Refactor the code a bit to allow retrying if a log message is missing.
This is because there is a possibility of a log message getting dropped.
If that happens, merely rerun up to three times and pass if the missing
message is present.
Also fix a race condition that can occur if the LogReader threads are
being terminated but happen to be allocating memory while they are
in the signal handler. This situation causes aborts in the memory
allocator or a deadlock. Before this change, the verify_leak*
tests would fail in less than twenty iterations. After, I could run
for hundreds of iterations.
Bug: 193898572
Test: Ran unit tests in a loop.
Change-Id: I0fb5beab6041dcf3e3fd19f6748bb20bb81a2506
If the DispatchReset fails, the subsequent iteration has the wrong
idea of what the "original" table is, and if a subsequent DispatchReset
succeeds it unhooks them.
Repro in https://r.android.com/1767868.
Bug: 193012939
Bug: 189776979
Change-Id: Ie0644412291d3b53dcf89cdd056e542d32822975
These tests can be flaky if something is spamming the log and
expiring messages. Previously, the log wasn't read until the
forked process was complete. Now, two threads are spawned right
after the process forks to read the log while running. This
should avoid any problems if the log is being spammed while the
test runs.
In addition, fixed some potential flakiness in the test that might
occur if the test incorrectly gets stale log data.
Bug: 193898572
Test: All unit tests pass on cuttlefish (both 32 bit and 64 bit).
Test: Forced an abort and verified that the crash log reader sees
Test: the message.
Test: Verified that the log reader for the main and crash log properly
Test: read data.
Test: Verified the test passes while swamping the log by running
Test: the log unit tests while running two copies of the system
Test: tests.
Change-Id: I68bd92a8c483eac0146ada87dd4201dda0902c49
default_shared_libs has been removed, go back to the system_shared_libs
property that now has the same behavior.
Bug: 193559105
Test: m checkbuild
Change-Id: I9edac93f7e6d9d4b99883b7a7b14ab52942c0ef2
Add a utility function to get the current value of a property and
remove some keystore2-specific strings.
Bug: 182498247
Test: Build
Change-Id: Ie7e9903546a4d4cd6c54a118c42257a23510dda6
This is purely a port: it does not add or change any functionality
(other than renaming the library).
Bug: 182498247
Test: Use library.
Change-Id: I4cb8f1c22ca4ca5a398116952fb9957d283d235b
Revert submission 1403568-sysprop_trace
Reason for revert: makes property get/set non-reentrant
Reverted Changes:
I6f85f3f52:Add systrace tag for system property
Id2b93acb2:Adding system property tracing
Id78992d23:Add systrace tag for system property
I1ba9fc7bd:Add systrace tag for system property
Bug: 193050299
Test: build and boot a device
Change-Id: Ic7a83fb01a39113d408ed0c95d27f694d5a2649c
Merged-In: Ic7a83fb01a39113d408ed0c95d27f694d5a2649c
(cherry picked from commit 61a5a8380d)
This reverts commit 1e1c7845aa.
Reason for revert: makes property get/set non-reentrant
Bug: 193050299
Test: build and boot a device
Change-Id: If59e3dc25684a3c2b1d3ff74f995311afe6c6e89
Merged-In: If59e3dc25684a3c2b1d3ff74f995311afe6c6e89
(cherry picked from commit 3ec21f527a)
This is a follow-on to commit 5358cc40ab.
I forgot that there were two places the undefined behavior could occur.
Make the literal unsigned in the other place.
Test: TreeHugger
Bug: 189541929
Change-Id: Iaef81507ca61e802d277246bf5995157c93d86ce
Technically, shifting a signed value beyond its maximum range is
undefined behavior in C++. A bare integer literal is signed, and
defaults to 'int'. On platforms where 'int' is 32-bits, we
shift outside this range with 1 << 31.
We make our literal an unsigned integer to avoid this.
Test: TreeHugger
Bug: 189541929
Change-Id: Iade1bcd3f86d025dd6e10c26622d10c26e2c8295
When the main thread is exiting, the code deleted the g_debug global
pointer and destroys the disable pthread key. Unfortunately, if
malloc debug was enabled in a way that requires a header for the pointer,
any frees that occur after the main thread is torn down result in calls
to the underlying allocator with bad pointers.
To avoid this, don't delete the g_debug pointer and don't destroy the
disable pthread key.
Added a new system test that allocates a lot of pointers and frees them
after letting the main thread finish.
Also, fix one test that can fail sporadically due to a lack of unwinding
information on arm32.
Bug: 189541929
Test: Passes new system tests.
Change-Id: I1cfe868987a8f0dc880a5b65de6709f44a5f1988
Bionic currently renames the kernel's __kernel_sockaddr_storage
to sockaddr_storage. We would like to reuse the bionic kernel
headers for musl, but musl defines its own sockaddr_storage,
causing redefinition errors when the musl and kernel headers
are both included.
Give bionic its own definition of sockaddr_storage so the kernel
one can be left as __kernel_sockaddr_storage, avoiding the
conflict in musl.
Some of the structs in netinet/in.h contain sockaddr_storage members.
There are definitions in linux/in.h, but they now use the
__kernel_sockaddr_storage naming. To avoid having to copy the structs
from linux/in.h into netinet/in.h, add some #define hackery to
rename __kernel_sockaddr_storage to sockaddr_storage when including
linux/in.h from netinet/in.h.
Bug: 190084016
Test: m checkbuild
Test: bionic-unit-tests
Change-Id: I8f654511722b3a4a8e0bb146e4418ebcd370305c
Use target.bionic.system_shared_libs when it is used to limit the
default shared libraries (as opposed to remove them completely).
This avoids attempting to add a host dependency on libc when
system_shared_libs is modified to apply to all variants.
Bug: 193559105
Test: m checkbuild
Change-Id: I8d623321ce5145cf2968f83f78b5cb50711290f4
cc_objects get libc headers by default now unless they opt out through
system_shared_libs: [] or default_shared_libs: [], so they no longer
need explicit visibility.
