Commit graph

67 commits

Author SHA1 Message Date
Elliott Hughes
95fa061678 Rename __pure, __pure2, and __purefunc.
These names were pretty misleading (aka "backwards"), so switch to the
same obvious names glibc uses.

Test: build.
Change-Id: Ia98c9dbbccd0820386116562347654e84669034a
2016-09-28 12:36:38 -07:00
Josh Gao
6cd9fb080c Fix warnings (and errors) in static inline headers.
Bug: http://b/31676510
Change-Id: Idcbc544e498f7e6bbe99c2bf7dc557a5681e96c4
Test: preupload hook
2016-09-23 14:34:03 -07:00
Dan Albert
6576a3749b Add legacy inlines for locale aware APIs.
Test: make checkbuild tests
Bug: http://b/31639993
Change-Id: Ic43d690dff3c6960d7826bd0b064640a3ea0e883
2016-09-22 00:44:37 -07:00
Dan Albert
e5dd632e43 Move strncpy fortify into android-21.
__strncpy_chk2 wasn't added until android-21.

Test: make checkbuild
Bug: None
Change-Id: I527f88aca55ef5010e12ece18abbdce3d54ce252
2016-09-08 13:08:47 -07:00
Dan Albert
dfa6bbb54b Guard fortify inlines with __ANDROID_API__.
Test: make checkbuild with libc ndk_library patches applied
Change-Id: Ic5e248994c4f2702b0f4d6dfeda787187ea86017
2016-08-05 16:33:32 -07:00
Elliott Hughes
5470c18361 Make it possible to build bionic with -I instead of -isystem.
Various things:

* work around -Wnullability-completeness.
* use C++ casts in C++ and C casts in C.
* stop using attributes clang doesn't support (such as `warning`).
* remove duplicate definitions of XATTR_CREATE and XATTR_REPLACE.

Change-Id: I07649e46275b28a23ca477deea119fe843999533
2016-07-22 13:12:53 -07:00
Josh Gao
46b44160e9 Update header versions for NDK platform fixes.
Bug: http://b/28178111
Change-Id: Icd638673b409aa43a91490f77c6b4d79c9ea20d9
2016-06-02 13:40:35 -07:00
Dan Albert
baa2a973bd Use clang's nullability instead of nonnull.
http://clang.llvm.org/docs/AttributeReference.html#nonnull

_Nonnull is similar to the nonnull attribute in that it will instruct
compilers to warn the user if it can prove that a null argument is
being passed. Unlike the nonnull attribute, this annotation indicated
that a value *should not* be null, not that it *cannot* be null, or
even that the behavior is undefined. The important distinction is that
the optimizer will perform surprising optimizations like the
following:

    void foo(void*) __attribute__(nonnull, 1);

    int bar(int* p) {
      foo(p);

      // The following null check will be elided because nonnull
      // attribute means that, since we call foo with p, p can be
      // assumed to not be null. Thus this will crash if we are called
      // with a null pointer.
      if (src != NULL) {
        return *p;
      }
      return 0;
    }

    int main() {
      return bar(NULL);
    }

Note that by doing this we are no longer attaching any sort of
attribute for GCC (GCC doesn't support attaching nonnull directly to a
parameter, only to the function and naming the arguments
positionally). This means we won't be getting a warning for this case
from GCC any more. People that listen to warnings tend to use clang
anyway, and we're quickly moving toward that as the default, so this
seems to be an acceptable tradeoff.

Change-Id: Ie05fe7cec2f19a082c1defb303f82bcf9241b88d
2016-05-05 17:11:54 -07:00
Josh Gao
14adff1cfa Add versioning information to symbols.
Bug: http://b/28178111
Change-Id: I46bf95accd819f4521afb1173d8badcc5e9df31c
2016-04-29 16:39:50 -07:00
Josh Gao
c3cec27ad7 Extract strcasecmp and friends to <bits/strcasecmp.h>.
Bug: http://b/28067717
Change-Id: I76bab098d4c35d07a7a108055c43c820087f9253
2016-04-07 18:01:59 -07:00
Josh Gao
eb9b925012 Fix GNU/POSIX basename headers.
Including glibc's <libgen.h> will result in the user getting the POSIX
version of basename always, regardless of when it is included relative
to <string.h>. Prior to this patch, our implementation would result in
the one that's included first winning.

