This is required because virtualization_service use
libtombstoned_client_rust which has transitive dependency on
libasync_safe
Test: atest MicrodroidHostTestCases
Bug: 202153827
Change-Id: I9e670d02995f9ed9e67791aaecb300b6bfdbdb03
Clang has its own limits.h which is ahead of ours on the inclusion
path. This header uses include_next to include our header, but only
in hosted mode. This means that in freestanding mode we don't get our
limits.h macro definitions, including LONG_BIT. This ends up causing
our signal.h to produce errors when included in freestanding mode on
32-bit platforms.
Fix the errors by replacing usage of LONG_BIT with (8 * sizeof(long))
in the signal headers.
Change-Id: I18ec7b6876d5f862beae09f0c011128eef97c869
Kernel headers coming from:
Git: https://android.googlesource.com/kernel/common/
Branch: android-mainline
Tag: android-mainline-5.17
Test: Boots on a flame and all bionic unit tests pass.
Change-Id: I7057d7308241f3acfa600597d287994c39ababbc
Revert submission 1954983-master-I3030c47be9d02a27505bd4775c1982a20755758c
Reason for revert: PAC has shipped with S, and we're going with app compat outreach rather than regressing security.
Reverted Changes:
I3030c47be:Disable pointer authentication in app processes.
I3030c47be:Disable pointer authentication in app processes.
Change-Id: I8761f08ddbd9077ff98b1a9a0c323de968792778
Modify libfdtrack to use the normal Unwinder object. In addition,
update the libfdtrack so that it doesn't record frames in
libfdtrack.so rather than skipping frames it thinks will be in
the library.
Modify the malloc debug code to use the normal Unwinder object.
Bug: 120606663
Test: All unit tests pass.
Change-Id: I3c9612dd10e62389e6219e68045ee87f7b2625f5
The wrap.<APP> property was broken in Android 12, so provide documentation
about how to workaround it.
Test: NA
Change-Id: I98fdc5801997492442802e1295fb6969f9190e1c
I removed the bionic/scudo directory a while ago, but I must have
missed removing the subdirs from the Android.bp file.
Test: Builds.
Change-Id: I3e2a1f42b91273a566e587e923c7c3889a71ed17
The clang prebuilts now provide a single module with per-architecture
variants instead of a module per architecture.
Bug: 220019988
Test: m checkbuild
Ignore-AOSP-First: topic contains vendor projects
Change-Id: I079f36f94b13e06d59a16cf665b65db76084021a
Merged-In: I079f36f94b13e06d59a16cf665b65db76084021a
Add the bionic NOTICE file to cover the headers included in the
musl sysroot.
Bug: 190084016
Test: examine libc_musl_sysroot.zip
Change-Id: I2b5e1b89e997ac370983e5959a83f09cdcc240e8
Bug: http://b/197147102
versioner in aosp/1997532 is built with clang-r445002 and understands
the new attribute.
Test: mmma bionic
Change-Id: Ia3e3c3840e6013446d2679587b72011aff8c50eb
dup2(2) is a no-op if the new and old fds are equal, but it's pretty
clear that any useful caller in the posix_spawn(3) context wants us to
clear O_CLOEXEC even if we don't actually "move" the fd.
Bug: https://www.austingroupbugs.net/view.php?id=411
Test: treehugger
Change-Id: I5ce1a1f9216df5afd295cc9e35b84527873e9541
For the perf profiling signal handler to succeed in opening
/proc/self/mem, the process needs to be marked as dumpable in posix
terms. This patch addresses a scenario since Android S where the process
is considered profileable, but is not dumpable on "user" builds. The
solution is to mark the process as dumpable while opening the procfs
descriptors, restoring the original value afterwards. This is the same
approach as the heapprofd heap profiler, which performs the override
within the loaded client library [1].
The particular scenario being addressed is:
* user build
* app does not explicitly opt into being profiled by shell
* app does not explicitly opt out of all profiling
In this case, the app is considered profileable by the platform (but NOT
shell). Therefore ActivityThread marks the process as profileable [2],
but the zygote keeps the process as undumpable as it considers the
profileability from the shell domain [3]. We could change the logic in
the zygote to leave such processes in the dumpable state, but the
override within the signal handler is considered to be more contained as
the dumpability is only needed temporarily.
This override would also apply for any non-dumpable native services that
are signalled for profiling, which is also desireable for profiling
coverage.
This change does not elide any of the existing profileability
checks by the signal handler's preamble and the profiler itself.
[1]
https://cs.android.com/android/platform/superproject/+/master:external/perfetto/src/profiling/memory/client.cc;l=184;drc=78cd82ba31233ce810618e07d349fd34efdb861d
[2]
https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/java/android/app/ActivityThread.java;l=6610;drc=de9cf3392d7872c2bee69b65a614e77bb166b26e
[3]
https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/jni/com_android_internal_os_Zygote.cpp;l=1680;drc=master
Tested: clock app on barbet-user succeeds in opening the procfs
descriptors within the signal handler.
Tested: systemwide profiling on sargo-userdebug works as before.
Bug: 196810669
BYPASS_INCLUSIVE_LANGUAGE_REASON=referencing the name of a cmdline utility
Change-Id: Id621d4312418ff0736c97065e9ee577ff67f40da
Currently, the ELF note parsing in the loader is not permissive. This
patch relaxes the restrictions on the bits of the ELF note that could be
extended in the future.
