It was discovered that we were building some objects inconsistently due
to an optimization in cc_library to only build objects once and use them
for both the static and shared libraries. But static libraries didn't
get system_shared_libs set automatically, and we didn't notice that we
would have built the objects differently.
So static libraries now get the default system_shared_libs, we allow
adjusting that for static vs shared in a cc_library, and we disable the
optimization if the linked libraries are configured differently between
static and shared in a single cc_library.
This triggers dependency cycles for static libraries that libc/libdl
use, so fix those cycles here.
Test: treehugger
Change-Id: I3cf7fda161a05ec32e0c1e871999720d12a4d38e
Because we also want to profile Java applications, which have longer
names, the character limit of comm is a problem. To avoid complexity, it
is preferable to apply the same logic for finding running processes
(which includes Java apps), and determining whether to profile a process
from startup.
Test: m
Test: flash sailfish
Test: setprop heapprofd.enable 1
setprop heapprofd.enable.ls 1
ls
/system/bin/ls
/system/bin/ls /
Bug: 120175590
Change-Id: Id0859d4a333efcb05883e611ea6a31a51468f82c
Did this for fun but turns out it generates better assembly code.
With a C implementation, compiler can expand both the comparison
loop and cpu_variant_names array. Results in a decision tree like
structure. For example the "cortex-a" prefix common in many variants
will only be compared once.
Test: run bionic unit tests.
Test: use debugger to check which variant is used.
Change-Id: Id70e5536f968161f20b18f35d46430457c338f0f
* changes:
Use shared globals to init __progname + environ
Move the abort message to libc_shared_globals
Expose libc_shared_globals to libc.so with symbol
Initialize the __progname and environ global variables using
libc_shared_globals rather than KernelArgumentBlock.
Also: suppose the linker is invoked on an executable:
linker prog [args...]
The first argument passed to main() and constructor functions is "prog"
rather than "linker". For consistency, this CL changes the BSD
__progname global from "linker" to "prog".
Bug: none
Test: bionic unit tests
Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
__libc_shared_globals() is available in dynamic modules as soon as
relocation has finished (i.e. after ifuncs run). Before ifuncs have run,
the android_set_abort_message() function already doesn't work because it
calls public APIs via the PLT. (If this matters, we can use a static
bool variable to enable android_set_abort_message after libc
initialization).
__libc_shared_globals() is hidden, so it's available in the linker
immediately (i.e. before relocation). TLS memory (e.g. errno) currently
isn't accessible until after relocation, but a later patch fixes that.
Bug: none
Test: bionic unit tests
Change-Id: Ied4433758ed2da9ee404c6158e319cf502d05a53
Previously, the address of the global variable was communicated from the
dynamic linker to libc.so using a field of KernelArgumentBlock, which is
communicated using the TLS_SLOT_BIONIC_PREINIT slot.
As long as this function isn't called during relocations (i.e. while
executing an ifunc), it always return a non-NULL value. If it's called
before its PLT entry is relocated, I expect a crash.
I removed the __libc_init_shared_globals function. It's currently empty,
and I don't think there's one point in libc's initialization where
shared globals should be initialized.
Bug: http://b/25751302
Test: bionic unit tests
Change-Id: I614d25e7ef5e0d2ccc40d5c821dee10f1ec61c2e
Other minor changes:
* document assignment that relies on _Atomic assignments to use
atomic_store.
* consistently use atomic_store when assigning to atomics.
* remove incorrect comment.
Test: m
Test: flash & boot sailfish
Change-Id: I4789c08f7ac28a2de8d6925d03af354514bfd9d7
These modules have issues running with execute-only memory. Disable it
in them until we can resolve the issues.
Bug: 77958880
Test: No more XOM-related crashes in these binaries
Change-Id: Ie6c957731155566c2bbe7dbb7a91b9583d9aff93
__sanitize_environment_variables is only called when getauxval(AT_SECURE)
is true.
Instead of scanning __libc_auxv, reuse getauxval. If the entry is missing,
getauxval will set errno to ENOENT.
