Commit graph

2738 commits

Author SHA1 Message Date
Evgenii Stepanov
3ff4245c70 Merge "Add tagged pointers to bionic." 2020-01-24 00:26:32 +00:00
Elliott Hughes
8fe1fcd804 Merge "Reimplement realpath." 2020-01-23 20:34:15 +00:00
Mitch Phillips
3b21ada5f1 Add tagged pointers to bionic.
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).

We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.

If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.

Bug: 135754954
Bug: 147147490

Test: cd bionic && atest .
Change-Id: Ie424325ba1e3c4443040ac265aeaa28d9e405d28
2020-01-23 10:37:24 -08:00
Elliott Hughes
75064c177f Initialize __progname correctly.
setprogname() does a basename, but we were initializing __progname
directly. Stop doing that, and add some tests.

Test: treehugger
Change-Id: I06f306ade4161b2f0c7e314a3b1b30c9420117b7
2020-01-23 08:28:48 -08:00
Elliott Hughes
22fb267ad6 Reimplement realpath.
Use O_PATH like musl to let the kernel do the hard work, rather than the
traditional BSD manual scheme.

Also add the most obvious missing tests from reading the man page, plus
a non-obvious test for deleted files.

Bug: http://b/131435126
Test: treehugger
Change-Id: Ie8a8986fea55f045952a81afee377ce8288a49d5
2020-01-22 18:30:50 -08:00
Nicolas Geoffray
5c9efd1d66 Merge "Revert "Add tagged pointers to bionic."" 2020-01-21 13:57:45 +00:00
Nicolas Geoffray
ce4c42e09f Revert "Add tagged pointers to bionic."
This reverts commit 43d5f9d4dd.

Bug: 135754954
Bug: 147147490

Exempt-From-Owner-Approval: clean revert

Reason for revert: Breaks ART gtest, see:
https://ci.chromium.org/p/art/builders/ci/angler-armv8-non-gen-cc/561

The crash happens on mprotect of a page, the test crashes with ENOMEM.

Change-Id: I52eea1abbfaf8d8e2226f92d30aa55aba3810528
2020-01-21 13:57:26 +00:00
Dan Willemsen
a547762ae3 Merge "Convert more bionic tests to Android.bp" 2020-01-21 04:52:16 +00:00
Mitch Phillips
3460b6c265 Merge "Add tagged pointers to bionic." 2020-01-20 23:31:27 +00:00
Dan Willemsen
4bcfe3c330 Convert more bionic tests to Android.bp
Bug: 122332847
Bug: 130734182
Test: mmm bionic/tests; same files installed before & after
Test: m cts; same files in cts before & after
Test: `objdump -x <files> | grep NEEDED` is identical
Test: `objdump -x <files> | grep RUNPATH` difference make sense
      (additional lib64 entries from soong, minimal reorder)
Test: treehugger
Change-Id: I6eea4c3f9c0040efeba64e2b47c7b573767cd386
2020-01-16 10:12:46 -08:00
Christopher Ferris
f5421dde7f Merge "Add new malloc align tests." 2020-01-16 17:20:26 +00:00
Ryan Savitski
b72fed164e Merge "allow for heapprofd's signal to be multiplexed" 2020-01-16 16:04:08 +00:00
Mitch Phillips
43d5f9d4dd Add tagged pointers to bionic.
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).

We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.

If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.

Bug: 135754954
Bug: 147147490

Test: cd bionic && atest .
Change-Id: I6e5b809fc81f55dd517f845eaf20f3c0ebd4d86e
2020-01-15 15:03:00 -08:00
Ryan Savitski
175c8867b0 allow for heapprofd's signal to be multiplexed
This patch refactors heapprofd_malloc to make it easier to reuse the
reserved signal for multiple purposes. We define a new generic signal
handler for profilers, which dispatches to more specific logic based on
the signal's payload (si_value).

The profiler signal handler is installed during libc preinit, after
malloc initialization (so races against synchronous heapprofd
initialization need not be considered). In terms of code organization, I
copied the existing approach with a loosely referenced function in
bionic_globals.h. Do tell if you'd rather a different approach here.

The profileability of a process is quite tied to the malloc
files/interfaces in bionic - in particular, it's set through
android_mallopt. I do not change that, but instead introduce a new
android_mallopt option to be able to query profileability of the
process (which is now used by the new profiler signal handler). As part
of that, gZygoteChildProfileable is moved from heapprofd_malloc to
common (alongside gZygoteChild).

