e7806d423439582e56ce7f9f801c94
This converts all of stdio to short-circuit _chk functions in trivially
safe cases.
Bug: 131861088
Test: checkbuild on internal master. blueline bionic tests pass + it
boots.
Change-Id: I981ac9bd19112492d5a47dc5277526426b9af710
This also lets us retire our |__enable_if| version of |strlen|, which
should catch strictly fewer cases where we can fold the string's length
to a constant than |__builtin_constant_p| inside of |strlen|.
Bug: 131861088
Test: checkbuild on internal master. blueline bionic tests pass + it
boots.
Change-Id: I21b750a24f7d1825591a88d12a385be03a0a7ca3
Android's current lld build has a hack that overaligns TLS segments, but
it broke glibc when it produced TLS segments where (p_vaddr % p_align) was
non-zero. Move the hack into Bionic's crtbegin instead. It will emit a
0-sized, 64-byte alignment TLS segment into executables that don't use
TLS, but that should be harmless.
This variant of the hack is compatible with the gold and lld linkers. The
ld.bfd linker will optimize the .tdata output section out if its size is
zero, preventing the overalignment in an executable that only has .tbss
sections. This problem could be fixed by adding a ". = .;" statement
inside .tdata in ld.bfd's linker script.
See discussion on https://reviews.llvm.org/D61824.
Bug: https://bugs.llvm.org/show_bug.cgi?id=41527
Test: bionic unit tests, boot a device
Change-Id: I34df8b5594b6518d4590e4861e3d0b74d6fa754e
|__builtin_constant_p| has become more flexible in clang. In particular,
it's no longer forcibly lowered before inlining, so we can actually use
it on function parameters (or |__bos(param)|).
This CL tweaks things so that trivially safe calls to FORTIFY'ed
functions compile into direct calls to those functions, rather than to
their _chk counterparts. This will be the most impactful with things
like |memset|, |memcpy|, etc., since clang has way more flexibility
about how to lower those than it does with |__memset_chk|,
|__memcpy_chk|, ...
As noted in the comments, the spelling of the new macros is meant to
match closely with the spelling of our |__bos_static| macros used in
|diagnose_if|.
This isn't a full cleanup of all of the cases in which we can do this.
Just a start on the super simple cases.
Bug: 131861088
Test: m checkbuild; blueline boots.
Change-Id: I696f42ce4a65231e0c4a78a4c5133a6be1cb7708
These were originally #defined so we could share them between our
GCC and clang FORTIFY implementations. Since we no longer have a GCC
FORTIFY, #defining them is sort of pointless.
Bug: 131861088
Test: mma
Change-Id: I2ae4e0bdebbed16c946f5df7cc38c471881b481e
Our diagnose_if conditions are repetitive. It's potentially convenient
to hide that behind a macro. There's an upcoming refactor to our
run-time checks; having static checks look super similar is convenient,
and makes correctness (hopefully) slightly more obvious.
Bug: 131861088
Test: checkbuild on internal master.
Change-Id: Ic39a3b6bf020734c1bef6be144f61ef81466aafe
Bug: 123312263
Test: Verified with asan enabled, malloc debug does not initialize.
Test: Ran tests on non-asan build and verify they pass.
Change-Id: I3c37c170bf6c1de42740972f2113ae991351d931
The arm exidx unwind information can be sparse and clang is producing
functions that cannot be properly represented. The .debug_frame includes
extra unwind information that covers the cases that are not complete, so
do not remove it. For example, the __strchr_chk function has a push
in the middle of the function, so any crash before that instruction will
not unwind properly.
This does increase the size of libc.so, but only by about 80,000 bytes.
Bug: 132992102
Test: Verified the .debug_frame exists in libc.so only for arm32.
Test: Used the unwind_reg_info to verify that __str_chk gets proper
Test: unwind info. Also use unwind_reg_info on some assembler functions
Test: to make sure that there is no overlapping information.
Change-Id: If9a6de15b3adf08a93c4563da8c89846e4dd059b
Add the malloc symbols used by libmemunreachable to the VNDK, and
make libc_malloc_debug_backtrace vendor_available.
Bug: 132302484
Test: m checkbuild
Change-Id: Ide555195afa084c13eaeaf0eab6ff90787b5f2d0
getpwnam_r() and getpwuid_r() clobber the storage used by getpwnam()
and getpwuid(). This isn't likely to be a big issue, but since we do
this right for the group functions, fix this as well as add a test.
Both use more space in buf than is actually required, but well below
their sysconf() suggested values, so we accept that to keep the code
concise.
Add tests for dealing with unaligned input buffers, particularly for
getgrnam_r() and getgrgid_r(), as they require alignment but this
wasn't being tested.
Refactor common initialization code for both passwd and group state
structs.
Remove extraneous null pointer checks; the values they were testing
were offsets of a previous pointer, so guaranteed to never actually be
null. If the underlying pointer is actually null, we're beyond repair
anyway, so accept that we'll crash.