Reduce the number of times that __libc_sysinfo and __libc_auxv are
initialized. (Previously, __libc_sysinfo was initialized 3 times for the
linker's copy). The two variables are initialized in these places:
- __libc_init_main_thread for libc.a (including the linker copy)
- __libc_preinit_impl for libc.so
- __linker_init: the linker's copy of __libc_sysinfo is still initialized
twice, because __libc_init_main_thread runs after relocation. A later
CL consolidates the linker's two initializations.
Bug: none
Test: bionic unit tests
Change-Id: I196f4c9011b0d803ee85c07afb415fcb146f4d65
Previous change was reverted in 9690b121e3.
This change added .arch directive to kryo/ to avoid invalid instruction error.
Test: Run bionic unit test.
Test: Use gdb to make sure the right function is selected.
Test: Build previously failed target: make PRODUCT-sdk_phone_arm64-sdk
Change-Id: I14de41851121fc1a0b38c98fda5eb844b6a9695c
- Insert /apex/com.android.runtime/lib(64) before /system/lib(64)
in the default library search paths (`kDefaultLdPaths`,
`kAsanDefaultLdPaths`).
- Insert apex/com.android.runtime/bin before /system/bin in the
default shell search path (`_PATH_DEFPATH`).
Test: Device boot test with Android Runtime APEX.
Test: Device boot test without Android Runtime APEX.
Bug: 113373927
Change-Id: I9ae6bfe6939f63e7d76e7b3c9b21d8b698bd8fda
This reverts commit ce4ff9c44d.
Reason for revert: broke master in ab/5138164 target sdk_phone_armv7-sdk
Change-Id: Ia4b0c7e6117a37df694509078116963f41d7865e
remove android_open_proxy and use dns_open_proxy instead of it.
dns_open_proxy is in libnetd_client and
it does the same thing as android_open_proxy except return value.
It returns fd directly now.
Test: build, dns works fine
Change-Id: I984743fb50b23eeb9a7d24e9fc347832acfe2afe
This lets us do two things:
1) Make setjmp and longjmp compatible with shadow call stack.
To avoid leaking the shadow call stack address into memory, only the
lower log2(SCS_SIZE) bits of x18 are stored to jmp_buf. This requires
allocating an additional guard page so that we're guaranteed to be
able to allocate a sufficiently aligned SCS.
2) SCS overflow detection. Overflows now result in a SIGSEGV instead
of corrupting the allocation that comes after it.
Change-Id: I04d6634f96162bf625684672a87fba8b402b7fd1
Test: bionic-unit-tests
Also move this and android_get_device_api_level into <android/api-level.h>
so that they're always available.
This involves cleaning up <sys/cdefs.h> slightly.
Bug: N/A
Test: builds
Change-Id: I25435c55f3549cd0d827a7581bee75ea8228028b
Instead of allocating the stack within a 16MB guard region as we
were doing before, just allocate the stack on its own. This isn't
as secure as with the guard region (since it means that an attacker
who can read the pthread_internal_t can determine the address of the
SCS), but it will at least allow us to discover more blockers until
a solution to b/118642754 is decided on.
Bug: 112907825
Bug: 118642754
Change-Id: Ibe5dffbad1b4700eaa0e24177eea792e7c329a61
Landing this change separately to the change that implements SCS
because it needs to land at the same time as an internal change. This
will simplify the situation in case SCS needs to be reverted again.
Change-Id: Ibe18750829665b6dcf6e36628a5e5bbdd1a0dd4f
Merged-In: Ibe18750829665b6dcf6e36628a5e5bbdd1a0dd4f
Adds libc_common_static and libc_common_shared targets. So that static
and shared objects can use different libraries.
In following changes I'll add dynamic dispatch code to
libc_common_shared.
Test: compile and run bionic unit test.
Change-Id: I056742fdf8af76ed7deb274c515951656b176fcb
Memory leak happen when Android data framework updates identical DNS
information to netd.
(cherrypick of c466fe95dc641d879683700aea4233ffd42bc762.)