Fixes: b/153662223
Test: m nothing
Change-Id: Ib61a597cbfee4616a632abdfbf4b4f108d35c2b6
On devices where the performance of ASYNC mode is similar to SYNC
mode on certain CPUs, OEMs may choose to configure the kernel to
prefer SYNC mode on those CPUs by writing the value "sync" to the
sysfs node: /sys/devices/system/cpu/cpu<N>/mte_tcf_preferred
The kernel will only respect the per-CPU preference if the user program
allows this by specifying the preferred mode as a member of a set of
allowed modes. Since only kernels with r.android.com/1754670 support
specifying multiple modes, fall back to trying to specify a single
mode if that doesn't work.
Bug: 189966263
Change-Id: Ie7ada3b073178b7967f0819cbdadc2d8e3a2c648
When replacing structs with bits/ includes, count the number of
opening and closing braces to find the end of the struct.
Test: tools/update_all.py
Change-Id: Ic9712a385da517710ceffccbdb223c89ae0b5f65
cc_object modules will now honor the default_shared_libs, override
it to empty to avoid circular dependencies.
Bug: 153662223
Test: m checkbuild
Change-Id: I02dd9510fcc0b6bf724d9cdd7c3e80c08430a7b9
This function doesn't return, but it does appear in stack traces. Avoid
using return PAC in this function because we may end up resetting IA,
which may confuse unwinders due to mismatching keys.
Bug: 189808795
Change-Id: I953da9078acd1d43eb7a47fb11f75caa0099fa12
Otherwise, since it's `noreturn`, clang will merge multiple call sites
in the same function, destroying information that helps you debug
_which_ call fired from a tombstone.
Bug: https://github.com/android/ndk/issues/1514
Test: treehugger
Change-Id: I7930318a813f6a2220266794f16c0e5e72d32869
I don't know when LLVM's x86 assembler started making the same
assumptions as GAS used to, but I'm happy to get rid of "calll".
Test: treehugger
Change-Id: I0a924993aebf7d701a846805fea9a015e8feb58a
This CL adds an instruction to the _start label that clears the frame
pointer. This allows stack walking code to determine when it has
reached the end of the stack.
The __bionic_clone function is similarly modified, for architectures
that weren't already doing both.
Test: bionic-unit-tests
Test: CtsBionicTestCases
Change-Id: Iea3949f52c44f7931f9fff2d60d4d9e5c742c120
Extend existing restrictions targeting only apps with API level >= 30 to
all apps.
Actual enforcement happens in SELinux. This change just prevents
logspam.
To be merged when automerge to sc-dev ends.
Bug: 170188668
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdk28TestCasesTest: atest
CtsSelinuxTargetSdk29TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Change-Id: If1761354216b23a1e55e6b9606de452899afff0c
Remove the vestigial llndk_library and replace it with properties
in the llndk clause of the implementation cc_library.
In order to reduce duplication of the arch-specific headers used
by the implementation and LLNDK, rename libc_headers_arch to
libc_llndk_headers and hoist the "include" directory out of it,
since that directory is preproccessed separately for LLNDK
libraries.
Bug: 170784825
Test: m checkbuild
Test: compare out/soong/build.ninja
Change-Id: I75f0ff9129d910640da55eee6a6387467e6e4a9d
Processes loaded from vendor partitions may have their own sandboxes
that would reject the prctl. Because no devices launched with PAC
enabled before S, we can avoid issues on upgrading devices by checking
for PAC support before issuing the prctl.
Bug: 186117046
Change-Id: I9905b963df01c9007d9fb4527273062ea87a5075
Ease later comparisons by making libc.llndk match libc_headers_arch.
Bug: 170784825
Test: m checkbuild
Change-Id: I90162c0bc5f6f0e79fe974208fde47cca7489fa1
Includes pointing to the python3 version of the clang bindings.
Also, remove stale .gitignore line.
Test: Ran bionic/libc/kernel/tools/update_all.py and verified
Test: the files generated the same exact way.
Change-Id: I4eb9dd7382bca013f70d921b6ef48c7e7478615a
The argument to this is the characters to strip, so `line.strip(line)`
just returns the empty string.
Test: None?
Bug: None
Change-Id: I4f62bffcd00936e4eef837a28b78023fcad54bb0
This fixes all of the problems with our kernel scripts, but not
the clang python script problems.
I also removed the updateGitFiles function since that code was
just silently failing any way. I replaced all calls with updateFiles.
Test: Ran script using python2 to verify it still works.
Test: Run script in python3 verifying that it starts to run.
Change-Id: I223a31a8324c59e6bc4067f48a6110361b3e26e8
Rather than "whatever people have installed as 'python' on their machine".
I've removed check-symbols.py because that's been broken for years and
we never even noticed, and I'm not sure it's worth fixing.
Test: treehugger, manual
Change-Id: Ieb996bbdf790a18d4b1fb46a409cc240ba2a2a49
Change 75830fb836 to fix _nres
initialization to be thread safe accidentally introduced a behavior
change whereby res_init() became a no-op. It also failed to remove all
direct accesses to _nres.
Move the file over to C++ so we can let RAII ensure we're always holding
a lock while using the global state, make all callers access the global
state via this class, and restore the previous behavior of res_init().
Test: atest DnsResolverTest
Bug: 166235340
Change-Id: Ib390a7eac063bc0ff5eeba755e8c74ef1383004e
Revert "Updates CTS tests for MAC address restrictions."
Revert submission 1528409-mac-softrestrict
Reason for revert: App compatibility
Reverted Changes:
I74a50b990:Return anonymized MAC for apps targeting SDK < 30
I8738f7912:Reland: Soft-enable MAC address restrictions with ...
Id13670747:Updates CTS tests for MAC address restrictions.
Change-Id: I64e17cb04acf2862bc657e60694067a456b4f936
Also delete some fdsan code that attempts to check for the post-fork
state, but never will, because we update the cached pid upon fork.
Bug: http://b/174542867
Test: /data/nativetest64/bionic-unit-tests/bionic-unit-tests
Test: treehugger
Change-Id: I9b748dac9de9b4c741897d93e64d31737e52bf8e
Currently, the initialization of _nres is not thread-saferes_mkquery is not thread-safe,
which might cause memory double free problem if caller ran under multithread.
To fix it, only initialize _nres once.
Also remove the redundant code.
