Commit graph

82 commits

Author SHA1 Message Date
Elliott Hughes
3f66e74b90 Remove nullability specifications.
Bug: http://b/64251432
Test: builds
Change-Id: I5b1613484783f7478d30b5e694007f77fa626659
2017-08-01 13:24:40 -07:00
Elliott Hughes
ec6850d849 Remove restrict/__restrict.
We've never really used __restrict: only <string.h> and <stdio.h> (which
are still very similar to upstream BSD headers) consistently have these
annotations. Neither clang nor GCC warns for trivial cases, and there's
little obvious documentation benefit.

Bug: http://b/30833514
Test: builds
Change-Id: I3e4384281865475d0c55d764b546d8166419ee31
2017-08-01 08:28:46 -07:00
George Burgess IV
b97049c039 libc: Split FORTIFY into its own headers
This patch cleans up our standard headers by moving most of the FORTIFY
cruft out in to its own sandbox. In order to include the *_chk and
*_real declarations, you can either enable FORTIFY, or `#define
__BIONIC_DECLARE_FORTIFY_HELPERS`.

Both sys/select.h and strings.h are explicitly ignored by this patch.
Both of these files have very small __BIONIC_FORTIFY blocks, and don't
define any actual FORTIFY'ed functions (just macros, and 3 *_chk
functions).

This patch also makes the versioner ignore the FORTIFY implementation
headers, since we're guaranteed to pick the FORTIFY'ed headers up when
looking at the regular headers. (...Not to mention that making the
FORTIFY'ed headers freestanding would be annoying to do and maintain for
~no benefit).

We bake the knowledge of where FORTIFY headers live directly into the
versioner. We could go with a more general approach (e.g. adding an -X
IGNORED_FILE flag that tells the versioner to ignore
$HEADER_PATH/$IGNORED_FILE), but we'd then have to repeat that for every
test, every manual invocation of the versioner, etc. for no benefit
that's obvious to me.

Bug: 12231437
Test: m checkbuild on bullhead internal master + CtsBionicTestCases. no
new errors.

Change-Id: Iffc0cc609009b33d989cdaddde0a809282131a5b
2017-07-27 17:00:13 -07:00
Josh Gao
16d9ba808b Add version info for C++ versions of basename, strchrnul.
These still won't get guards added by the preprocessor, because it
compiles with C-only.

Bug: https://github.com/android-ndk/ndk/issues/440
Test: treehugger
Change-Id: I893b345e528ed1b761e0db00700037411bbb8b78
2017-06-30 13:21:25 -07:00
George Burgess IV
31e5a35f3d libc: fix typo in __RENAME macro
Apparently __strncpy_real redirects to strcpy instead of strncpy for GCC
builds. This is bad, and it confused a project compiled by GCC that uses
strcpy.

I audited all of the FORTIFY-related __RENAMEs both manually and with a
script I hacked together; they all look correct aside from this one.

FWIW, with the cleaned up clang FORTIFY, lots of the `void foo()
__RENAME(foo)` will just become `void foo()` if this last thing I'm
working on gets through review.

Bug: 35329524
Test: Previously broken project now seems to work. Bullhead and Ryu
both build + boot.

Change-Id: Ib18ee3535ae31eb7e8ae846dc012f9b64cac80bf
2017-04-19 18:46:44 +00:00
Treehugger Robot
278d31d36e Merge "libc: add const-correct string.h overloads" 2017-04-05 23:57:13 +00:00
George Burgess IV
19710f761b libc: remove newlines in prototypes in string.h
This gives more useful diagnostics if clang needs to mention these
functions (or a parameter of them).

Bug: 36984245
Test: m on bullhead completes successfully.
Change-Id: I17c2b624d08bc9dd3f08185b30029ed0c49ebb08
2017-04-05 13:30:52 -07:00
George Burgess IV
bd3d2088d9 libc: add const-correct string.h overloads
libcxx provides const-correct overloads for a few string.h functions.
These overloads use clang's enable_if attribute, so they're preferred
over our FORTIFY'ed equivalents.

This weakens _FORTIFY_SOURCE=2 when used with some of these functions,
since clang needs to see __pass_object_size in order to pass an accurate
result for __builtin_object_size(s, 1) at a callsite. Since those
functions don't have __pass_object_size on their params, clang can't do
that. This makes LLVM lower the __builtin_object_size calls, which means
we get the same result as __builtin_object_size(s, 0).