This may allow more MTE options in apexes. If we add some extra metadata
bit (say, in bit 5) in the future, and then build MTE into every apex,
we don't want it to crash on Android 13 devices (we'd much rather it
just be a no-op).
Remove the (unused anywhere) NT_MEMTAG_DEFAULT and call it
NT_MEMTAG_NONE.
And finally, make the tests work on bionic-unit-tests-static. We
previously didn't deploy the test binaries, so add them as a data
dependency.
Bug: N/A
Test: atest bionic-unit-tests-static
Change-Id: I13530faad55c719c6eb848297f8ce378e18afbfc
The bp2build build is failing with:
ERROR: /buildbot/src/android/master/out/soong/workspace/bionic/libc/BUILD.bazel:3187:8: Label '//bionic/libc:execinfo/include/execinfo.h' is duplicated in the 'srcs' attribute of rule 'libc_musl_sysroot_bionic_headers'
ERROR: /buildbot/src/android/master/out/soong/workspace/bionic/libc/BUILD.bazel:3187:8: Label '//bionic/libc:kernel/android/uapi/linux/compiler.h' is duplicated in the 'srcs' attribute of rule 'libc_musl_sysroot_bionic_headers'
ERROR: /buildbot/src/android/master/out/soong/workspace/bionic/libc/BUILD.bazel:3187:8: Label '//bionic/libc:b64/include/bionic/b64.h' is duplicated in the 'srcs' attribute of rule 'libc_musl_sysroot_bionic_headers'
ERROR: /buildbot/src/android/master/out/soong/workspace/bionic/libc/BUILD.bazel:3187:8: Label '//bionic/libc:kernel/uapi/linux/capability.h' is duplicated in the 'srcs' attribute of rule 'libc_musl_sysroot_bionic_headers'
ERROR: /buildbot/src/android/master/out/soong/workspace/bionic/libc/BUILD.bazel:3187:8: Label '//bionic/libc:kernel/android/scsi/scsi/scsi.h' is duplicated in the 'srcs' attribute of rule 'libc_musl_sysroot_bionic_headers'
Rewrite the genrule to avoid referring to the same header twice by
using the NOTICE file as a known location in the bionic/libc directory.
Bug: 190084016
Bug: 218405924
Test: libc_musl_sysroot.zip has same contents
Change-Id: Id1a0484a3ed623bcc03b015d02eef19bbb31c06a
Normally, platform-specific note types in the toolchain are prefixed
with the platform name. Because we're exposing the NT_TYPE_MEMTAG and
synthesizing the note in the toolchain in an upcoming patch
(https://reviews.llvm.org/D118948), it's been requested that we change
the name to include the platform prefix.
While NT_TYPE_IDENT and NT_TYPE_KUSER aren't known about or synthesized
by the toolchain, update those references as well for consistency.
Bug: N/A
Test: Build Android
Change-Id: I7742e4917ae275d59d7984991664ea48028053a1
The musl sysroot needs kernel uapi headers, export them as a zip
file. Also include the execinfo and b64 headers for libexecinfo
and libb64 that are embedded in musl libc.
Bug: 190084016
Test: m USE_HOST_MUSL=true libc_musl_sysroot
Change-Id: Ie862934f6dabd3fc6cbb9f5be01e21549bce51c2
Musl doesn't provide the resolv b64_* functions, but adb uses them.
Export them from bionic.
Bug: 190084016
Test: m USE_HOST_MUSL=true host-native
Change-Id: I37837e6179a15754d4cbd89e67649df9dea9d9f1
Musl doesn't provide the execinfo function. Export the from bionic.
Bug: 190084016
Test: m USE_HOST_MUSL=true host-native
Change-Id: I0361b84b0160d419cd857f5bb1314a58d0a69234
Bug: http://b/197147102
Bug: http://b/214080353
With https://reviews.llvm.org/D77491, clang got stricter when issuing
diagnostics regarding builtin functions.
https://reviews.llvm.org/D112024 adds a diagnose_as_builtin attribute
which lets it diagnose builtins even though their signature is slightly
different. This patch adds diagnose_as_builtin attribute as needed.
Versioner is built with an older clang so it doesn't recognize this
attribute. So this is added with a preprocessor check on clang
versions. We can remove the version check once versioner gets updated
shortly after the compiler update.
Test: mmma bionic/tests with clang-r445002
Change-Id: I3d0d63ecdbea0cffe97eb5110e2d9f2a7595a38e
Bug: http://b/214080353
The wrong alignment to aligned_alloc() is deliberate. Silence the
warning around the test.
Test: build with clang-r445002
Change-Id: I73bad7775423c908c2bbe1c550e8ce5aeede129d
The first time should_trace() returns true, bionic_trace_begin() calls
open() on trace_marker.
The problem is that open() can call bionic_trace_begin(). We've observed
this happening, for example when:
* fdtrack is enabled. dlopen("libfdtrack.so") can be used to enable
fdtrack on a process.
* ThreadA is busy unwinding inside fdtrack and is holding an fdtrack
internal mutex.
* ThreadB calls bionic_trace_begin() for the first time since the
property "debug.atrace.tags.enableflags" contains ATRACE_TAG_BIONIC.
* ThreadB calls open("/sys/kernel/tracing/trace_marker"). Since fdtrack
is enabled, ThreadB tries to do unwinding as well.
