* Variadic functions usually cannot be inlined.
* Do not use misleading __always_inline attribute,
and also avoid early clang 7.0 compiler bug.
Bug: 72412382
Test: build and boot aosp*-eng in emulator
Change-Id: I7490976166581abc626f397ad408581ada0ed308
We're still seeing lots of confusion. People do seem to look as far as
the headers, but stop there. So let's try a bit harder to point them in
the right direction.
Also explicitly state that removing _FILE_OFFSET_BITS=64 is the
behavior-preserving fix for compilation problems when upgrading to NDK
r15 or later.
Bug: N/A
Test: N/A
Change-Id: I2d5c65b2fb5cccb9977901e51fea1ad2ccc0fd95
Having FORTIFY enabled for clang-tidy adds no value, and breaks some
heuristics for recognizing standard library functions (see the bug).
This also disables FORTIFY for the static analyzer (which we use
through clang-tidy), because it presumably tries to recognize standard
library functions through similar heuristics.
Bug: 36664104
Test: mma with and without the patch to cdefs. New test breaks without.
Change-Id: I40c66ff9e638b306878ada006bc2c98f2346e77a
While this was never an inline, this function alone has caused most of
the bug reports related to _FILE_OFFSET_BITS=64. Providing an inline
for it should allow a lot more code to build with _FILE_OFFSET_BITS=64
when targeting pre-L.
Test: make checkbuild
Test: built trivial cc_binary for LP32 against API 14 with
_FILE_OFFSET_BITS=64 set
Bug: lots
Change-Id: I8479d34af4da358c11423bee43d45b59e9d4143e
We can cut a lot of stuff out of the NDK's libandroid_support with this,
and reduce unnecessary relocations for all LP32 code. LP64 code should
be unaffected.
Bug: https://issuetracker.google.com/64450768
Bug: https://github.com/android-ndk/ndk/issues/507
Test: ran tests, plus manual readelf on the _test.o files
Change-Id: I3de6015921195304ea9c829ef31665cd34664066
FORTIFY's *_chk functions mess with ASAN's library function
interceptors, which can apparently result in false-positives.
Since adding even more complexity to every run-time check condition in
FORTIFY doesn't seem like a great idea, and the majority of our builds
will still use FORTIFY anyway, turning FORTIFY off here seems
reasonable.
Bug: 63104159
Test: checkbuild on internal master + CtsBionicTestCases. No new
failures.
Change-Id: Id32e551e28ee70a9815ad140c3253b86f03de63f
GCC's FORTIFY required optimizations to be enabled in order to function
properly. Clang's FORTIFY doesn't have this limitation, so it seems
pointless to keep it disabled due to a GCC-specific limitation.
Bug: 12231437
Test: Checkbuild on bullhead internal master + CtsBionicTestCases. No
new failures.
Change-Id: I74aa35f9d3f3d2a6b11a7adfe72a787e3d7f7f36
I plan on having one review per file for the enable_if->diagnose_if
FORTIFY migration. Having this in means that no one review is dependent
on another.
Bug: 12231437
Test: m.
Change-Id: Ic0b07d7f7f6782e371c8792eb1e40cdfa32d3e35
This patch cleans up our standard headers by moving most of the FORTIFY
cruft out in to its own sandbox. In order to include the *_chk and
*_real declarations, you can either enable FORTIFY, or `#define
__BIONIC_DECLARE_FORTIFY_HELPERS`.
Both sys/select.h and strings.h are explicitly ignored by this patch.
Both of these files have very small __BIONIC_FORTIFY blocks, and don't
define any actual FORTIFY'ed functions (just macros, and 3 *_chk
functions).
This patch also makes the versioner ignore the FORTIFY implementation
headers, since we're guaranteed to pick the FORTIFY'ed headers up when
looking at the regular headers. (...Not to mention that making the
FORTIFY'ed headers freestanding would be annoying to do and maintain for
~no benefit).
