Motivated by the fact that bazel doesn't like #include "../", but this
feels like it could use a deeper clean.
In fact, even after this change, I think we should remove this entirely,
since as far as I can tell Clang never implemented this GCC workaround
for 32-bit x86's awful PIC code.
Test: treehugger
Change-Id: I72715ee46f873f42d5707712aebe246ef78fcde1
This is the second or third time I've scratched my head wondering why
this destructor has no coverage. I was tempted to leave it in with a
comment saying it should never be called, but that seemed sillier than
just replacing it with an assertion.
Test: treehugger
Change-Id: I3442d9f8a391fae668e77c6888a4457ededee494
This makes Bazel conversion easier (because in Bazel package boundaries really matter).
Test: m libc still builds, and m also builds.
Change-Id: I5cfc9d83dffd3110ffad9ce03198e6141c8c5b33
Enable userfaultfd syscall to be used by ART-GC.
Bug: 160737021
Test: manually tested by invoking userfaultfd syscall in ART
Change-Id: I9f98402a96bb8363a1e5fa49dbadbb37dc70d561
Currently there is a pattern of `crtbegin_${type}1` and `crtbegin_${type}` modules, where the former
has sources and the latter depends on the former. The two modules for a type share many properties,
rather than duplicating these, we merge modules, such that each type only has a `crtbegin_${type}`
module.
Test: Treehugger
Change-Id: I7803ea0e97d660f620c334b6bfdfac22cb6e36d7
This works around buggy applications that read a few bytes past the
end of their allocation, which would otherwise cause a segfault with
the concurrent Scudo change that aligns large allocations to the right.
Because the implementation of
android_set_application_target_sdk_version() lives in the linker,
we need to introduce a hook so that libc is notified when the target
SDK version changes.
Bug: 181344545
Change-Id: Id4be6645b94fad3f64ae48afd16c0154f1de448f
Binaries defined in Makefiles that use the SDK need a variant to link
to. Generate a SDK variant of the ELF note as well. This is necessary to
allow makefile-generated binaries and CTS tests to use heap MTE.
Bug: 156029370
Bug: 181133973
Test: atest CtsBionicTestCases on QEMU+MTE, observe previously-failing
tests will now succeed.
Change-Id: I0a8243b0920769a196e7596904259e30c4a93105
Spotted while looking at our shiny new coverage numbers. Though how the
change that removed the code from this file without removing the file
made it through code review... Clearly I wasn't paying attention that
day!
Test: treehugger
Change-Id: Id61bb48bae60660d2e5ba9b26f00a68e51157c6d
Mixed builds can now use the label from an automatically converted
target.
Test: build/bazel/scripts/milestone-2/demo.sh full
Test: build/bazel/scripts/milestone-2/demo.sh generate
build/bazel/scripts/milestone-2/demo.sh sync
mixed build of libc
build/bazel/scripts/milestone-2/demo.sh cleanup
Change-Id: I1499b75f1348bf342b4cd134606786150b2f8b26
This is the last of the remaining cc_objects in the libc package.
Test: go tests.
Test: build/bazel/scripts/milestone-2/demo.sh
Change-Id: Ib9c01be0faae10707305b81e72d3fac22bf96356
__libc_init_scudo() calls directly into the allocator, bypassing the
normal guest to host transition in the native bridge. Therefore we
need to let the native bridge override it with a no-op.
Bug: 159352723
Change-Id: I642c7a058e483cc09335290f66b9c053150fca06
This CL also discovered that a couple of cc_objects include headers from the bionic subdir, without declaring them in the local_include_dirs.
Test: build/bazel/scripts/milestone-2/demo.sh full && build/bazel/scripts/milestone-2/demo.sh cleanup
Change-Id: I943980b1d1c6dab39d3c27da8037e587f97f76e3
This leaf module is selected as the first cc_object module to be converted by
the bp2build converter.
Test: GENERATE_BAZEL_FILES=true m nothing && bp2build-sync write && bazel build //bionic/libc:crt_beginso1
Change-Id: Idf752e7b5251161a4fbd58ba52b52dd85c8fc92b
This matches what we do for arm and arm64. 32-bit x86 is too big a mess
to warrant the effort still, but the more testing is done on cuttlefish,
the more value there is to making every stack frame count.