Bug: 115595601
Test: netd_unit_test, netd_integration_test
Change-Id: Idcc0956729286563603f482258f488a1ccd75e6a
The signal stack is sufficiently large for a single invocation of the
signal handler, but in cases where the signal handler needs to recurse,
(e.g. if our address space is limited by RLIMIT_AS), it's too small for
us to get to the part where we recognize that we've recursed and bail
out.
Bug: http://b/118772392
Test: /data/nativetest64/debuggerd_test/debuggerd_test64 --gtest_filter=CrasherTest.seccomp_crash_oom
Change-Id: Ic7a2cf8b01b3f7ea7f4a2318a3ec22a0c3649da6
The package name in the manifest.json is changing to
remove apex so the hardcoded path must change.
Bug: 119026403
Test: build
Change-Id: I906b595a1325b40f8af8c37d7d08cd543c988cc8
This commit adds "include" (full path: "bionic/libc/include") to
exported_include_dirs for libc. Without this change,
header-abi-checker will strip all functions from ABI dumps.
Bug: 117963950
Test: libc.so.lsdump has a non-empty functions array
Change-Id: I192a4ec0251f1320ced56c6201818076ebd2a2da
Currently, getnameinfo() will never issue a reverse DNS lookup if the first
byte of the IPv6 address is 0x00. This means it is not possible to do a
reverse DNS lookup for a NAT64 address if the NAT64 prefix is the well-known
prefix. Make this possible by treating the well-known prefix specially. This
is not needed for unicast NAT64 prefixes because they do not start with 0x00.
Bug: 78545619
Test: netd_{unit,integration}_test pass
Test: bionic-unit-tests --gtest_filter='net*' pass
Change-Id: I176d30dcf411a5ffe1eec110db99cd73b48e956f
The changes needed to pick up time zone data files from
a mounted APEX directory. Code that looks for time zone
data now looks in a new location after checking for
data installed by the time zone updates via APK feature.
This hasn't been tested in combination with a real APEX but
it shouldn't do anything bad if the new path does not exist.
Bug: 115612964
Test: CTS: run cts-dev -m CtsBionicTests
Test: Build / boot without APEX support
Change-Id: I56ae50e26f2cbfa0e537029a0e6f679fa2394327
The golang runtime currently expects to find the pthread key data after
the tls slots.
Bug: http://b/78026329
Bug: http://b/118381796
Test: run a golang-based app, bionic unit tests
Change-Id: Idc777d809b803093e1c81d9a2ce4eafcc7d61f8d
Merged-In: Idc777d809b803093e1c81d9a2ce4eafcc7d61f8d
(cherry picked from commit a2c30723da)
This reverts commit da1bc79f93.
Reason for revert: Caused OOM in media process
Bug: 112907825
Bug: 118593766
Change-Id: I545663871d75889b209b9fd2131cdaa97166478f
When a construct like:
if defined(something)
blocks1
elif 1
blocks2
else
blocks3
endif
The parser would put the first clause but then simply omit the elif and
put all of blocks2 without a terminating #endif. The code also did
something similar when the #else was an #endif.
Also convert all of the unit tests to real unit tests and only run
them if you run cpp.py by itself. Added new unit tests to cover the
new cases.
Test: Ran cpp.py unit tests.
Test: Reran update_all.py and verified nothing changed, and that running
Test: it on the new kernel headers that exposed this problem.
Change-Id: Ie168511303c4e15afdb60c37baef75a966ca29a8
* changes:
libc: Match header annotations to version script
versioner: Build SymbolDatabase from version scripts
versioner: Add 28 to version list
libc: Add default __STRING implementation
With ELF TLS, the static linker assumes that an executable's TLS segment
is at a known offset from the thread pointer (i.e. __get_tls()). The
segment can be located prior to the TP (variant 2, x86[_64], sparc) or
after it (variant 1, arm{32,64}, ppc, mips, ia64, riscv).
We can't make our pthread_internal_t exactly follow the ordinary arm64
ABI (at least) because TP[5] is used for clang's -fstack-protector on
Android. Instead, reserve extra space after the TP (up to 16 words), which
will be followed by the executable's TLS segment.
