If the alignment of a TLS segment in a shared object is invalid, return
an error through dlerror() rather than aborting the process.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: I60e589ddd8ca897f485d55af089f08bd3ff5b1fa
This implementation simply iterates over each static TLS module and
copies its initialization image into a new thread's static TLS block.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: Ib7edb665271a07010bc68e306feb5df422f2f9e6
Replace reserve_tcb with reserve_exe_segment_and_tcb, which lays out both
the TCB and the executable's TLS segment, accounting for the difference in
layout between variant 1 and variant 2 targets.
The function isn't actually called with a non-null TlsSegment* yet.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: Ibd6238577423a7d0451f36da7e64912046959796
The function searches for a TLS segment in a ElfXX_Phdr table.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: I221b13420d1a2da33fc2174b7dd256589f6ecfdb
As of the switch to clang-r346389c, it has been replaced with
TLS_SLOT_SANITIZER(6). lld reserves 8 words beyond the TP on arm/arm64, so
Bionic can't use anything beyond 7.
The DTV and bionic_tls slots on x86 haven't been part of a release yet,
and they should be strictly internal to Bionic anyway, so shift them down.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: Ifb3b2d8d85efe1417ee9a10b657b665ec6f2fd3d
For ELF TLS "local-exec" accesses, the static linker assumes that an
executable's TLS segment is located at a statically-known offset from the
thread pointer (i.e. "variant 1" for ARM and "variant 2" for x86).
Because these layouts are incompatible, Bionic generally needs to allocate
its TLS slots differently between different architectures.
To allow per-architecture TLS slots:
- Replace the TLS_SLOT_xxx enumerators with macros. New ARM slots are
generally negative, while new x86 slots are generally positive.
- Define a bionic_tcb struct that provides two things:
- a void* raw_slots_storage[BIONIC_TLS_SLOTS] field
- an inline accessor function: void*& tls_slot(size_t tpindex);
For ELF TLS, it's necessary to allocate a temporary TCB (i.e. TLS slots),
because the runtime linker doesn't know how large the static TLS area is
until after it has loaded all of the initial solibs.
To accommodate Golang, it's necessary to allocate the pthread keys at a
fixed, small, positive offset from the thread pointer.
This CL moves the pthread keys into bionic_tls, then allocates a single
mapping per thread that looks like so:
- stack guard
- stack [omitted for main thread and with pthread_attr_setstack]
- static TLS:
- bionic_tcb [exec TLS will either precede or succeed the TCB]
- bionic_tls [prefixed by the pthread keys]
- [solib TLS segments will be placed here]
- guard page
As before, if the new mapping includes a stack, the pthread_internal_t
is allocated on it.
At startup, Bionic allocates a temporary bionic_tcb object on the stack,
then allocates a temporary bionic_tls object using mmap. This mmap is
delayed because the linker can't currently call async_safe_fatal() before
relocating itself.
Later, Bionic allocates a stack-less thread mapping for the main thread,
and copies slots from the temporary TCB to the new TCB.
(See *::copy_from_bootstrap methods.)
Bug: http://b/78026329
Test: bionic unit tests
Test: verify that a Golang app still works
Test: verify that a Golang app crashes if bionic_{tls,tcb} are swapped
Merged-In: I6543063752f4ec8ef6dc9c7f2a06ce2a18fc5af3
Change-Id: I6543063752f4ec8ef6dc9c7f2a06ce2a18fc5af3
(cherry picked from commit 1e660b70da)
Having a constexpr constructor should guarantee that the static
`globals` variable in __libc_shared_globals is initialized statically
(as opposed to dynamically), which is important because
__libc_shared_globals is called very early (before the linker has
relocated itself). With the constructor, though, the fields can safely
have in-line default initializers.
Bug: none
Test: bionic unit tests
Change-Id: Icde821557369625734a4d85d7ff55428bad5c247
* Add explicit to conversion constructors/operators
Bug: 28341362
Test: make with WITH_TIDY=1 DEFAULT_GLOBAL_TIDY_CHECKS=-*,google-explicit-constructor
Change-Id: Id1ad0327c1b8c6f094bcbb3ae599bc1f716b3f2f
This slot will replace TLS_SLOT_TSAN, which needs to be removed for ELF
TLS compatibility. The platform has both slots reserved until compiler-rt
can be updated. See:
- https://reviews.llvm.org/D53906
- discussion on AOSP change Idf25d2ee457a5d26d0bdd6281cee72c345c8b755
Bug: http://b/78026329
Test: m
Change-Id: Ifd5aeb5711dc88266e7350cb022146dd87cfd7be
This change is intended to allow native-bridge to use independent
TLS memory for host and guest environments, while still sharing a
thread-local errno between the two.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: I838cd321e159add60760bc12a8aa7e9ddc960c33
Merged-In: I838cd321e159add60760bc12a8aa7e9ddc960c33
(cherry picked from commit a9c7c55462)
Instead of passing the address of a KernelArgumentBlock to libc.so for
initialization, use __loader_shared_globals() to initialize globals.