Bug: http://b/25459151
Change-Id: Id4aaf1670dad317d6bbc05763a84ee87596e8e59
2015-11-04 14:19:55 -08:00
Elliott Hughes
7ac3c128bb Add strchrnul.
Bug: http://b/18374026
Change-Id: Iea923309c090a51a2d41c5a83320ab3789f40f1c
2015-08-26 09:59:29 -07:00
Daniel Micay
4ae773633a add fortified memchr/memrchr implementations
Change-Id: I38c473cc0c608b08f971409a95eb8b853cb2ba1c
2015-04-17 21:17:12 -04:00
Elliott Hughes
3cfb52aab2 Add GNU extensions mempcpy and wmemcpy.
Used by elfutils. On the bright side, they stopped using __mempcpy.

Bug: 18374026
Change-Id: Id29bbe6ef1c5ed5a171bb6c32182f129d8332abb
2015-02-18 22:02:56 -08:00
Elliott Hughes
5038b19cef Break two incorrect transitive includes.
Change-Id: I95519caa5258cf5c6b8053f1c7e08ade2a824e49
2015-01-29 20:12:13 -08:00
Elliott Hughes
76f8916b90 Clean up <stdlib.h> slightly.
Interestingly, this mostly involves cleaning up our implementation of
various <string.h> functions.

Change-Id: Ifaef49b5cb997134f7bc0cc31bdac844bdb9e089
2015-01-26 14:28:41 -08:00
Elliott Hughes
b20c24456e Implement all the POSIX _l functions.
Strictly speaking, this only implements the _l variants of the functions
we actually have. We're still missing nl_langinfo_l, for example, but we
don't have nl_langinfo either.

Change-Id: Ie711c7b04e7b9100932a13f5a5d5b28847eb4c12
2014-11-06 15:52:22 -08:00
Dan Albert
658727e111 Inline helpers need to be exported unmangled.
__open_2() is used by the fortify implementation of open(2) in
fcntl.h, and as such needs an unmangled C name. For some reason
(inlining?), this doesn't cause problems at the default optimization
level, but does for -O0.

The rest of these didn't cause build failures, but they look suspect
and probably will, we just haven't caught them yet.

Bug: 17784968
Change-Id: I7391a7a8999ee204eaf6abd14a3d5373ea419d5b
2014-10-07 16:46:47 -07:00
Nick Kralevich
b84f667e93 further cleanup memcpy fortify implementation
Change-Id: I0380f3c8ca8f9bb8a206accd839c32c9daf13c56
2014-10-05 06:52:24 -07:00
Nick Kralevich
48be71d02b string.h: remove unused variable
Change-Id: I08b7dab1b374ad427fcbee4183f2c7d93d0199a9
2014-10-04 15:20:00 -07:00
Elliott Hughes
416d7ddaff Add GNU-compatible strerror_r.
We already had the POSIX strerror_r, but some third-party code defines
_GNU_SOURCE and expects to get the GNU strerror_r instead.

This exposed a bug in the libc internal logging functions where unlike
their standard brethren they wouldn't return the number of bytes they'd
have liked to have written.

Bug: 16243479
Change-Id: I1745752ccbdc569646d34f5071f6df2be066d5f4
2014-08-28 16:37:09 -07:00
Elliott Hughes
09c39d6df0 Implement the GNU basename(3) in addition to the POSIX one.
Code like perf(1) needs this.

Bug: 11860789
Change-Id: I907eb448052a7b165e4012d74303330d32328cb2
2014-08-19 14:30:30 -07:00
Elliott Hughes
2cfb4e8e2e Improve <sys/cdefs.h>.
Fix and use __RENAME (and lose ___RENAME --- two underscores should be
enough for anybody). This was the point of this change, because I want
to use __RENAME to support the two basename variants and the two
strerror_r variants.

Lose a bunch of macros that weren't being used.

Lose three dead files from the DNS code.

Change-Id: I3ef645c566b16a52217bc2e68c7d54b37c7c9522
2014-08-18 14:45:42 -07:00
Dehao Chen
28285f85a1 Workaround b/16818336 which fails build under aggressive inlining.
(cherry-pick of 7aa27e1c1a53afe28f6180fd1fc50d096cabea7b.)

Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
2014-08-06 11:43:38 -07:00
Dan Albert
dfb5ce42bc Revert "Revert "Add locale aware APIs.""
This reverts commit 063e20c269.

Change-Id: Ib8c9004efefe75a5346b3af50dfe37952d91eb21
2014-07-11 16:21:31 +00:00
Dan Albert
063e20c269 Revert "Add locale aware APIs."
Accidentally verified against a dirty tree. Needs the companion change to libc++ to land upstream before I can submit this.