We bake the knowledge of where FORTIFY headers live directly into the
versioner. We could go with a more general approach (e.g. adding an -X
IGNORED_FILE flag that tells the versioner to ignore
$HEADER_PATH/$IGNORED_FILE), but we'd then have to repeat that for every
test, every manual invocation of the versioner, etc. for no benefit
that's obvious to me.
Bug: 12231437
Test: m checkbuild on bullhead internal master + CtsBionicTestCases. no
new errors.
Change-Id: Iffc0cc609009b33d989cdaddde0a809282131a5b
It's not usable for cases where the off_t and off64_t functions became
available in different API levels, so it's not as big an improvement as
we'd hoped, but it cleans up several headers and should be usable for
any future additions (though recent Linux additions have _only_ supported
off64_t anyway).
Bug: N/A
Test: builds
Change-Id: I18b00f30666079d9d12d5b9c0ed916076d6c3641
Convenience macro for __RENAME if __USE_FILE_OFFSET64 mode. Lets us
avoid duplicating all the doxygen comments in frameworks headers.
Test: make checkbuild
Bug: https://github.com/android-ndk/ndk/issues/459
Change-Id: Ica44f22b2f1596e484694006c0926d94d16187b5
libcxx provides const-correct overloads for a few string.h functions.
These overloads use clang's enable_if attribute, so they're preferred
over our FORTIFY'ed equivalents.
This weakens _FORTIFY_SOURCE=2 when used with some of these functions,
since clang needs to see __pass_object_size in order to pass an accurate
result for __builtin_object_size(s, 1) at a callsite. Since those
functions don't have __pass_object_size on their params, clang can't do
that. This makes LLVM lower the __builtin_object_size calls, which means
we get the same result as __builtin_object_size(s, 0).
We have to provide all of the overloads in Bionic, since enable_if is
only used to disambiguate overloads with (otherwise) the same type. In
other words:
// overload 1
char *strchr(const char *, int s) __attribute__((enable_if(1, "")));
// overload 2
char *strchr(char *, int s);
void foo() {
char cs[1] = {};
strchr(static_cast<const char *>(cs), '\0'); // calls overload #1.
strchr(cs, '\0'); // calls overload #2.
}
Bug: 34747525
Test: m checkbuild on bullhead internal master + AOSP. vts -m
BionicUnitTests passes on both. Surprisingly, the only code that this
seems to break is contained in Bionic.
Change-Id: Ie406f42fb3d1c5bf940dc857889876fc39b57c90
pass_object_size(N) forwards the result of __builtin_object_size(param,
N) to a function. So, a function that looks like:
size_t foo(void *const p __pass_object_size) { return __bos0(p); }
int bar = foo(baz);
would effectively be turned into
size_t foo(void *const p, size_t sz) { return sz; }
int bar = foo(baz, __bos(baz)); // note that this is not __bos0
This is bad, since if we're using __bos0, we want more relaxed
objectsize checks.
__bos0 should be more permissive than __bos in all cases, so this
change Should Be Fine™.
This change also makes GCC and clang share another function's
implementation (recv). I just realized we need to add special
diagnostic-related overloads bits for clang to it, but I can do that in
another patch.
Bug: None
Test: Bullhead builds and boots; CtsBionicTestCases passes.
Change-Id: I6818d0041328ab5fd0946a1e57321a977c1e1250
This patch adds clang-style FORTIFY to Bionic. For more information on
FORTIFY, please see https://goo.gl/8HS2dW . This implementation works
for versions of clang that don't support diagnose_if, so please see the
"without diagnose_if" sections. We plan to swap to a diagnose_if-based
FORTIFY later this year (since it doesn't really add any features; it
just simplifies the implementation a lot, and it gives us much prettier
diagnostics)
Bug: 32073964
Test: Builds on angler, bullhead, marlin, sailfish. Bionic CTS tests
pass on Angler and Bullhead.