Test: atest DnsResolverTest
Bug: 166235340
Change-Id: I9caa6eab37cb530fc60dae9bcca9650973a4536a
arm64 was already being careful, but x86/x86-64 and 32-bit ARM could be
caught by a signal in a state where the stack pointer was mangled.
For 32-bit ARM I've taken care with the link register too, to avoid
potential issues with unwinding.
Bug: http://b/152210274
Test: treehugger
Change-Id: I1ce285b017a633c732dbe04743368f4cae27af85
This log message exists to provide more context (the property name) to
SELinux denials for the same access check. The SELinux log severity
is 'W' since SELinux denials do not necessarily point to user-visible
errors, therefore this message should be 'W' as well.
Bug: 181269159
Test: build
Change-Id: Ie25091d96214a175b7ca39d5615f9a09b789d1e3
FORTIFY'ed functions try to be as close to possible as 'invisible';
having stack protectors detracts from that.
Don't apply this to functions which clang has no chance of inlining
anyway (like variadic functions)
Bug: 182948263
Test: TreeHugger
Change-Id: I08cfec25464b8ea1e070942e3dc76fc84da73dd0
Resetting PAC keys on fork appears to lead to a number of problems. One
problem is that we are constrained in where we can run C++ code after
forking, and with ART those places are implementation-defined. For
example, in app zygotes, ART turns out to insert "interpreter frames"
in the stack trace. Returning into these interpreter frames may lead
to crashes due to failing the ROP protection check on return.
It seems better to reset keys on thread creation instead. We only need
to reset IA because only this key needs to be reset for reverse-edge
PAC, and resetting the other keys may be incompatible with future ABIs.
Chrome (and potentially other applications) has a sandbox that prevents
the use of the prctl, so we restrict its use to applications targeting
S and above.
Bug: 183024045
Change-Id: I1e6502a7d7df319d424e2b0f653aad9a343ae71b
As far as I can tell, clang never implemented this GCC workaround for
32-bit x86's terrible PIC code. Since the whole point of
__stack_chk_fail_local() requires that it's in the same executable or
library as its callers, any prebuilt with a dependency on this (because
it was built by GCC) already has its own copy anyway. And clang isn't
creating any new ones, so I think this has been dead for several years
now.
Test: treehugger
Change-Id: I96997bbf912bbff506db44c285d9941fef9f86ce
Motivated by the fact that bazel doesn't like #include "../", but this
feels like it could use a deeper clean.
In fact, even after this change, I think we should remove this entirely,
since as far as I can tell Clang never implemented this GCC workaround
for 32-bit x86's awful PIC code.
Test: treehugger
Change-Id: I72715ee46f873f42d5707712aebe246ef78fcde1
This is the second or third time I've scratched my head wondering why
this destructor has no coverage. I was tempted to leave it in with a
comment saying it should never be called, but that seemed sillier than
just replacing it with an assertion.
Test: treehugger
Change-Id: I3442d9f8a391fae668e77c6888a4457ededee494
This makes Bazel conversion easier (because in Bazel package boundaries really matter).
Test: m libc still builds, and m also builds.
Change-Id: I5cfc9d83dffd3110ffad9ce03198e6141c8c5b33
Enable userfaultfd syscall to be used by ART-GC.
Bug: 160737021
Test: manually tested by invoking userfaultfd syscall in ART
Change-Id: I9f98402a96bb8363a1e5fa49dbadbb37dc70d561
Currently there is a pattern of `crtbegin_${type}1` and `crtbegin_${type}` modules, where the former
has sources and the latter depends on the former. The two modules for a type share many properties,
rather than duplicating these, we merge modules, such that each type only has a `crtbegin_${type}`
module.
Test: Treehugger
Change-Id: I7803ea0e97d660f620c334b6bfdfac22cb6e36d7
This works around buggy applications that read a few bytes past the
end of their allocation, which would otherwise cause a segfault with
the concurrent Scudo change that aligns large allocations to the right.
Because the implementation of
android_set_application_target_sdk_version() lives in the linker,
we need to introduce a hook so that libc is notified when the target
SDK version changes.
Bug: 181344545
Change-Id: Id4be6645b94fad3f64ae48afd16c0154f1de448f
Binaries defined in Makefiles that use the SDK need a variant to link
to. Generate a SDK variant of the ELF note as well. This is necessary to
allow makefile-generated binaries and CTS tests to use heap MTE.
Bug: 156029370
Bug: 181133973
Test: atest CtsBionicTestCases on QEMU+MTE, observe previously-failing
tests will now succeed.
Change-Id: I0a8243b0920769a196e7596904259e30c4a93105
Spotted while looking at our shiny new coverage numbers. Though how the
change that removed the code from this file without removing the file
made it through code review... Clearly I wasn't paying attention that
day!
Test: treehugger
Change-Id: Id61bb48bae60660d2e5ba9b26f00a68e51157c6d
Mixed builds can now use the label from an automatically converted
target.
Test: build/bazel/scripts/milestone-2/demo.sh full
Test: build/bazel/scripts/milestone-2/demo.sh generate
build/bazel/scripts/milestone-2/demo.sh sync
mixed build of libc
build/bazel/scripts/milestone-2/demo.sh cleanup
Change-Id: I1499b75f1348bf342b4cd134606786150b2f8b26
This is the last of remaining cc_objects in the libc package.
Test: go tests.
Test: build/bazel/scripts/milestone-2/demo.sh
Change-Id: Ib9c01be0faae10707305b81e72d3fac22bf96356
__libc_init_scudo() calls directly into the allocator, bypassing the
normal guest to host transition in the native bridge. Therefore we
need to let the native bridge override it with a no-op.
Bug: 159352723
Change-Id: I642c7a058e483cc09335290f66b9c053150fca06
This CL also discovered that a couple of cc_objects include headers from the bionic subdir, without declaring them in the local_include_dirs.
Test: build/bazel/scripts/milestone-2/demo.sh full && build/bazel/scripts/milestone-2/demo.sh cleanup
Change-Id: I943980b1d1c6dab39d3c27da8037e587f97f76e3
This leaf module is selected as the first cc_object module to be converted by
the bp2build converter.