This reverts commit e087eac404.

Change-Id: I317ecd0923114f415eaad7603002f77feffb5e3f
2014-07-09 22:50:43 +00:00
Dan Albert
e087eac404 Add locale aware APIs.
Since we only support the C locale, we can just forward all of these to
their non-locale equivalents for correct behavior.

Change-Id: Ib7be71b7f636309c0cc3be1096a4c1f693f04fbb
2014-07-09 15:41:53 -07:00
Dan Albert
40fca0f08b Removes index() from bionic.
This function has been removed from POSIX.

Unfortunately, we can't leave #define index(a, b) strchr((a), (b)) in its place
because defining a preprocessor macro for index() breaks a whole lot of code.

Bug: 13935372
Change-Id: Ifda348acde06da61c12e7ee2f8fe6950a3174dd1
2014-06-05 11:05:10 -07:00
Christopher Ferris
950a58e24d Add stpcpy/stpncpy.
Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
2014-04-07 16:41:53 -07:00
Elliott Hughes
152b9de19a Remove non-standard memswap.
Change-Id: I06548dda339987b755ef7139c590ca3e1f9fe0a9
2014-03-10 15:54:40 -07:00
Elliott Hughes
53e43292aa More OpenBSD cleanup (primarily string).
This patch removes the string/ and wchar/ directories.

Change-Id: Ia489904bc67047e4bc79acb1f3eec21aa3fe5f0d
2014-02-24 18:02:05 -08:00
Nick Kralevich
d13c2b1ba6 Fix unnecessary call to __strncpy_chk2
If "n" is smaller than the size of "src", then we'll
never read off the end of src. It makes no sense to call
__strncpy_chk2 in those circumstances.

For example, consider the following code:

int main() {
  char src[10];
  char dst[5];
  memcpy(src, "0123456789", sizeof(src));
  strncpy(dst, src, sizeof(dst));
  dst[4] = '\0';
  printf("%s\n", dst);
  return 0;
}

In this code, it's clear that the strncpy will never read off
the end of src.

Change-Id: I9cf58857a0c5216b4576d21d3c1625e2913ccc03
2013-09-27 13:21:24 -07:00
Pavel Chupin
3c4b50fd8c Fix strchr for basic non-sse case on x86
Fix source location. Move declaration of __strchr_chk out of
ifdef __BIONIC_FORTIFY which should be available for strchr.cpp
compilation when __BIONIC_FORTIFY is not defined.

Change-Id: I552a6e16656e59b276b322886cfbf57bbfb2e6a7
Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
2013-09-03 16:20:52 +04:00
Nick Kralevich
bd8e6749b7 cdefs.h: introduce __bos0
Introduce __bos0 as a #define for __builtin_object_size((s), 0).
This macro is intended to be used for places where the standard
__bos macro isn't appropriate.

memcpy, memmove, and memset deliberately use __bos0. This is done
for two reasons:

1) I haven't yet tested to see if __bos is safe to use.
2) glibc uses __bos0 for these methods.

Change-Id: Ifbe02efdb10a72fe3529dbcc47ff647bde6feeca
2013-08-28 14:27:14 -07:00
Nick Kralevich
93501d3ab8 FORTIFY_SOURCE: introduce __strncpy_chk2
This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
2013-08-28 12:39:06 -07:00
Nick Kralevich
a6cde39276 More FORTIFY_SOURCE functions under clang
* bzero
* umask
* strlcat

Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
2013-06-29 08:16:22 -07:00
Nick Kralevich
8bafa7452e libc: enable FORTIFY_SOURCE clang strlcpy
Change-Id: Idcfe08f5afc3dde592416df9eba83f64e130c7c2
2013-06-20 12:17:44 -07:00
Nick Kralevich
16d1af167f libc: add limited FORTIFY_SOURCE support for clang
In 829c089f83, we disabled all
FORTIFY_SOURCE support when compiling under clang. At the time,
we didn't have proper test cases, and couldn't easily create targeted
clang tests.

This change re-enables FORTIFY_SOURCE support under clang for a
limited set of functions, where we have explicit unittests available.
The functions are:

* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)

It may be possible, in the future, to enable other functions. However,
I need to write unittests first.

For strlen, strchr, and strrchr, clang unconditionally calls the
fortified version of the relevant function. If it doesn't know the
size of the buffer it's dealing with, it passes in ((size_t) -1),
which is the largest possible size_t.

