Simplify:
- Use a single memory-mapped region to hold the table of destructors.
Double its capacity each time it is expanded.
- Add a recompaction pass at the end of __cxa_finalize that shifts
entries forward and uses madvise to clean pages.
Bug: http://b/148055738
Test: bionic-unit-tests
Change-Id: Ieb9da2b88640a8a5277d217b43826b5b7e246781
Bug: 137795072
Test: Built using jemalloc, and verified that the two processes that
Test: use libc_scudo do not crash.
Change-Id: Icf773b656d7e2bcdf41b4979e9b6cd980b02d34d
When the heapprofd lazy-initialization dispatch table is installed, two
threads can call malloc() at the same time. One will do the
lazy-initialization, the other will fail the atomic_exchange of
gHeapprofdInitHookInstalled and go to system malloc. The system malloc
still contains the lazy-init malloc, and will recurse.
Fix it so the second thread goes directly to the previous dispatch
table, or to the system allocator directly (instead of through libc
malloc()).
Bug: 150085813
Test: atest perfetto_integrationtests
Test: TracedPerfCtsTest.SystemWideDebuggableApp on cuttlefish x86.
Change-Id: Ia85ad619a0d5e3f558136d84c34dbada4e8b845d
The values of some constants have changed, and the tag mask has changed from
being an exclusion mask to an inclusion mask.
Bug: 135772972
Change-Id: I322fceae7003bee6b391e7187194ed4c0cb28c58
If an alternate signal stack is set and the frame record is in bounds of
that stack, we need to use the top of the alternate signal stack for bounds
checking rather than the normal stack.
Bug: 150215618
Change-Id: I78b760d61b27da44f8e0cfee3fe94a791011fe58
To prevent unnecessary SELinux denials, the check referred to by the
comment is kept in place. This allows us to keep auditing the
SELinux denial in order to catch apps that intentionally send
RTM_GETLINK messages.
Fix: 141455849
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Change-Id: I41e5ad6f071c820a8246177a0c629b3be788a942
Heapprofd uses an ephemeral dispatch table to ensure that GWP-ASan can
be called during heapprofd initialization. Previously, we grabbed the
backup dispatch table from the globals, which is wrong if GWP-ASan isn't
installed (as the malloc_dispatch_table is linker-initialised and not
set to a known good value if a malloc hooker isn't used).
Instead, grab the correct ephemeral dispatch table. When GWP-ASan is
installed, use a copy of its table as the dispatch. When nothing is
installed, fall back to using the native allocator dispatch.
Bug: 135634846
Bug: 150085813
Test: atest perfetto_integrationtests
Test: TracedPerfCtsTest.SystemWideDebuggableApp on cuttlefish x86.
Change-Id: I4beaf9192acadbe00adc02de2e0b0aab6f7a2190
This is a best-effort mitigation for potential crashes when the
profiling signal handler is triggered within certain secomp'd processes.
In particular, we're working around cases where the seccomp policy
doesn't allow some of the handler syscalls, and has a crashing
disposition towards violations via SECCOMP_RET_TRAP, plus a crashing
SIGSYS handler. While not general, this covers the configurations seen
in practice on Android (which are all using minijail in the same way).
By overriding the SIGSYS handling for the duration of the profiling
handler, we can instead receive such SIGSYS signals, and instead recover
from them in a non-crashing manner (the handler is responsible for
filling the syscall return register, since the syscall itself was
skipped).
For simplicity, we're swallowing all SIGSYS signals during this window,
without trying to figure out whether they're something that could be
caused by the profiling signal handler. I've quite convinced myself that
-ENOSYS seems to be safe to return to all of bionic's syscall wrappers
across the four architectures (looking at gensyscalls + the
special-cases like vfork and clone). It is theoretically possible for
all kinds of conflicting (ab)uses of SIGSYS to exist, but I'm assuming
it's not a realistic concern until proven otherwise.
Tested: manually sigqueue'd configstore on crosshatch, confirmed that
the SIGSYS override log was printed, and the process did not
crash (as it does on master).
Bug: 149328505
Change-Id: Iab8f09e51169807c9d3e1e0bcfd042f09f7df6a4
For interfaces that didn't get their name set, try to resolve their name
using if_indextoname first, before removing them from the list.
This allows getifaddrs() to keep returning interfaces that only have an
IPv6 address set (as opposed to the previous behavior where only
interfaces with an IPv4 address would be returned).