Test: pwd/grp unit tests
Change-Id: I60c4d00e9ab3cf55daf8314c5029fd914025b696
When building the bionic tests, we use -fno-builtins, which turns off
clang's recognition of vfork as a magical function that can return
twice. Explicitly annotate our returns_twice functions to ensure that
we generate correct code even in -fno-builtins (and while we're at it,
annotate the no_return functions as well, so we generate faster code).
Bug: http://b/131856005
Test: treehugger
Change-Id: I465f8042a965f0c7c03caa5f17af67deea8f5d9d
Added get_malloc_leak_info and free_malloc_leak_info for arm 32 bit
only so that the kindle app will continue to run.
Bug: 132175052
Test: Ran kindle app, read pdf file. Verified libKindleReaderJNI.so
Test: is loaded in memory properly.
Change-Id: Ib1ea3a37b3729f9bcc2739c5f3a584ea8f66d200
Merged-In: Ib1ea3a37b3729f9bcc2739c5f3a584ea8f66d200
(cherry picked from commit 235f35a266)
I wrote a new unit test that would fail on the old version of the
code.
On a walleye big cpu, this costs about 40ns-50ns (going from ~430ns to ~480ns).
I think this is an acceptable performance degradation.
Bug: 131867816
Test: New unit tests pass.
Change-Id: I4c0f4373fb0694bf29c3824dbb1224a8a17e211e
Without pulling in <linux/fs.h>, the UAPI source of these constants,
because it's full of pollution, in particular a macro called BLOCK_SIZE
that breaks a lot of stuff.
Test: treehugger
Change-Id: I7258ec57e91c67645c2b4d0ce44850d757c4bb12
Enable native bridge support for bionic libraries.
Makes it possible to use them in binaries for translated
architectures.
Bug: http://b/77159578
Test: make
Change-Id: Iccd4ad7aecfa5260cc15f09ca975d2e18987278a
The locking can fail in a couple of ways:
- A concurrent fread from an unbuffered or line-buffered file flushes
the output of other line-buffered files, and if _fwalk locks every
file, then the fread blocks until other file reads have completed.
- __sfp can initialize a file lock while _fwalk is locking/unlocking it.
For now, revert to the behavior Bionic had in previous releases. This
commit reverts the file locking parts of commit
468efc80da.
Bug: http://b/131251441
Bug: http://b/130189834
Test: bionic unit tests
Change-Id: I9e20b9cd8ccd14e7962f7308e174f08af72b56c6
Also change the names of some of the functions to make it very obvious
that the functions being called are in je code.
Write new test to make sure mallinfo and malloc_info match.
Bug: 131864803
Test: New unit tests pass (along with all other bionic unit tests).
Change-Id: I26eda7e64f57a8c56cc8d70e3ed6a29dcb87f630
Merged-In: I26eda7e64f57a8c56cc8d70e3ed6a29dcb87f630
(cherry picked from commit 125d32cb46)
Bug: 131362671
Test: Ran bionic unit tests.
Test: Wrote a test that did a purge and verified that the tcache->ncached
Test: number went from 3 to 0. Also verified that mallinfo reflects the
Test: cached entries being flushed.
Change-Id: I64e35618fa3b523cf29bdaceedef676abe440dd3
Similar to the way we handle LIBC_DEBUG_MALLOC_OPTIONS
(bug 68003719), filter LIBC_HOOKS_ENABLE when we cross a
security boundary. This prevents modifying the allocation
behavior of a privileged program.
Introduced in
db478a6274%5E%21/#F0
(bug 30561479)
Test: compiles and boots
Change-Id: I59a7c224734b0991fd62efb45ab599dab8570723
For security reasons, when a binary is executed which causes a security
transition (eg, a setuid binary, setgid binary, filesystem capabilities,
or SELinux domain transition), the AT_SECURE flag is set. This causes
certain blacklisted environment variables to be stripped before the
process is executed. The list of blacklisted environment variables is
stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment
variables used internally by libc show up in this list.
Commit 02586a2a34 ("linker: the
global group is added to all built-in namespaces", Aug 2017) added
support for the environment variable LD_CONFIG_FILE. This debug build
only feature allows the caller to specify the path to the loader
configuration file. Like other linker environment variables, setting
this variable allows the calling process to control executed code of the
called process, which has security implications (on debuggable builds
only).
Add LD_CONFIG_FILE to UNSAFE_VARIABLE_NAMES. This has the effect of
stripping, on all build types, the LD_CONFIG_FILE environment variable.
This has three advantages:
1) Prevents security bugs should LD_CONFIG_FILE ever be inadvertantly
exposed on a production build.
2) Makes the behavior of userdebug and user builds more similar, helping
prevent build-type dependent bugs where someone may come to rely on this
debug-only feature.
3) Protect droidfood users against malicious applications which can
trigger a security transition, eg, the execution of crash_dump or the
renderscript compiler.
