initgroups() is just a call to getgrouplist() followed by a call to
setgroups(). The tricky part is memory allocation. OpenBSD allocates an
NGROUPS_MAX-sized array of gid_t on the stack. FreeBSD allocates a
sysconf(_SC_NGROUPS_MAX)-sized array of gid_t on the heap. bionic had a
mix where it would try a 2-element stack array but fall back to a heap
allocation, which sounds reasonable if you want to avoid a 256KiB
(64Ki*4 bytes) allocation on either stack or heap. But that constant 2?
That's weird in two ways... It's really small (musl has an NGROUPS_MAX
of 32 unlike the Linux kernel's 64Ki, but 32 is still a lot larger than
2), but at the same time it's too big --- bionic's getgrouplist() always
returns a single element.
So although the FreeBSD "what the hell, let's just allocate 256KiB on
the heap" implementation would have been fine, there's really no point,
and anyone who's trying to understand initgroups() on Android really
needs to read getgrouplist() anyway, so let's just have the most
trivial implementation -- a single-element array -- and let's have it
right next to getgrouplist() in the same file as all the other <grp.h>
functions.
Also add a trivial smoke test. You mostly won't have permission to do
anything interesting with initgroups(), and it's basically unused save
for privilege dropping tcpdump and strace, but we may as well make an
effort. (I tested tcpdump before and after too.)
Test: treehugger
Change-Id: I67fe02e309ed1dbefc490c01733738363ca606be
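The commit above describes initgroups() as getgrouplist() followed by setgroups(), with the only design question being where the gid_t array lives. The following is an added example, not bionic's code: it spells out that composition with a small stack array and a heap fallback sized from getgrouplist()'s own answer rather than from NGROUPS_MAX. The 32-entry stack size is a constructed value (it happens to match the musl NGROUPS_MAX the message mentions), and fetch_groups() is a helper introduced here so the lookup can be exercised without privilege.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Fill `buf` (capacity `buf_len`) with the groups getgrouplist() reports for
 * `user`, whose primary group is `group`. If the list does not fit, it is
 * fetched into a heap buffer sized from getgrouplist()'s required count and
 * returned through *heap_out, which the caller must free(). Returns the
 * number of groups, or -1 with errno set. */
int fetch_groups(const char* user, gid_t group, gid_t* buf, int buf_len, gid_t** heap_out) {
  *heap_out = NULL;
  int n = buf_len;
  if (getgrouplist(user, group, buf, &n) != -1) return n;

  // Too small: getgrouplist() left the required count in n. The group list
  // can change between the two calls, so retry a bounded number of times.
  for (int attempt = 0; attempt < 4; attempt++) {
    gid_t* heap = realloc(*heap_out, (size_t)n * sizeof(gid_t));
    if (heap == NULL) {
      free(*heap_out);
      *heap_out = NULL;
      return -1;  // errno set by realloc()
    }
    *heap_out = heap;
    if (getgrouplist(user, group, heap, &n) != -1) return n;
  }
  free(*heap_out);
  *heap_out = NULL;
  errno = EAGAIN;
  return -1;
}

/* initgroups() spelled out: getgrouplist() into a 32-entry stack array
 * (constructed size), heap fallback for larger lists, then setgroups().
 * setgroups() needs CAP_SETGID, so unprivileged callers get -1/EPERM. */
int my_initgroups(const char* user, gid_t group) {
  gid_t stack_groups[32];
  gid_t* heap = NULL;
  int n = fetch_groups(user, group, stack_groups, 32, &heap);
  if (n == -1) return -1;
  int rc = setgroups((size_t)n, heap != NULL ? heap : stack_groups);
  int saved_errno = errno;
  free(heap);
  errno = saved_errno;
  return rc;
}

int main(void) {
  gid_t stack_groups[32];
  gid_t* heap = NULL;
  int n = fetch_groups("root", 0, stack_groups, 32, &heap);
  printf("root: %d group(s), heap fallback %s\n", n, heap ? "used" : "not needed");
  free(heap);
  if (my_initgroups("root", 0) == -1) perror("my_initgroups");
  return 0;
}
```

Passing a zero-length buffer forces the heap path, which is how the fallback can be tested without a user that belongs to more than 32 groups.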
The previous implementation wasn't wrong (it returned the "maximum
maximum"), but we can return the actual runtime value from the kernel.
Noticed while looking at initgroups().
Test: treehugger
Change-Id: I891fe4ff29bd82ee05d9e05ed8299d32c21abd7f
When the page_size < p_align of the ELF load segment, the loader
will end up creating extra PROT_NONE gap VMA mappings between the
LOAD segments. This problem is exacerbated by Android's zygote
model, where the number of loaded .so's can lead to ~30MB increase
in vm_area_struct unreclaimable slab memory.
Extend the LOAD segment VMA's to cover the range between the
segment's end and the start of the next segment, being careful
to avoid touching regions of the extended mapping where the offset
would overrun the size of the file. This avoids the loader
creating an additional gap VMA for each LOAD segment.
Consider a system with 4KB page size and the ELF files with 64K
alignment. e.g:
$ readelf -Wl /system/lib64/bootstrap/libc.so | grep 'Type\|LOAD'
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x0441a8 0x0441a8 R 0x10000
LOAD 0x0441b0 0x00000000000541b0 0x00000000000541b0 0x091860 0x091860 R E 0x10000
LOAD 0x0d5a10 0x00000000000f5a10 0x00000000000f5a10 0x003d40 0x003d40 RW 0x10000
LOAD 0x0d9760 0x0000000000109760 0x0000000000109760 0x0005c0 0x459844 RW 0x10000
Before this patch:
$ cat /proc/1/maps | grep -A1 libc.so
7fa1d4a90000-7fa1d4ad5000 r--p 00000000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7fa1d4ad5000-7fa1d4ae4000 ---p 00000000 00:00 0
7fa1d4ae4000-7fa1d4b76000 r-xp 00044000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7fa1d4b76000-7fa1d4b85000 ---p 00000000 00:00 0
7fa1d4b85000-7fa1d4b8a000 r--p 000d5000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7fa1d4b8a000-7fa1d4b99000 ---p 00000000 00:00 0
7fa1d4b99000-7fa1d4b9a000 rw-p 000d9000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7fa1d4b9a000-7fa1d4feb000 rw-p 00000000 00:00 0 [anon:.bss]
3 additional PROT_NONE (---p) VMAs for gap mappings.
After this patch:
$ cat /proc/1/maps | grep -A1 libc.so
7f468f069000-7f468f0bd000 r--p 00000000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7f468f0bd000-7f468f15e000 r-xp 00044000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7f468f15e000-7f468f163000 r--p 000d5000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7f468f163000-7f468f172000 rw-p 000da000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7f468f172000-7f468f173000 rw-p 000d9000 fe:09 20635520 /system/lib64/bootstrap/libc.so
7f468f173000-7f468f5c4000 rw-p 00000000 00:00 0 [anon:.bss]
No additional gap VMAs. However notice there is an extra RW VMA at
offset 0x000da000. This is caused by the RO protection of the
GNU_RELRO segment, which causes the extended RW VMA to split.
The GNU_RELRO protection extension is handled in the subsequent
patch in this series.
Bug: 316403210
Bug: 300367402
Bug: 307803052
Bug: 312550202
Test: atest -c linker-unit-tests [Later patch]
Test: atest -c bionic-unit-tests
Change-Id: I3363172c02d5a4e2b2a39c44809e433a4716bc45
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
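The arithmetic behind the before/after maps above, as an added example rather than the linker's own code: it takes the four LOAD segments from the readelf output, computes the PROT_NONE gap the loader would otherwise leave between consecutive segments at a given page size, and computes how far each segment's file mapping can be extended toward the next one without mapping file offsets past the end of the file. The file size is not on the page, so the 1 MiB value used here is a constructed assumption, and the clamp is an illustration of the "avoid overrunning the file" rule, not the exact check bionic uses.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* The program-header fields that matter here, as printed by readelf -Wl. */
struct load_seg {
  uint64_t p_offset, p_vaddr, p_filesz, p_memsz, p_align;
};

/* The four LOAD segments of /system/lib64/bootstrap/libc.so, copied from the
 * readelf output above. */
static const struct load_seg kLibcSegs[] = {
  { 0x000000, 0x000000, 0x0441a8, 0x0441a8, 0x10000 },
  { 0x0441b0, 0x0541b0, 0x091860, 0x091860, 0x10000 },
  { 0x0d5a10, 0x0f5a10, 0x003d40, 0x003d40, 0x10000 },
  { 0x0d9760, 0x109760, 0x0005c0, 0x459844, 0x10000 },
};
static const int kLibcSegCount = sizeof(kLibcSegs) / sizeof(kLibcSegs[0]);

static uint64_t page_start(uint64_t x, uint64_t page) { return x & ~(page - 1); }
static uint64_t page_end(uint64_t x, uint64_t page) { return page_start(x + page - 1, page); }

/* Bytes of PROT_NONE gap between segment a and the following segment b when
 * mapping at `page` granularity: from a's page-rounded end to b's
 * page-rounded start. Zero when page == p_align, as the text explains. */
uint64_t gap_between(const struct load_seg* a, const struct load_seg* b, uint64_t page) {
  uint64_t a_end = page_end(a->p_vaddr + a->p_memsz, page);
  uint64_t b_start = page_start(b->p_vaddr, page);
  return b_start > a_end ? b_start - a_end : 0;
}

/* How many bytes a's file mapping can grow toward b without backing any
 * page by a file offset at or beyond `file_size` (illustrative clamp). */
uint64_t extension_len(const struct load_seg* a, const struct load_seg* b,
                       uint64_t file_size, uint64_t page) {
  uint64_t gap = gap_between(a, b, page);
  if (gap == 0) return 0;
  uint64_t a_end = page_end(a->p_vaddr + a->p_memsz, page);
  // File offset backing the first extended page. p_offset == p_vaddr modulo
  // p_align (a multiple of page), so this is page aligned.
  uint64_t ext_off = a->p_offset + (a_end - a->p_vaddr);
  uint64_t file_end = page_end(file_size, page);
  if (ext_off >= file_end) return 0;
  uint64_t avail = file_end - ext_off;
  return gap < avail ? gap : avail;
}

/* Number of gap VMAs a load of these segments creates, with or without the
 * extension, i.e. the count of "---p" lines in the maps output. */
int count_gap_vmas(const struct load_seg* segs, int n, uint64_t file_size,
                   uint64_t page, int extend) {
  int gaps = 0;
  for (int i = 0; i + 1 < n; i++) {
    uint64_t gap = gap_between(&segs[i], &segs[i + 1], page);
    if (extend) gap -= extension_len(&segs[i], &segs[i + 1], file_size, page);
    if (gap != 0) gaps++;
  }
  return gaps;
}

int main(void) {
  const uint64_t kFileSize = 0x100000;  // constructed: the real size is not on the page
  for (int i = 0; i + 1 < kLibcSegCount; i++) {
    printf("LOAD[%d] -> LOAD[%d]: gap 0x%" PRIx64 ", extend 0x%" PRIx64 "\n", i, i + 1,
           gap_between(&kLibcSegs[i], &kLibcSegs[i + 1], 4096),
           extension_len(&kLibcSegs[i], &kLibcSegs[i + 1], kFileSize, 4096));
  }
  printf("4K pages: %d gap VMAs before, %d after; 64K pages: %d before\n",
         count_gap_vmas(kLibcSegs, kLibcSegCount, kFileSize, 4096, 0),
         count_gap_vmas(kLibcSegs, kLibcSegCount, kFileSize, 4096, 1),
         count_gap_vmas(kLibcSegs, kLibcSegCount, kFileSize, 65536, 0));
  return 0;
}
```

Each gap comes out as 0xf000, matching the three 0xf000-byte `---p` regions in the "before" maps, and the extension of the third segment starts at file offset 0xda000, which is the offset of the extra RW VMA in the "after" maps. With a 64 KiB page size (equal to p_align) there are no gaps to begin with.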
This reverts commit 79c9694c91.
Reason for revert: DroidMonitor: Potential culprit for Bug b/324348078 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: I32f7bc824900e18a7d53b025ffe3aaef0ee71802
The libcs we use don't need these any more (if they ever did), and we
were setting these globally in the build system anyway.
Also remove the -D_LIBCPP_ENABLE_CXX17_REMOVED_BINDERS from versioner
which doesn't seem needed any more either.
Test: treehugger
Change-Id: I9fb225b085906a02918c5847401d6c59f7779581
BYPASS_INCLUSIVE_LANGUAGE_REASON="man" refers to manual not person
Bug: 318749472
Test: atest pthread on MTE enabled device
Test: atest memtag_stack_dlopen_test on MTE enabled device
Test: manual with NDK r26b built app with fsanitize=memtag-stack
Change-Id: Iac191c31b87ccbdc6a52c63ddd22e7b440354202
This CL is created as a best effort to migrate test targets to the new Android ownership model.
It is based on historical data from repository history and insights from git blame.
Given the nature of this effort, there may be instances of incorrect attribution. If you find incorrect or unnecessary
attribution in this CL, please create a new CL to fix that.
For detailed guidelines and further information on the migration please refer to the link below,
go/new-android-ownership-model
Bug: 304529413
Test: N/A
Change-Id: Ie36b2a3245d9901323affcc5e51dafbb87af9248
I'd assumed that it was _deliberate_ that filesystems like procfs
reported 0 here, but apparently not. Good news: this makes for a more
worthwhile test than we had previously (at least when run on a 6.7+
kernel).
Bug: http://b/321880382 (for sys_vfs_test)
Bug: http://b/319590754 (for sys_statvfs_test)
Test: treehugger
Change-Id: I0a63faa8ca359592a29d7bca1a40ecd94fd50044
(cherry picked from commit 7506c37386)
I'd assumed that it was _deliberate_ that filesystems like procfs
reported 0 here, but apparently not. Good news: this makes for a more
worthwhile test than we had previously (at least when run on a 6.7+
kernel).
(This is the sys_vfs_test equivalent of the earlier change made to
sys_statvfs_test.)
Bug: http://b/321880382 (for sys_vfs_test)
Bug: http://b/319590754 (for sys_statvfs_test)
Test: treehugger
Change-Id: I3c6f784d1e348bf1be3a102d1dd6336c33d0b2db
(cherry picked from commit 1b48afbc66)
I'd assumed that it was _deliberate_ that filesystems like procfs
reported 0 here, but apparently not. Good news: this makes for a more
worthwhile test than we had previously (at least when run on a 6.7+
kernel).
(This is the sys_vfs_test equivalent of the earlier change made to
sys_statvfs_test.)
Bug: http://b/321880382 (for sys_vfs_test)
Bug: http://b/319590754 (for sys_statvfs_test)
Test: treehugger
Change-Id: I3c6f784d1e348bf1be3a102d1dd6336c33d0b2db
Obviously stack MTE conflates with the stack protector test. It doesn't
conflate with heap MTE (which we're expecting to push more broadly as
part of the -eng build), and so we want to keep this test working under
heap-mte scenarios as well.
Hence, the check-if-stack-variable-is-tagged test, and only under that
case, we skip.
Test: atest bionic-unit-tests on a fullmte device (with stack MTE turned
back on and the new compiler).
Bug: 320448268
Change-Id: I2ecee8a7c46416883235bf5c4ee2de9408047829
This reverts commit 4c5eeb8346 in main,
where we have the newer tzcode and so can pass the stricter test.
Bug: http://b/307680874
Test: treehugger
Change-Id: I28a6f423815655a59fb503230e50a7b618b0349a
As long as 2024Q1 is using Android 14's CTS, Android 14's CTS needs to
work with both. That doesn't make much sense for this test of a bug fix,
so just disable it.
Bug: http://b/307680874
Test: treehugger
Change-Id: Ic1bea5d0404c91279a025ac97b521f07e4d2d387
I'd assumed that it was _deliberate_ that filesystems like procfs
reported 0 here, but apparently not. Good news: this makes for a more
worthwhile test than we had previously (at least when run on a 6.7+
kernel).
Bug: http://b/319590754
Test: treehugger
Change-Id: I0a63faa8ca359592a29d7bca1a40ecd94fd50044
gtest's Message class has a special handler for operator<< of wchar_t*
to convert it to UTF-8, but it doesn't have one for a single wchar_t or
for a char16_t* string. It delegates these to std::stringstream, which
as of a libc++ upgrade, deletes its operator<< for char16_t and
wchar_t. See wg21.link/p1423r3.
Bug: http://b/175635923
Test: m MODULES-IN-bionic
Change-Id: I8307663b72855cfc0b91d7f63993f1f6fe028b8e
What's important is that we name the flag. It doesn't really matter
whether you have the better message that will be in Android 15. As long
as 2024Q1 is using Android 14's CTS, Android 14's CTS needs to work with
both.
Bug: http://b/307680874
Test: treehugger
Change-Id: I8c50707e1dfd6b40e6ced887ae105508c6339989
As long as 2024Q1 is using Android 14's CTS, Android 14's CTS needs
to work with both. That doesn't really seem practical for these tests,
so just disable them.
Bug: http://b/307680874
Test: treehugger
Change-Id: Iab4085ce1be1b0e00a6714eaf3008787e29e7e7b
We've updated the corresponding glibc headers so we don't need these
hacks any more.
Bug: http://b/318541070
Test: treehugger
Change-Id: Ic1974f30f9edb2589cc93041822706bc89909882
This reverts commit 46cce48995.
Reason for revert:
Will put a change behind flags to bump storage to 1Mb for internal build only. AOSP code does not need to be changed. The change will be only made to git_main.
Change-Id: If3484d0e56f4c3d8fc729f55744c2d8ebdd13b11
While aconfig flag storage is being migrated to its own dedicated
storage, we need to provide some relief to the current flag users which
are running into storage capacity limit of system property. Currently
system property by default allocates a file of 128Kb for each storage
node. Bump it to 256Kb for now.
Bug: b/316037066
Change-Id: I8b0b58733f362c3789ec92ae09ee589c7c1b72c6
Benchmark added to test an optimization I'll send round next, test added
when an even bigger refactoring (as part of a more interesting
optimization) broke strtol() in a way the strtol() tests didn't notice.
Test: treehugger
Change-Id: Ic974900021107938dbbbe98648960adb102d9595
The sysconf_SC_ARG_MAX test was failing because it didn't
handle the case for 16k. After fixing the test case, it will
handle 4k/16k page sizes and fail when there is another page
size.
Bug: 315174209
Test: atest -c bionic-unit-tests-static
Change-Id: Ie24a79be9d6790a1243be48d39f67acda485c37d
These were added because the tests wouldn't build without them, but they
do now.
Bug: http://b/132640749
Test: treehugger
Change-Id: Idc0aff08ce461bde5ed2cd816f04dcdef5d7af5d
Fix the pthread test cases to support 4k/16k page sizes.
Bug: 315174209
Test: atest -c bionic-unit-tests-static
Change-Id: Ie364e756120c396144f20372cac8239eed6c7bd8
This is now the default.
I've left the fuzzer workaround in for now, but we can come back and see
whether the fuzzer library has actually switched.
Test: treehugger
Change-Id: Ia3a09738396bfe915ceabec4a6019f4cedb0f39c
Calling free() during system property init results in premature
allocator initialization. This has been fixed with a Scudo change in
https://r.android.com/2853684. This patch extends MemtagNoteTest to
verify that there are no stray PROT_MTE mappings when MTE is not
enabled in the binary.
Test: adb shell setprop arm64.memtag.bootctl memtag
adb reboot
bionic-unit-tests --gtest_filter=MemtagNoteTest.SEGV/*
Bug: 309698651
Change-Id: I6c7733d8799537d898c97b00d494ce6591cf44d9
This reverts commit f71ee5adb7.
Reason for revert: linker crash in soinfo::apply_relr_reloc
Bug: 314038442
Change-Id: Ib2415519e37d6b2acb30f50afa6c45391e2a4b70
This way, callees don't need to worry about whether or not their
reference to __riscv_hwprobe() has been resolved before their ifunc
resolver is called.
This matches the current glibc proposal from rivos.
Test: treehugger
Change-Id: I0d5244aa837d0d1f0e6bd7d22091dfedb8a55bdb
This test comes in two flavours: a prebuilt, and one from source (which is used
to generate the prebuilt). For now, the in-tree prebuilt compiler isn't
new enough to actually build binaries with proper MTE globals support,
so I've provided prebuilts using a tip-of-tree compiler. Thus, the MTE
globals support in the linker can be experimented on, tested, and
(hopefully) submitted while not being blocked on the toolchain roll.
You can see the binaries have MTE globals by grabbing a tip-of-tree
compiler, and running 'llvm-readelf --memtag <bin>'.
Bug: N/A
Test: atest bionic-unit-tests --test-filter=*Memtag*
Change-Id: I2fc4fc9d1c6ddd16c2204dd728d4ebe463928522
... to make sure that stores to the same locations are harder to
eliminate.
Also ensure that reader gets a chance to run by sleeping if necessary.
Bug: 308744279
Test: atest stdatomic
Test: Check that we don't usually sleep.
Change-Id: Iddab2a109525f96e065ac8331f227baa08dd8e22
The bionic benchmarks set the decay time in various ways, but
don't necessarily restore it properly. Add a new method for
getting the current decay time and then a way to restore it.
Right now the assumption is that the decay time defaults to zero,
but in the near future that assumption might be incorrect. Therefore
using this method will future proof the code.
Bug: 302212507
Test: Unit tests pass for both static and dynamic executables.
Test: Ran bionic benchmarks that were modified.
Change-Id: Ia77ff9ffee3081c5c1c02cb4309880f33b284e82
msgsnd() takes the following arguments:
1. msqid: the message queue ID
2. msgp: a pointer to a struct whose first member is the message
type (long) and the second the message itself (char array).
3. msgsz: the size of the message
4. msgflg: optional flags
sys_msg.smoke does not correctly specify msgsz, as it provides the
size of the whole struct instead of its message (data) member.
sys_msg.msgsnd_failure does not provide a pointer to a full struct
as msgp. In both cases, this results in the kernel reading garbage
on the stack.
Fix both issues by providing the appropriate size and struct
pointer.
Test: run bionic-tests --gtest_filter=sys_msg.*
Change-Id: Iaa005e259d3ecfa28484dd66222ed6c4584ffc08
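The two mistakes the commit above fixes, stated as a correct round trip: this is an added example, not the bionic test code. The struct shape, the 64-byte payload and the message text are constructed. msgsz counts only the bytes of mtext, never the whole struct, and both msgsnd() and msgrcv() must be handed a pointer to a complete struct whose first member is the long message type.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>

/* The shape msgsnd()/msgrcv() expect: a positive long type, then the data. */
struct text_msg {
  long mtype;
  char mtext[64];  // constructed payload size; msgsz refers to these bytes only
};

/* Send `text` (including its NUL) through a private SysV queue and read it
 * back. Returns the number of payload bytes received, or -errno if the
 * payload does not fit or the queue cannot be created/used (for example
 * when SysV IPC is unavailable in the current sandbox). */
int roundtrip_message(const char* text) {
  struct text_msg out = { .mtype = 1 };
  struct text_msg in;
  size_t payload = strlen(text) + 1;
  if (payload > sizeof(out.mtext)) return -EMSGSIZE;
  memcpy(out.mtext, text, payload);

  int id = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
  if (id == -1) return -errno;

  int result;
  // Wrong: msgsnd(id, &out, sizeof(out), 0) makes the kernel copy
  // sizeof(out) bytes starting *after* mtype, i.e. past the end of `out`.
  // Right: the payload length.
  if (msgsnd(id, &out, payload, 0) == -1) {
    result = -errno;
    goto done;
  }
  // Wrong: passing &out.mtext (or a bare char array) as msgp; the kernel
  // treats the first long as the type and the rest as data. Right: the
  // full struct, with msgsz bounding the receive into mtext.
  memset(&in, 0, sizeof(in));
  ssize_t got = msgrcv(id, &in, sizeof(in.mtext), 0, 0);
  if (got == -1) {
    result = -errno;
    goto done;
  }
  result = (in.mtype == 1 && strcmp(in.mtext, text) == 0) ? (int)got : -EBADMSG;
done:
  msgctl(id, IPC_RMID, NULL);  // do not leak the queue
  return result;
}

int main(void) {
  int r = roundtrip_message("hello");
  if (r < 0) printf("queue unusable: %s\n", strerror(-r));
  else printf("received %d payload bytes\n", r);
  return 0;
}
```

On a system without SysV message queues the helper reports the kernel's errno instead of faking success, so callers can tell "unsupported here" from a real mismatch.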
We were copying the data fine, but the return value was one vector
length too far (but also not taking into account the actual number of
bytes in the last transfer).
Also move the stpcpy() tests to EXPECT_EQ() so we get all the details
of the failure at once.
Test: treehugger
Change-Id: I76bf02c8a31f40722acb7c9fd8e301d50e405bf8
The zygote cannot have visibility to LIBC_PLATFORM methods. Therefore,
move __system_properties_reload to LIBC, and rename it
__system_properties_zygote_reload, and indicate in comments that it
should not be used by non-zygote apps
Bug: 291814949
Test: atest CtsBionicRootTestCases
Change-Id: Iee8fa0c76b740543c05a433393f2f4bef36d6d3d
I was re-reading this comment and thought I'd gotten my interpretation
backward, but it's actually just very nuanced. Elaborate a bit so I
hopefully don't reinterpret this again in a few more months.
Bug: None
Test: None
Change-Id: I8ca444f2fb143c46e6068f349e9f5eb574fc4b31
Instead of the hardcoded PAGE_SIZE 4096 macro, use the
real system page-size as queried from the auxiliary vector.
Bug: 277272383
Bug: 300367402
Test: atest -c bionic-unit-tests
Change-Id: I2f1ad1b431e36ef45e9f53f713ced6b06e0d4f70
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Create a second set of system properties, that can be overlaid over the
real ones if necessary, for appcompat purposes.
Bug: 291814949
Ignore-AOSP-First: Aosp -> internal merge conflict
Test: manual, treehugger, system_properties_test
Change-Id: I541d3658cab7753c16970957c6ab4fc8bd68d8f3
Merged-In: I884a78b67679c1f0b90a6c0159b17ab007f8cc60
The first app developer (we know of) that hit this didn't understand
what it was trying to tell them.
Before:
FORTIFY: fcntl(F_SETFD) passed non-FD_CLOEXEC flag: 0x801
After:
FORTIFY: fcntl(F_SETFD) only supports FD_CLOEXEC but was passed 0x801
Bug: https://issuetracker.google.com/304348746
Test: treehugger
Change-Id: I8522e851d8f74c91152ebae68b083b5272d49255
Remove tests of implementation details rather than the CFI
functionality itself. In particular, CFI is designed to protect against
invalid calls to executable code, whereas heap memory is covered by page
protection.
Bug: http://b/298741930
Test: treehugger
Change-Id: Ib7f8af283b4c0001da8fa80a1b281bdc4c50af51
Hopefully this is totally unambiguous and non-confusing output:
```
Expected equality of these values:
Errno(22)
Which is: EINVAL
Errno((*__errno()))
Which is: ENOSYS
```
Test: treehugger
Change-Id: Iefe6a8a6447e76681c18256d2713e2c527081c75
strerrordesc_np() isn't very useful (being just another name for
strerror()), but strerrorname_np() lets you get "ENOSYS" for ENOSYS,
which will make some of our test assertion messages clearer when we
switch over from strerror().
This also adds `%#m` formatting to all the relevant functions.
Test: treehugger
Change-Id: Icfe07a39a307d591c3f4f2a09d008dc021643062
The close_range() test in particular has been confusing a lot of
partners. I think the sys_epoll_test.cpp idiom is the clearest of the
ones in use, so let's use that everywhere. (I haven't actually touched
the SysV IPC tests, because if we do touch them, _deleting_ them --
since all those syscalls are not allowed on Android -- is probably the
change to be made!)
I'm on the fence about factoring this idiom out into a macro. There
should never be too many of these, and we should probably be removing
them? Is anyone still running the current bionic tests on 4.3 kernels
without membarrier(2), and if they are --- why?!
For now though, I haven't removed any of our existing tests; I've just
moved them over to the sys_epoll_test.cpp style.
Test: treehugger
Change-Id: Ie69a0bb8f416c79957188e187610ff8a3c4d1e8f
We've talked about this many times in the past, but partners struggle to
understand "expected 38, got 22" in these contexts, and I always have to
go and check the header files just to be sure I'm sure.
I actually think the glibc geterrorname_np() function (which would
return "ENOSYS" rather than "Function not implemented") would be more
helpful, but I'll have to go and implement that first, and then come
back.
Being forced to go through all our errno assertions did also make me
want to use a more consistent style for our ENOSYS assertions in
particular --- there's a particularly readable idiom, and I'll also come
back and move more of those checks to the most readable idiom.
I've added a few missing `errno = 0`s before tests, and removed a few
stray `errno = 0`s from tests that don't actually make assertions about
errno, since I had to look at every single reference to errno anyway.
Test: treehugger
Change-Id: Iba7c56f2adc30288c3e00ade106635e515e88179