Most of the work happened in the previous CLs. This CL switches a few
KernelArgumentBlock::getauxval calls to [__bionic_]getauxval and stops
routing the KernelArgumentBlock address through the libc init functions.
Bug: none
Test: bionic unit tests
Change-Id: I96c7b02c21d55c454558b7a5a9243c682782f2dd
Merged-In: I96c7b02c21d55c454558b7a5a9243c682782f2dd
(cherry picked from commit 746ad15912)
Make getauxval() work in .preinit_array. It still won't be usable for
ifuncs unless we can guarantee that the __loader_shared_globals relocation
is resolved before the ifunc calls [__bionic_]getauxval.
Define __bionic_getauxval for use in replacing calls to
KernelArgumentBlock::getauxval, which doesn't (and sometimes isn't allowed
to) access TLS variables like errno.
Bug: http://b/25751302
Test: bionic unit tests
Change-Id: I461feeaed7f43cfa2a2b6c34147194f0df82b516
Merged-In: I461feeaed7f43cfa2a2b6c34147194f0df82b516
(cherry picked from commit bdab4a2b97)
Split __libc_init_main_thread into __libc_init_main_thread_early and
__libc_init_main_thread_late. The early function is called very early in
the startup of the dynamic linker and static executables. It initializes
the global auxv pointer and enough TLS memory to do system calls, access
errno, and run -fstack-protector code (but with a zero cookie because the
code for generating a cookie is complex).
After the linker is relocated, __libc_init_main_thread_late finishes
thread initialization.
Bug: none
Test: bionic unit tests
Change-Id: I6fcd8d7587a380f8bd649c817b40a3a6cc1d2ee0
Merged-In: I6fcd8d7587a380f8bd649c817b40a3a6cc1d2ee0
(cherry picked from commit 39bc44bb0e)
Initialize the __progname and environ global variables using
libc_shared_globals rather than KernelArgumentBlock.
Also: suppose the linker is invoked on an executable:
linker prog [args...]
The first argument passed to main() and constructor functions is "prog"
rather than "linker". For consistency, this CL changes the BSD
__progname global from "linker" to "prog".
Bug: none
Test: bionic unit tests
Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
__libc_shared_globals() is available in dynamic modules as soon as
relocation has finished (i.e. after ifuncs run). Before ifuncs have run,
the android_set_abort_message() function already doesn't work because it
calls public APIs via the PLT. (If this matters, we can use a static
bool variable to enable android_set_abort_message after libc
initialization).
__libc_shared_globals() is hidden, so it's available in the linker
immediately (i.e. before relocation). TLS memory (e.g. errno) currently
isn't accessible until after relocation, but a later patch fixes that.
Bug: none
Test: bionic unit tests
Change-Id: Ied4433758ed2da9ee404c6158e319cf502d05a53
Previously, the address of the global variable was communicated from the
dynamic linker to libc.so using a field of KernelArgumentBlock, which is
communicated using the TLS_SLOT_BIONIC_PREINIT slot.
As long as this function isn't called during relocations (i.e. while
executing an ifunc), it always return a non-NULL value. If it's called
before its PLT entry is relocated, I expect a crash.
I removed the __libc_init_shared_globals function. It's currently empty,
and I don't think there's one point in libc's initialization where
shared globals should be initialized.
Bug: http://b/25751302
Test: bionic unit tests
Change-Id: I614d25e7ef5e0d2ccc40d5c821dee10f1ec61c2e
remove android_open_proxy and use dns_open_proxy instead of it.
dns_open_proxy is in libnetd_client and
it does the same thing as android_open_proxy except return value.
It returns fd directly now.
Test: build, dns works fine
Change-Id: I984743fb50b23eeb9a7d24e9fc347832acfe2afe
This lets us do two things:
1) Make setjmp and longjmp compatible with shadow call stack.
To avoid leaking the shadow call stack address into memory, only the
lower log2(SCS_SIZE) bits of x18 are stored to jmp_buf. This requires
allocating an additional guard page so that we're guaranteed to be
able to allocate a sufficiently aligned SCS.
2) SCS overflow detection. Overflows now result in a SIGSEGV instead
of corrupting the allocation that comes after it.