* ThreadB, inside fdtrack's unwinding tries to grab the same mutex that
ThreadA is holding.
* Mutex contention is reported using bionic_systrace, therefore
bionic_trace_begin() is called again on ThreadB.
* ThreadB tries to grab g_lock in bionin_systrace.cpp, but that's
already held by ThreadB itself, earlier on the stack. Therefore
ThreadB is stuck.
I managed to reproduce the above scenario by manually pausing ThreadA
inside unwinding with a debugger and letting ThreadB hitting
bionic_trace_begin() for the first time.
We could avoid using g_lock while calling open() (either by releasing
g_lock and reacquiring it later, or by using atomics), but
bionic_trace_begin() would try to call open() again. In my tests, open()
does not call bionic_trace_begin() a third time, because fdtrack has
reentrancy protection, but there might be another code path inside open
that calls bionic_trace_begin again (it could be racy or only happen in
certain configurations).
This commit fixes the problem by implementing reentrancy protection in
bionic_systrace.
Sample callstack from ThreadA deadlocked before the fix:
```
* frame #0: 0x0000007436db077c libc.so`syscall at syscall.S:41
frame #1: 0x0000007436db0ba0 libc.so`bionic_trace_begin(char const*) [inlined] __futex(ftx=0x000000743737a548, op=<unavailable>, value=2, timeout=0x0000000000000000, bitset=-1) at bionic_futex.h:45:16
frame #2: 0x0000007436db0b8c libc.so`bionic_trace_begin(char const*) [inlined] __futex_wait_ex(ftx=0x000000743737a548, value=2) at bionic_futex.h:66:10
frame #3: 0x0000007436db0b78 libc.so`bionic_trace_begin(char const*) [inlined] Lock::lock(this=0x000000743737a548) at bionic_lock.h:67:7
frame #4: 0x0000007436db0b74 libc.so`bionic_trace_begin(char const*) [inlined] should_trace() at bionic_systrace.cpp:38:10
frame #5: 0x0000007436db0b74 libc.so`bionic_trace_begin(message="Contending for pthread mutex") at bionic_systrace.cpp:59:8
frame #6: 0x0000007436e193e4 libc.so`NonPI::MutexLockWithTimeout(pthread_mutex_internal_t*, bool, timespec const*) [inlined] NonPI::NormalMutexLock(mutex=0x0000007296cae9f0, shared=0, use_realtime_clock=false, abs_timeout_or_null=0x0000000000000000) at pthread_mutex.cpp:592:17
frame #7: 0x0000007436e193c8 libc.so`NonPI::MutexLockWithTimeout(mutex=0x0000007296cae9f0, use_realtime_clock=false, abs_timeout_or_null=0x0000000000000000) at pthread_mutex.cpp:719:16
frame #8: 0x0000007436e1912c libc.so`::pthread_mutex_lock(mutex_interface=<unavailable>) at pthread_mutex.cpp:839:12 [artificial]
frame #9: 0x00000071a4e5b290 libfdtrack.so`std::__1::mutex::lock() [inlined] std::__1::__libcpp_mutex_lock(__m=<unavailable>) at __threading_support:256:10
frame #10: 0x00000071a4e5b28c libfdtrack.so`std::__1::mutex::lock(this=<unavailable>) at mutex.cpp:31:14
frame #11: 0x00000071a4e32634 libfdtrack.so`unwindstack::Elf::Step(unsigned long, unwindstack::Regs*, unwindstack::Memory*, bool*, bool*) [inlined] std::__1::lock_guard<std::__1::mutex>::lock_guard(__m=0x0000007296cae9f0) at __mutex_base:104:27
frame #12: 0x00000071a4e32618 libfdtrack.so`unwindstack::Elf::Step(this=0x0000007296cae9c0, rel_pc=66116, regs=0x0000007266ca0470, process_memory=0x0000007246caa130, finished=0x0000007ff910efb4, is_signal_frame=0x0000007ff910efb0) at Elf.cpp:206:31
frame #13: 0x00000071a4e2b3b0 libfdtrack.so`unwindstack::LocalUnwinder::Unwind(this=0x00000071a4ea1528, frame_info=<unavailable>, max_frames=34) at LocalUnwinder.cpp:102:22
frame #14: 0x00000071a4e2a3ec libfdtrack.so`fd_hook(event=<unavailable>) at fdtrack.cpp:119:18
frame #15: 0x0000007436dbf684 libc.so`::__open_2(pathname=<unavailable>, flags=<unavailable>) at open.cpp:72:10
frame #16: 0x0000007436db0a04 libc.so`bionic_trace_begin(char const*) [inlined] open(pathname=<unavailable>, flags=524289) at fcntl.h:63:12
frame #17: 0x0000007436db09f0 libc.so`bionic_trace_begin(char const*) [inlined] get_trace_marker_fd() at bionic_systrace.cpp:49:25
frame #18: 0x0000007436db09c0 libc.so`bionic_trace_begin(message="pthread_create") at bionic_systrace.cpp:63:25
```
Bug: 213642769
Change-Id: I10d331859045cb4a8609b007f5c6cf2577ff44df
Unfortunately we have discovered that some applications in the wild
are using PAC instructions incorrectly. To keep those applications
working on PAC enabled devices, disable PAC in application processes
for now.
