This change implements the following property:
Any 2**N aligned memory region of size 2**N contains no more than one DSO.
The value N can be configured, with 16 or 18 looking like a good choice.
Additionally, DSOs are loaded at random page-aligned address inside these large
regions.
This change has dual purpose:
1. Larger values of N allow a lot more compact CFI shadow implementation.
See change I14dfea630de468eb5620e7f55f92b1397ba06217.
For example, CFI shadow for the system_server process has the following size (RSS, KB):
152 for N = 12, 32 for N = 16, 16 for N = 18.
2. Extra randomization is good for security.
This change does not result in extra RAM usage, because everything is still page-aligned.
It does result in a bit more VM fragmentation because of the gaps between shared libraries.
As it turns out, this fragmentation is barely noticeable because the kernel creates new mappings
at the highest possible address, and we do enough small mappings to almost completely fill the
gaps (e.g. in the Zygote the gaps are filled with .ttf file mappings and thread stacks).
I've measured VM fragmentation as the sum of all VM gaps (unmapped regions) that are larger
than 1MB according to /proc/$PID/maps. On aosp_angler-userdebug, the numbers are (in GB):
                 N = 12    N = 18
  system_server  521.9     521.1
  zygote64       522.1     521.3
  zygote32       2.55      2.55
  mediaserver    4.00      4.00
Change-Id: Ia6df840dd409c82837efd1f263be420d9723c84a
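The two things the commit message above measures can be checked from /proc/$PID/maps directly. This is an added example, not bionic code: it parses maps lines, computes the "sum of gaps larger than 1MB" fragmentation metric, reports any 2**N aligned region holding more than one DSO, and picks a random page-aligned offset inside such a region. The maps sample and the library paths are constructed, and the offset policy is an assumption of this example, not the loader's.

```python
import random
import re
from collections import defaultdict

# One /proc/PID/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Constructed sample, not a real capture: three DSOs plus one anonymous stack.
SAMPLE_MAPS = """\
7f0000000000-7f0000001000 r-xp 00000000 fd:00 100  /system/lib64/libfoo.so
7f0000001000-7f0000002000 r--p 00001000 fd:00 100  /system/lib64/libfoo.so
7f0000002000-7f0000003000 rw-p 00002000 fd:00 100  /system/lib64/libfoo.so
7f0000010000-7f0000012000 r-xp 00000000 fd:00 101  /system/lib64/libbar.so
7f0000300000-7f0000400000 rw-p 00000000 00:00 0    [anon:thread stack]
7f0040000000-7f0040001000 r-xp 00000000 fd:00 102  /system/lib64/libbaz.so
"""

def parse_maps(text):
    """Parse maps text into sorted (start, end, perms, path) tuples."""
    rows = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            rows.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return sorted(rows)

def gap_sum(rows, min_gap=1 << 20):
    """Fragmentation metric from the commit: total size of unmapped gaps larger than min_gap."""
    total = 0
    for (_, prev_end, _, _), (start, _, _, _) in zip(rows, rows[1:]):
        if start - prev_end > min_gap:
            total += start - prev_end
    return total

def dso_region_violations(rows, n):
    """Return {region base: DSO paths} for 2**n-aligned regions that hold more than one DSO."""
    regions = defaultdict(set)
    for start, end, _, path in rows:
        if path.endswith(".so"):
            for region in range(start >> n, ((end - 1) >> n) + 1):
                regions[region].add(path)
    return {base << n: sorted(paths) for base, paths in regions.items() if len(paths) > 1}

def random_page_offset(n, dso_size, seed, page_shift=12):
    """Assumed policy: a page-aligned offset inside a 2**n region at which dso_size still fits."""
    last_slot = ((1 << n) - dso_size) >> page_shift
    return random.Random(seed).randrange(last_slot + 1) << page_shift
```

With the sample, N = 12 and N = 16 satisfy the property but N = 18 does not, because libbar.so sits only 64KB past libfoo.so.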
Previous patch changed pthread_cond_timedwait_relative_np to use
CLOCK_REALTIME, which causes app compatibility problem. So change
it back to CLOCK_MONOTONIC.
Bug: 30106240
Change-Id: I8e04058e92ede098f4f9f8d133f094001921441e
Previously, arc4random would register a fork-detecting pthread_atfork
handler to not have to call getpid() after a fork. pthread_atfork uses
pthread_mutex_lock, which requires the current thread to be initialized,
preventing the use of arc4random for initializing the global stack guard,
which needs to happen before the main thread has been initialized.
Extract the arc4random fork-detection flag and use the existing
arc4random fork handler to set it.
Bug: http://b/29622562
Change-Id: I98c9329fa0e489c3f78cad52747eaaf2f5226b80
Spotted these while cleaning up <sys/cdefs.h> --- if we remove __USE_XOPEN2K8,
libchrome decides you "must" have futimes. Adding the missing functions (all
just alternative interfaces to utimensat(2) system call) lets us clean up
without breaking anything.
Change-Id: If44fab08ee3de0e31066d650d128a3c96323529b
There's no change to the generated stubs, because the script only cares
that this is a pointer type, not what it's a pointer to.
Change-Id: I766720965f0f3d201fc90677a076b26870485377
Move everything to where it should be.
Along the way, we lose <net/ethertypes.h>. glibc only has a handful of these
types, and they're all in <net/ethernet.h>, not <net/ethertypes.h>. I've taken
the liberty of not including the AppleTalk ones, since it is 2016.
Also, <net/if_ether.h> should be <netinet/if_ether.h> (though with different
contents).
Bug: http://b/28519060
Change-Id: Ia41c3fc136fd3e6b008c8d08018e0629134ea6fc
* Allow clone where both the child function and stack are null. It's
obviously wrong to ask to call a function without a stack, but it's not
necessarily wrong to supply no stack if you're also not supplying a
function.
* Reimplement fork in terms of the clone function, rather than using the
clone system call directly.
This is intended as a step towards enabling use of pid namespaces.
Change-Id: I03c89bd1dc540d8b4ed1c8fdf6644290744b9e91
http://clang.llvm.org/docs/AttributeReference.html#nonnull
_Nonnull is similar to the nonnull attribute in that it will instruct
compilers to warn the user if it can prove that a null argument is
being passed. Unlike the nonnull attribute, this annotation indicates
that a value *should not* be null, not that it *cannot* be null, or
even that the behavior is undefined. The important distinction is that
the optimizer will perform surprising optimizations like the
following:
  #include <stddef.h>

  // Argument 1 is declared nonnull; the attribute syntax takes the
  // argument index in double parentheses.
  void foo(void*) __attribute__((nonnull(1)));
  void foo(void* p) { (void)p; }  // trivial definition so this links

  int bar(int* p) {
    foo(p);
    // The following null check will be elided because nonnull
    // attribute means that, since we call foo with p, p can be
    // assumed to not be null. Thus this will crash if we are called
    // with a null pointer.
    if (p != NULL) {
      return *p;
    }
    return 0;
  }

  int main() {
    return bar(NULL);
  }
Note that by doing this we are no longer attaching any sort of
attribute for GCC (GCC doesn't support attaching nonnull directly to a
parameter, only to the function and naming the arguments
positionally). This means we won't be getting a warning for this case
from GCC any more. People that listen to warnings tend to use clang
anyway, and we're quickly moving toward that as the default, so this
seems to be an acceptable tradeoff.
Change-Id: Ie05fe7cec2f19a082c1defb303f82bcf9241b88d
* Fix the return type of towlower_l/towupper_l.
* Implement wctrans/wctrans_l/towctrans/towctrans_l.
* Move declarations that POSIX says are available from both <wchar.h> and
<wctype.h> to <bits/wctype.h> and include from both POSIX headers.
* Write the missing tests.
Change-Id: I3221da5f3d7e8a2fb0a7619dc724de45f7b55398
Not efficient to iterate through, given the large number of Android
ids (AID). A compile warning will result if you use these functions,
telling you as much. Not for general consumption; however, for
example, some filesystem tests would like to see these to perform
all corners.
About 1/4 second for getpwent, and 1/8 second for getgrent to iterate
through all reserved Android aids.
Bug: 27999086
Change-Id: I7784273b7875c38e4954ae21d314f35e4bf8c2fc
* changes:
Move <sys/sysconf.h> to <bits/sysconf.h>.
Remove mbstowcs from <wchar.h>.
Extract getopt and friends to <bits/getopt.h>
Remove declaration of unlinkat from <fcntl.h>.
Extract ioctl to <bits/ioctl.h>.
Extract fcntl to <bits/fcntl.h>.
Extract strcasecmp and friends to <bits/strcasecmp.h>.
Make <bits/lockf.h> compile standalone.
Make <android/dlext.h> compile standalone.
Make the network headers compile standalone.
Remove duplicate declaration of mlock, munlock.
The XXXX now lines up to the underlying uid and has no offset.
Work with AID_OEM_RESERVED uids.
Test uses hard coded values to catch changes in the API expectations
that may occur in private/android_filesystem_config.h.
SideEffects: names change, some product dependencies.
Bug: 27999086
Change-Id: Ic2b4c36de74ae009a44e14711c75834293828207
- added grp_pwd.cpp containing POSIX passwd and group functions,
colocated because they share with the Android ID (AID) roots.
- stubs.cpp contains all the truly empty functions (network and
protocol accessors)
Bug: 27999086
Change-Id: I036f9e2dd246f48302cb7c97d23176fa24d19c33
Implement the legacy SysV signal handling functions sighold(),
sigignore(), sigpause(), sigrelse(), and sigset() in terms of the newer
POSIX signal APIs. As of POSIX 2013 the SysV signal APIs are deprecated
but still required.
Change-Id: I4ca40e3d706605a7d1a30dc76c78b2b24586387d
Signed-off-by: Greg Hackmann <ghackmann@google.com>
The code to calculate thread stack and signal stack looks weird:
the thread stack size and signal stack size are related to
each other in 32-bit mode, but not in 64-bit mode. So change the
code to make the logic more reasonable. This doesn't change anything
as we have defined SIGSTKSZ to 16K on arm64.
Bug: 28005110
Change-Id: I04d2488cfb96ee7e2d894d062c66cef950fec418
This function only exists for backwards compatibility, so leave it as it was.
Bug: http://b/26944282
Change-Id: I31973d1402660933103ee2d815649ab9569e4dfc
Although there is a test pthread.pthread_mutex_owner_tid_limit
to check pid_max, bionic-unit-tests hangs before reaching
that test. So abort at libc initialization if not able to reach
the test when running bionic-unit-tests32. It is more friendly
for debugging.
Bug: 24016357
Change-Id: Ia70c2e36fd8a3a040d41ea5722c7b48a6134e102
POSIX makes "the CPU-time clock of the calling thread" (i.e.,
CLOCK_THREAD_CPUTIME_ID) a special case which returns EINVAL instead of
ENOTSUP.
However, the clock_nanosleep syscall treats this clock just like any
other, and returns -EOPNOTSUPP to indicate an unimplemented nanosleep
handler. So we need to handle this ourselves in userspace.
This change fixes the LTP clock_nanosleep01 testcase.
Change-Id: If3bed940d276834bcd114d8c17f96197e9384711
Signed-off-by: Greg Hackmann <ghackmann@google.com>
bionic has the Linux-specific mntent.h but is missing hasmntopt().
Change-Id: I0ab7b83626c969704add4e64b37a6fc715d4a723
Signed-off-by: Greg Hackmann <ghackmann@google.com>
{get,set}domainname aren't in POSIX but are widely-implemented
extensions.
The Linux kernel provides a setdomainname syscall but not a symmetric
getdomainname syscall, since it expects userspace to get the domain name
from uname(2).
Change-Id: I96726c242f4bb646c130b361688328b0b97269a0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
This patch uses __kernel_vsyscall instead of "int 0x80"
as the syscall entry point. AT_SYSINFO points to
an adapter to mask the arch specific difference and gives a
performance boost on i386 architecture.
Change-Id: Ib340c604d02c6c25714a95793737e3cfdc3fc5d7
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
Even though the size parameter to epoll_create(2) is (otherwise) unused,
passing in size <= 0 is explicitly documented as an error.
This change fixes the LTP epoll01 testcase.
Change-Id: I044a38be823c2fa956b57e77cc66571dfae8a4bb
Signed-off-by: Greg Hackmann <ghackmann@google.com>
The clone syscall accepts NULL child stacks, interpreting this to mean
the child gets a copy of the parent's stack with copy-on-write
semantics. However clone(2) is explicitly documented to treat this as
an error.
"Fortunately" every architecture's __bionic_clone implementation pushes
something onto the child stack before making the clone syscall. So we
know fixing this won't break legacy apps, because any app that tried
using a NULL child stack would have died with SIGSEGV.
This change fixes the LTP clone04 testcase.
Change-Id: I663b34f34bc8dad2aa405c46e4eed4418cccca0d
Signed-off-by: Greg Hackmann <ghackmann@google.com>