We have to provide all of the overloads in Bionic, since enable_if is
only used to disambiguate overloads with (otherwise) the same type. In
other words:

// overload 1
char *strchr(const char *, int s) __attribute__((enable_if(1, "")));
// overload 2
char *strchr(char *, int s);

void foo() {
  char cs[1] = {};
  strchr(static_cast<const char *>(cs), '\0'); // calls overload #1.
  strchr(cs, '\0'); // calls overload #2.
}

Bug: 34747525
Test: m checkbuild on bullhead internal master + AOSP. vts -m
BionicUnitTests passes on both. Surprisingly, the only code that this
seems to break is contained in Bionic.

Change-Id: Ie406f42fb3d1c5bf940dc857889876fc39b57c90
2017-04-05 13:17:07 -07:00
George Burgess IV
bce9a7d518 libc: use __bos instead of __bos0 for strchr.
I dunno why I used __bos0 in the first place; clang's strrchr (and
GCC's strchr+strrchr) both use __bos.

Bug: 34747525
Test: m. Device still boots. cts -m BionicUnitTests shows no new
failures.
Change-Id: Ifec0e05a6a1144fa3e3ac70562af3ec57c09c194
2017-04-04 11:12:18 -07:00
Dan Albert
9c2094f3c5 Fixup API level guards for new fortify functions.
Test: tools/update_headers.sh && make checkbuild
Bug: None
Change-Id: I9d06ea8a5ee9dc27d957f59e6e84150651ed1c76
2017-02-14 22:22:13 -08:00
Dan Albert
8b154b1e82 Guard the GNU strerror_r with an API check.
The deprecated headers have always had only the POSIX definition
available (and it's always been available). With the unified headers
as they are now, we actually make it unavailable for C++ users (C++
implies _GNU_SOURCE) targeting below M. Adding this guard means that
pre-M users will still at least get the POSIX one.

It's not great that moving to M as your target API will actually
change the signature of your strerror_r, but I don't see a better
option here (not until we have the compatibility library, anyway).

Test: make checkbuild
Bug: None
Change-Id: I2d15702467533a826c4ec10fd973ee929d2b562a
2017-02-14 19:29:31 -08:00
George Burgess IV
156d5a8ae9 Match __bos0 to __pass_object_size0 in FORTIFY
pass_object_size(N) forwards the result of __builtin_object_size(param,
N) to a function. So, a function that looks like:

  size_t foo(void *const p __pass_object_size) { return __bos0(p); }
  int bar = foo(baz);

would effectively be turned into

  size_t foo(void *const p, size_t sz) { return sz; }
  int bar = foo(baz, __bos(baz)); // note that this is not __bos0

This is bad, since if we're using __bos0, we want more relaxed
objectsize checks.

__bos0 should be more permissive than __bos in all cases, so this
change Should Be Fine™.

This change also makes GCC and clang share another function's
implementation (recv). I just realized we need to add special
diagnostic-related overloads bits for clang to it, but I can do that in
another patch.

Bug: None
Test: Bullhead builds and boots; CtsBionicTestCases passes.
Change-Id: I6818d0041328ab5fd0946a1e57321a977c1e1250
2017-02-10 18:14:43 -08:00
George Burgess IV
7cc779f15c libc: add clang FORTIFY support
This patch adds clang-style FORTIFY to Bionic. For more information on
FORTIFY, please see https://goo.gl/8HS2dW . This implementation works
for versions of clang that don't support diagnose_if, so please see the
"without diagnose_if" sections. We plan to swap to a diagnose_if-based
FORTIFY later this year (since it doesn't really add any features; it
just simplifies the implementation a lot, and it gives us much prettier
diagnostics)

Bug: 32073964
Test: Builds on angler, bullhead, marlin, sailfish. Bionic CTS tests
pass on Angler and Bullhead.

Change-Id: I607aecbeee81529709b1eee7bef5b0836151eb2b
2017-02-09 15:49:32 -08:00
Elliott Hughes
5bc78c8bcd Add and use constants for the Android API levels.
Test: bionic tests still pass
Change-Id: If1b619cfc9db1d3f5d91f14f2ace71058dca0c4a
2016-11-16 16:55:42 -08:00
Dan Albert
a3ce418ca6 Revert "Add legacy inlines for locale aware APIs."
We can't really add these to the unified headers yet since we're
still using the old headers as well, and libandroid_support needs to
work with both. These functions are already defined in
libandroid_support, so when using unified headers we'll get duplicate
definitions.