I've removed the masking and reraising of the heapprofd signal when
racing against malloc_limit init. We're ok with taking a simpler
approach and dropping the heapprofd signal in such an unlikely race.

Note: this requires a corresponding change in heapprofd to use sigqueue()
instead of kill(), as the latter leaves the si_value uninitialized(?) on
the receiving side.

Bug: 144281346
Change-Id: I93bb2e82cff5870e5ca499cf86439860aca9dfa5
2020-01-15 22:55:03 +00:00
Christopher Ferris
f32494c985 Add new malloc align tests.
Bug: 146576216

Test: Ran the test on jemalloc and glibc.
Test: Ran the test on scudo and verified that failed without the align
Test: change.
Change-Id: I31a96f8672c6bce2423210300288a13df1eda42a
2020-01-15 09:22:21 -08:00
Steven Moreland
06f39d36a4 stack_protector_DeathTest: work w/ local reorder
Before, the helper method for this test had two local variables:
    char buf[128];
    volatile char* p;

Then the test wrote zeros into the buffer and one past the buffer end.
This relied on the fact that the compiler constructed the stack frame
with 'p' first and then the buffer (and also optimized away the 'size'
variable).

However, some compiler options (namely -ftrivial-auto-var-init=pattern)
result in the stack frame being reordered so that 'p' is actually after
buf, and the test cannot pass.

Fixes: 132780819
Test: bionic-unit-tests-static (w/ w/o flag)
Change-Id: Icc87c02add211c2afb7c96ae22701ec27990364c
2020-01-14 14:11:16 -08:00
Elliott Hughes
5dc31300ff Explicitly test printf %s with nullptr.
I haven't found a bug, but tests are good.

Bug: https://github.com/landley/toybox/issues/163
Change-Id: I57149800099abc699cc841b69a5a72aeac7c2bcc
2020-01-07 08:48:10 -08:00
Elliott Hughes
95c6cd753f Stop using the __ANDROID_API_x__ constants.
Historically we've made a few mistakes where they haven't matched the
right number. And most non-Googlers are much more familiar with the
numbers, so it seems to make sense to rely more on them. Especially in
header files, which we actually expect real people to have to read from
time to time.

Test: treehugger
Change-Id: I0d4a97454ee108de1d32f21df285315c5488d886
2019-12-20 13:26:14 -08:00
Evgeny Eltsin
4ea64e91e8 Merge "Fix dlext.ns_anonymous test for native bridge" 2019-12-17 19:22:04 +00:00
Evgeny Eltsin
ad865d7b3d Fix dlext.ns_anonymous test for native bridge
The executable flag might not be present for the executable segment
if the code is being handled by native bridge implementation. Old
heuristics for this case was to assume first segment is executable.
This doesn't stand any more. Instead, look for segment that contains
the function test is going to call.

Test: bionic-unit-tests --gtest_filter=dlext.ns_anonymous
Change-Id: I960bebba86e225d739b73f6d093e145fff17b4a8
2019-12-17 18:54:17 +01:00
Evgeny Eltsin
4d9264c593 Fix signal.sigwait64_SIGRTMIN test
'kill(pid, sig)' sends signal to arbitrary thread within a process, thus
test was occasionally sending signal to the killing thread, not to the
waiting thread. Use 'tgkill(pid, tid, sig)' instead.

Test: bionic-unit-tests --gtest_filter=signal.sigwait64_SIGRTMIN
Change-Id: I80377295e2362cb87eb4fb4de2489c51c520ea77
2019-12-17 18:03:06 +01:00
Evgeny Eltsin
b29173cd64 Increase sleep time in sigwait64_SIGRTMIN test
With previous sleep time, if unlucky, newly started thread can send
signal before main thread starts sigwait.

Test: bionic-unit-tests --gtest_filter=signal.sigwait64_SIGRTMIN
Change-Id: I63d7825a695988e388903c7951e2435cb69773a1
2019-12-16 17:01:11 +01:00
Ryan Prichard
d4299c3f0f Merge changes I052011f2,I40f42464
* changes:
  dl_test: update error message
  dl_test: use GTEST_SKIP() in a few places
2019-12-11 20:32:04 +00:00
Evgeny Eltsin
bd1c63065e Fix sys_ptrace_test feature check on arm64
The code was checking PTRACE_GETREGSET output even in case of error.
This seems not correct. Though ptrace can still write some output in
case of EINVAL, implementation should still check updated iov_len before
reading it.

Change the code to avoid checking output in case of error at all.