Before:
#00 pc 00000000000596d8 .../libc.so (syscall+24)
#01 pc 000000000005d072 .../libc.so (abort+194)
#02 pc 000000000005f1f0 .../libc.so (__fortify_fatal(char const*, ...)+160)
After:
#00 pc 000000000005d07d .../libc.so (abort+205)
#01 pc 000000000005f1e0 .../libc.so (__fortify_fatal(char const*, ...)+160)
Test: crasher64 fortify
Change-Id: Ib74cb8b36341093c268872e26020f35eb2d8ef66
This is undefined behavior, but glibc and macOS are both lenient, and
someone hit this in the wild, so we may as well be lenient too. (The
only cost is that it's now slightly easier to write code that works on
everything except old versions of Android.)
Bug: https://issuetracker.google.com/180598400
Test: treehugger
Change-Id: Ia217169ea6283cc53f4fbf71e5abfa08356c2049
Bug: http://b/157081822
If __libc_int0x80 is in a C/C++ file, Clang's coverage instrumentation
adds instructions to count the number of times it gets executed [1].
With coverage instrumentation, __libc_sysinfo, used on 32-bit x86, is
initialized to the wrong value, causing dl.preinit_system_calls to fail.
Moving the function to an assembly file leaves __libc_sysinfo properly
initialized.
[1] We could change clang so it doesn't instrument functions marked
__attribute__((naked)) as a followup.
Test: `m CLANG_COVERAGE=true NATIVE_COVERAGE_PATHS=bionic` and run
bionic-unit-tests
Change-Id: I73558253512392d345de8d5b66d38bb14b308fdf
Kernel headers coming from:
Git: https://android.googlesource.com/kernel/common/
Branch: android-mainline
Tag: android-mainline-5.11
Test: Built cuttlefish and flame images. Ran bionic unit tests on both.
Change-Id: Ie60337aafad4bda55af99b6c8fe9f56bf2fa787f
Auto-generate NOTICE files for all the directories, and for each one
individually rather than mixing libc and libm together.
Test: N/A
Change-Id: I7e251194a8805c4ca78fcc5675c3321bcd5abf0a
With this change we can report memory errors involving secondary
allocations. Update the existing crasher tests to also test
UAF/overflow/underflow on allocations with sizes sufficient to trigger
the secondary allocator.
Bug: 135772972
Change-Id: Ic8925c1f18621a8f272e26d5630e5d11d6d34d38
On LP32, just abort if we're asked to handle an fd that's too big for
the `short` field in `struct FILE`. This is unreachable anyway because
the ulimit is 32Ki, and this will make issues far more noticeable if we
ever do increase that limit (which seems unlikely for LP32 devices).
Also rename __finit() to __FILE_init() to match __FILE_close().
Test: treehugger
Change-Id: I5db4d6c4529a1f558aff135b4dea071d73666be5
This has been in the standard since C99, but we've never supported it
before. It's apparently used by SPIRV-Tools.
I tried implementing this the other way (with fcntl(2)) first, but
eventually realized that that's more complicated and gives worse
results. This implementation assumes that /proc is mounted, but so much
of libc relies on that at this point that I don't think there's any
realistic case where the fcntl(2) implementation would be preferable,
and there are many where it's not.
The fact that no-one's mentioned this until now suggests that it's not a
heavily used feature anyway.
I've also replaced AssertCloseOnExec() with a CloseOnExec()
boolean-valued function instead, because it's really annoying getting
assertion failures that don't point you at the test line in question,
and instead point to some common helper code.
Test: treehugger
Change-Id: Ia2e53bf2664a4f782581042054ecd492830e2aed
Python module names should be lower case and not use hyphens (the
former is a convention, the latter is a requirement for importable
modules).
Also updates the shell script to always use Python 3 so we don't need
to maintain Python 2 compatibility.
Test: repo upload, in both a python 2 and python 3 virtualenv
Bug: None
Change-Id: I486e54a12686b4e528dc6c9c47af5c7a52a7b790
The genseccomp tests haven't been run since at least 2018. Deleted the
ones that are testing APIs that no longer exist or have been
refactored to take very different inputs.
Test: treehugger
Test: pytest tools
Bug: None
Change-Id: Iaf6b6b6a2e922b181a457a74eb4b5abe90425dfb
This is a manual refactoring to ensure that the modules respect package boundaries for input files.