Test: GENERATE_BAZEL_FILES=true m nothing && bp2build-sync write && bazel build //bionic/libc:crt_beginso1
Change-Id: Idf752e7b5251161a4fbd58ba52b52dd85c8fc92b
This matches what we do for arm and arm64. 32-bit x86 is too big a mess
to warrant the effort still, but the more testing is done on cuttlefish,
the more value there is to making every stack frame count.
Before:
#00 pc 00000000000596d8 .../libc.so (syscall+24)
#01 pc 000000000005d072 .../libc.so (abort+194)
#02 pc 000000000005f1f0 .../libc.so (__fortify_fatal(char const*, ...)+160)
After:
#00 pc 000000000005d07d .../libc.so (abort+205)
#01 pc 000000000005f1e0 .../libc.so (__fortify_fatal(char const*, ...)+160)
Test: crasher64 fortify
Change-Id: Ib74cb8b36341093c268872e26020f35eb2d8ef66
This is undefined behavior, but glibc and macOS are both lenient, and
someone hit this in the wild, so we may as well be lenient too. (The
only cost is that it's now slightly easier to write code that works on
everything except old versions of Android.)
Bug: https://issuetracker.google.com/180598400
Test: treehugger
Change-Id: Ia217169ea6283cc53f4fbf71e5abfa08356c2049
Bug: http://b/157081822
If __libc_int0x80 is in a C/C++ file, Clang's coverage instrumentation
adds instructions to count the number of times it gets executed [1].
With coverage instrumentation, __libc_sysinfo, used on 32-bit x86, is
initialized to the wrong value, causing dl.preinit_system_calls to fail.
Moving the function to an assembly file leaves __libc_sysinfo properly
initialized.
[1] We could change clang so it doesn't instrument functions marked
__attribute__((naked)) as a followup.
Test: `m CLANG_COVERAGE=true NATIVE_COVERAGE_PATHS=bionic` and run
bionic-unit-tests
Change-Id: I73558253512392d345de8d5b66d38bb14b308fdf
Kernel headers coming from:
Git: https://android.googlesource.com/kernel/common/
Branch: android-mainline
Tag: android-mainline-5.11
Test: Built cuttlefish and flame images. Ran bionic unit tests on both.
Change-Id: Ie60337aafad4bda55af99b6c8fe9f56bf2fa787f
Auto-generate NOTICE files for all the directories, and for each one
individually rather than mixing libc and libm together.
Test: N/A
Change-Id: I7e251194a8805c4ca78fcc5675c3321bcd5abf0a
With this change we can report memory errors involving secondary
allocations. Update the existing crasher tests to also test
UAF/overflow/underflow on allocations with sizes sufficient to trigger
the secondary allocator.
Bug: 135772972
Change-Id: Ic8925c1f18621a8f272e26d5630e5d11d6d34d38
On LP32, just abort if we're asked to handle an fd that's too big for
the `short` field in `struct FILE`. This is unreachable anyway because
the ulimit is 32Ki, and this will make issues far more noticeable if we
ever do increase that limit (which seems unlikely for LP32 devices).
Also rename __finit() to __FILE_init() to match __FILE_close().
Test: treehugger
Change-Id: I5db4d6c4529a1f558aff135b4dea071d73666be5
This has been in the standard since C99, but we've never supported it
before. It's apparently used by SPIRV-Tools.
I tried implementing this the other way (with fcntl(2)) first, but
eventually realized that that's more complicated and gives worse
results. This implementation assumes that /proc is mounted, but so much
of libc relies on that at this point that I don't think there's any
realistic case where the fcntl(2) implementation would be preferable,
and there are many where it's not.
The fact that no-one's mentioned this until now suggests that it's not a
heavily used feature anyway.
I've also replaced AssertCloseOnExec() with a CloseOnExec()
boolean-valued function instead, because it's really annoying getting
assertion failures that don't point you at the test line in question,
and instead point to some common helper code.
Test: treehugger
Change-Id: Ia2e53bf2664a4f782581042054ecd492830e2aed
Python module names should be lower case and not use hyphens (the
former is a convention, the latter is a requirement for importable
modules).
Also updates the shell script to always use Python 3 so we don't need
to maintain Python 2 compatibility.
Test: repo upload, in both a python 2 and python 3 virtualenv
Bug: None
Change-Id: I486e54a12686b4e528dc6c9c47af5c7a52a7b790
The genseccomp tests haven't been run since at least 2018. Deleted the
ones that are testing APIs that no longer exist or have been
refactored to take very different inputs.
Test: treehugger
Test: pytest tools
Bug: None
Change-Id: Iaf6b6b6a2e922b181a457a74eb4b5abe90425dfb
This is a manual refactoring to ensure that the modules respect package boundaries for input files.
Test: m gensseccomp genfunctosyscallnrs
Change-Id: I8ca6cbe85a50e41bfe874a899653c2309c59a822
libc++ still depends on these being declared even if they are
unavailable. This results in a worse error message (a link error
rather than a compiler diagnostic) if these functions end up being
used, but without the decl headers like libc++'s math.h can't be
included because it refers to an undeclared function.
For the cases where weak symbols aren't being used, don't annotate
these functions with their availability information.
Also need to avoid using __builtin_available for this case because the
NDK doesn't have __isOSVersionAtLeast yet.
__ANDROID_UNGUARDED_AVAILABILITY__ is being used as a proxy for
"building for the NDK" here because we don't have a good signal for
that which works for both the NDK proper and the NDK-in-the-platform
case.
Test: imported into the NDK, built and tested NDK
Bug: None
Change-Id: I9ef3e19a8fa083bca0be47b80dfef7ba52a94866
For backwards compatibility (e.g. with old apps), arm32 libc.so and
libm.so export some of the builtins. On 32-bit x86, libc.so also
exports some of the builtins.
The non-exported variant of the builtins will eventually have hidden
symbols but doesn't currently because D93431 hasn't been merged into
our toolchain yet. See:
- https://reviews.llvm.org/D93431
- I44ec79728db92c089e2f39823c35b6f97d24c1ab in toolchain/llvm_android
Bug: http://b/153025717
Test: bionic unit tests
Change-Id: Ic489cb06a07ef61412502fc65a21b0cf630c11ed
Introduces new heap-zero-init API. We've realised that it's better to be
able to individually control MTE and heap zero-init. Having
heap-zero-init not be controllable without affecting MTE affects our
ability to turn off heap-zero-init in zygote-forked applications.