Change-Id: I0e4e6611948b12794cd3e354538f2964fbf31078
Fix: 148886805
Bug: 141455849
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest IpSecManagerTunnelTest
The tag level may now be async, which is now the default. When the tag level
is set to none, memory tagging is disabled in the allocator using the new
API proposed in https://reviews.llvm.org/D70762 .
Bug: 135772972
Change-Id: I847f5822a70913c446ed9ffa13792177bbfc96af
Current APEX Namespace is named with APEX name itself, which also uses
.(dot) so linker configuration can keep the syntax safe.
For example, if there are APEX modules named 'A' and 'A.link.A', then
'namespace.A.link.A.link.A = a.so' phrase can be ambiguous from the
linker. To allow any additional linker syntax in the future, we should
avoid dot separator from the namespace name.
Bug: 148826508
Test: m -j passed
Test: boot succeeded from cuttlefish and walleye
Change-Id: Ic3fe396aef6366fc6c7a0677bc7f92a57fd4e229
Exports GWP-ASan allocator information callbacks to libdebuggerd so that
tombstoned can get information from the GWP-ASan allocator in the case
of a crash.
Bug: 135634846
Test: atest bionic-unit-tests
Change-Id: Ie16426af55602fb2a76c4e69217773354c365843
The notification that GWP-ASan is enabled causes ART tests to break.
Remove the log for now.
Bug: 135634846
Bug: 149790891
Test: (Attempt to fix the ART tests).
Change-Id: I8a7751a838a64f160b3b7b9f07752bb64644b9db
This patch enables GWP-ASan with process sampling.
**Note**: If you are visiting this patch because this broke a test or
otherwise is causing failures, please contact mitchp@ directly (or
respond to this patchset). GWP-ASan is designed to cause heap-based
memory safety bugs to manifest in SEGV on a sampled basis.
Bug: 135634846
Test: atest bionic-unit-tests gwp_asan_unittest
Change-Id: I58ca9373def105fdd718cf283482b3220b770698
GWP-ASan + heapprofd don't currently play nice together in some
circumstances. heapprofd thinks it's still an only child, and refuses to
accept the existence of its little brother, GWP-ASan.
If GWP-ASan is installed before heapprofd, then heapprofd is *required*
to respect that libc has a favourite child. If an allocation/free is passed
to heapprofd, then heapprofd *must* (eventually) pass that allocation/free to
GWP-ASan. If heapprofd doesn't do this, then a free() of a GWP-ASan
allocation can be passed to the system allocator.
This can happen in two places right now:
1. The heapprofd hooks simply clobber any trace of what was
previously in the default_dispatch_table when enabled through the
heapprofd signal.
2. Heapprofd can die when the system is under significant pressure.
Some pipes can timeout, which ends up in the client calling ShutdownLazy()
-> mallopt(M_RESET_HOOKS) -> DispatchReset(). This also clobbers any
trace of the previous default_dispatch_table.
To fix both these problems, we fix heapprofd to restore the previous
default_dispatch_table whenever either circumstance happens. We do some
tricky copying to avoid race conditions on the malloc_dispatch_table in
fixing #1.
Bug: 135634846
Test: Run HeapprofdEndToEnd.NativeProfilingActiveAtProcessExit/ForkMode
a significant number of times with large amounts of system pressure (I
just run bionic-unit-tests-scudo in parallel). You will see some test
failures where heapprofd died due to system pressure, but never a death
from the allocator. Tests should never fail when the system isn't under
immense pressure.
Change-Id: I20ab340d4bdc35d6d1012da5ee1a25634428d097
When enabled, GWP-ASan sets the current dispatch table. Then, when a
shim layer (malloc_debug, malloc_hooks, heapprofd) comes along, they
should (by design) overwrite the current dispatch table.
Currently, these shim layers check to see whether malloc_limit is
installed by checking the current dispatch table against nullptr.
Because GWP-ASan owns the current dispatch table, the shim thinks that
malloc_limit is installed and falls back to only use the default
dispatch, thinking that malloc_limit will call them. This is not the
case, and they should take over the current dispatch pointer.
Bug: 135634846
Test: atest bionic
Change-Id: Ifb6f8864a15af9ac7f20d9364c40f73c5dd9d870
The WriteProtected mutator for __libc_globals isn't reentrant.
Previously we were calling __libc_globals.mutate() inside of GWP-ASan's
libc initialisation, which is called inside the __libc_globals.mutate().