Bug: http://b/78026329
Test: boot device, bionic unit tests
Change-Id: I0f3b270b793f9872ba0effeac03f4dec364438d6
Merged-In: I0f3b270b793f9872ba0effeac03f4dec364438d6
(cherry picked from commit f397317e96)
Use <android-base/macros.h> instead where possible, and move the bionic
macros out of the way of the libbase ones. Yes, there are folks who manage
to end up with both included at once (thanks OpenGL!), and cleaning that
up doesn't seem nearly as practical as just making this change.
Bug: N/A
Test: builds
Change-Id: I23fc544f39d5addf81dc61471771a5438778895b
According to `libc.map.txt`, `pselect64()` was introduced since API
level 28. This commit adds the annotations to `sys/select.h`.
Bug: 113263746
Test: ./bionic/tools/versioner/run_tests.py
Change-Id: I70ea4b23cef92857f1654cebb660e0219238fc95
This commit defines a default `__STRING()` definition. There should be
a default definition because the unit test cases of versioner will
include `android/versioning.h` directly. We cannot include
`sys/cdefs.h` in `android/versioning.h` either because that will lead to
circular inclusion.
Bug: 113263746
Test: ./bionic/tools/versioner/run_tests.py
Change-Id: Ie99c0eef4414fd687347baf3a2d295468877464f
Fixes a build error when PLATFORM_SDK_VERSION is not set.
Bug: 31559095
Test: attempt to build host bionic
Change-Id: I9cbdcea206ef1239c330a5adafbfa5cc797fef5e
Add a new mallopt flag that purges any pending decaying pages.
Test: boots and works
bug 117795621
Change-Id: Ib250ae2b705b6a368c1efb801d6a7be54e075acb
(cherry pciekd from commit 5083e833a6)
Tests: Ran malloc_debug_unit_tests
Tests: Flashed to walleye, sent signal, observed
"Unable to open shared library: heapprofd.so".
Change-Id: Ia8ce216837e29e3edbda8789ca28023d53fa1fda
Previously, we were callign tgkill(pid, 0, signal) instead, which would
fail with EINVAL instead.
Test: bionic-unit-tests
Change-Id: I25b127dcf347e0223274502b0516a950b6c2093e
Caused an ODR violation trying to build current ToT of toybox.
Bug: N/A
Test: can successfully build code with `#ifdef __ANDROID_NDK__`
Change-Id: Ia80b8889b267779ee01f6257744e1794db0ebc65
There's little value to having strings for these, but we may as well
for consistency. There's no ELASTERRNO constant we can use to check
whether we've fallen behind again, but these were added in 2009 and
2011 respectively, so we're not likely to have to deal with any more
new errno values any time soon...
Bug: http://b/117755069
Test: ran tests
Change-Id: I5b7155c22cad92c2fe03a0b4c7cae415c37fa186
When error_level != ANDROID_FDSAN_ERROR_LEVEL_FATAL, fdsan_error()
traverses the varargs twice. Each traversal needs its own
va_start()/va_end() pair. Otherwise async_safe_format_buffer_va_list()
will start consuming arguments where async_safe_format_log_va_list()
stopped, ironically causing the sanitizer runtime to perform bad memory
accesses.
Test: debuggerd_test32
Test: debuggerd_test64
Change-Id: Ic85ca94501e55e9a435410fab89edb273c381a5a
Signed-off-by: Greg Hackmann <ghackmann@google.com>
A76 still uses A55 as little core. It should be ok to use the same
setting as A75 for now.
Bug: 117125298
Test: run bionic tests
Change-Id: Idfd15424c20ae60becb6539f6ae855f3e7c264cd
The executable can be inside a zip file using the same syntax used for
shared objects: path.zip!/libentry.so.
The linker currently requires an absolute path. This restriction could be
loosened, but it didn't seem important? If it allowed non-absolute paths,
we'd need to decide how to handle:
- foo/bar (relative to CWD?)
- foo (search PATH / LD_LIBRARY_PATH, or also relative to CWD?)