Alternative considered but rejected:
If we treated LD_CONFIG_FILE like LD_PRELOAD, we could expose this on
all build types, and remove the build-type dependent behavior. But this
is contrary to enh's Aug 02 2017 guidance at
https://android-review.googlesource.com/c/platform/bionic/+/449956
i'm still uncomfortable about LD_CONFIG_FILE because i'd like
to be reducing the number of environment variables that affect
the linker in P rather than increasing them.
Test: atest CtsBionicTestCases
Test: atest linker-unit-tests
Change-Id: I82d286546ee079b5cde04428dc89941c253c2d20
In __cxa_finalize, only call fflush(NULL) when the program is exiting, not
when a library is unloaded with dlclose. This change restores behavior
from 2015.
Flushing output is needed when the program exits, but flushing everything
is hazardous at other times because it can block -- fflush(NULL) locks
every file, so it also blocks on read operations.
Bug: http://b/130655235
Test: manual
Change-Id: I2f5ecffa6724bfd98a93d145ab5313c793c01ae6
Devices launched before Q may be using OEM defined AID that are not in
the OEM_RESERVED ranges. Those devices should be allowed to keep using
legacy oem AID values given it may not be possible to upgrade the
userdata and persist files through OTA.
Bug: 131095318
Test: bionic-unit-tests
Change-Id: I73fc0c452420be5287adcacb36a1e772acc9bb3e
Move /system dependency on tz_version to bionic from core-libart.
The file is not used by code but is useful on device to identify
the format / version / origin of the tzdata file. The
tz_version file identifies the Android release (e.g. 3.1 == Q), which
implies the version of zic used to generate tzdata, and any Android
revision of the tzdata (e.g. 2019a v2) that may have taken place. The
file was previously used by by the tzdatacheck binary but it has since
switched to using the copy in the runtime module.
The bionic README.md is also updated here to reflect latest locations of
scripts.
Bug: 131239046
Test: make installclean / make droid / inspect /system
Change-Id: Ib142f98aa30c8c9d5eda33df55d4191478570ced
We loop through android_ids in many functions, but this can be
consolidated into find functions.
Test: bionic-unit-tests
Change-Id: I70c423affe49090a93e999c72bb4c84a068de5d8
FreeBSD, glibc, and musl have all implemented C11 threads at this
point. POSIX is looking at how to align with it. Probably time to jump
on the bandwagon ourselves...
Implemented in the same style as <termios.h> so we can provide this
functionality even on older API levels. This does mean that this is
strictly more expensive than calling pthread functions directly.
Although this isn't in POSIX yet, assume that it's going to be basically
the same as C11 and add the header test anyway. We should revisit this
when POSIX actually adds <threads.h>.
Test: new tests
Change-Id: I8602d67ce71ca7f8ed1529daa0a8ea1feb083dd6
These symbols were previously provided by Android's out-dated libgcc,
but they're removed/deprecated in upstream libgcc, and also won't be
available in libclang_rt.builtins. We need to provide these methods in
libc itself for compatiblity.
Test: build with these symbols stripped in libgcc
Bug: 29275768
Change-Id: I04a05258c6c06b5a22ead41e148b02792ffbc941
This reverts commit e4788d4c7e,
which undid this change during the Q betas.
Bug: http://b/120989619
Change-Id: Iea589fd0e56426971adf9f7c19c2aedf0d7a7a60
Ensure we call realloc@plt rather than (as was previously happening)
inlining realloc into reallocarray, which makes the allocation invisible
to ASan.
Bug: http://b/129989984
Test: objdump
Change-Id: If8a43cba11aa5a2f2f62bacd02ef6ef4032e0dbb
Add a couple of comments explaining that a mutex can be freed during
the unlock call, immediately after the unlock's atomic exchange call but
before its futex wakeup call.
Bug: http://b/129744706
Test: bionic unit tests
Change-Id: I2d290ebde880f46866098d022720896039e7022e
For a recursive or errorcheck PI mutex, the old_owner variable wasn't
being initialized. As a result, unlocking a doubly-locked recursive
mutex owned by another thread decremented the mutex counter. Instead, the
unlock call should fail with EPERM.
Bug: http://b/130841532
Test: bionic-unit-tests
Test: bionic-unit-tests-glibc --gtest_filter='pthread.pthread_mutex_lock*'
Change-Id: I37adb094cb2ce8d51df7b4f48e8d6bc144436418
The libstdc++ directory has no copyright headers, so it was a no-op
anyway.
The interesting part will be switching libc and libm over to genrules...
Test: N/A
Change-Id: Iec92562af40c451fdcb4a7468984878ec5dba2ce
Bug: 130028357
Test: malloc_hooks unit tests.
Test: Enable backtrace for mediaserver, run dumpsys media.player -m
Test: Enable backtrace for calendar, run am dumpheap -n <PID> <FILE>
Change-Id: I6774e28ccd9b3f2310127a5b39ccd15fe696a787
Merged-In: I6774e28ccd9b3f2310127a5b39ccd15fe696a787
(cherry picked from commit 3aadc5e80a)