Change-Id: I607aecbeee81529709b1eee7bef5b0836151eb2b
These names were pretty misleading (aka "backwards"), so switch to the
same obvious names glibc uses.
Test: build.
Change-Id: Ia98c9dbbccd0820386116562347654e84669034a
Major refactor to use __attribute__((annotate)) to be able to keep
track of the semantic differences between __INTRODUCED_IN(x) and
__INTRODUCED_IN_X86(x), for use in the upcoming preprocessor.
Bug: http://b/30170081
Change-Id: I6496a8c40ba7f4553de9a2be0bbddcf37c813937
__STDC_VERSION__ isn't defined for __cplusplus, so we've been removing
such checks. Some got missed.
Stop defining __func__ and just use the __PRETTY_FUNCTION__ GCC extension
in <assert.h>. Also fix the #if there so that C++ gets __assert2 rather
than __assert, and rewrite the cast to work with -I rather than -isystem.
Also remove __restrict and just always use the __restrict GCC extension.
Add a trivial test for <assert.h>.
Bug: http://b/30353757
Change-Id: Ie49bb417976293d3a9692b516e28fe3c0ae0a6d9
Test: ran bionic unit tests.
Don't use the same declaration to declare both static and non-static
functions, to make life easier for versioner.
(Also, remove __BIONIC_LEGACY_INLINE from two functions in termios.h
that weren't actually legacy inlines.)
Bug: http://b/30170081
Change-Id: Ibb73377d77a2b4cee016289b7c46a01452e45fae
Various things:
* work around -Wnullability-completeness.
* use C++ casts in C++ and C casts in C.
* stop using attributes clang doesn't support (such as `warning`).
* remove duplicate definitions of XATTR_CREATE and XATTR_REPLACE.
Change-Id: I07649e46275b28a23ca477deea119fe843999533
We have much better control over visibility now, so we don't need to
pollute the headers with cruft.
Bug: http://b/24767418
Change-Id: I349f4c3bc30102477375ad9f80926e560c7c1d8b
Just expose the ones that bionic historically leaked.
Also, many of the M_* constants in <math.h> are actually POSIX.
Change-Id: I6275df84c5866b872b71f1c8ed14e2aada12b793
We don't support anything other than Clang and GCC, and we don't support
GCC earlier than 4.9.
Move the various synonyms for __attribute__(__whatever__) together.
Fix a __STDC__VERSION__ (for __STDC_VERSION__) typo.
Drop support for BSD _ANSI_SOURCE and _C99_SOURCE; there's enough confusing
nonsense here already, and plenty of other ways to ask for obsolete standards.
There are plenty more problems here -- what I really want to do is rationalize
our treatment of __STDC_VERSION__ -- but let's get some of this easy stuff
out of the way first.
Bug: https://code.google.com/p/android/issues/detail?id=194631
Change-Id: I7526b9770fdc01f8a4667781b65e2fb08287b20b
http://clang.llvm.org/docs/AttributeReference.html#nonnull
_Nonnull is similar to the nonnull attribute in that it will instruct
compilers to warn the user if it can prove that a null argument is
being passed. Unlike the nonnull attribute, this annotation indicated
that a value *should not* be null, not that it *cannot* be null, or
even that the behavior is undefined. The important distinction is that
the optimizer will perform surprising optimizations like the
following:
void foo(void*) __attribute__(nonnull, 1);
int bar(int* p) {
foo(p);
// The following null check will be elided because nonnull
// attribute means that, since we call foo with p, p can be
// assumed to not be null. Thus this will crash if we are called
// with a null pointer.
if (src != NULL) {
return *p;
}
return 0;
}
int main() {
return bar(NULL);
}
Note that by doing this we are no longer attaching any sort of
attribute for GCC (GCC doesn't support attaching nonnull directly to a
parameter, only to the function and naming the arguments
positionally). This means we won't be getting a warning for this case
from GCC any more. People that listen to warnings tend to use clang
anyway, and we're quickly moving toward that as the default, so this
seems to be an acceptable tradeoff.