Bug: 135772972
Test: On FVP: atest -s localhost:5555 malloc#zero_init \
Test: malloc#disable_mte heap_tagging_level
Change-Id: I8c6722502733259934c699f4f1269eaf1641a09f
The toolchain is new enough that should be able to use the actual
instructions now...
Test: treehugger
Change-Id: I30aafcdc5386268344c40dc6cc9a22caf591915a
"#" there is incorrect: macro parameter is expected following a hashmark.
Test: build libc with -mbranch-protection=standard
Change-Id: Ib8e7ddf260b4cdbd36246cc70f69970f33dee200
* changes:
crtbegin_static is built with min_sdk_version: "current"
Guard __libc_current_sigrtmin/max with __builtin_available
__INTRODUCED_IN macros add the availability attribute
scudo_malloc_* for fill contents in __libc_init_scudo calls scudo's
initializers. We haven't told Scudo whether we want MTE-capable (i.e.
mapped with PROT_MTE) size class regions yet, which happens in
SetDefaultHeapTaggingLevel. This can lead to inconsistent mappings,
where processes without ELF notes get the base region with PROT_MTE
(which is undesirable because the performance implications are not
known).
Make sure that scudo is informed of whether regions need to be mapped
PROT_MTE or not by hoising the tagging level up.
Bug: 135772972
Bug: 172365548
Test: On FVP - 'adb shell MEMTAG_OPTIONS=off sanitizer-status' should
have no PROT_MTE mappings (validation by looking for no 'mt' under
'VmFlags:' in /proc/smaps').
Change-Id: Idad64479c4a9459cb40dd211fe942437f8ca16fd
Native bridge modules will never compile against stubs, remove
native_bridge_supported: true.
Test: m checkbuild
Change-Id: I0eb93fe1a2c3f6ca34ce4dab17edda8807132ce8
These are available from mallopt() now, and all callers have been
switched over.
Bug: http://b/135772972
Test: treehugger
Change-Id: I90c7a7573b261c27001a2dfd4589b23861ad613b
crtbegin_static is used by static exectuables which are guaranteed to be
with the latest library regardless of their target API level.
This change is in fact not a regression as crtbegin_static has been
built with __ANDROID_API__=10000 before
I645e6bb1234c27ae0a69b7b87a59206cfd350744 when __ANDROID_API__ tracked
sdk_version, not min_sdk_version. sdk_version was not set for crtbegin_*
objects and therefore the default "current" was (incorrectly) used.
With this change, we are recovering the original behavior for the static
variant, while the building of the dynamic variant becomes more correct
- it's now with __ANDROID_API__=16.
Without this change, several static executables fail to build as 1)
crtbegin_static for them is built with __ANDROID_API__=16 and 2)
libc_init_common.cpp uses pthread_atfork which is available only after
API level 23. We hit undefined symbol error when linking.
Bug: 134795810
Test: m
Change-Id: I1430e57302951df33530ea0ae91b0d7a0609bf3d
The two APIs were added for the API level 21 and beyond. Currently, its
existence is tested using the null check which is done regardless of the
min sdk version of the compilation unit. (which in turn required us to
mark the API symbol weak regardless of the min sdk version.)
Now, we have a better way of testing the API availability;
__builtin_available. The null check is replaced with the call to the
compiler-provided macro which determines if the code is running in a
version of OS where the API is known to exist.
Bug: 150860940
Bug: 134795810
Test: m
Change-Id: Ib96c78f8d3cc71d7e755d1eab86051517bbbcc44
__INTRODUCED_IN (and its variants) macro is used to mark the
availability of an API symbol. The macros were used by the versioner
tool for the NDK clients. When the Bionic headers are processed by the
tool, APIs with the macros are guarded with __ANDROID_API__. e.g.,
void foo() __INTRDUCED_IN(30);
is processed into
\#if __ANDROID_API__ >= 30
void foo();
\#endif
by the versioner.
The macros however didn't play a role for other cases, e.g. OS
components.
This is too strict for NDK clients and too loose for the non-NDK
clients. For the former, this completely hides the APIs that are newer
than the min sdk version (__ANDROID_API__). For the latter, a call to
such an API can be made without being guarded.
This change is the first step towards a better way of handling the
native APIs availability. The plan is that every NDK APIs are annotated
with the availability attribute and callers are required to guard their
API calls with a runtime check if the API is newer than the min sdk
version of the caller.
In this change, the macros now emits the availability attribute for the
non-NDK clients (i.e. when not processed by versioner).
Bug: 163288375
Bug: 134795810
Test: m
Change-Id: I6eb2bce2bc2770cbfd69815e6816b6f25b3d6127
For libc.so, use a special build of libunwind.a whose symbols aren't
hidden ("libunwind-exported"), because libc.so exports the _Unwind_*
APIs.
Bug: http://b/153025717
Test: bionic unit tests
Change-Id: I7435e076ec8cc4410e3e6086d3cf5d2c6011c80c
These were only available internally via android_mallopt(), but they're
likely to be needed by more code in future, so move them into mallopt().
This change leaves the android_mallopt() options for now, but I plan on
coming back to remove them after I've switched the handful of callers
over to mallopt() instead.
Bug: http://b/135772972
Test: treehugger
Change-Id: Ia154614069a7623c6aca85975a91e6a156f04759
These two options allow for ARM MTE to be enabled dynamically (instead
of at compile time via the ELF note). They are settable from a non-root
shell to allow device owners to test system binaries with MTE.
The following values may be set:
1. 'off' -> No MTE, uses TBI on compatible devices.
2. 'sync' -> SYNC MTE.
3. 'async' -> ASYNC MTE.
The following methods can be used to launch a process (sanitizer-status)
with configurable values:
1. adb shell MEMTAG_OPTIONS=async sanitizer-status
2. adb shell setprop arm64.memtag.process.sanitizer-status async && \
adb shell sanitizer-status
Note: The system server will require some special handing in the zygote
pre-fork to check the sysprops. The zygote should always have the ELF
note. TODO in a subsequent patch.
Bug: 135772972
Bug: 172365548
Test: Launching sanitizer-status above using both the settings.
Change-Id: Ic1dbf3985a3f23521ec86725ec482c8f6739c182
Android S devices must support eBPF.