Bug: 212660282
Change-Id: I3030c47be9d02a27505bd4775c1982a20755758c
This was pretty broken. I think anything using this was being given
always-available annotations for everything but 32-bit x86? Treehugger
should complain loudly if this was actually impacting anything though.
I suspect not since the only user of this mode is mainline which
doesn't target far back enough to have arch-specific introduction
guards.
Test: treehugger
Bug: None
Change-Id: I64e96a89d83e64512e661e88915c48a091198992
Definitions for these are provided in libandroid_support for API
levels that do not expose this in the stubs. For the rare cases where
libandroid_support is not being used this will result in a lower
quality diagnostic (undefined reference instead of "not available
until API 21"), but other fixes would also have that behavior because
the libandroid_support headers are *always* available, even if
libandroid_support won't be linked.
Test: Reverted xfailed tests for #1108 and reran tests with this
Bug: https://github.com/android/ndk/issues/1108
Change-Id: I371f5b9d7caeef8dc7c80f2f6d11280ecba119c9
When we added the fast path for the common case of ASCII, we forgot to
remove the now-dead code that handled the 1-byte case later in these
functions. This was obvious from the code coverage data.
Note that the 16-bit variants are unaffected because they're implemented
as calls to the 32-bit variants with extra range checks/surrogate
handling surrounding the call.
Test: treehugger
Change-Id: Ibd40f823519acb9aae8037bdeb3f9c5e36b9d9a6
A decent chunk of the logcat profile is spent formatting the timestamps
for each line, and most of that time was going to snprintf(3). We should
find all the places that could benefit from a lighter-weight "format an
integer" and share something between them, but this is easy for now.
Before:
-----------------------------------------------------------
Benchmark Time CPU Iterations
-----------------------------------------------------------
BM_time_strftime 781 ns 775 ns 893102
After:
-----------------------------------------------------------
Benchmark Time CPU Iterations
-----------------------------------------------------------
BM_time_strftime 149 ns 147 ns 4750782
Much of the remaining time is in tzset() which seems unfortunate.
Test: treehugger
Change-Id: Ie0f7ee462ff1b1abea6f87d4a9a996d768e51056
clang was getting in the way of a strftime(3) optimization, and smaller
hammers weren't working, and this seems like the right choice for libc
anyway? If we have code that can usefully be optimized, we should do it
in the source. In general, though, no libc/libm author should be
ignorant of memset(3) or memcpy(3), and would have used it themselves if
it made sense. (And the compiler isn't using profiling data or anything;
it's just always assuming it should use the functions, and doesn't
consider whether the cost of the calls can be amortized or not.)
Test: treehugger
Change-Id: Ia7e22623e47bfbfcfe46c1af0d95ef7e8669c0f6
The implementation of FUSE BPF requires the FUSE daemon to access BPF
functionalities, i.e., to get the fd of a pinned BPF prog and to update
maps.
In Android the FUSE daemon is part of MediaProvider which, belonging to
the apps domain, can only access the subset of syscalls allowed by
seccomp, of which bpf() is currently blocked.
This patch removes this limitation by adding the bpf() syscall to the
allowed seccomp syscalls.
Allowing the bpf() syscall is safe as its usage is still gated by
selinux and regular apps are not allowed to use it.
Bug: 202785178
Test: m
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I5887e8d22906c386307e54d3131c679fee0d9f26
We could remove this line, but it seems reasonable to leave it in for
clarification/safety, especially if it's moved after the common success
case?
Test: treehugger
Change-Id: I5f7e0da8397f80018e6d55321b26371790087f5c
Mbstowcs and wcstombs cannot get correct return value when called in the environment below api 21, and need to raise the API level to solve the problem.
Test: None
fix bug 1108 https://github.com/android/ndk/issues/1108
Change-Id: Iabcf1bff0be087288646687732ef68870630b48a
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatbility window for these devices so
it can safely be removed.
Test: build boot cuttlefish device. adb remount, modify
/system/etc/selinux/plat_sepolicy_and_mapping.sha256 to force
on-device policy compilation. reboot. Verify that device boots
without new selinux denials.
Change-Id: I663a524670120ee19dfe785aa5f89b3981bdd378
This came up with POSIX recently. Doesn't seem like it matters since
everyone's had this wrong for 40 years, but "meh" --- it's a trivial
fix, and it's strictly correct even if nobody needs this, so let's just
do it...
(Geoff Clare pointed out that my app compat concern "what if someone's
relying on this bug to pass flags to the shell?" isn't relevant because
while you can indeed do that, you then can't pass a command!)
Bug: https://austingroupbugs.net/view.php?id=1440
Test: treehugger
Change-Id: I64f6440da55e2dc29d0136ee62007197d2f00d46
Clang cannot build ifunc with LTO. This is a KI: https://bugs.llvm.org/show_bug.cgi?id=46488
Move the LTO: never down to libc itself, so that we can have LTO for the
rest of linker.
Test: m GLOBAL_THINLTO=true linker
Change-Id: I483fc3944e340638a664fb390279e211c2ae224b
The native bridge libc.so is overridden by
//frameworks/libs/native_bridge_support/libc:libc, mark it
installable: false to avoid a collision in the install rules.
Allows removing BUILD_BROKEN_DUP_RULES from cuttlefish builds.
Relands I5379aa9595a714efdbe1ddc1ff4f65bb45fc67e8 with a fix to
only apply to the shared variant.