- foo.zip!/bar (normalize_path() requires an absolute path)
The linker adjusts the argc/argv passed to main() and to constructor
functions to hide the initial linker argument, but doesn't adjust the auxv
vector or files like /proc/self/{exe,cmdline,auxv,stat}. Those files will
report that the kernel loaded the linker as an executable.
I think the linker_logger.cpp change guarding against (g_argv == NULL)
isn't actually necessary, but it seemed like a good idea given that I'm
delaying initialization of g_argv until after C++ constructors have run.
Bug: http://b/112050209
Test: bionic unit tests
Change-Id: I846faf98b16fd34218946f6167e8b451897debe5
Previously, we were zeroing out the reserved signals, when we actually
wanted to have TIMER_SIGNAL always be blocked, and the other signals
always be unblocked. This resulted in process termination when a
SIGEV_THREAD timer callback calls sigprocmask(SIG_SETMASK, ...) with
any signal mask value, and then subsequently fails to complete its
callback and reach the sigtimedwait in bionic before the next timer
iteration triggers.
Add a how argument to filter_reserved_signals to appropriately
block/unblock our reserved signals.
Bug: http://b/116783733
Test: bionic-unit-tests32/64
Change-Id: Ie5339682cdeb914711cd4089cd26ee395704d0df
glibc and musl both have these as synonyms for one another, so we may
as well do the same and get backwards compatibility on old OS releases.
Bug: N/A
Test: ran tests
Change-Id: I6bf38ea446560e1b11022ff539f07eb67c157049
I failed to convince the compiler/linker to just refrain (via factoring out,
attribute `noinline`, or meddling with `--icf=none`), but luckily I noticed
that we should have CHECK_FP in each function for a better error message,
and the distinct error messages keep the two functions apart.
(Also add a missing CHECK_FP to `clearerr_unlocked`.)
Bug: http://b/116969207
Test: manual with a modified `crasher`
Change-Id: Ic122e90e94f7e22f486be57d3dac7137a225d682
During the review of the script that generates /vendor/etc/passwd, it
was suggested that the shell be /vendor/bin/sh instead of the typical
/system/bin/sh. This has subsequently caused bionic unit tests to
fail, since they always check that the shell is set to /system/bin/sh.
In the spirit of that review, libc is modified to return
/vendor/bin/sh for the OEM AID ranges and the test is updated to
expect this.
Test: bionic unit tests
Change-Id: Ie7c1c48fde8a71b3df1aa0ef112d42ab7bd3baec
cc_objects are getting support for STL headers, disable them for
crt objects to avoid a circular dependency through libc++.
Test: m checkbuild
Change-Id: I4e0f4a2193ce98ec4b8802492add9014ec0dba98
Originally a BSD extension, now in glibc too. We've used it internally
for a while.
(cherry-pick of e4b13f7e3ca68edfcc5faedc5e7d4e13c4e8edb9.)
Bug: http://b/112163459
Test: ran tests
Change-Id: I813c3a62b13ddb91ba41e32a5a853d09207ea6bc
Merged-In: I813c3a62b13ddb91ba41e32a5a853d09207ea6bc
Make sure that TLS_SLOT_TSAN is always available and correctly set up in
HWASan-instrumented functions by setting up the tls register and running hwasan
initialization (__hwasan_init in the main thread and __hwasan_thread_enter in
secondary) early enough.
This is needed to accomodate a change in HWASan: https://reviews.llvm.org/D52249
Bug: 112438058
Test: boot with SANITIZE_TARGET=hwaddress, run bionic-tests
Change-Id: Icd909a4ea0da6c6c1095522bcc28debef5f2c63d
I stumbled across this because I was looking at the various locks in libc.
Bug: N/A
Test: ran tests
Change-Id: I77c9954f49aaae7519ea7f4917bbe6f138b841ad
These system calls are required by Breakpad for crash reporting.
WebViews are spawned from the webview_zygote, which itself is spawned
from the app_process zygote. The webview_zygote gets the SYSTEM seccomp
policy applied because it is not an app, and so the WebView sandboxed
processes inherit that policy.
In Ifd8a85b0de2eb6f2a76a6458570fc03b020a90ab, these system calls were
moved from COMMON to APP, which breaks Breakpad/crash reporting for
WebView sandboxed processes.