Test: m gensseccomp genfunctosyscallnrs
Change-Id: I8ca6cbe85a50e41bfe874a899653c2309c59a822
libc++ still depends on these being declared even if they are
unavailable. This results in a worse error message (a link error
rather than a compiler diagnostic) if these functions end up being
used, but without the decl, headers like libc++'s math.h can't be
included because it refers to an undeclared function.
For the cases where weak symbols aren't being used, don't annotate
these functions with their availability information.
Also need to avoid using __builtin_available for this case because the
NDK doesn't have __isOSVersionAtLeast yet.
__ANDROID_UNGUARDED_AVAILABILITY__ is being used as a proxy for
"building for the NDK" here because we don't have a good signal for
that which works for both the NDK proper and the NDK-in-the-platform
case.
Test: imported into the NDK, built and tested NDK
Bug: None
Change-Id: I9ef3e19a8fa083bca0be47b80dfef7ba52a94866
For backwards compatibility (e.g. with old apps), arm32 libc.so and
libm.so export some of the builtins. On 32-bit x86, libc.so also
exports some of the builtins.
The non-exported variant of the builtins will eventually have hidden
symbols but doesn't currently because D93431 hasn't been merged into
our toolchain yet. See:
- https://reviews.llvm.org/D93431
- I44ec79728db92c089e2f39823c35b6f97d24c1ab in toolchain/llvm_android
Bug: http://b/153025717
Test: bionic unit tests
Change-Id: Ic489cb06a07ef61412502fc65a21b0cf630c11ed
Introduces new heap-zero-init API. We've realised that it's better to be
able to individually control MTE and heap zero-init. Having
heap-zero-init not be controllable without affecting MTE affects our
ability to turn off heap-zero-init in zygote-forked applications.
Bug: 135772972
Test: On FVP: atest -s localhost:5555 malloc#zero_init \
Test: malloc#disable_mte heap_tagging_level
Change-Id: I8c6722502733259934c699f4f1269eaf1641a09f
The toolchain is new enough that we should be able to use the actual
instructions now...
Test: treehugger
Change-Id: I30aafcdc5386268344c40dc6cc9a22caf591915a
"#" there is incorrect: macro parameter is expected following a hashmark.
Test: build libc with -mbranch-protection=standard
Change-Id: Ib8e7ddf260b4cdbd36246cc70f69970f33dee200
* changes:
crtbegin_static is built with min_sdk_version: "current"
Guard __libc_current_sigrtmin/max with __builtin_available
__INTRODUCED_IN macros add the availability attribute
scudo_malloc_* for fill contents in __libc_init_scudo calls scudo's
initializers. We haven't told Scudo whether we want MTE-capable (i.e.
mapped with PROT_MTE) size class regions yet, which happens in
SetDefaultHeapTaggingLevel. This can lead to inconsistent mappings,
where processes without ELF notes get the base region with PROT_MTE
(which is undesirable because the performance implications are not
known).
Make sure that scudo is informed of whether regions need to be mapped
PROT_MTE or not by hoisting the tagging level up.
Bug: 135772972
Bug: 172365548
Test: On FVP - 'adb shell MEMTAG_OPTIONS=off sanitizer-status' should
have no PROT_MTE mappings (validation by looking for no 'mt' under
'VmFlags:' in /proc/smaps).
Change-Id: Idad64479c4a9459cb40dd211fe942437f8ca16fd
Native bridge modules will never compile against stubs, remove
native_bridge_supported: true.
Test: m checkbuild
Change-Id: I0eb93fe1a2c3f6ca34ce4dab17edda8807132ce8
These are available from mallopt() now, and all callers have been
switched over.
Bug: http://b/135772972
Test: treehugger
Change-Id: I90c7a7573b261c27001a2dfd4589b23861ad613b
crtbegin_static is used by static executables which are guaranteed to be
with the latest library regardless of their target API level.
This change is in fact not a regression as crtbegin_static has been
built with __ANDROID_API__=10000 before
I645e6bb1234c27ae0a69b7b87a59206cfd350744 when __ANDROID_API__ tracked
sdk_version, not min_sdk_version. sdk_version was not set for crtbegin_*
objects and therefore the default "current" was (incorrectly) used.
With this change, we are recovering the original behavior for the static
variant, while the building of the dynamic variant becomes more correct
- it's now with __ANDROID_API__=16.