Test: builds, atest, TreeHugger
Bug: 167500195
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I84a8d00f786fca8113dd3d555af279a1029f66f2
Now that the feature guarded by this flag has landed in Linux 5.10
we no longer need the flag, so we can remove it.
Bug: 135772972
Change-Id: I02fa50848cbd0486c23c8a229bb8f1ab5dd5a56f
I realize that we can probably clean up more of our half-forked code by
reusing the same *-compat.h headers we use for the clean upstream code,
but I'll come back and do that later.
Bug: http://b/177003648
Test: treehugger
Change-Id: I081255aaafd62718b85956c5502911a1cc80225d
Technically, std::atomic does not have an operator(). Previously, this
code was relying on an implicit behavior of our C++ standard library in
order to compile. When compiling this code against a different C++
standard library, I encountered a compiler error on these lines.
This CL makes the std::atomic load() operation explicit, makes it
clearer what this code is actually doing and makes it conform better to
the C++ standard library spec rather than a particular implmentation.
Change-Id: I7f255dffc0a3d8e07c973c18e9ba4098c4b5843e
Technically, C requires that all source files end with a newline. In
practice, most compilers will accept source files without a newline, but
it does trigger the -Wnewline-eof warning.
Change-Id: I64a92b82f4d5724cd8b45821cfd59eb3de39514b
Use a note in executables to specify
(none|sync|async) heap tagging level. To be extended with (heap x stack x
globals) in the future. A missing note disables all tagging.
Bug: b/135772972
Test: bionic-unit-tests (in a future change)
Change-Id: Iab145a922c7abe24cdce17323f9e0c1063cc1321
Test: source build/envsetup.sh && lunch 16 && source
build/soong/bazel/bazelenv.sh && m, then verify ninja
file was based on intermediates from bazel-out
Change-Id: I89f320dd58083710012ea1f8e3902e723602ea37
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.
This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.
Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.
If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.
Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Test: Call bind() on a AF_UNIX socket with its protocol set to
NETLINK_ROUTE, confirm it can succeed.
Test: Verify that previously broken apps are no longer broken.
Change-Id: I8738f7912fdc816e0d30205557728ff9e84bf7e6
Kernel headers coming from:
Git: https://android.googlesource.com/kernel/common/
Branch: android-mainline
Tag: android-mainline-5.10
Test: Built cuttlefish and flame images. Ran bionic unit tests on both.
Change-Id: I37ffc850970adcce1febbe2269c202632fce763a
Revert "Updates CTS tests for MAC address restrictions."
Revert submission 1518603-soft-restrict-mac
Reason for revert: Missing type check
Reverted Changes:
I0488932de:Soft-enable MAC address restrictions with allowlis...
Idb9d940e4:Updates CTS tests for MAC address restrictions.
I9461f287e:Return anonymized MAC for apps targeting SDK < 30
Change-Id: I7e8e593518088ff5c8f6083b34e6966852475b9b
This was a little confusing because a quick glance suggested that
'err' was getting the value of getsockopt(), when actually it was
getting the result of the '<' operation. Since 'err' wasn't
being used, we clarify by just removing it altogether.
Test: TreeHugger
Change-Id: I1ff80812b460973e9d512a558623e0c44c2ecf09
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.
This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.
Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.
If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.
Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Change-Id: I0488932deea2a7211e55a24bc33bfa3cfb16fba2
They're both obsolescent in POSIX.1-2008, and you really shouldn't be
using them, but since we can't actually delete them...
This change makes them both obey $TMPDIR if set, and fall back to
/data/local/tmp otherwise. That's as good as we've managed for anything
else such as tmpfile(3).
Also add some tests.
Bug: http://b/174682340
Test: treehugger
Change-Id: Ieef99dcc2062f84b2b7cbae046787fdfe975e772
We can sometimes fail to link a static executable because of
duplicate definitions of std::nothrow in bionic/libc/bionic/new.cpp
and external/libcxx/src/new.cpp. Fix it by making our definition
weak since it doesn't matter which one ends up being chosen.
Change-Id: Iec02ae89f4a3d2ffe298817240f404e54b109a52
Add a make distclean for each supported arch before generating headers
and at the end so these files are not left hanging around in the
kernel directory.
Bug: 174795055
Test: Verified all generated files are deleted after running.
Test: Verified this generates the exact same files as before this change.
Change-Id: I0f66f580af2ea50c190eb532032017e782d7cae6
aosp/1484976 introduced a breaking change where
DisableMemoryMitigations() now indiscriminately turns tagged pointers
off. When android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) is called, the
correct behaviour is:
- In SYNC/ASYNC MTE mode -> disable all tagged pointers.
- If all tagged pointers are already disabled -> nop.
- If we're in TBI mode -> nop (keep the TBI mode as-is).
In order to do that we have to allow probing of the current heap tagging
mode. In order to prevent TOCTOU between GetHeapTaggingLevel() and
SetHeapTaggingLevel(), we expose a global mutex that should be held when
calling these functions.
Bug: 174263432
Test: atest CtsTaggingHostTestCases on Flame
Change-Id: Ia96f7269d542c9041270458806aee36766d2fbbb
Unnecessary include, and the file was deleted with upstream changes.
Bug: N/A
Test: cd external/gwp_asan && atest
Change-Id: Id8facff0c5e382aa639ce158b7b5862ce157aa25
- Make it apply to every thread, and thus remove the restriction
that it must be called while the program is single threaded.
- Make it change TCF0 itself (on all threads), instead of requiring
callers to do it themselves, which can be error prone.
And update all of the call sites.
Change the implementation of
android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) to call
android_mallopt(M_SET_HEAP_TAGGING_LEVEL) internally. This avoids
crashes during startup that were observed when the two mallopts
updated TCF0 unaware of each other.
I wouldn't expect there to be any out-of-tree callers at this point,
but it's worth noting that the new interface is backwards compatible
with the old one because it strictly expands the set of situations in
which the API can be used (i.e. situations where there are multiple
threads running or where TCF0 hadn't been updated beforehand).
Bug: 135772972
Change-Id: I7746707898ff31ef2e0af01c4f55ba90b72bef51
259776d8ff
The original change was reverted due to InterfaceParamsTest failing.