Test: bionic-unit-tests --gtest_filter=sys_ptrace.watchpoint_stress
Change-Id: I7b1ca18ac64f81055ff89f56b453aff0ce8e1057
2019-12-11 15:42:04 +01:00
Ryan Prichard
0f67214c50 dl_test: update error message
Bug: http://b/145998177
Test: atest CtsBionicTestCases on a non-debuggable, user build
Change-Id: I052011f274edc331aa63fc6cd7666af2aebc2ad0
2019-12-10 14:50:11 -08:00
Ryan Prichard
55f9a24acc dl_test: use GTEST_SKIP() in a few places
Bug: none
Test: bionic unit tests
Change-Id: I40f42464359576ffbd55d0f56347c6c45daf73f9
2019-12-10 14:45:20 -08:00
Elliott Hughes
9416e02757 Merge "Sync with upstream OpenBSD strstr()." 2019-12-02 20:12:56 +00:00
Dmytro Chystiakov
595c381841 Fix linker path for emulated architecture
dl#exec_linker* tests are failing on devices with emulated
architecture due to hardcoded path to linker.

Test: bionic-unit-tests --gtest_filter=dl.exec_linker*
Bug: b/141914915

Change-Id: Id6d8d3ee7114e70b07e44034aa62dce0a3e0760e
Signed-off-by: Dmytro Chystiakov <dmytro.chystiakov@intel.com>
2019-11-26 15:32:02 +01:00
Elliott Hughes
c6b38aefa7 Sync with upstream OpenBSD strstr().
Bug: http://b/124855136
Test: treehugger
Change-Id: I6cbeb82bc0e418f50e6c171ac4e38e335c448db8
2019-11-22 11:16:23 -08:00
George Burgess IV
8a0cdb15a1 fortify: allow diagnostics without run-time checks (attempt #2)
In configs like ASAN, we can't use _chk functions. This CL builds off of
previous work to allow us to still emit diagnostics in conditions like
these.

Wasn't 100% sure what a good test story would look like here. Opinions
appreciated.

Bug: 141267932
Test: checkbuild on internal-master. TreeHugger for x86_64.
Change-Id: I65da9ecc9903d51a09f740e38ab413b9beaeed88
2019-11-19 14:20:26 -08:00
Elliott Hughes
db602e8a47 sysconf(_SC_ARG_MAX): go back to imitating the kernel.
For reasons explained in the code comment, go back to roughly our old
code. The "new" tests are just the old tests resurrected.

This also passes the current toybox xargs tests, which were the
motivation for going back on our earlier decision.

Test: bionic and toybox tests
Change-Id: I33cbcc04107efe81fdbc8166dc9ae844e471173e
2019-11-15 09:24:35 -08:00
Raman Tenneti
afe44cc483 Merge "Revert "Revert "Make system property reads wait-free""" 2019-11-12 20:43:29 +00:00
Raman Tenneti
b481a2e743 Revert "Revert "Make system property reads wait-free""
This reverts commit de39d9242a.

Reason for revert: This revert is not needed

Change-Id: I34af8e5d75c724f6c4066fafbfc6bc7d58377601
2019-11-12 20:41:55 +00:00
Raman Tenneti
1b28efa2d1 Merge "Revert "Make system property reads wait-free"" 2019-11-12 18:26:48 +00:00
Raman Tenneti
de39d9242a Revert "Make system property reads wait-free"
This reverts commit 0cf90556de.

Reason for revert: Device boot failures - 144355953

Change-Id: Icd4fc8c7a1d06d688a6d37e6f1c1aa45563f711b
2019-11-12 18:24:06 +00:00
Treehugger Robot
985e678516 Merge "Make system property reads wait-free" 2019-11-12 17:14:30 +00:00
Daniel Colascione
0cf90556de Make system property reads wait-free
Right now, when we read a system property, we first (assuming we've
already looked up the property's prop_info) read the property's serial
number; if we find that the low bit (the dirty bit) in the serial
number is set, we futex-wait for that serial number to become
non-dirty. By doing so, we spare readers from seeing partially-updated
property values if they race with the property service's non-atomic
memcpy to the property value slot. (The futex-wait here isn't
essential to the algorithm: spinning while dirty would suffice,
although it'd be somewhat less efficient.)

The problem with this approach is that readers can wait on the
property service process, potentially causing delays due to scheduling
variance. Property reads are not guaranteed to complete in finite time
right now.

This change makes property reads wait-free and ensures that they
complete in finite time in all cases. In the new approach, we prevent
value tearing by backing up each property we're about to modify and
directing readers to the backup copy if they try to read a property
with the dirty bit set.

