Exports GWP-ASan allocator information callbacks to libdebuggerd so that
tombstoned can get information from the GWP-ASan allocator in the case
of a crash.
Bug: 135634846
Test: atest bionic-unit-tests
Change-Id: Ie16426af55602fb2a76c4e69217773354c365843
The notification that GWP-ASan is enabled causes ART tests to break.
Remove the log for now.
Bug: 135634846
Bug: 149790891
Test: (Attempt to fix the ART tests).
Change-Id: I8a7751a838a64f160b3b7b9f07752bb64644b9db
An upcoming change to scudo will cause us to start calling
android_unsafe_frame_pointer_chase() from within the allocator. Since this
function uses ScopedDisableMTE, this would otherwise make it unsafe to use
the allocator from within ScopedDisableMTE. This seems like an unreasonable
restriction, so make ScopedDisableMTE save the PSTATE.TCO state in the
constructor and restore it in the destructor.
Bug: 135772972
Change-Id: I47e18d5fb2929efd5a58676488180cd85731007b
This patch enables GWP-ASan with process sampling.
**Note**: If you are visiting this patch because this broke a test or
otherwise is causing failures, please contact mitchp@ directly (or
respond to this patchset). GWP-ASan is designed to cause heap-based
memory safety bugs to manifest in SEGV on a sampled basis.
Bug: 135634846
Test: atest bionic-unit-tests gwp_asan_unittest
Change-Id: I58ca9373def105fdd718cf283482b3220b770698
GWP-ASan + heapprofd don't currently play nice together in some
circumstances. heapprofd thinks it's still an only child, and refuses to
accept the existence of its little brother, GWP-ASan.
If GWP-ASan is installed before heapprofd, then heapprofd is *required*
to respect that libc has a favourite child. If an allocation/free is passed
to heapprofd, then heapprofd *must* (eventually) pass that allocation/free to
GWP-ASan. If heapprofd doesn't do this, then a free() of a GWP-ASan
allocation can be passed to the system allocator.
This can happen in two places right now:
1. The heapprofd hooks simply clobber any trace of what was
previously in the default_dispatch_table when enabled through the
heapprofd signal.
2. Heapprofd can die when the system is under significant pressure.
Some pipes can time out, which ends up in the client calling ShutdownLazy()
-> mallopt(M_RESET_HOOKS) -> DispatchReset(). This also clobbers any
trace of the previous default_dispatch_table.
To fix both these problems, we fix heapprofd to restore the previous
default_dispatch_table whenever either circumstance happens. We do some
tricky copying to avoid race conditions on the malloc_dispatch_table in
fixing #1.
Bug: 135634846
Test: Run HeapprofdEndToEnd.NativeProfilingActiveAtProcessExit/ForkMode
a significant number of times with large amounts of system pressure (I
just run bionic-unit-tests-scudo in parallel). You will see some test
failures where heapprofd died due to system pressure, but never a death
from the allocator. Tests should never fail when the system isn't under
immense pressure.
Change-Id: I20ab340d4bdc35d6d1012da5ee1a25634428d097
LLVM now knows how to fold __strlen_chk, so we can make this function a
one-liner.
Also fix strlcat to not double-return while I'm in the area.
Bug: 148189733
Test: TreeHugger
Change-Id: I71ee308defbefe96f3fe6e357a2127309d2f0942
When enabled, GWP-ASan sets the current dispatch table. Then, when a
shim layer (malloc_debug, malloc_hooks, heapprofd) comes along, they
should (by design) overwrite the current dispatch table.
Currently, these shim layers check to see whether malloc_limit is
installed by checking the current dispatch table against nullptr.
Because GWP-ASan owns the current dispatch table, the shim thinks that
malloc_limit is installed and falls back to only use the default
dispatch, thinking that malloc_limit will call them. This is not the
case, and they should take over the current dispatch pointer.
Bug: 135634846
Test: atest bionic
Change-Id: Ifb6f8864a15af9ac7f20d9364c40f73c5dd9d870
The WriteProtected mutator for __libc_globals isn't reentrant.
Previously we were calling __libc_globals.mutate() inside of GWP-ASan's
libc initialisation, which is called inside the __libc_globals.mutate().
This causes problems with malloc_debug and other malloc shims, as they
fail to install when GWP-ASan is sampling their processes.
Bug: 135634846
Test: atest bionic
Change-Id: Iae51faa8d78677eeab6204b6ab4f3ae1b7517ba5
Scudo still isn't quite at the same RSS as jemalloc for the svelte config
so only enable this for normal config.
Bug: 137795072
Test: Built svelte config and verified it is still jemalloc.
Test: Ran performance tests on normal config (bionic benchmarks).
Test: Ran trace tests (system/extras/memory_replay).
Test: Ran scudo unit tests.
Test: Ran bionic unit tests.
Test: Ran libmemunreachable tests.
Test: Ran atest CtsRsBlasTestCases on cuttlefish.
Test: Ran atest AslrMallocTest.
Test: Ran atest CtsHiddenApiKillswitchWildcardTestCases and verified it has
Test: the same runtime as the jemalloc.
Change-Id: I241165feb8fe9ea814b7b166e3aaa6563d18524a
I had hoped that this would then let us remove more of the "introduced
in" annotations, but it looks like that's not really going to happen
until the NDK's minimum supported API is 21.
Also remove a .c file that wasn't referenced anywhere.
Test: treehugger
Change-Id: I8b4a61c082293f8445195a4fa5ee30595d70444e
This patch introduces GWP-ASan - a sampled allocator framework that
finds use-after-free and heap-buffer-overflow bugs in production
environments.
GWP-ASan is being introduced in an always-disabled mode. This means that
GWP-ASan will be permanently disabled until a further patch turns on
support. As such, there should be no visible functional change for the
time being.
GWP-ASan requires -fno-emulated-tls wherever it's linked from. We
intentionally link GWP-ASan into libc so that it's part of the initial
set of libraries, and thus has static TLS storage (so we can use
Initial-Exec TLS instead of Global-Dynamic). As a benefit, this reduces
overhead for a sampled process.
GWP-ASan is always initialised via a call to
mallopt(M_INITIALIZE_GWP_ASAN), which must be done before a process is
multithreaded.
More information about GWP-ASan can be found in the upstream
documentation: http://llvm.org/docs/GwpAsan.html
Bug: 135634846
Test: atest bionic
Change-Id: Ib9bd33337d17dab39ac32f4536bff71bd23498b0
tracefs will be mounted at /sys/kernel/tracing when debugfs
is not mounted.
Bug: 134669095
Test: atest bionic-unit-tests-static
Change-Id: Ic224cf13500efc570da8b6a27ce925bbcf068fdd
For consistency, the linker namespace for apex modules uses its apex name
instead of a hard-coded short name.
Bug: 148826508
Test: m / boot
Change-Id: I4bf565cd528d744fc42841fd2d9f8bf652d4d346
We've optimized the ctype functions to the point where they're pretty
much all down to one instruction. This change takes the obvious next
step of just inlining them.
On Android these functions have only ever been for ASCII. You need the
<wctype.h> functions for non-ASCII.
libc++ currently has its own inlines for the _l variants, so if we want
to just inline them in bionic directly, we'll need to coordinate that.
Bug: http://b/144165498
Test: treehugger plus benchmarks
Change-Id: I4cc8aa96f7994ae710a562cfc9d4f220ab7babd6
Over the last year, LLVM apparently learned how to optimize many
FORTIFY'ed functions. I went through the list of functions it optimizes,
and simplified their implementations here.
This is more than a code health thing; __bos_trivially_ge expands to a
branch that's not eliminated until after inlining, so it can actually
cause some functions (like one of std::string's ctors) to become
uninlineable.
Bug: 148189733
Test: hand-checked the IR we get for each of the changed functions. Many
get optimized to their non-_chk variant when appropriate. Others
will get optimized to non-_chk versions when bos == -1. Bug repro
also now shows all 'inline's.
Change-Id: Ic360818ad9daaeda3958e1282af41087f85122a3
These just cause confusion because they often have different
values/layouts, but they're never actually used.
Test: treehugger
Change-Id: I424034088e017c919f62fcefa7d6d3f903f31cfb
This function will be used by Scudo and GWP-ASan to efficiently collect
stack traces for frames built with frame pointers.
Bug: 135634846
Bug: 135772972
Change-Id: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
Merged-In: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
If we remove the mips uapi headers, versioner fails because it assumes
they're available. We'll need a new versioner prebuilt before we can
remove the libc/versioner-dependencies/mips* symlinks.
Test: treehugger
Change-Id: Ife6df0cb57938f806a31ec334d648df9694c3d17
Add a hook that's called upon file descriptor creation to libc, and a
library that uses it to capture backtraces for file descriptor creation,
to make it easier to hunt down file descriptor leaks.
Currently, this doesn't capture all of the ways of creating a file
descriptor, but completeness isn't required for this to be useful as
long as leaked file descriptors are created with a function that is
tracked. The primary unhandled case is binder, which receives file
descriptors as a payload in a not-trivially-parsable byte blob, but
there's a chance that the leak we're currently trying to track down
isn't of a file descriptor received over binder, so leave that for
later.
Bug: http://b/140703823
Test: manual
Change-Id: I308a14c2e234cdba4207157b634ab6b8bc539dd9
(cherry picked from commit b7eccd4b15)
Many of our header files are very sensitive to the order in which
their #includes appear...
Bug: N/A
Test: N/A
Change-Id: I2c21cac5e9bd49b7e80620d14971af8fefa17e91
mte_supported() lets code efficiently detect the presence of MTE, and
ScopedDisableMTE lets code disable MTE RAII-style in a particular region
of code.
Bug: 135772972
Change-Id: I628a054b50d79f67f39f35d44232b7a2ae166afb
Even with formatting off, clang still tries to rearrange the include
files or the using statements, so disable that too.
Test: Verified that the include directories are not rearranged.
Change-Id: I991a1b2bfa94a8202c5a486664658d654f1c7811
On Android, fcntl is always implemented by fcntl64(2). This means that
an LP32 binary can `fcntl(F_SETLK, struct flock)` (because fcntl64(2)
passes through to the 32-bit fcntl(2) to handle F_SETLK), and it can
also `fcntl(F_SETLK64, struct flock64)`. What it can't do before this
patch is set _FILE_OFFSET_BITS=64 and then `fcntl(F_SETLK, struct
flock)` where that `struct flock` is actually implicitly `struct
flock64`.
Move the kernel uapi structs out of the way, define them ourselves based
on __LP64__ and _FILE_OFFSET_BITS, and fix up the relevant F_ constants.
(Also add a .clang-format to turn off clang-format in libc/include/.)
Bug: N/A
Test: treehugger (and strace!)
Change-Id: Iccd6c83d9133e1efcf93a7b49a6ae0f1bbd3d58b
Use the .clang-format-2 found in system/core instead of this which is
not actually being used.
Also, enable clang-format running by default.
All upstream directories are marked as ignoring formatting so that
their source files are not modified.
Test: NA
Change-Id: Icee6030f373fa5f072df162f97e6f34320e3d89a
In order to support scudo for non-svelte malloc and jemalloc5 for
svelte malloc, do not include jemalloc_new directly. Move that to
the export_include_dirs for libjemalloc5.
Also, change the way to enable scudo so that it only enables it
for the non-svelte config for now.
Bug: 137795072
Test: Builds
Change-Id: I3d68b443fe4d6b21729795649d0dcf66b7e95e03
Until now we've only supported RELR with our own OS-private-use
constants. Add support for the official numbers (while maintaining
support for the historical numbers).
Add tests to ensure we continue to support both indefinitely.
We can't yet flip the build system over to using the official constants
because the old GNU binutils objcopy we still use in most cases (for the
mini-debug section) only supports the historical constants.
Bug: http://b/147452927
Test: treehugger
Change-Id: If214fce7fade4316115947e90b78ab40864b61f2
Fixes includes in heap tagging to ensure that bionic under MTE builds
successfully.
Thanks Kevin for finding this!
Test: TARGET_EXPERIMENTAL_MTE=true mmma bionic
Bug: N/A
Change-Id: Idd1b9ed3737e48a35f8d8628d13e85f1d58f5c93
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).
We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.
If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.
Bug: 135754954
Bug: 147147490
Test: cd bionic && atest .
Change-Id: Ie424325ba1e3c4443040ac265aeaa28d9e405d28
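The top-byte tagging and free-time check described in the commit above, as an added sketch that is not bionic's code. It keeps pointers as 64-bit integers so it runs without TBI hardware; the tag value 0x3C and every function name are assumptions made for the example, and where the commit terminates the process this model returns a result instead.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Constructed values for this demo; the real tag is implementation-dependent.
constexpr unsigned kTagShift = 56;
constexpr uint64_t kDemoTag = 0x3C;
constexpr uint64_t kAddrMask = (1ULL << kTagShift) - 1;

enum class FreeResult { kFreed, kTagMismatch };

// Allocation path: take the address from the underlying allocator and
// insert the tag into the top byte before handing it to the caller.
// Assumes the underlying allocator returns addresses with a zero top byte.
uint64_t tagged_alloc(size_t n) {
  void* p = malloc(n);
  if (p == nullptr) return 0;
  uint64_t addr = static_cast<uint64_t>(reinterpret_cast<uintptr_t>(p));
  return (addr & kAddrMask) | (kDemoTag << kTagShift);
}

// Deallocation path: the tag must still be intact. A mismatch means the
// caller rewrote or truncated the top byte somewhere between malloc and free.
FreeResult checked_free(uint64_t tagged) {
  if (tagged == 0) return FreeResult::kFreed;  // free(NULL) is a no-op
  if ((tagged >> kTagShift) != kDemoTag) return FreeResult::kTagMismatch;
  free(reinterpret_cast<void*>(static_cast<uintptr_t>(tagged & kAddrMask)));
  return FreeResult::kFreed;
}

// Two application patterns that destroy the tag (hypothetical helpers).
// 1. Pointer packing: the app stores its own flag in the "unused" top byte.
uint64_t stash_flag_in_top_byte(uint64_t p, uint8_t flag) {
  return (p & kAddrMask) | (static_cast<uint64_t>(flag) << kTagShift);
}
// 2. Truncation: the app keeps only the low 48 address bits.
uint64_t truncate_to_48_bits(uint64_t p) { return p & 0x0000ffffffffffffULL; }

int main() {
  uint64_t p = tagged_alloc(32);
  printf("tag byte after alloc: 0x%02llx\n",
         static_cast<unsigned long long>(p >> kTagShift));
  printf("free(packed)    -> %s\n",
         checked_free(stash_flag_in_top_byte(p, 0x01)) == FreeResult::kTagMismatch
             ? "tag mismatch" : "freed");
  printf("free(truncated) -> %s\n",
         checked_free(truncate_to_48_bits(p)) == FreeResult::kTagMismatch
             ? "tag mismatch" : "freed");
  printf("free(intact)    -> %s\n",
         checked_free(p) == FreeResult::kFreed ? "freed" : "tag mismatch");
  return 0;
}
```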
setprogname() does a basename, but we were initializing __progname
directly. Stop doing that, and add some tests.
Test: treehugger
Change-Id: I06f306ade4161b2f0c7e314a3b1b30c9420117b7
Updates getifaddrs() to behave as if RTM_GETLINK requests are not
allowed for non-system apps that have their target SDK set to R.
This change will be reverted when kernel changes enforcing this behavior
are merged, and is purely meant to check for potential appcompat issues
beforehand.
Bug: 141455849
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Set up hotspot
Test: Cast from device
Test: Pair Bluetooth device
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.
Test: Repeat above tests with an app that targets Android R.
Change-Id: I472891d3e8a18c86ae478be1bab1048636aa95b4
The previous implementation of getifaddrs() depended on RTM_GETLINK requests being allowed, returning an error otherwise. This change makes getifaddrs() attempt to get all necessary information from RTM_NEWADDR messages when RTM_NEWLINK messages are not available.
The code is functionally the same when RTM_GETLINK requests are allowed. When RTM_GETLINK requests are denied, only interfaces that have a network address are returned, and physical addresses for these interfaces remain unset.
In addition, this change updates the copyright notice because repohooks asked nicely.
Bug: 141455849
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Set up hotspot
Test: Cast from device
Test: Pair Bluetooth device
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.
Change-Id: Ia47e037d181ca5df6d9fdae19b405cabfafc6b0f
Use O_PATH like musl to let the kernel do the hard work, rather than the
traditional BSD manual scheme.
Also add the most obvious missing tests from reading the man page, plus
a non-obvious test for deleted files.
Bug: http://b/131435126
Test: treehugger
Change-Id: Ie8a8986fea55f045952a81afee377ce8288a49d5
The BSD "Not a typewriter" translation of ENOTTY looks very weird in
2020. The glibc "Inappropriate ioctl for device" is more generic, and
so much less likely to be inappropriate.
Test: strace on a failed fs ioctl
Change-Id: Iad374d6b91ca9f2e4fa1079986fd698feef8359f
Particularly to document why both this and liblog exist, when they do
essentially the same thing.
Test: n/a
Change-Id: I216194402a12270cfbb6bc9b840d054dc9c1dc16
This patch adds a case for the profiling signal handler (previously just
for native heapprofd profiling) when si_value == 1, corresponding to
traced_perf being the requesting party.
The handler opens /proc/self/{maps,mem}, connects to (init-created)
/dev/socket/traced_perf, and then sends the fds over the socket.
Everything happens synchronously within the signal handler. Socket is
made non-blocking, and we do not retry.
Bug: 144281346
Change-Id: Iea904694caeefe317ed8818e5b150e8819af91c2
This patch refactors heapprofd_malloc to make it easier to reuse the
reserved signal for multiple purposes. We define a new generic signal
handler for profilers, which dispatches to more specific logic based on
the signal's payload (si_value).
The profiler signal handler is installed during libc preinit, after
malloc initialization (so races against synchronous heapprofd
initialization need not be considered). In terms of code organization, I
copied the existing approach with a loosely referenced function in
bionic_globals.h. Do tell if you'd rather a different approach here.
The profileability of a process is quite tied to the malloc
files/interfaces in bionic - in particular, it's set through
android_mallopt. I do not change that, but instead introduce a new
android_mallopt option to be able to query profileability of the
process (which is now used by the new profiler signal handler). As part
of that, gZygoteChildProfileable is moved from heapprofd_malloc to
common (alongside gZygoteChild).
I've removed the masking and reraising of the heapprofd signal when
racing against malloc_limit init. We're ok with taking a simpler
approach and dropping the heapprofd signal in such an unlikely race.
Note: this requires a corresponding change in heapprofd to use sigqueue()
instead of kill(), as the latter leaves the si_value uninitialized(?) on
the receiving side.
Bug: 144281346
Change-Id: I93bb2e82cff5870e5ca499cf86439860aca9dfa5
This is attempt number two, all known failures and issues have
been fixed.
Bug: 137795072
Test: Built both svelte and non-svelte versions. Ran enormous numbers
Test: of performance testing.
Test: Ran scudo unit tests.
Test: Ran bionic unit tests.
Test: Ran libmemunreachable tests.
Test: Ran atest CtsRsBlasTestCases on cuttlefish instance.
Change-Id: Ib0c6ef38b63b7a1f39f4431ed8414afe3a92f9b5
This reverts commit 74cdb253ba.
Chromium (and thus WebView) no longer uses Breakpad for crash reporting,
so the old compat syscalls that were whitelisted for Breakpad can be
moved back to the APP list.
Test: `am start com.android.settings/.SettingsLicenseActivity`
Test: Get the pid of the sandboxed_process0 for the license viewer.
Test: Send the process SIGABRT and check logcat for Crashpad log
messages.
Bug: 115557900
Change-Id: I877ebe6bfabec544e58723b2e9a2f84c9cbf0a57
This supports the soong commit which causes most platform binaries to stop
statically linking against the unwinder implementation. The soong commit
message has more motivation for this change.
ARM32 uses LLVM libunwind, while all other platforms use libgcc as the
unwinder implementation. This matches the current choices of unwinders on
the various architectures, but means that apps which were directly linking
against the libc.so unwinder symbols on ARM32 are now using LLVM libunwind
instead of libgcc.
Set libc_headers sdk_version to 1 so that libunwind_llvm can depend on it,
and stop statically linking libunwind into libc_malloc_debug.
Bug: 144430859
Change-Id: I52c7f7893d93f500383aeb0b76086c3b6f1935a5
This doesn't add any functionality for now, but there are
a couple of changes in flight that will want to add enumerators
to the mallopt, so let's give them a place to add them.
Bug: 135772972
Bug: 135754954
Change-Id: I6e810020f66070e844500c6fa99b703963365659
/system_ext/bin has executable binaries. They must be in the shell
search path.
Bug: 134909174
Bug: 134359158
Test: check PATH in the adb shell
Change-Id: I997a2347fa85c444f2e335bede0d63b7703ba001
This commit adds `__VERSIONER_FORTIFY_INLINE` to fortify overload
functions. Fortified functions are always overloaded and are likely to
be different from `libc.map.txt`.
Bug: 118991081
Test: source development/vndk/tools/header-checker/android/envsetup.sh && \
source build/envsetup.sh && \
lunch aosp_arm64-userdebug && \
m versioner && \
./bionic/tools/versioner/run_tests.py
Change-Id: I28903d0f039d74a07eb2833c754ff017335bac95
This commit fixes an error in fortified `sendto` function. Since
`__sendto_chk` is only introduced in API 26, the usage should be guarded
with `__ANDROID_API__ >= 26` instead of
`__ANDROID_API__ >= __ANDROID_API_N_MR1__` (25).
Bug: 118991081
Test: source development/vndk/tools/header-checker/android/envsetup.sh && \
source build/envsetup.sh && \
lunch aosp_arm64-userdebug && \
m versioner && \
./bionic/tools/versioner/run_tests.py
Change-Id: Ibc08244645c3fe76a72d0107138f67ffd56f5caa
This commit removes several symbol versions (API 14 and 15) from
`libc.map.txt` because we no longer support NDK with those API levels.
This also matches the versioner annotations in the header files.
This commit also annotates twalk() with __INTRODUCED_IN(21). It was
accidentally removed in aosp/1157510.
Test: source development/vndk/tools/header-checker/android/envsetup.sh && \
source build/envsetup.sh && \
lunch aosp_arm64-userdebug && \
m versioner && \
./bionic/tools/versioner/run_tests.py
Change-Id: I211fe5b7b1b66793d5e76a8676f9d18825f96b5e
Historically we've made a few mistakes where they haven't matched the
right number. And most non-Googlers are much more familiar with the
numbers, so it seems to make sense to rely more on them. Especially in
header files, which we actually expect real people to have to read from
time to time.
Test: treehugger
Change-Id: I0d4a97454ee108de1d32f21df285315c5488d886
This reverts commit 6ffbe97859.
Reason for revert: Droidcop-triggered revert due to breakage b/146543543
Change-Id: Ie9a5b2f6ca5dbc8d3c6cafe70e34838d74e45c56
Bug: 146543543
Bug: 137795072
Test: Built both svelte and non-svelte versions. Ran enormous numbers
Test: of performance testing.
Test: Ran scudo unit tests.
Test: Ran bionic unit tests.
Change-Id: Iec6c98f2bdf6e0d5a6d18dff0c0883fac391c6d5
This CL exports bionic/libc/kernel/android/scsi directory
to enable the usage of header files (e.g. sg.h) on that directory.
Test: Build AOSP 1187028
Change-Id: If580fcbc67378fab42d4f14cca1de337b603b673
Update generate_uapi_headers.sh to checkout the android mainline
kernel. Also, add a small modification to look for the kernel directory
in common not linux-stable.
Remove deprecated android headers from android/uapi/linux. Also,
remove f_accessory.h since it's in the android mainline kernel.
Test: Builds and runs on walleye.
Change-Id: Ia371305e19f56e6bcc2db6d5b4d299819f07ffc6
We are about to introduce code into ndk_cruft that uses dlfcn.h, which isn't
available in static executables. Besides, none of the users of libc.a ought
to be depending on ndk_cruft anyway.
Bug: 144430859
Change-Id: Ic1f2e554e1fdbfee768c859acac032c1306d71fc
This is a no-op (kernel returns -EINVAL) if the kernel doesn't understand
the prctl.
Bug: 144799191
Change-Id: I8708e92e31d7a60b2847ae2bc242e46dafb77680
In configs like ASAN, we can't use _chk functions. This CL builds off of
previous work to allow us to still emit diagnostics in conditions like
these.
Wasn't 100% sure what a good test story would look like here. Opinions
appreciated.
Bug: 141267932
Test: checkbuild on internal-master. TreeHugger for x86_64.
Change-Id: I65da9ecc9903d51a09f740e38ab413b9beaeed88
We have data that indicates that we no longer need to export the libgcc
unwinder's implementation detail symbols from libc.so, as well as the entire
unwinder interface from libm.so, so stop exporting them.
Bug: 144430859
Change-Id: Iebb591c4a121abe6368d9854ec96819abe70a006
malloc debug and malloc hooks have been broken for a long time
and no one noticed. So add them to be run by default on bionic
changes since that provides the most coverage.
Change the malloc debug and malloc hooks tests to support isolated
runs.
Changed the name of the malloc hooks unit tests to system tests
because they weren't really unit tests.
Changed the verify leak malloc debug tests to print out extra
information so it is possible to figure out what sized allocation
failed.
Test: Ran tests.
Change-Id: Idea4c864f1d62598148ee78d7c9397e45234b1ca
For reasons explained in the code comment, go back to roughly our old
code. The "new" tests are just the old tests resurrected.
This also passes the current toybox xargs tests, which were the
motivation for going back on our earlier decision.
Test: bionic and toybox tests
Change-Id: I33cbcc04107efe81fdbc8166dc9ae844e471173e
Currently, scudo doesn't call libc's malloc initialisers. This causes
problems with any functionality that relies on an initialised __libc_globals
inside of bionic malloc's stubs (e.g. malloc()).
This manifests in two ways (that I can think of):
1. Dispatch tables don't work with scudo, so malloc_debug has never
worked in an executable linked against scudo.
2. Allocators that require initialisation and are called from bionic
malloc's stubs (GWP-ASan) never get initialised.
Bug: 135634846
Test: atest bionic-unit-tests-scudo
Change-Id: I3e3344d7d510ce4e8d3709cd69c8cb0fe5adedda
pthread_atfork may call malloc() during its once-init. This causes
problems with allocators (GWP-ASan) that require explicit initialisation
before calls to malloc().
Bug: 135634846
Test: atest bionic
Change-Id: I1810a00465db99d5aa34fa6f74dea5908a628d3a
The APIs that are tagged with # vndk are actually for LLNDK libraries.
Although LLNDK is part of VNDK, calling those APIs 'vndk' has given
users a wrong perception that the APIs don't need to be kept stable
because that's the norm for most of the VNDK libraries that are not
LLNDK.
In order to eliminate the misunderstanding, rename the tag to 'llndk' so
that people introducing new such API will realize what they are signing
themselves up for.
Bug: 143765505
Test: m
Merged-In: I56e49876410bd43723a80d0204a9aef21d20fca9
(cherry picked from commit 3e2cd44aa4)
Change-Id: I56e49876410bd43723a80d0204a9aef21d20fca9
This library was previously being statically linked into both libraries as a
consequence of the relocation to __aeabi_unwind_cpp_prX present in most object
files. However, after LLVM commit 1549b469, we no longer emit these relocations
on Android, so we need to link the library explicitly with --whole-archive. The
intent is to eventually stop linking libgcc into these libraries altogether,
but for now, we need to keep linking them in order to avoid breaking the build.
Change-Id: I275109527b7cbd6c4247b3fe348975d720626273
Right now, when we read a system property, we first (assuming we've
already looked up the property's prop_info) read the property's serial
number; if we find that the low bit (the dirty bit) in the serial
number is set, we futex-wait for that serial number to become
non-dirty. By doing so, we spare readers from seeing partially-updated
property values if they race with the property service's non-atomic
memcpy to the property value slot. (The futex-wait here isn't
essential to the algorithm: spinning while dirty would suffice,
although it'd be somewhat less efficient.)
The problem with this approach is that readers can wait on the
property service process, potentially causing delays due to scheduling
variance. Property reads are not guaranteed to complete in finite time
right now.
This change makes property reads wait-free and ensures that they
complete in finite time in all cases. In the new approach, we prevent
value tearing by backing up each property we're about to modify and
directing readers to the backup copy if they try to read a property
with the dirty bit set.
(The wait freedom is limited to the case of readers racing against
*one* property update. A writer can still delay readers by rapidly
updating a property --- but after this change, readers can't hang due
to PID 1 scheduling delays.)
I considered adding explicit atomic access to short property values,
but between binary compatibility with the existing property database
and the need to carefully handle transitions of property values
between "short" (compatible with atomics) and "long" (incompatible
with atomics) length domains, I figured the complexity wasn't worth it
and that making property reads wait-free would be adequate.
Test: boots
Bug: 143561649
Change-Id: Ifd3108aedba5a4b157b66af6ca0a4ed084bd5982
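The backup-copy scheme described in the commit above, as an added single-slot model that is not bionic's code. The struct layout, the serial encoding (bit 0 dirty, top byte length) and all names are assumptions for the example, and the writer's steps are driven from one thread so that the reader can be observed deterministically while an update is half done.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

constexpr size_t kValueMax = 92;  // constructed slot size for the demo

struct PropSlot {
  std::atomic<uint32_t> serial{0};  // bit 0: dirty; bits 24..31: value length
  char value[kValueMax] = {};       // primary copy, overwritten non-atomically
  char backup[kValueMax] = {};      // intact pre-update copy, valid while dirty
};

static size_t serial_len(uint32_t s) { return s >> 24; }
static bool serial_dirty(uint32_t s) { return (s & 1u) != 0; }

void set_initial(PropSlot& p, const char* v) {
  size_t len = strlen(v);
  memcpy(p.value, v, len + 1);
  p.serial.store(static_cast<uint32_t>(len << 24), std::memory_order_release);
}

// Writer step 1: save the current value, then expose the dirty bit. The fence
// publishes the backup before any reader can observe a dirty serial.
void begin_update(PropSlot& p) {
  uint32_t s = p.serial.load(std::memory_order_relaxed);
  memcpy(p.backup, p.value, serial_len(s) + 1);
  std::atomic_thread_fence(std::memory_order_release);
  p.serial.store(s | 1u, std::memory_order_relaxed);
}

// Writer step 2: plain byte copy into the primary slot; a reader may run
// while only part of it has landed.
void write_bytes(PropSlot& p, const char* src, size_t n) {
  memcpy(p.value, src, n);
}

// Writer step 3: terminate the value, then publish a clean serial carrying
// the new length. Odd serial + 1 clears the dirty bit.
void finish_update(PropSlot& p, size_t len) {
  p.value[len] = '\0';
  uint32_t s = p.serial.load(std::memory_order_relaxed);
  std::atomic_thread_fence(std::memory_order_release);
  p.serial.store(static_cast<uint32_t>(len << 24) | ((s + 1u) & 0x00ffffffu),
                 std::memory_order_relaxed);
}

// Reader: never sleeps on the writer. A dirty serial redirects the copy to
// the backup; the loop repeats only if the serial changed during the copy.
std::string read_value(const PropSlot& p) {
  char buf[kValueMax];
  size_t len = 0;
  uint32_t next = p.serial.load(std::memory_order_acquire);
  uint32_t s;
  do {
    s = next;
    len = serial_len(s);
    memcpy(buf, serial_dirty(s) ? p.backup : p.value, len + 1);
    std::atomic_thread_fence(std::memory_order_acquire);
    next = p.serial.load(std::memory_order_relaxed);
  } while (s != next);
  return std::string(buf, len);
}

struct Observed { std::string before, torn_primary, during, after; };

Observed run_demo() {
  PropSlot p;
  set_initial(p, "stopped");
  Observed o;
  o.before = read_value(p);
  begin_update(p);
  write_bytes(p, "runn", 4);   // writer is descheduled mid-copy
  o.torn_primary = p.value;    // what a reader of the primary slot would get
  o.during = read_value(p);    // dirty bit set: served from the backup
  write_bytes(p, "running", 7);
  finish_update(p, 7);
  o.after = read_value(p);
  return o;
}

int main() {
  Observed o = run_demo();
  printf("before=%s torn_primary=%s during=%s after=%s\n", o.before.c_str(),
         o.torn_primary.c_str(), o.during.c_str(), o.after.c_str());
  return 0;
}
```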
aosp/144287300 set it to a global cppflag.
The compiler upgrade can now check for this warning in C code.
This patch should be reverted once the BSD sources with instances of
-Wimplicit-fallthrough have been fixed.
Remove it from cflags, so that it's not re-enabled for C code until
fixed.
Bug: 139945549
Bug: 144287300
Test: mm
Change-Id: Ieca0d5b41634636477392e5209a41807f9b44bd4
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
libc++ poisons `__out` because it's #defined on Windows. Rather than
hack libc++, let's just avoid that name. "src" and "dst" are far more
widely used than "in" and "out" for this purpose anyway.
Test: treehugger
Change-Id: I0db9997fd5f06f626dbf0ee967b52145395466b4
I have no idea why I used the iterate name internally which is
completely unlike every other function name. Change this to match
everyone else so that it's now malloc_iterate everywhere.
This is probably the last chance to change this before mainline
modules begin, so make everything consistent.
Test: Compiles, unit tests pass.
Change-Id: I56d293377fa0fe1a3dc3dd85d6432f877cc2003c
This reverts commit d7e11b8853.
Reason for revert: Breaks aosp_x86_64-eng. Will look into it and
unbreak when it's not almost midnight. :)
Change-Id: I21f76efe4d19c70d0b14630e441376d359a45b49
When using a FILE object for some malloc debug functions, calling
fprintf will trigger an allocation to be put in the object. The problem
is that these allocations were not allocated by the malloc debug
wrapper and they get freed during the fclose as if they are malloc
debug allocation. In most cases, the code will detect the bad pointer
and leak the memory, but it might also cause a crash.
The fix is to avoid using fprintf so that no allocations are made
in the object that survive and need to be freed in the fclose call.
Change the MallocXmlElem.h to use a file descriptor not a FILE object.
Add new unit and system tests to detect this case.
Bug: 143742907
Test: Ran unit and system tests.
Test: Ran bionic unit tests.
Change-Id: I524392de822a29483aa5be8f14c680e70033eba2
Using ifuncs allows the linker to select faster versions of libc functions
like strcmp, making linking faster.
The linker continues to first initialize TLS, then call the ifunc
resolvers. There are small amounts of code in Bionic that need to avoid
calling functions selected using ifuncs (generally string.h APIs). I've
tried to compile those pieces with -ffreestanding. Maybe it's unnecessary,
but maybe it could help avoid compiler-inserted memset calls, and maybe
it will be useful later on.
The ifuncs are called in a special early pass using special
__rel[a]_iplt_start / __rel[a]_iplt_end symbols. The linker will encounter
the ifuncs again as R_*_IRELATIVE dynamic relocations, so they're skipped
on the second pass.
Break linker_main.cpp into its own liblinker_main library so it can be
compiled with -ffreestanding.
On walleye, this change fixes a recent 2.3% linker64 start-up time
regression (156.6ms -> 160.2ms), but it also helps the 32-bit time by
about 1.9% on the same benchmark. I'm measuring the run-time using a
synthetic benchmark based on loading libandroid_servers.so.
Test: bionic unit tests, manual benchmarking
Bug: none
Merged-In: Ieb9446c2df13a66fc0d377596756becad0af6995
Change-Id: Ieb9446c2df13a66fc0d377596756becad0af6995
(cherry picked from commit 772bcbb0c2)
The shadowing of `ai` meant that the freeaddrinfo() call outside the
loop would never see anything but NULL.
Bug: https://issuetracker.google.com/143928781
Test: treehugger
Change-Id: I1bf137f7933201eb8024603bfd569ff7bbc7f9b7
The underlying descriptor is supposed to be closed when the ScopedFd
goes out of scope but due to a typo in reset() that never happens.
This change was inspired by an earlier implementation of ScopedFd in:
04dc91ae7 Load library using file handle.
Issue: 143918215
Test: Manual (verify fd usage on device)
Change-Id: I5664fa82d3e732113732e34a7ae6df3ca79d3cee
Also remove the __INTRODUCED_IN(16)s, since we don't support anything
lower than 16.
Test: treehugger
Change-Id: I2cbd023d211a0f0ddf27251071caa29839c671a8
Remove some __INTRODUCED_IN(16)s, since we don't support anything lower
than 16, so that's a no-op. And add the missing doc comments to those
headers while we're there.
Test: treehugger
Change-Id: I0328c530675564f0f1124bd483da05ad06df3507
In configs like ASAN, we can't use _chk functions. This CL builds off of
previous work to allow us to still emit diagnostics in conditions like
these.
Wasn't 100% sure what a good test story would look like here. Opinions
appreciated.
Bug: 141267932
Test: checkbuild on internal-master
Change-Id: I8d4f77d7b086a8128a18a0a0389243d7fa05b00f
This will activate code in bionic that uses the experimental MTE
userspace interface.
Bug: 135772972
Change-Id: I9ac641b9528de5376cdb920bee0e900a1b1fa9c2
This is actually for the new change I'm working on, but let's retrofit
it first to separate any bugs in these changes from those in the new
change...
Test: treehugger
Change-Id: I890aeb61f9792810a77ad0da3f9674c9cc5db7bb
This flag prevents the compiler from inserting calls to libc functions in
the ifunc resolver code, which will definitely cause problems if the libc
function is itself an ifunc, but other calls that use the PLT may also be
affected, since libc may not have been fully resolved yet. As it turns out,
newer versions of clang will insert calls to memcmp in the body of the
init_cpu_variant() function in arch-arm/dynamic_function_dispatch.cpp.
Change-Id: I91f18d450835adc4b74565e9f48d5834f594a0c4
r334928 | kib | 2018-06-10 10:54:44 -0700 (Sun, 10 Jun 2018) | 16 lines
libc qsort(3): stop aliasing.
Qsort swap code aliases the sorted array elements to ints and longs in
order to do swap by machine words. Unfortunately this breaks with the
full code optimization, e.g. LTO.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83201 which seems to
reference code directly copied from libc/stdlib/qsort.c.
PR: 228780
Reported by: mliska@suse.cz
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D15714
Test: treehugger
Change-Id: Iac608b13bbf8a2dcb48c935a7871c0d2f05bff79
As it turns out, our "generic" arm64 implementations of certain string.h
functions are not actually generic, since they will eagerly read memory
possibly outside of the bounds of an MTE granule, which may lead to a segfault
on MTE-enabled hardware. Therefore, move the implementations into a "default"
directory and use ifuncs to select between them and a new set of "mte"
implementations, conditional on whether the hardware and kernel support MTE.
The MTE implementations are currently naive implementations written in C
but will later be replaced with a set of optimized assembly implementations.
Bug: 135772972
Change-Id: Ife37c4e0e6fd60ff20a34594cc09c541af4d1dd7
r293856 | brooks | 2016-01-13 13:50:08 -0800 (Wed, 13 Jan 2016) | 10 lines
Avoid reading past the end of the source buffer when it is not NUL
terminated.
If this buffer is adjacent to an unmapped page or a version of C with
bounds checked is used this may result in a crash.
PR: 206178
Submitted by: Alexander Cherepanov <cherepan@mccme.ru>
MFC after: 1 week
and
r293855 | brooks | 2016-01-13 13:49:01 -0800 (Wed, 13 Jan 2016) | 10 lines
Avoid reading past the end of the source buffer when it is not NUL
terminated.
If this buffer is adjacent to an unmapped page or a version of C with
bounds checked is used this may result in a crash.
PR: 206177
Submitted by: Alexander Cherepanov <cherepan@mccme.ru>
MFC after: 1 week
Test: treehugger
Change-Id: I3f7b9e6d0648574d2836f7721dfe47c1bae146de
r342757 | kevans | 2019-01-03 19:13:24 -0800 (Thu, 03 Jan 2019) | 19 lines
getopt_long(3): fix case of malformed long opt
When presented with an arg string like '-l-', getopt_long will successfully
parse out the 'l' short option, then proceed to match '--' against the first
longopts entry as it later does a strncmp with len=0. This latter bit is
arguably another bug in itself, but presumably not a practical issue as all
callers of parse_long_options are already doing the right thing (except this
one pointed out).
An opt string like '-l-' should be considered malformed and throw a bad
argument rather than behaving as if '--' were passed. It cannot possibly do
what the invoker expects, and it's probably the result of a typo (ls -l- a)
rather than any intent.
Reported by: Tony Overfield <toverfield@yahoo.com>
Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18616
Test: treehugger
Change-Id: I593713bc35d70eb1975c9d7587528f2b3f9731af
r325389 | kib | 2017-11-04 03:52:58 -0700 (Sat, 04 Nov 2017) | 7 lines
C++17 requires quick_exit(3) to be async-signal safe.
Make it safe, and update man page with the useful information.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Test: treehugger
Change-Id: Idf84b1f1e360c031b0e39d5f6e80d17308db1940
Upstream keeps rearranging the deckchairs for these, so let's just
switch to the [roughly] one-liners rather than track that...
Test: treehugger
Change-Id: If655cf7a7f316657de44d41fadd43a8c55ee6f23
In order for an ifunc resolver to detect the presence of certain CPU features,
access to getauxval(AT_HWCAP) or getauxval(AT_HWCAP2) may be required. In order
for getauxval() to work, it needs to access the pointer to the auxiliary vector
stored by the linker in the libc shared globals data structure. Accessing the
shared globals requires libc to call the __libc_shared_globals() function
exported by the linker. However, in order to call this function, libc must
be fully relocated, which is not guaranteed to be the case at the point when
ifunc resolvers are called.
glibc solves this problem by passing the values of getauxval(AT_HWCAP)
(and getauxval(AT_HWCAP2) on aarch64) as arguments to the ifunc resolver.
Since this seems to be not only the most straightforward way to solve the
problem but also improves our compatibility with glibc, we adopt their
calling convention.
This change is ABI compatible with old resolvers because the arguments are
passed in registers, so the old resolvers will simply ignore the new arguments.
Bug: 135772972
Change-Id: Ie65bd6e7067f0c878df3d348c815fda61dc12de2
arm32 has two special APIs to find exidx exception handling info,
dl_unwind_find_exidx and __gnu_Unwind_Find_exidx. The two functions have
identical behavior and function prototypes. libgcc's arm32 unwinder calls
__gnu_Unwind_Find_exidx, whereas LLVM's libunwind previously called
__gnu_Unwind_Find_exidx, but switched to dl_unwind_find_exidx as a result
of three patches (D30306, D30681, D39468).
In Bionic, for dynamic linking, __gnu_Unwind_Find_exidx in libc.so calls
dl_unwind_find_exidx in libdl.so.
For static executables, though, __gnu_Unwind_Find_exidx in libc.a used the
__exidx_* symbols, while dl_unwind_find_exidx in libdl.a(libdl_static.o)
was a return-0 no-op.
To fix the LLVM unwinder, replace the no-op dl_unwind_find_exidx in
libdl.a with a real function in libc.a(exidx_static.o), and have the GNU
function call the dl function for more consistency with dynamic linking.
dl_iterate_phdr follows a similar pattern, where the function exists in
libc.a and libdl.so (not libc.so or libdl.a).
This change makes unwinding work with an updated libunwind_llvm on arm32,
and it helps to allow unwinding in static executables without libdl.a.
Bug: https://github.com/android/ndk/issues/1094
Bug: http://b/141485154
Test: NDK tests, bionic unit tests
Change-Id: Ieeeb9b39a0e28544e21f9afe6fe51ef10d7c828c
At heart a revert of "Don't #define __ANDROID_NDK__ for the platform build!",
which was commit eb61430374.
The original change was insufficiently motivated, and meant that the
NDK -- not just the platform -- no longer defines __ANDROID_NDK__. Which
then broke at least building toybox with NDK r19.
Change-Id: Ic616688e4d17d25714a9ef381269d7431deac9b0
* changes:
libc: remove now-unused FORTIFY functions
fortify: remove last uses of __bos_trivially_not*
fortify(string): emit diagnostics regardless of API level
fortify(fcntl): emit diagnostics regardless of API level
As of I2037548cc2061e46c379931588194c21dfe234b4, these are no longer
used. Since they're new in R, we can remove them instead of keeping
backwards compat 'forever'. Take that opportunity now.
Bug: 141267932
Test: TreeHugger
Change-Id: I13f94cdcff6e75ad19b964be76445f113f79559b
Since we're using the gt/ge ones a lot now, having `not` versions
probably just adds to confusion. Swap out their remaining uses and
delete them.
Bug: 141267932
Test: m checkbuild on internal-master
Change-Id: I2107ae65007a4995e4fa23371fefe4db7547f43b
HWASan-instrumented code needs TLS_SLOT_SANITIZER set up to run, and
that is not done until the new thread calls __hwasan_thread_enter. Block
all signals until that time to prevent hwasan-instrumented signal
handlers running (and crashing) on the new thread.
Bug: 141893397
Test: seq 0 10000000 | xargs -n 1 -P 200 adb shell am instrument \
-w -r -e command grant-all \
com.android.permissionutils/.PermissionInstrumentation
(cherry picked from commit d181585dd5)
Change-Id: Id65fae836edcacdf057327ccf16cf0b5e0f9474a
The libs are not available for platform. Thus removing
'//apex_available:platform' from the apex_available property. However,
since there are test modules that statically link the libs, we
exceptionally make the static variant of the libs available to the
platform.
Test: m
Test: mm under bionic does not create
out/target/product/<name>/system/lib[64]/libc_malloc_[debug|hooks].so
Change-Id: Ia6d473658c4231b04b5db511f9dacbbdf0f207b0
The bionic libs are now restricted to be in the runtime APEX and the
platform (for bootstrapping). It can still be referenced from other
APEXes but can't be included there.
Bug: 139870423
Test: m
Change-Id: I7f99eef27ccf75844ca5c9a7ea866496841b738f
The NDK doesn't support anything older than API level 16, so remove some
more clutter.
Test: builds
Change-Id: If257a27841396af001b089b7ae0fbd8c3e0128e4
The NDK only supports >= 16, so remove anything older than that to avoid
giving the misleading impression that such old targets are still
supported.
(This change doesn't touch <unistd.h>. I'll follow up with that once the
outstanding FORTIFY changes to that file are in.)
Test: builds
Change-Id: I6cc6ecdb99fe228a4afa71f78e5fd45309ba9786
Refactor some of the definitions to separate out all of the native
allocator pieces into one place that can be changed easily. This
should fix a few static libraries that appear to have accidentally
included jemalloc wrapper functions. For example, I verified that
libc_nomalloc.a no longer has references to any je_XXX functions.
Modify the bionic_libc_platform_headers to not include any libraries.
If this isn't updated, soong thinks there are cycles when used by
libscudo.
To enable scudo, change the libc_native_allocator_defaults defaults
from libc_jemalloc5_defaults to libc_scudo_defaults and comment out
the defaults: ["libc_scudo_wrapper_defaults"], line for the shared
library libc_scudo.
To do a final switch to scudo, it will be necessary to clean up
some code in other parts of the tree, but this allows a single cl
to enable or disable.
Bug: 137795072
Test: Builds with jemalloc or scudo with a small change.
Test: Ran bionic unit tests.
Change-Id: I07bb5432a0d2b2f405f92412e8d04fb9c9e51b31
Merged-In: I07bb5432a0d2b2f405f92412e8d04fb9c9e51b31
(cherry picked from commit ccff1b19ef)
The tables in the BSD tolower/toupper are slower for ASCII than just
doing the bit twiddling.
We can't actually remove the tables on LP32, so move them into the
"cruft" we keep around for backwards compatibility (but remove them for
LP64 where they were never exposed).
I noticed that the new bit-twiddling tolower(3) was performing better
on arm64 than toupper(3). The 0xdf constant was requiring an extra MOV,
and there isn't a BIC that takes an immediate value. Since we've already
done the comparison to check that we're in the right range (where the
bit is always set), though, we can EOR 0x20 to get the same result as
the missing BIC 0x20 in just one instruction.
I've applied that same optimization to towupper(3) too.
Before:
BM_ctype_tolower_n 3.30 ns 3.30 ns 212353035
BM_ctype_tolower_y 3.31 ns 3.30 ns 211234204
BM_ctype_toupper_n 3.30 ns 3.29 ns 214161246
BM_ctype_toupper_y 3.29 ns 3.28 ns 207643473
BM_wctype_towupper_ascii_n 3.53 ns 3.53 ns 195944444
BM_wctype_towupper_ascii_y 3.48 ns 3.48 ns 199233248
After:
BM_ctype_tolower_n 2.93 ns 2.92 ns 242373703
BM_ctype_tolower_y 2.88 ns 2.87 ns 245365309
BM_ctype_toupper_n 2.93 ns 2.93 ns 243049353
BM_ctype_toupper_y 2.89 ns 2.89 ns 245072521
BM_wctype_towupper_ascii_n 3.34 ns 3.33 ns 212951912
BM_wctype_towupper_ascii_y 3.29 ns 3.29 ns 214651254
(Why do both the "y" and "n" variants speed up with the EOR
change? Because the compiler transforms the code so that we
unconditionally do the bit twiddling and then use CSEL to decide whether
or not to actually use the result.)
We also save 1028 bytes of data in the LP64 libc.so.
Test: ran the bionic benchmarks and tests
Change-Id: I7829339f8cb89a58efe539c2a01c51807413aa2d
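The AND-versus-XOR equivalence from the commit message above, checked exhaustively. This is an added example, not the bionic source: the tw_* functions, unchecked_xor() and mismatches() are hypothetical names, and the `c | 0x20` form of tolower is an assumption about what "bit twiddling" means here.

```c
#include <ctype.h>
#include <stdio.h>

/* Table-free ASCII lowercase: set bit 5 for 'A'..'Z' (assumed form). */
static int tw_tolower(int c) {
    return (c >= 'A' && c <= 'Z') ? (c | 0x20) : c;
}

/* Clear bit 5 with an AND mask: the 0xdf form that needed an extra MOV. */
static int tw_toupper_and(int c) {
    return (c >= 'a' && c <= 'z') ? (c & 0xdf) : c;
}

/* Flip bit 5 with XOR: valid only because the range check proves it is set. */
static int tw_toupper_xor(int c) {
    return (c >= 'a' && c <= 'z') ? (c ^ 0x20) : c;
}

/* XOR without the range check, to show that the check carries the correctness. */
static int unchecked_xor(int c) { return c ^ 0x20; }

/* Wrappers so the libc versions can be passed as plain function pointers. */
static int libc_toupper(int c) { return toupper(c); }
static int libc_tolower(int c) { return tolower(c); }

/* Count inputs in [EOF, 255] (EOF assumed to be -1) where f and g disagree. */
static int mismatches(int (*f)(int), int (*g)(int)) {
    int n = 0;
    for (int c = -1; c <= 255; c++)
        if (f(c) != g(c)) n++;
    return n;
}

int main(void) {
    /* Runs in the default "C" locale, where only ASCII letters change case. */
    printf("xor vs libc toupper: %d\n", mismatches(tw_toupper_xor, libc_toupper));
    printf("and vs xor:          %d\n", mismatches(tw_toupper_and, tw_toupper_xor));
    printf("tolower vs libc:     %d\n", mismatches(tw_tolower, libc_tolower));
    printf("unchecked xor:       %d\n", mismatches(unchecked_xor, libc_toupper));
    return 0;
}
```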
There are places in frameworks and art code that directly included
private bionic header files. Move these files to the new platform
include files.
This change also moves the __get_tls.h header file to tls.h and includes
the tls defines header so that there is a single header that platform
code can use to get __get_tls and the defines.
Also, simplify the visibility rules for platform includes.
Bug: 141560639
Test: Builds and bionic unit tests pass.
Change-Id: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
Merged-In: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
(cherry picked from commit 44631c919a)
The accompanying soong change causes sanitize attributes to be allowed on
cc_object targets and propagates sanitize attributes into dependencies. This
is problematic for the crt objects in sanitizer builds because everything
depends on them including the sanitizer runtime, so a circular dependency
would otherwise be created. Furthermore, some of the code in these objects
runs before sanitizer initialization so it is unlikely that sanitizing them
would work anyway. Therefore, disable sanitization on these objects.
Change-Id: I25380dfc8eed5db34b034ba127a9d6b5674032fa
We're going to have to add ifuncs to libm, and there will be some SVE
ones for arm64 soon too, so let's start sharing the absolute minimum...
Test: builds
Change-Id: Idbb9dd9477291ed3c15dc3902f65e593b766dfb9
Clang recently grew its own diagnostics for memcpy and such. These are
generally higher-quality than what we can do with diagnose_if, since
clang is happy to include e.g., sizes of things per-callsite. Move to
those instead where applicable.
Bug: 131861088, 123644155
Test: blueline internal-master checkbuild; treehugger
Change-Id: I701f5a8b247ba2948ca47fdc60ff5198b564c03e
Instead of having platform directories directly include the
private header, create a platform header directory and export it.
Bug: 130763340
Test: Builds.
Change-Id: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
Merged-In: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
(cherry picked from commit 8f582ef2f8)
Add a test for the new flag and add a test for the EFD_CLOEXEC flag.
Test: New unit tests pass on glibc and target.
Change-Id: Ib7a6ea4aadbd67ba8a523b6114a49fb8d6a43f12
This commit replaces `bzero` with `__bionic_bzero` and `bcopy` with
`__bionic_bcopy` because `bzero` and `bcopy` are partially defined in
`libc.map.txt`. Bionic versioner raises errors because versioner treats
static inline functions as exported function definitions and then
compares the availability with the information specified in
`libc.map.txt`.
This commit fixes the problem by replacing static inline functions with
`__bionic_{bzero,bcopy}` and defining aliases for source-level
compatibility.
Test: PATH=$(pwd)/prebuilts/clang-tools/linux-x86/bin:$PATH \
bionic/tools/versioner/run_tests.py
Bug: 140110040
Change-Id: I97f2f0dc0abccd0a9fcfe5bb02f4e918362d35cc
Split statfs and statvfs. The former has been available forever, and the
latter is implemented in terms of the former. The implementation has
been moved into headers so that it can be used at low API levels.
There's no reason for any Android or Linux code to use statvfs rather
than statfs, but code that needs to build on Darwin too will want to use
statvfs because Darwin's statfs is very spartan.
Bug: https://github.com/android-ndk/ndk/issues/609
Test: treehugger
Change-Id: Icf3d5723a260099fddb2d9f902e3047b0f041647
This commit annotates C11 Thread APIs so that bionic versioner won't
report errors.
This commit also adds a guard before `mtx_timedlock` because
`pthread_mutex_timedlock` was introduced in Android L.
Test: PATH=$(pwd)/prebuilts/clang-tools/linux-x86/bin:$PATH \
bionic/tools/versioner/run_tests.py
Bug: 140110040
Change-Id: I3c6ce0831f613ffd3a7bf1c1972fd3548195cc56