Bug: 204136549
Test: m checkbuild
Change-Id: I84abb577e3bb924d39a369670d0b2dbfac45bbc4
The native bridge libc.so is overridden by
//frameworks/libs/native_bridge_support/libc:libc, mark it
installable: false to avoid a collision in the install rules.
Allows removing BUILD_BROKEN_DUP_RULES from cuttlefish builds.
Bug: 204136549
Test: m checkbuild
Change-Id: I5379aa9595a714efdbe1ddc1ff4f65bb45fc67e8
This saves a couple of syscalls in the common case, and also lets static
binaries run in a chroot without /dev/null as long as
stdin/stdout/stderr are actually connected to something (which the
toybox maintainer tried to do).
Test: manual with strace
Change-Id: Ic9a28896a07304a3bd428acfd9ddca9d22015f6e
They're in glibc, though not in musl.
Also add basic doc comments to the whole of <sys/uio.h>.
Bug: http://b/203002492
Test: treehugger
Change-Id: Ic607f7f349e5b7c9bf66c25b7bd68f827da530d6
In the following scenario:
* Heapprofd wants to profile a process.
* The process receives the heapprofd signal, so it sets up the ephemeral
hooks.
* The process does not perform any allocation, so the proper heapprofd
hook is never installed.
* Heapprofd terminates.
* Now heapprofd wants to start a new profiling session.
* The process receives the heapprofd signal (again).
In the signal handler, no action is needed at this point. The ephemeral
hooks are already setup, so, at the next malloc, the proper heapprofd
hooks will be installed.
Before this commit, the code logged an error message, but still worked
correctly.
This commit basically just skips the error_log below.
Example of the error message that is now suppressed:
```
process: heapprofd: failed to transition kInitialState ->
kInstallingEphemeralHook. current state (possible race): 2
```
Tested by:
* Running a process that calls malloc on input from stdin.
* (Optional, tested both cases) Enable GWP-Asan by calling
`android_mallopt(M_INITIALIZE_GWP_ASAN, ...`. The call will return
success.
* Attaching heapprofd:
```
external/perfetto/tools/heap_profile -i 1 -p `adb shell pidof <...>`
```
* Detaching heapprofd (CTRL-C). The trace will be empty.
* (If not enabled before) Enabling GWP-Asan. The call will fail (because
GWP-Asan detects heapprofd hooks).
* Reattaching heapprofd.
* Triggering some malloc()s in the process. The error log from above
will not appear in `adb logcat`.
* Detaching heapprofd (CTRL-C). The trace will NOT be empty.
Bug: 192258849
Change-Id: I01699b10ecd19e52e1e77f83fcca955ebd885942
Strictly this still isn't quite the same, because they won't actually be
profiled, but at least they won't *crash* now if they're sent a
profiling signal.
Bug: http://b/201497662
Test: treehugger
Change-Id: I0728492eed77584cd850d28897056996387e6671
When calling write on an FD for trace_marker, it is expected that the
pointer passed will be paged into memory. If this isn't the case, the
kernel will ignore the string passed and instead write "<faulted>" to
the ring buffer.
For end events, we were passing a constant string which resides in
the rodata section of the ELF file. If this section is paged out, we
end up not closing atrace stacks correctly leading to very broken traces.
For even more context, see the associated bug.
Fix this issue by reading the constant string to the stack first
which should mean the string is always paged in.
Bug: 197620214
Change-Id: I6a444ac6fe83a6a9fb696c5621e392eca7e9437a
When calling android_mallopt using M_INITIALIZE_GWP_ASAN, nothing
was being returned. Fix this, add a test, and also refactor the
code a bit so dynamic and static share the same code.
Test: Unit tests pass in dynamic and static versions.
Test: Passed using both jemalloc and scudo.
Change-Id: Ibe54b6ccabdbd44d2378892e793df393978bc02b
...since the implementation is BSD. I missed this in the original code
review (and the presubmit hooks were skipped, so the machines didn't
notice).
Test: N/A
Change-Id: Ia9fe067c68b3ab8045d3f5dfe256f3200f102fbf
musl libc doesn't provide fts, but elfutils and libabigail need it.
Export bionic's fts as a staic library that can be linked into elfutils
and libabigail when compiling against musl.
fts uses recallocarray, which musl doesn't provide, so also include
recallocarray.c in libfts.a.
Requires minor tweaks to fts.c and a wrapper around fts.h to make them
compatible with musl, primarily by providing local definitions of macros
provided in bionic's sys/cdefs.h.
Bug: 190084016
Test: m libfts
Change-Id: Ifac9a59e7504c0c1f5f8a3a5bd3c19a13980b83c
fts.c is from openbsd and has compatibility macros to make it compile
as part of bionic. Move it into libc_openbsd_ndk where it will
get the workarounds from -include openbsd-compat.h instead.
Test: m libc
Change-Id: I213d423af8f010e39460b611e902acbf3561ae7a
I accidentally made the tests run MAX_RETRIES times instead of
running once when passing, and at most MAX_RETRIES when the
test fails. Also, add a bit of randomness to the usleep to try and
avoid tests syncing up on failures.
Bug: 193898572
Test: Ran unit tests and verified that a pass doesn't result in another run.
Test: Ran three copies of the unit tests at the same time to verify that
Test: there isn't a flaky test failure.