This was only going to be a temporary solution anyway. Instead we'll
just rely on libandroid_support (and eventually its rewrite) to handle
these.

This reverts commit 6576a3749b.

Test: ./tools/update_headers.py && make ndk && make native
      # Copied into working directory for unified headers NDK work.
      ndk/checkbuild.py
      ndk/run_tests.py --force-unified-headers
Bug: None

Change-Id: I5762e815e2030c89d7f2540df08dd67b6c2d10a5
2016-10-31 16:47:22 -07:00
Elliott Hughes
95fa061678 Rename __pure, __pure2, and __purefunc.
These names were pretty misleading (aka "backwards"), so switch to the
same obvious names glibc uses.

Test: build.
Change-Id: Ia98c9dbbccd0820386116562347654e84669034a
2016-09-28 12:36:38 -07:00
Josh Gao
6cd9fb080c Fix warnings (and errors) in static inline headers.
Bug: http://b/31676510
Change-Id: Idcbc544e498f7e6bbe99c2bf7dc557a5681e96c4
Test: preupload hook
2016-09-23 14:34:03 -07:00
Dan Albert
6576a3749b Add legacy inlines for locale aware APIs.
Test: make checkbuild tests
Bug: http://b/31639993
Change-Id: Ic43d690dff3c6960d7826bd0b064640a3ea0e883
2016-09-22 00:44:37 -07:00
Dan Albert
e5dd632e43 Move strncpy fortify into android-21.
__strncpy_chk2 wasn't added until android-21.

Test: make checkbuild
Bug: None
Change-Id: I527f88aca55ef5010e12ece18abbdce3d54ce252
2016-09-08 13:08:47 -07:00
Dan Albert
dfa6bbb54b Guard fortify inlines with __ANDROID_API__.
Test: make checkbuild with libc ndk_library patches applied
Change-Id: Ic5e248994c4f2702b0f4d6dfeda787187ea86017
2016-08-05 16:33:32 -07:00
Elliott Hughes
5470c18361 Make it possible to build bionic with -I instead of -isystem.
Various things:

* work around -Wnullability-completeness.
* use C++ casts in C++ and C casts in C.
* stop using attributes clang doesn't support (such as `warning`).
* remove duplicate definitions of XATTR_CREATE and XATTR_REPLACE.

Change-Id: I07649e46275b28a23ca477deea119fe843999533
2016-07-22 13:12:53 -07:00
Josh Gao
46b44160e9 Update header versions for NDK platform fixes.
Bug: http://b/28178111
Change-Id: Icd638673b409aa43a91490f77c6b4d79c9ea20d9
2016-06-02 13:40:35 -07:00
Dan Albert
baa2a973bd Use clang's nullability instead of nonnull.
http://clang.llvm.org/docs/AttributeReference.html#nonnull

_Nonnull is similar to the nonnull attribute in that it will instruct
compilers to warn the user if it can prove that a null argument is
being passed. Unlike the nonnull attribute, this annotation indicated
that a value *should not* be null, not that it *cannot* be null, or
even that the behavior is undefined. The important distinction is that
the optimizer will perform surprising optimizations like the
following:

    void foo(void*) __attribute__(nonnull, 1);

    int bar(int* p) {
      foo(p);

      // The following null check will be elided because nonnull
      // attribute means that, since we call foo with p, p can be
      // assumed to not be null. Thus this will crash if we are called
      // with a null pointer.
      if (src != NULL) {
        return *p;
      }
      return 0;
    }

    int main() {
      return bar(NULL);
    }

Note that by doing this we are no longer attaching any sort of
attribute for GCC (GCC doesn't support attaching nonnull directly to a
parameter, only to the function and naming the arguments
positionally). This means we won't be getting a warning for this case
from GCC any more. People that listen to warnings tend to use clang
anyway, and we're quickly moving toward that as the default, so this
seems to be an acceptable tradeoff.