Change-Id: Ie05fe7cec2f19a082c1defb303f82bcf9241b88d
Future API levels aren't known (e.g. 25 could be a maintenance release
of N that doesn't contain any bionic updates), so use a placeholder
macro that we can find and replace with the actual API level before each
release.
Bug: http://b/28178111
Change-Id: I667fe53ea1ac49b64135170fc30d5dbe9df94e29
Some symbols appeared at different times between 32 and 64 bit. Add a
macro to represent this.
Bug: http://b/28178111
Change-Id: I0aa46d9da3c7301b60df0416bce252f0f37b7b36
Add an __UNAVAILABLE macro, and use it for several functions which lack
implementations, but need to have visible declarations to be reexported
in the C++ standard library.
Bug: http://b/28178111
Change-Id: Ia4ae0207bbfcb7baa61821f0ef946257b019c0db
It's useful to have the legacy inlines compile by themselves, both to
make header unification easier, and to ensure that the inline versions
match the regular declarations. Notably, this wasn't true for
sigismember, which took a const sigset_t* in the regular header, and
sigset_t* in the inline version.
Bug: http://b/28178111
Change-Id: Id8a3b7dcb1bfa61eed93c9fb50d3192744f8bef5
__size_mul_overflow generates warning under following compilation envrionment:
-OX -D_FORTIFY_SOURCE=2 (X=1, 2, 3)
For example:
echo '#include <stdio.h>' | \
prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9/bin/arm-linux-androideabi-gcc \
-I bionic/libc/arch-arm/include \
-I bionic/libc/include \
-I bionic/libc/kernel/uapi \
-I bionic/libc/kernel/common \
-I bionic/libc/kernel/uapi/asm-arm \
-I bionic/libm/include \
-I bionic/libm/include/arm \
-I bionic/libc/include \
-Werror \
-O1 \
-D_FORTIFY_SOURCE=2 \
-c \
-x c \
-
bionic/libc/include/stdio.h:360:13: error: '__size_mul_overflow' is
static but used in inline function 'fread' which is not static [-Werror]
if (__size_mul_overflow(size, count, &total)) {
^
C99 - 6.7.4
"An inline definition of a function with external linkage shall not contain
a definition of a modifiable object with static storage duration, and shall
not contain a reference to an identifier with internal linkage."
As standard does not require compiler to determine when it is safe to
reference an internal function in an external inline function, but instead
delegalizes such reference as a whole, gcc throws a warning for such code
under C99 compilation. Warning produced by libc header is inhereted widely
and strips the option of using -Werror to track code sanity.
Replace static inline specifier with gnu89 extern inline. Latter "is used
only for inlining. In no case is the function compiled on its own", which
is slightly different from former semantically, but should produce the same
result here.
Change-Id: I6a3374498e5499d110e54468cf9d0d67d2debbe2
In particular, we don't need to record the peculiarities of every
version of GCC ever shipped. It just makes this file harder to follow.
Change-Id: Ie9035d78eae86b4aed9dff3576c6f54e268aaced
A __size_mul_overflow utility is used to take advantage of the checked
overflow intrinsics in Clang and GCC (>= 5). The fallback for older
compilers is the optimized but less than ideal overflow checking pattern
used in OpenBSD.
Change-Id: Ibb0d4fd9b5acb67983e6a9f46844c2fd444f7e69
libchrome uses __USE_XOPEN2K8 to decide whether futimens is
available. That's perhaps not the best idea, but there are other
cases where we defined the same feature macros as glibc to aid
portability.
Change-Id: Ie6e04cb181d88698d618e7dbd26cd347a6bf076c
I still don't think we can make stdio's fseeko and ftello work, but we can
have everything else, and very few programs use fseeko/ftello (and they can
just refrain from using _FILE_OFFSET_BITS and be no worse off than they are
today).
Bug: 11865851
Change-Id: Ic3cb409aae6713f4b345de954bcc4241fcd969ec