(The wait freedom is limited to the case of readers racing against
*one* property update. A writer can still delay readers by rapidly
updating a property --- but after this change, readers can't hang due
to PID 1 scheduling delays.)

I considered adding explicit atomic access to short property values,
but between binary compatibility with the existing property database
and the need to carefully handle transitions of property values
between "short" (compatible with atomics) and "long" (incompatible
with atomics) length domains, I figured the complexity wasn't worth it
and that making property reads wait-free would be adequate.

Test: boots
Bug: 143561649
Change-Id: Ifd3108aedba5a4b157b66af6ca0a4ed084bd5982
2019-11-11 11:17:00 -08:00
Treehugger Robot
28fb781ef7 Merge "linker: add more context to link failure error." 2019-11-09 00:13:31 +00:00
George Burgess IV
2fead5fd89 Merge "Revert "fortify: allow diagnostics without run-time checks"" 2019-11-07 07:10:38 +00:00
George Burgess IV
f359548bf1 Revert "fortify: allow diagnostics without run-time checks"
This reverts commit d7e11b8853.

Reason for revert: Breaks aosp_x86_64-eng. Will look into it and
unbreak when it's not almost midnight. :)

Change-Id: I21f76efe4d19c70d0b14630e441376d359a45b49
2019-11-07 07:07:38 +00:00
Treehugger Robot
d1dcb72882 Merge "fortify: allow diagnostics without run-time checks" 2019-11-07 01:34:11 +00:00
Christopher Ferris
7a3a5d8cd7 Merge "Fix allocations escaping malloc debug." 2019-11-06 23:31:33 +00:00
Tom Cherry
b18158c3c9 Merge changes I01d061c4,I2e3f6ee7
* changes:
  Check that __system_property_set() doesn't leak FDs
  clang-format: Add IncludeBlocks: Preserve
2019-11-06 21:54:00 +00:00
Christopher Ferris
ff88fb0d3a Fix allocations escaping malloc debug.
When using a FILE object for some malloc debug functions, calling
fprintf will trigger an allocation to be put in the object. The problem
is that these allocations were not allocated by the malloc debug
wrapper and they get freed during the fclose as if they are malloc
debug allocation. In most cases, the code will detect the bad pointer
and leak the memory, but it might also cause a crash.

The fix is to avoid using fprintf so that no allocations are made
in the object that survive and need to be freed in the fclose call.

Change the MallocXmlElem.h to use a file decsriptor not a FILE object.

Add new unit and system tests to detect this case.

Bug: 143742907

Test: Ran unit and system tests.
Test: Ran bionic unit tests.
Change-Id: I524392de822a29483aa5be8f14c680e70033eba2
2019-11-06 10:42:42 -08:00
Elliott Hughes
9a09137b0e Merge "Limit threads in pthread_leak#detach for low power devices." 2019-11-06 16:00:48 +00:00
Josh Gao
1626957666 linker: add more context to link failure error.
This change makes it easier to diagnose mistakes in linker
configuration that result in a library being accidentally loaded in
multiple namespaces without its dependencies available everywhere.

Test: manually tested the error message
Test: bionic-unit-tests
Change-Id: I03a20507f8fc902c2445a7fbbf59767ffffd5ebf
2019-11-05 13:45:54 -08:00
Tom Cherry
fd7216cc19 Check that __system_property_set() doesn't leak FDs
Bug: 143936364
Test: fail when b/143936364 repros
Test: pass when b/143936364 is fixed
Change-Id: I01d061c4fb4f37b0300ef418a19c88003038092c
2019-11-05 12:33:33 -08:00
George Burgess IV
d7e11b8853 fortify: allow diagnostics without run-time checks
In configs like ASAN, we can't use _chk functions. This CL builds off of
previous work to allow us to still emit diagnostics in conditions like
these.

Wasn't 100% sure what a good test story would look like here. Opinions
appreciated.

Bug: 141267932
Test: checkbuild on internal-master
Change-Id: I8d4f77d7b086a8128a18a0a0389243d7fa05b00f
2019-11-01 16:25:55 -07:00
Peter Collingbourne
609d6ec416 Merge "Adopt GNU calling convention for ifunc resolvers." 2019-10-29 17:19:33 +00:00
Elliott Hughes
ca3f8e4901 sleep/usleep: switch to trivial implementations.
Upstream keeps rearranging the deckchairs for these, so let's just
switch to the [roughly] one-liners rather than track that...

Test: treehugger
Change-Id: If655cf7a7f316657de44d41fadd43a8c55ee6f23
2019-10-28 22:25:02 -07:00