Change-Id: I8b8d3cd05ca7d1e87ce34bf10aeef84f6989fdab
If the DispatchReset fails, the subsequent iteration has the wrong
idea of what the "original" table is, and if a subsequent DispatchReset
succeeds it unhooks them.
Repro in https://r.android.com/1767868.
Bug: 193012939
Bug: 189776979
Change-Id: I30445c053fcb785669f75d9c83056926d850edce
The posix spec says strerror_r returns a positive error number, not
-1 and set errno.
Test: bionic-unit-tests-static
Change-Id: I6a12d50d046f9caac299bf3bff63e6c9496c1b6f
Refactor the code a bit to allow retrying if a log message is missing.
This is because there is a possibility of a log message getting dropped.
If that happens, merely rerun up to three times and pass if the missing
message is present.
Also fix a race condition that can occur if the LogReader threads are
being terminated but happen to be allocating memory while they are
in the signal handler. This situation causes aborts in the memory
allocator or a deadlock. Before this change, the verify_leak*
tests would fail in less than twenty iterations. After, I could run
for hundreds of iterations.
Bug: 193898572
Test: Ran unit tests in a loop.
Change-Id: I0fb5beab6041dcf3e3fd19f6748bb20bb81a2506
If the DispatchReset fails, the subsequent iteration has the wrong
idea of what the "original" table is, and if a subsequent DispatchReset
succeeds it unhooks them.
Repro in https://r.android.com/1767868.
Bug: 193012939
Bug: 189776979
Change-Id: Ie0644412291d3b53dcf89cdd056e542d32822975
These tests can be flaky if something is spamming the log and
expiring messages. Previously, the log wasn't read until the
forked process was complete. Now, two threads are spawned right
after the process forks to read the log while running. This
should avoid any problems if the log is being spammed while the
test runs.
In addition, fixed some potential flakiness in the test that might
occur if the test incorrectly gets stale log data.
Bug: 193898572
Test: All unit tests pass on cuttlefish (both 32 bit and 64 bit).
Test: Forced an abort and verified that the crash log reader sees
Test: the message.
Test: Verified that the log reader for the main and crash log properly
Test: read data.
Test: Verified the test passes while swamping the log by running
Test: the log unit tests while running two copies of the system
Test: tests.
Change-Id: I68bd92a8c483eac0146ada87dd4201dda0902c49
default_shared_libs has been removed, go back to the system_shared_libs
property that now has the same behavior.
Bug: 193559105
Test: m checkbuild
Change-Id: I9edac93f7e6d9d4b99883b7a7b14ab52942c0ef2
Add a utility function to get the current value of a property and
remove some keystore2-specific strings.
Bug: 182498247
Test: Build
Change-Id: Ie7e9903546a4d4cd6c54a118c42257a23510dda6
This is purely a port: it does not add or change any functionality
(other than renaming the library).
Bug: 182498247
Test: Use library.
Change-Id: I4cb8f1c22ca4ca5a398116952fb9957d283d235b
Revert submission 1403568-sysprop_trace
Reason for revert: makes property get/set non-reentrant
Reverted Changes:
I6f85f3f52:Add systrace tag for system property
Id2b93acb2:Adding system property tracing
Id78992d23:Add systrace tag for system property
I1ba9fc7bd:Add systrace tag for system property
Bug: 193050299
Test: build and boot a device
Change-Id: Ic7a83fb01a39113d408ed0c95d27f694d5a2649c
Merged-In: Ic7a83fb01a39113d408ed0c95d27f694d5a2649c
(cherry picked from commit 61a5a8380d)
This reverts commit 1e1c7845aa.
Reason for revert: makes property get/set non-reentrant
Bug: 193050299
Test: build and boot a device
Change-Id: If59e3dc25684a3c2b1d3ff74f995311afe6c6e89
Merged-In: If59e3dc25684a3c2b1d3ff74f995311afe6c6e89
(cherry picked from commit 3ec21f527a)
This is a follow-on to commit 5358cc40ab.
I forgot that there were two places the undefined behavior could occur.
Make the literal unsigned in the other place.
Test: TreeHugger
Bug: 189541929
Change-Id: Iaef81507ca61e802d277246bf5995157c93d86ce
Technically, shifting a signed value beyond its maximum range is
undefined behavior in C++. A bare integer literal is signed, and
defaults to 'int'. On platforms where 'int' is 32-bits, we
shift outside this range with 1 << 31.
We make our literal an unsigned integer to avoid this.
Test: TreeHugger
Bug: 189541929
Change-Id: Iade1bcd3f86d025dd6e10c26622d10c26e2c8295
When the main thread is exiting, the code deleted the g_debug global
pointer and destroys the disable pthread key. Unfortunately, if
malloc debug was enabled in a way that requires a header for the pointer,
any frees that occur after the main thread is torn down result in calls
to the underlying allocator with bad pointers.
To avoid this, don't delete the g_debug pointer and don't destroy the
disable pthread key.
Added a new system test that allocates a lot of pointers and frees them
after letting the main thread finish.
Also, fix one test that can fail sporadically due to a lack of unwinding
information on arm32.
Bug: 189541929
Test: Passes new system tests.
Change-Id: I1cfe868987a8f0dc880a5b65de6709f44a5f1988
Bionic currently renames the kernel's __kernel_sockaddr_storage
to sockaddr_storage. We would like to reuse the bionic kernel
headers for musl, but musl defines its own sockaddr_storage,
causing redefinition errors when the musl and kernel headers
are both included.