Bug: 112572914
Test: `am start com.android.settings/.SettingsLicenseActivity`
Test: Get the pid of the sandboxed_process0 for the license viewer.
Test: Send the process SIGABRT and check logcat for "google-breakpad"
error messages.
Change-Id: I1cf56ae85b1a67ec91e979bc7e0f941726a9cc0e
The alleged improvement consists in making the detection actually work
when netd is spawned by init, which of course uses the full path.
I had tested the previous logic by running netd from the shell, which
worked because argv[0] was just set to "netd". My bad -_-
Test: flash, boot and grep logcat for "Skipping libnetd_client init"
Change-Id: Ie5f11436dfa2a9347721147dc2b980144452404a
This change adds a 128-bit magic value just before the abort message
(and its length). This allows Chrome OS crash collector (which cannot
reliably correlate a crash with its corresponding tombstone) to extract
the abort message from the core dump.
Bug: 62387553
Test: /data/nativetest{,64}/debuggerd_test/*
Test: /data/nativetest{,64}/bionic-unit-tests{,-static}/*
Change-Id: I69ff021d773b3a10081ab16ddf6f23233320fb02
There's TLS space used for unknown errno values, and a call to printf
shouldn't clobber that. No-one will ever hit this in real life, but
since it's easily fixed...
Bug: http://b/112776560
Test: ran tests
Change-Id: I8c2437f2e5214e652119791d4e162a197b049d5b
Allows ART JIT use membarrier to invalidate instruction
pipelines.
Bug: 66095511
Test: bionic-unit-tests
Change-Id: I8cf83929f00baf5a3c440a899d2667a992bda8e2
HWASan needs to re-tag the newly unallocated stack space to match SP.
Bug: 112438058
Test: SANITIZE_TARGET=hwaddress
Change-Id: I4dddef542d802d63bdea59e32a03425a2c4f870b
Netd looping connections to itself via the libnetd_client connect()
wrapper has always unintended, although it worked until now. Once we
move the resolver into netd, the frequency of connect() calls will
increase, which makes it less acceptable.
There are several ways to detect if the calling process is netd.
Checking both uid == 0 and the argv[0] == netd makes it hard for
non-system components to spoof as netd.
Test: flash a device and check that netd logs the "Skipping..." message
Test: atest netd_integration_test
Change-Id: I9506facb4aa3094b16a98a913a1e2394056ce91a
Convert abort's inline_tgkill to do the equivalent of
pthread_sigqueue(pthread_self(), ...), so that we can use it in fdsan
as well.
Test: bionic-unit-tests
Test: debuggerd_test32
Test: debuggerd_test64
Change-Id: I92a7b84e2f00ce021b4043ed8a3bd8683d77fe9c
Conditional branch has limited range (1MB) and can not be extended by
the linker. The current distance (in walleye build) is 500KB, about
half of the maximum. HWASan pushes it over the limit.
Replace conditional branch with regular branch, which has longer
range (26 vs 19 bits offset) and can be extended in the linker if
needed.
Bug: 112437884
Bug: 12231437
Test: SANITIZE_TARGET=hwaddress
Change-Id: Idc083fb557ab3a859541beb009809992406a6703
* Some callers, e.g. external/curl/lib/select.c, do
poll(NULL, 0, ...) and get clang-diagnostic-nonnull check error.
Test: build with WITH_TIDY=1
Bug: 111850071
Change-Id: I7ea433d185cb84011a954f05964181b5518febd4
* changes:
fdsan: provide abort message in warning tombstones.
Implement pthread_sigqueue.
Stringify api_level in <android/versioning.h>.
Delete archaic pre-ANSI C support.
In particular, document the fact that they only affect the calling thread
on Android.
Bug: http://b/13134174
Test: ran tests
Change-Id: Ica6af451400d47e24358f59495ded63b2110eb8b
Make it so that we can use __ANDROID_API_<letter>__ constants in
__INTRODUCED_IN macros.
Test: treehugger
Change-Id: I0929c01e23e58f51d12f73200e1daf5ef484ea5d