I added two new clang specific unittest files, primarily copied
from fortify?_test.cpp.

I've also rebuild the entire system with these changes, and didn't
observe any obvious problems.

Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
2013-06-18 12:14:20 -07:00
Nick Kralevich
b24c0637d0 libc: Introduce __errordecl()
Define __errordecl and replace __attribute__((__error__("foo")))
with __errordecl. Make sure __errordecl is a no-op on clang, as it
generates a compile time warning.

Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
2013-06-18 12:13:52 -07:00
Nick Kralevich
cf870199d5 FORTIFY_SOURCE: strcat / strncat optimize
__strcat_chk and __strncat_chk are slightly inefficient,
because they end up traversing over the same memory region
two times.

This change optimizes __strcat_chk / __strncat_chk so they
only access the memory once. Although I haven't benchmarked these
changes, it should improve the performance of these functions.

__strlen_chk - expose this function, even if -D_FORTIFY_SOURCE
isn't defined. This is needed to compile libc itself without
-D_FORTIFY_SOURCE.

Change-Id: Id2c70dff55a276b47c59db27a03734d659f84b74
2013-05-31 09:07:46 -07:00
Nick Kralevich
1c462b7a04 Use restrict pointers for various libc functions.
All the cool kids say this is the best thing since sliced bread.
http://cellperformance.beyond3d.com/articles/2006/05/demystifying-the-restrict-keyword.html

For the most part, these changes match what glibc does.

Change-Id: I176268f27f82800162fe5f2515b08d5469ea2dfe
2013-05-07 10:00:21 -07:00
Nick Kralevich
3b2e6bc9ac libc: upgrade strrchr to FORTIFY_SOURCE=2
Change-Id: I4c34c2ce22c5092c4446dc1ab55f37604c1c223f
2013-04-30 14:19:23 -07:00
Nick Kralevich
9020fd503c libc: upgrade some libc functions to _FORTIFY_SOURCE=2
Upgrade the following functions:

* vsnprintf
* vsprintf
* snprintf
* fgets
* strcpy
* strcat
* strncat
* strlcpy
* strlcat
* strlen
* strchr

Change-Id: Icc036fc7f0bb317e05f7c051617887a1601271aa
2013-04-30 11:31:35 -07:00
Nick Kralevich
1aae9bd170 strncpy: implement _FORTIFY_SOURCE=2
Add support for fortify source level 2 to strncpy.
This will enable detection of more areas where strncpy
is used inappropriately. For example, this would have detected
bug 8727221.

Move the fortify_source tests out of string_test.cpp, and
put it into fortify1_test.cpp.

Create a new fortify2_test.cpp file, which copies all
the tests in fortify1_test.cpp, and adds fortify_source level
2 specific tests.

Change-Id: Ica0fba531cc7d0609e4f23b8176739b13f7f7a83
2013-04-29 15:22:10 -07:00
Elliott Hughes
890c8ed6ef Fix builds where _FORTIFY_SOURCE is off.
Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.

Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
2013-03-22 10:58:55 -07:00
Elliott Hughes
538f6fc202 Stop advertising rindex(3), which is both deprecated and unimplemented.
Change-Id: I3c775d9974e49c3f76a53e46e022659657b89034
2013-02-21 17:39:06 -08:00
Nick Kralevich
a44e9afdd1 FORTIFY_SOURCE: optimize
Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.

This avoids silliness like calling fortify source on things like:

  size_t len = strlen("asdf");
  printf("%d\n", len);

and allows the compiler to optimize this code to:

  printf("%d\n", 4);

Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.

Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
2013-01-17 15:41:33 -08:00
Nick Kralevich
5787475390 FORTIFY_SOURCE: remove memcpy overlap checks
These checks haven't been as useful as I hoped, and it's
causing a false positive finding.  Remove the overlap
compile time checks.

Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
2012-12-07 09:57:01 -08:00
Nick Kralevich
9a4d305340 FORTIFY_SOURCE: fortify strrchr
This change compliments 049e58369c

Change-Id: I27d015d70a520713c7472558a3c427f546d36ee4
2012-12-03 10:39:16 -08:00
Nick Kralevich
049e58369c FORTIFY_SOURCE: fortify strchr
Detect when strchr reads off the end of a buffer.

Change-Id: I0e952eedcff5c36d646a9c3bc4e1337b959224f2
2012-11-30 15:19:15 -08:00