Give bionic its own definition of sockaddr_storage so the kernel
one can be left as __kernel_sockaddr_storage, avoiding the
conflict in musl.
Some of the structs in netinet/in.h contain sockaddr_storage members.
There are definitions in linux/in.h, but they now use the
__kernel_sockaddr_storage naming. To avoid having to copy the structs
from linux/in.h into netinet/in.h, add some #define hackery to
rename __kernel_sockaddr_storage to sockaddr_storage when including
linux/in.h from netinet/in.h.
Bug: 190084016
Test: m checkbuild
Test: bionic-unit-tests
Change-Id: I8f654511722b3a4a8e0bb146e4418ebcd370305c
Use target.bionic.system_shared_libs when it is used to limit the
default shared libraries (as opposed to remove them completely).
This avoids attempting to add a host dependency on libc when
system_shared_libs is modified to apply to all variants.
Bug: 193559105
Test: m checkbuild
Change-Id: I8d623321ce5145cf2968f83f78b5cb50711290f4
cc_objects get libc headers by default now unless they opt out through
system_shared_libs: [] or default_shared_libs: [], so they no longer
need explicit visibility.
Fixes: b/153662223
Test: m nothing
Change-Id: Ib61a597cbfee4616a632abdfbf4b4f108d35c2b6
On devices where the performance of ASYNC mode is similar to SYNC
mode on certain CPUs, OEMs may choose to configure the kernel to
prefer SYNC mode on those CPUs by writing the value "sync" to the
sysfs node: /sys/devices/system/cpu/cpu<N>/mte_tcf_preferred
The kernel will only respect the per-CPU preference if the user program
allows this by specifying the preferred mode as a member of a set of
allowed modes. Since only kernels with r.android.com/1754670 support
specifying multiple modes, fall back to trying to specify a single
mode if that doesn't work.
Bug: 189966263
Change-Id: Ie7ada3b073178b7967f0819cbdadc2d8e3a2c648
When replacing structs with bits/ includes, count the number of
opening and closing braces to find the end of the struct.
Test: tools/update_all.py
Change-Id: Ic9712a385da517710ceffccbdb223c89ae0b5f65
cc_object modules will now honor the default_shared_libs, override
it to empty to avoid circular dependencies.
Bug: 153662223
Test: m checkbuild
Change-Id: I02dd9510fcc0b6bf724d9cdd7c3e80c08430a7b9
This function doesn't return, but it does appear in stack traces. Avoid
using return PAC in this function because we may end up resetting IA,
which may confuse unwinders due to mismatching keys.
Bug: 189808795
Change-Id: I953da9078acd1d43eb7a47fb11f75caa0099fa12
Otherwise, since it's `noreturn`, clang will merge multiple call sites
in the same function, destroying information that helps you debug
_which_ call fired from a tombstone.
Bug: https://github.com/android/ndk/issues/1514
Test: treehugger
Change-Id: I7930318a813f6a2220266794f16c0e5e72d32869
I don't know when LLVM's x86 assembler started making the same
assumptions as GAS used to, but I'm happy to get rid of "calll".
Test: treehugger
Change-Id: I0a924993aebf7d701a846805fea9a015e8feb58a
This CL adds an instruction to the _start label that clears the frame
pointer. This allows stack walking code to determine when it has
reached the end of the stack.
The __bionic_clone function is similarly modified, for architectures
that weren't already doing both.
Test: bionic-unit-tests
Test: CtsBionicTestCases
Change-Id: Iea3949f52c44f7931f9fff2d60d4d9e5c742c120
Extend existing restrictions targeting only apps with API level >= 30 to
all apps.
Actual enforcement happens in SELinux. This change just prevents
logspam.
To be merged when automerge to sc-dev ends.
Bug: 170188668
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdk28TestCasesTest: atest
CtsSelinuxTargetSdk29TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Change-Id: If1761354216b23a1e55e6b9606de452899afff0c
Remove the vestigial llndk_library and replace it with properties
in the llndk clause of the implementation cc_library.
In order to reduce duplication of the arch-specific headers used
by the implementation and LLNDK, rename libc_headers_arch to
libc_llndk_headers and hoist the "include" directory out of it,
since that directory is preproccessed separately for LLNDK
libraries.
Bug: 170784825
Test: m checkbuild
Test: compare out/soong/build.ninja
Change-Id: I75f0ff9129d910640da55eee6a6387467e6e4a9d
Processes loaded from vendor partitions may have their own sandboxes
that would reject the prctl. Because no devices launched with PAC
enabled before S, we can avoid issues on upgrading devices by checking
for PAC support before issuing the prctl.
Bug: 186117046
Change-Id: I9905b963df01c9007d9fb4527273062ea87a5075
Ease later comparisons by making libc.llndk match libc_headers_arch.
Bug: 170784825
Test: m checkbuild
Change-Id: I90162c0bc5f6f0e79fe974208fde47cca7489fa1
Includes pointing to the python3 version of the clang bindings.
Also, remove stale .gitignore line.
Test: Ran bionic/libc/kernel/tools/update_all.py and verified
Test: the files generated the same exact way.
Change-Id: I4eb9dd7382bca013f70d921b6ef48c7e7478615a
The argument to this is the characters to strip, so `line.strip(line)`
just returns the empty string.
Test: None?