Without this change, several static executables fail to build as 1)
crtbegin_static for them is built with __ANDROID_API__=16 and 2)
libc_init_common.cpp uses pthread_atfork which is available only after
API level 23. We hit undefined symbol error when linking.
Bug: 134795810
Test: m
Change-Id: I1430e57302951df33530ea0ae91b0d7a0609bf3d
The two APIs were added for the API level 21 and beyond. Currently, their
existence is tested using the null check which is done regardless of the
min sdk version of the compilation unit. (which in turn required us to
mark the API symbol weak regardless of the min sdk version.)
Now, we have a better way of testing the API availability;
__builtin_available. The null check is replaced with the call to the
compiler-provided macro which determines if the code is running in a
version of OS where the API is known to exist.
Bug: 150860940
Bug: 134795810
Test: m
Change-Id: Ib96c78f8d3cc71d7e755d1eab86051517bbbcc44
The __INTRODUCED_IN macro (and its variants) is used to mark the
availability of an API symbol. The macros were used by the versioner
tool for the NDK clients. When the Bionic headers are processed by the
tool, APIs with the macros are guarded with __ANDROID_API__. e.g.,
void foo() __INTRODUCED_IN(30);
is processed into
#if __ANDROID_API__ >= 30
void foo();
#endif
by the versioner.
The macros however didn't play a role for other cases, e.g. OS
components.
This is too strict for NDK clients and too loose for the non-NDK
clients. For the former, this completely hides the APIs that are newer
than the min sdk version (__ANDROID_API__). For the latter, a call to
such an API can be made without being guarded.
This change is the first step towards a better way of handling the
native APIs availability. The plan is that every NDK API is annotated
with the availability attribute and callers are required to guard their
API calls with a runtime check if the API is newer than the min sdk
version of the caller.
In this change, the macros now emit the availability attribute for the
non-NDK clients (i.e. when not processed by versioner).
Bug: 163288375
Bug: 134795810
Test: m
Change-Id: I6eb2bce2bc2770cbfd69815e6816b6f25b3d6127
For libc.so, use a special build of libunwind.a whose symbols aren't
hidden ("libunwind-exported"), because libc.so exports the _Unwind_*
APIs.
Bug: http://b/153025717
Test: bionic unit tests
Change-Id: I7435e076ec8cc4410e3e6086d3cf5d2c6011c80c
These were only available internally via android_mallopt(), but they're
likely to be needed by more code in future, so move them into mallopt().
This change leaves the android_mallopt() options for now, but I plan on
coming back to remove them after I've switched the handful of callers
over to mallopt() instead.
Bug: http://b/135772972
Test: treehugger
Change-Id: Ia154614069a7623c6aca85975a91e6a156f04759
These two options allow for ARM MTE to be enabled dynamically (instead
of at compile time via the ELF note). They are settable from a non-root
shell to allow device owners to test system binaries with MTE.
The following values may be set:
1. 'off' -> No MTE, uses TBI on compatible devices.
2. 'sync' -> SYNC MTE.
3. 'async' -> ASYNC MTE.
The following methods can be used to launch a process (sanitizer-status)
with configurable values:
1. adb shell MEMTAG_OPTIONS=async sanitizer-status
2. adb shell setprop arm64.memtag.process.sanitizer-status async && \
adb shell sanitizer-status
Note: The system server will require some special handling in the zygote
pre-fork to check the sysprops. The zygote should always have the ELF
note. TODO in a subsequent patch.
Bug: 135772972
Bug: 172365548
Test: Launching sanitizer-status above using both the settings.
Change-Id: Ic1dbf3985a3f23521ec86725ec482c8f6739c182
Android S devices must support eBPF.
Test: builds, atest, TreeHugger
Bug: 167500195
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I84a8d00f786fca8113dd3d555af279a1029f66f2
Now that the feature guarded by this flag has landed in Linux 5.10
we no longer need the flag, so we can remove it.
Bug: 135772972
Change-Id: I02fa50848cbd0486c23c8a229bb8f1ab5dd5a56f
I realize that we can probably clean up more of our half-forked code by
reusing the same *-compat.h headers we use for the clean upstream code,
but I'll come back and do that later.
Bug: http://b/177003648
Test: treehugger
Change-Id: I081255aaafd62718b85956c5502911a1cc80225d