This test has now been fixed in r.android.com/1498525.
The original change message is below.
Updates getifaddrs() to behave as if RTM_GETLINK requests are not
allowed for non-system apps. This is different from previous behavior,
where apps targeting an API level < 30 were exempted from this
restriction.
Actual enforcement happens in SELinux. This change:
- Soft-enables the behavior until SELinux changes are in place
- Prevents logspam from SELinux denials after they are in place
Bug: 170188668
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.
Change-Id: Ia9f61819f8fdf878c0e67e57de7e893fb3b1c233
Revert "Enforce RTM_GETLINK restrictions on all 3p apps"
Revert "Updates tests for untrusted app MAC address restrictions"
Revert submission 1450615-mac-address-restrictions
Reason for revert: DroidMonitor: Potential culprit for Bug 173243616 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted
Reverted Changes:
I08c709b2b:Enforce RTM_GETLINK restrictions on all 3p apps
I95d124ae8:Soft-enables new MAC address restrictions.
I5392f8339:Updates tests for untrusted app MAC address restri...
I9d214c5d0:Return anonymized MAC for apps targeting SDK < 30
Change-Id: If09920b24370077d647d60cfda7fc0a110b77851
"vendor_available" modules were available to product modules.
However, not all "vendor_available" modules are required to be
available to product modules. Some modules want to be available only
to product modules but not vendor modules.
To cover the requirement, we separate "product_available" from
"vendor_available".
"vendor_available" will not provide product available module.
Bug: 150902910
Test: build
Change-Id: I13b8222e191333c6c2cb7794ef3344fdcc6ebe98
A constructor or destructor function with an integral priority is
placed in an .init_array or .fini_array section with the priority
suffixed to the section name:
- __attribute__((constructor)) ==> .init_array
- __attribute__((constructor(42))) ==> .init_array.42
The suffixed init/fini sections appear before the unsuffixed sections,
so the prioritized functions appeared before the __{INIT,FINI}_ARRAY__
symbols and were dropped when the symbols were used.
The (static) linker doesn't recognize priority suffixes on
.preinit_array.
This bug affected .init_array and .fini_array for static executables.
For dynamic executables, only .fini_array was affected, because
.init_array is handled by the dynamic loader instead, which uses
DT_INIT_ARRAY[SZ]. For DSOs, neither is affected, because the two
sections are only handled by the dynamic loader.
This patch also fixes a minor inconsistency where dynamic init/preinit
were passed argc/argv/envp, but static were not.
Bug: http://b/170983066
Test: bionic-unit-tests
Change-Id: I0fffa776e5d9bdb6f8af06b4c1af148236742fef
The functions now read /etc/group and /etc/passwd on host machines.
Android-specific IDs are not recognized in the host.
getpwent and getgrent are still not working though. They require a
bigger refactoring to sequentially advance in the database files.
Bug: 171718702
Test: run assemble_cvd in aosp_cf_arm64_phone
Change-Id: Ie8da382a467bbd0bffac7b4b8592cd871db80181
/system/bin/sh exists only on Android. When Bionic is built for the
host, use the standard /bin/sh.
Bug: 159685774
Test: run aosp_cf_arm64_phone on rockpi4
Change-Id: Idf4028c134abc128f203fc4d3be591f06b8fe8ff
When an array element is added or removed, make only the relevant page
writable, rather than the entire array. The entire array is still made
writable during recompaction and expansion.
This change fixes most of a large regression in __cxa_atexit runtime
(blueline, taskset 10, performance governor, 100000 registrations,
times are in seconds)
- Q: _Exit=0.292380, exit=0.626801
- R: _Exit=28.435082, exit=95.785110
- new: _Exit=0.352285, exit=0.713893
Test: bionic unit tests
Test: adb shell taskset 10 \
/data/benchmarktest64/bionic-spawn-benchmarks/bionic-spawn-benchmarks \
--benchmark_filter='atexit' \
--benchmark_display_aggregates_only=true \
--benchmark_repetitions=10
Bug: http://b/168043760
Change-Id: I88cc15c29c9890b422b7f621f29f98a03ca1f886
Instead of assuming a module with the .llndk suffix exists, add an
llndk_stubs property to every cc_library module that has a
corresponding llndk_library. Also rename the llndk_library to have
an explicit .llndk suffix.
Bug: 170784825
Test: no changes to build.ninja (excluding comments) or Android-${TARGET_PRODUCT}.mk
Change-Id: Ib5453472a09ebc64818ceb69bcbe1184720ce86a
pthread_cond_pulse would unconditionally call futex, which meant that
a number of processes were spending a significant amount of time in
pthread_cond_broadcast and pthread_cond_signal when there were no
threads waiting on that pthread_cond_t.
This change adds a counter to the 64-bit pthread_cond_t struct and
only calls futex() in cases where there is a nonzero waiter count. The
32-bit pthread_cond_t is unchanged due to compatibility reasons.
Test: no pthread_cond_broadcast/signal stacks without try_to_wake_up
in SurfaceFlinger
bug: 168831708
Change-Id: I105e1345cd2a3a75f98cd0acf316e790ba1716f0
In order to disable memory initialization for a process, the following
command can be used:
android_mallopt(M_DISABLE_MEMORY_MITIGATIONS, nullptr, 0);
Since this is needed in vendor processes, this is exposing this
functionality to llndk. For convenience (and adding standard logging),
a helper function is being added into libcutils in order to use this,
w/o having to get into so many details.
Bug: 166675194
Test: use function from libcutils
Change-Id: Ia816089a9f3469c50c70afaa7244abeac5a51dcd
Introduce an android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) API call
that may be used to disable zero- or pattern-init on non-MTE hardware,
or memory tagging on MTE hardware. The intent is that this function
may be called at any time, including when there are multiple threads
running.
Disabling zero- or pattern-init is quite trivial, we just need to set
a global variable to 0 via a Scudo API call (although there will be
some separate work required on the Scudo side to make this operation
thread-safe).
It is a bit more tricky to disable MTE across a process, because
the kernel does not provide an API for disabling tag checking in all
threads in a process, only per-thread. We need to send a signal to each
of the process's threads with a handler that issues the required prctl
call, and lock thread creation for the duration of the API call to
avoid races between thread enumeration and calls to pthread_create().