Change-Id: Ie05fe7cec2f19a082c1defb303f82bcf9241b88d
2016-05-05 17:11:54 -07:00
Josh Gao
14adff1cfa Add versioning information to symbols.
Bug: http://b/28178111
Change-Id: I46bf95accd819f4521afb1173d8badcc5e9df31c
2016-04-29 16:39:50 -07:00
Josh Gao
c3cec27ad7 Extract strcasecmp and friends to <bits/strcasecmp.h>.
Bug: http://b/28067717
Change-Id: I76bab098d4c35d07a7a108055c43c820087f9253
2016-04-07 18:01:59 -07:00
Josh Gao
eb9b925012 Fix GNU/POSIX basename headers.
Including glibc's <libgen.h> will result in the user getting the POSIX
version of basename always, regardless of when it is included relative
to <string.h>. Prior to this patch, our implementation would result in
the one that's included first winning.

Bug: http://b/25459151
Change-Id: Id4aaf1670dad317d6bbc05763a84ee87596e8e59
2015-11-04 14:19:55 -08:00
Elliott Hughes
7ac3c128bb Add strchrnul.
Bug: http://b/18374026
Change-Id: Iea923309c090a51a2d41c5a83320ab3789f40f1c
2015-08-26 09:59:29 -07:00
Daniel Micay
4ae773633a add fortified memchr/memrchr implementations
Change-Id: I38c473cc0c608b08f971409a95eb8b853cb2ba1c
2015-04-17 21:17:12 -04:00
Elliott Hughes
3cfb52aab2 Add GNU extensions mempcpy and wmemcpy.
Used by elfutils. On the bright side, they stopped using __mempcpy.

Bug: 18374026
Change-Id: Id29bbe6ef1c5ed5a171bb6c32182f129d8332abb
2015-02-18 22:02:56 -08:00
Elliott Hughes
5038b19cef Break two incorrect transitive includes.
Change-Id: I95519caa5258cf5c6b8053f1c7e08ade2a824e49
2015-01-29 20:12:13 -08:00
Elliott Hughes
76f8916b90 Clean up <stdlib.h> slightly.
Interestingly, this mostly involves cleaning up our implementation of
various <string.h> functions.

Change-Id: Ifaef49b5cb997134f7bc0cc31bdac844bdb9e089
2015-01-26 14:28:41 -08:00
Elliott Hughes
b20c24456e Implement all the POSIX _l functions.
Strictly speaking, this only implements the _l variants of the functions
we actually have. We're still missing nl_langinfo_l, for example, but we
don't have nl_langinfo either.

Change-Id: Ie711c7b04e7b9100932a13f5a5d5b28847eb4c12
2014-11-06 15:52:22 -08:00
Dan Albert
658727e111 Inline helpers need to be exported unmangled.
__open_2() is used by the fortify implementation of open(2) in
fcntl.h, and as such needs an unmangled C name. For some reason
(inlining?), this doesn't cause problems at the default optimization
level, but does for -O0.

The rest of these didn't cause build failures, but they look suspect
and probably will, we just haven't caught them yet.

Bug: 17784968
Change-Id: I7391a7a8999ee204eaf6abd14a3d5373ea419d5b
2014-10-07 16:46:47 -07:00
Nick Kralevich
b84f667e93 further cleanup memcpy fortify implementation
Change-Id: I0380f3c8ca8f9bb8a206accd839c32c9daf13c56
2014-10-05 06:52:24 -07:00
Nick Kralevich
48be71d02b string.h: remove unused variable
Change-Id: I08b7dab1b374ad427fcbee4183f2c7d93d0199a9
2014-10-04 15:20:00 -07:00
Elliott Hughes
416d7ddaff Add GNU-compatible strerror_r.
We already had the POSIX strerror_r, but some third-party code defines
_GNU_SOURCE and expects to get the GNU strerror_r instead.

This exposed a bug in the libc internal logging functions where unlike
their standard brethren they wouldn't return the number of bytes they'd
have liked to have written.

Bug: 16243479
Change-Id: I1745752ccbdc569646d34f5071f6df2be066d5f4
2014-08-28 16:37:09 -07:00
Elliott Hughes
09c39d6df0 Implement the GNU basename(3) in addition to the POSIX one.
Code like perf(1) needs this.

Bug: 11860789
Change-Id: I907eb448052a7b165e4012d74303330d32328cb2
2014-08-19 14:30:30 -07:00
Elliott Hughes
2cfb4e8e2e Improve <sys/cdefs.h>.
Fix and use __RENAME (and lose ___RENAME --- two underscores should be
enough for anybody). This was the point of this change, because I want
to use __RENAME to support the two basename variants and the two
strerror_r variants.