This causes problems with malloc_debug and other malloc shims, as they
fail to install when GWP-ASan is sampling their processes.
Bug: 135634846
Test: atest bionic
Change-Id: Iae51faa8d78677eeab6204b6ab4f3ae1b7517ba5
Scudo still isn't quite at the same RSS as jemalloc for the svelte config
so only enable this for normal config.
Bug: 137795072
Test: Built svelte config and verified it is still jemalloc.
Test: Ran performance tests on normal config (bionic benchmarks).
Test: Ran trace tests (system/extras/memory_replay).
Test: Ran scudo unit tests.
Test: Ran bionic unit tests.
Test: Ran libmemunreachable tests.
Test: Ran atest CtsRsBlasTestCases on cuttlefish.
Test: Ran atest AslrMallocTest.
Test: Ran atest CtsHiddenApiKillswitchWildcardTestCases and verified it has
Test: the same runtime as the jemalloc.
Change-Id: I241165feb8fe9ea814b7b166e3aaa6563d18524a
This patch introduces GWP-ASan - a sampled allocator framework that
finds use-after-free and heap-buffer-overflow bugs in production
environments.
GWP-ASan is being introduced in an always-disabled mode. This means that
GWP-ASan will be permanently disabled until a further patch turns on
support. As such, there should be no visible functional change for the
time being.
GWP-ASan requires -fno-emulated-tls wherever it's linked from. We
intentionally link GWP-ASan into libc so that it's part of the initial
set of libraries, and thus has static TLS storage (so we can use
Initial-Exec TLS instead of Global-Dynamic). As a benefit, this reduces
overhead for a sampled process.
GWP-ASan is always initialised via. a call to
mallopt(M_INITIALIZE_GWP_ASAN, which must be done before a process is
multithreaded).
More information about GWP-ASan can be found in the upstream
documentation: http://llvm.org/docs/GwpAsan.html
Bug: 135634846
Test: atest bionic
Change-Id: Ib9bd33337d17dab39ac32f4536bff71bd23498b0
tracefs will be mounted at /sys/kernel/tracing when debugfs
is not mounted.
Bug: 134669095
Test: atest bionic-unit-tests-static
Change-Id: Ic224cf13500efc570da8b6a27ce925bbcf068fdd
For consistency, linker namespace for apex modules use its apex name
instead of hard-coded short name.
Bug: 148826508
Test: m / boot
Change-Id: I4bf565cd528d744fc42841fd2d9f8bf652d4d346
We've optimized the ctype functions to the point where they're pretty
much all down to one instruction. This change takes the obvious next
step of just inlining them.
On Android these function have only ever been for ASCII. You need the
<wctype.h> functions for non-ASCII.
libc++ currently has its own inlines for the _l variants, so if we want
to just inline them in bionic directly, we'll need to coordinate that.
Bug: http://b/144165498
Test: treehugger plus benchmarks
Change-Id: I4cc8aa96f7994ae710a562cfc9d4f220ab7babd6
This function will be used by Scudo and GWP-ASan to efficiently collect
stack traces for frames built with frame pointers.
Bug: 135634846
Bug: 135772972
Change-Id: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
Merged-In: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
Add a hook that's called upon file descriptor creation to libc, and a
library that uses it to capture backtraces for file descriptor creation,
to make it easier to hunt down file descriptor leaks.
Currently, this doesn't capture all of the ways of creating a file
descriptor, but completeness isn't required for this to be useful as
long as leaked file descriptors are created with a function that is
tracked. The primary unhandled case is binder, which receives file
descriptors as a payload in a not-trivially-parsable byte blob, but
there's a chance that the leak we're currently trying to track down
isn't of a file descriptor received over binder, so leave that for
later.
Bug: http://b/140703823
Test: manual
Change-Id: I308a14c2e234cdba4207157b634ab6b8bc539dd9
(cherry picked from commit b7eccd4b15)
mte_supported() lets code efficiently detect the presence of MTE, and
ScopedDisableMTE lets code disable MTE RAII-style in a particular region
of code.
Bug: 135772972
Change-Id: I628a054b50d79f67f39f35d44232b7a2ae166afb
Fixes includes in heap tagging to ensure that bionic under MTE builds
successfully.
Thanks Kevin for finding this!
Test: TARGET_EXPERIMENTAL_MTE=true mmma bionic
Bug: N/A
Change-Id: Idd1b9ed3737e48a35f8d8628d13e85f1d58f5c93