Bug: None
Change-Id: I4f62bffcd00936e4eef837a28b78023fcad54bb0
This fixes all of the problems with our kernel scripts, but not
the clang python script problems.
I also removed the updateGitFiles function since that code was
just silently failing any way. I replaced all calls with updateFiles.
Test: Ran script using python2 to verify it still works.
Test: Run script in python3 verifying that it starts to run.
Change-Id: I223a31a8324c59e6bc4067f48a6110361b3e26e8
Rather than "whatever people have installed as 'python' on their machine".
I've removed check-symbols.py because that's been broken for years and
we never even noticed, and I'm not sure it's worth fixing.
Test: treehugger, manual
Change-Id: Ieb996bbdf790a18d4b1fb46a409cc240ba2a2a49
Change 75830fb836 to fix _nres
initialization to be thread safe accidentally introduced a behavior
change whereby res_init() became a no-op. It also failed to remove all
direct accesses to _nres.
Move the file over to C++ so we can let RAII ensure we're always holding
a lock while using the global state, make all callers access the global
state via this class, and restore the previous behavior of res_init().
Test: atest DnsResolverTest
Bug: 166235340
Change-Id: Ib390a7eac063bc0ff5eeba755e8c74ef1383004e
Revert "Updates CTS tests for MAC address restrictions."
Revert submission 1528409-mac-softrestrict
Reason for revert: App compatibility
Reverted Changes:
I74a50b990:Return anonymized MAC for apps targeting SDK < 30
I8738f7912:Reland: Soft-enable MAC address restrictions with ...
Id13670747:Updates CTS tests for MAC address restrictions.
Change-Id: I64e17cb04acf2862bc657e60694067a456b4f936
Also delete some fdsan code that attempts to check for the post-fork
state, but never will, because we update the cached pid upon fork.
Bug: http://b/174542867
Test: /data/nativetest64/bionic-unit-tests/bionic-unit-tests
Test: treehugger
Change-Id: I9b748dac9de9b4c741897d93e64d31737e52bf8e
Currently, the initialization of _nres is not thread-saferes_mkquery is not thread-safe,
which might cause memory double free problem if caller ran under multithread.
To fix it, only initialize _nres once.
Also remove the redundant code.
Test: atest DnsResolverTest
Bug: 166235340
Change-Id: I9caa6eab37cb530fc60dae9bcca9650973a4536a
arm64 was already being careful, but x86/x86-64 and 32-bit ARM could be
caught by a signal in a state where the stack pointer was mangled.
For 32-bit ARM I've taken care with the link register too, to avoid
potential issues with unwinding.
Bug: http://b/152210274
Test: treehugger
Change-Id: I1ce285b017a633c732dbe04743368f4cae27af85
This log message exists to provide more context (the property name) to
SELinux denials for the same access check. The SELinux log severity
is 'W' since SELinux denials do not necessarily point to user-visible
errors, therefore this message should be 'W' as well.
Bug: 181269159
Test: build
Change-Id: Ie25091d96214a175b7ca39d5615f9a09b789d1e3
FORTIFY'ed functions try to be as close to possible as 'invisible';
having stack protectors detracts from that.
Don't apply this to functions which clang has no chance of inlining
anyway (like variadic functions)
Bug: 182948263
Test: TreeHugger
Change-Id: I08cfec25464b8ea1e070942e3dc76fc84da73dd0
Resetting PAC keys on fork appears to lead to a number of problems. One
problem is that we are constrained in where we can run C++ code after
forking, and with ART those places are implementation-defined. For
example, in app zygotes, ART turns out to insert "interpreter frames"
in the stack trace. Returning into these interpreter frames may lead
to crashes due to failing the ROP protection check on return.
It seems better to reset keys on thread creation instead. We only need
to reset IA because only this key needs to be reset for reverse-edge
PAC, and resetting the other keys may be incompatible with future ABIs.
Chrome (and potentially other applications) has a sandbox that prevents
the use of the prctl, so we restrict its use to applications targeting
S and above.
Bug: 183024045
Change-Id: I1e6502a7d7df319d424e2b0f653aad9a343ae71b
As far as I can tell, clang never implemented this GCC workaround for
32-bit x86's terrible PIC code. Since the whole point of
__stack_chk_fail_local() requires that it's in the same executable or
library as its callers, any prebuilt with a dependency on this (because
it was built by GCC) already has its own copy anyway. And clang isn't
creating any new ones, so I think this has been dead for several years
now.
Test: treehugger
Change-Id: I96997bbf912bbff506db44c285d9941fef9f86ce
Motivated by the fact that bazel doesn't like #include "../", but this
feels like it could use a deeper clean.
In fact, even after this change, I think we should remove this entirely,
since as far as I can tell Clang never implemented this GCC workaround
for 32-bit x86's awful PIC code.
Test: treehugger
Change-Id: I72715ee46f873f42d5707712aebe246ef78fcde1
This is the second or third time I've scratched my head wondering why
this destructor has no coverage. I was tempted to leave it in with a
comment saying it should never be called, but that seemed sillier than
just replacing it with an assertion.
Test: treehugger
Change-Id: I3442d9f8a391fae668e77c6888a4457ededee494
This makes Bazel conversion easier (because in Bazel package boundaries really matter).
Test: m libc still builds, and m also builds.
Change-Id: I5cfc9d83dffd3110ffad9ce03198e6141c8c5b33