Bug: 135772972
Change-Id: I81ece86ace916eb6b435ab516cd431ec4b48a3bf
Updates getifaddrs() to behave as if RTM_GETLINK requests are not
allowed for non-system apps. This is different from previous behavior,
where apps targeting an API level < 30 were exempted from this
restriction.
Actual enforcement happens in SELinux. This change:
- Soft-enables the behavior until SELinux changes are in place
- Prevents logspam from SELinux denials after they are in place
Bug: 170188668
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.
Change-Id: I95d124ae81bcb26583db5ad01d95d441d52f973c
There are multiple build breakages with bionic when we enable ThinLTO
globally. Opt bionic out of ThinLTO for now.
#global-thinlto-opt-out
Test: TreeHugger
Bug: 169004486
Change-Id: I546a8074f9c3e0ddbd01d3b7cd730e215e3c0c49
In native build of libc it would be inlined and in native bridge mode
it's noinline, extern "C" and thus could be easily intercepted.
Test: m (without weak symbols in native bridge mode x86+arm build would be broken)
Change-Id: I67759858a5bc2174dce1db9732fdbd89ba7689cc
Now, when we can detect native bridge mode is sources we can do that.
Test: m (without weak symbols in native bridge mode x86+arm build would be broken)
Change-Id: I360e7df8211d03636bbe716dc14655ee8d765493
malloc_debug can use libunwind and libunwindstck to unwind backtrace,
if libc.debug.malloc.options contains the string of "backtrace_full",
malloc_debug will use libunwindstck, and if libc.debug.malloc.options
contains the string of "backtrace=*", malloc_debug will use libunwind.
The result of libunwindstck is normal, but the result of libuniwnd
is abnormal, there is a offset between the rel_cp and the correct value,
so addr2line can't decode the right line number.
Libunwind and libunbiwndpack calculate load_bias is different, so malloc_debug
get load_bias alignment with libunwindstack.
Bug: 169539402
Change-Id: I640fb5db39af622a0bb52abf2c107984065a89d5
Let the assembler handle the low-level details of generating .eh_frame,
and use .cfi_escape to output the DWARF3 DW_CFA_def_cfa_expression and
DW_CFA_expression instructions.
Explicitly output a nop instruction between the FDE start
(.cfi_startproc) and the trampoline symbol.
x86_64: remove the rsp instruction, which is redundant with the CFA
itself.
Bug: http://b/169383888
Test: compare `objdump -Wf` output before and after
Test: bionic-unit-tests
Change-Id: Ie2a6d111cb473596be8c9f4fd64534e91d88f2a1
* changes:
libc: Add Armv8.3-A PAuth and Armv8.5-A BTI compatibility to *.S
Update crtbegin.c and crt*.S to support Armv8.5-A BTI
libm: Add Armv8.3-A PAuth and Armv8.5-A BTI support to assembly files
libc: Prepare support for Armv8.3-A PAuth and Armv8.5-A BTI in *.S
Every architecture that uses .eh_frame needs a terminator at the end to
ensure that an unwinder library doesn't read past the end of the
section. This can happen when the unwinder looks up a PC that doesn't
have a matching FDE. Both LLVM libunwind and libgcc fall back to an
.eh_frame scan if the .eh_frame_hdr search table scan fails.
By convention, this terminator section is aligned to 4, even on 64-bit
targets. e.g. Both libgcc and compiler-rt have a crtend with 4-byte
.eh_frame alignment on arm64 and x86_64.
In practice, lld strips off the terminator from input object files and
adds one unconditionally to the output, but bfd/gold still require a
crtend with a terminator.
References:
- https://reviews.llvm.org/D86256
- https://reviews.llvm.org/D87750
- https://sourceware.org/bugzilla/show_bug.cgi?id=2655
Test: examine crtend.o and crtend_so.o with `readelf -SW` and \
`objdump -Wf`
Change-Id: Ib8478ee446ad806898aa7147a6208d384c7516d5
The latest LLVM update to r399163 has exposed an issue with optimization
of `aligned_alloc()` at -O2. Invalid inputs are treated as valid, which
results in assertions being hit. This WAR is to make sure that the test
keeps running while we fix the issue upstream.
Bug: http://b/169206016
Bug: http://b/155835175
Test: atest malloc_hooks_system_tests:malloc_hooks_system_tests.MallocHooksTest#aligned_alloc_hook_error -- --abi x86
Change-Id: I74b290b73826481c62db3a99ac1a690c8a8a8db3
This patch adds support to load BTI-enabled objects.
According to the ABI, BTI is recorded in the .note.gnu.property section.
The new parser evaluates the property section, if exists.
It searches for .note section with NT_GNU_PROPERTY_TYPE_0.
Once found it tries to find GNU_PROPERTY_AARCH64_FEATURE_1_AND.
The results are cached.
The main change in linker is when protection of loaded ranges gets
applied. When BTI is requested and the platform also supports it
the prot flags have to be amended with PROT_BTI for executable ranges.
Failing to add PROT_BTI flag would disable BTI protection.
Moreover, adding the new PROT flag for shared objects without BTI
compatibility would break applications.
Kernel does not add PROT_BTI to a loaded ELF which has interpreter.
Linker handles this case too.
Test: 1. Flame boots
2. Tested on FVP with BTI enabled
Change-Id: Iafdf223b74c6e75d9f17ca90500e6fe42c4c1218
android_filesystem_config.h is found since system/core/include is on
the include path for all projects and contains a symlink to the real
android_filesystem_config.h. This is fragile and the below bug seeks
to remove this symlink and have users correctly depend on
libcutils_headers.
In bionic, libcutils_headers header library cannot be used due to
cyclic dependencies, so it gets the actual include path instead, which
is less bad than depending on the build system injecting the for all
modules.
Bug: 165825252
Test: build
Change-Id: Id43bdea9553b1174ceb3efc2a3ed505888619c62
It was originally based on fdlibm, but it's been through two different
projects since then, and `git blame` shows basically nothing remaining
from those days. Seems worth leaving something to explain the unusual
copyright header though!
Test: treehugger
Change-Id: I8e7252a755704b866e7f36c8e97adc021fa3cdad