Lose a bunch of macros that weren't being used.

Lose three dead files from the DNS code.

Change-Id: I3ef645c566b16a52217bc2e68c7d54b37c7c9522
2014-08-18 14:45:42 -07:00
Dehao Chen
28285f85a1 Workaround b/16818336 which fails build under aggressive inlining.
(cherry-pick of 7aa27e1c1a53afe28f6180fd1fc50d096cabea7b.)

Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
2014-08-06 11:43:38 -07:00
Dan Albert
dfb5ce42bc Revert "Revert "Add locale aware APIs.""
This reverts commit 063e20c269.

Change-Id: Ib8c9004efefe75a5346b3af50dfe37952d91eb21
2014-07-11 16:21:31 +00:00
Dan Albert
063e20c269 Revert "Add locale aware APIs."
Accidentally verified against a dirty tree. Needs the companion change to libc++ to land upstream before I can submit this.

This reverts commit e087eac404.

Change-Id: I317ecd0923114f415eaad7603002f77feffb5e3f
2014-07-09 22:50:43 +00:00
Dan Albert
e087eac404 Add locale aware APIs.
Since we only support the C locale, we can just forward all of these to
their non-locale equivalents for correct behavior.

Change-Id: Ib7be71b7f636309c0cc3be1096a4c1f693f04fbb
2014-07-09 15:41:53 -07:00
Dan Albert
40fca0f08b Removes index() from bionic.
This function has been removed from POSIX.

Unfortunately, we can't leave #define index(a, b) strchr((a), (b)) in its place
because defining a preprocessor macro for index() breaks a whole lot of code.

Bug: 13935372
Change-Id: Ifda348acde06da61c12e7ee2f8fe6950a3174dd1
2014-06-05 11:05:10 -07:00
Christopher Ferris
950a58e24d Add stpcpy/stpncpy.
Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
2014-04-07 16:41:53 -07:00
Elliott Hughes
152b9de19a Remove non-standard memswap.
Change-Id: I06548dda339987b755ef7139c590ca3e1f9fe0a9
2014-03-10 15:54:40 -07:00
Elliott Hughes
53e43292aa More OpenBSD cleanup (primarily string).
This patch removes the string/ and wchar/ directories.

Change-Id: Ia489904bc67047e4bc79acb1f3eec21aa3fe5f0d
2014-02-24 18:02:05 -08:00
Nick Kralevich
d13c2b1ba6 Fix unnecessary call to __strncpy_chk2
If "n" is smaller than the size of "src", then we'll
never read off the end of src. It makes no sense to call
__strncpy_chk2 in those circumstances.

For example, consider the following code:

int main() {
  char src[10];
  char dst[5];
  memcpy(src, "0123456789", sizeof(src));
  strncpy(dst, src, sizeof(dst));
  dst[4] = '\0';
  printf("%s\n", dst);
  return 0;
}

In this code, it's clear that the strncpy will never read off
the end of src.

Change-Id: I9cf58857a0c5216b4576d21d3c1625e2913ccc03
2013-09-27 13:21:24 -07:00
Pavel Chupin
3c4b50fd8c Fix strchr for basic non-sse case on x86
Fix source location. Move declaration of __strchr_chk out of
ifdef __BIONIC_FORTIFY which should be available for strchr.cpp
compilation when __BIONIC_FORTIFY is not defined.

Change-Id: I552a6e16656e59b276b322886cfbf57bbfb2e6a7
Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
2013-09-03 16:20:52 +04:00
Nick Kralevich
bd8e6749b7 cdefs.h: introduce __bos0
Introduce __bos0 as a #define for __builtin_object_size((s), 0).
This macro is intended to be used for places where the standard
__bos macro isn't appropriate.

memcpy, memmove, and memset deliberately use __bos0. This is done
for two reasons:

1) I haven't yet tested to see if __bos is safe to use.
2) glibc uses __bos0 for these methods.

Change-Id: Ifbe02efdb10a72fe3529dbcc47ff647bde6feeca
2013-08-28 14:27:14 -07:00
Nick Kralevich
93501d3ab8 FORTIFY_SOURCE: introduce __strncpy_chk2
This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
2013-08-28 12:39:06 -07:00