Change-Id: I04d6634f96162bf625684672a87fba8b402b7fd1
Test: bionic-unit-tests
Also move this and android_get_device_api_level into <android/api-level.h>
so that they're always available.
This involves cleaning up <sys/cdefs.h> slightly.
Bug: N/A
Test: builds
Change-Id: I25435c55f3549cd0d827a7581bee75ea8228028b
Use <android-base/macros.h> instead where possible, and move the bionic
macros out of the way of the libbase ones. Yes, there are folks who manage
to end up with both included at once (thanks OpenGL!), and cleaning that
up doesn't seem nearly as practical as just making this change.
Bug: N/A
Test: builds
Change-Id: I23fc544f39d5addf81dc61471771a5438778895b
Tests: Ran malloc_debug_unit_tests
Tests: Flashed to walleye, sent signal, observed
"Unable to open shared library: heapprofd.so".
Change-Id: Ia8ce216837e29e3edbda8789ca28023d53fa1fda
There's little value to having strings for these, but we may as well
for consistency. There's no ELASTERRNO constant we can use to check
whether we've fallen behind again, but these were added in 2009 and
2011 respectively, so we're not likely to have to deal with any more
new errno values any time soon...
Bug: http://b/117755069
Test: ran tests
Change-Id: I5b7155c22cad92c2fe03a0b4c7cae415c37fa186
The executable can be inside a zip file using the same syntax used for
shared objects: path.zip!/libentry.so.
The linker currently requires an absolute path. This restriction could be
loosened, but it didn't seem important? If it allowed non-absolute paths,
we'd need to decide how to handle:
- foo/bar (relative to CWD?)
- foo (search PATH / LD_LIBRARY_PATH, or also relative to CWD?)
- foo.zip!/bar (normalize_path() requires an absolute path)
The linker adjusts the argc/argv passed to main() and to constructor
functions to hide the initial linker argument, but doesn't adjust the auxv
vector or files like /proc/self/{exe,cmdline,auxv,stat}. Those files will
report that the kernel loaded the linker as an executable.
I think the linker_logger.cpp change guarding against (g_argv == NULL)
isn't actually necessary, but it seemed like a good idea given that I'm
delaying initialization of g_argv until after C++ constructors have run.
Bug: http://b/112050209
Test: bionic unit tests
Change-Id: I846faf98b16fd34218946f6167e8b451897debe5
Previously, we were zeroing out the reserved signals, when we actually
wanted to have TIMER_SIGNAL always be blocked, and the other signals
always be unblocked. This resulted in process termination when a
SIGEV_THREAD timer callback calls sigprocmask(SIG_SETMASK, ...) with
any signal mask value, and then subsequently fails to complete its
callback and reach the sigtimedwait in bionic before the next timer
iteration triggers.
Add a how argument to filter_reserved_signals to appropriately
block/unblock our reserved signals.
Bug: http://b/116783733
Test: bionic-unit-tests32/64
Change-Id: Ie5339682cdeb914711cd4089cd26ee395704d0df
Convert abort's inline_tgkill to do the equivalent of
pthread_sigqueue(pthread_self(), ...), so that we can use it in fdsan
as well.
Test: bionic-unit-tests
Test: debuggerd_test32
Test: debuggerd_test64
Change-Id: I92a7b84e2f00ce021b4043ed8a3bd8683d77fe9c
We've copied & pasted these to too many places. And if we're going to
have another go at upstreaming these, that's probably yet another reason
to have the *values* in just one place. (Even if upstream wants different
names, we'll likely keep the legacy names around for a while for source
compatibility.)
Bug: http://b/111903542
Test: ran tests
Change-Id: I8ccc557453d69530e5b74f865cbe0b458c84e3ba
libc had some -Wimplicit-fallthrough warnings. They all seem to be
benign. We're trying to enable this flag globally, so we need to
annotate these breaks here.
Bug: 112564944
Test: Builds
Change-Id: I5afae694cc4cf26ad1a61e2c8ae91f00cda7c733
Make it easier for other code to parse the fdsan table themselves by
making it so that they can include the bionic_fdsan.h header to get a
struct definition with the layout without bringing in other
dependencies.
Test: treehugger
Change-Id: I3583ef113991234aa83cd193a4eb139ad06737c7
Add two functions to allow objects that own a file descriptor to
enforce that only they can close their file descriptor.
Use them in FILE* and DIR*.
Bug: http://b/110100358
Test: bionic_unit_tests
Test: aosp/master boots without errors
Test: treehugger
Change-Id: Iecd6e8b26c62217271e0822dc3d2d7888b091a45
pclose(3) is now an alias for fclose(3). We could add a FORTIFY check
that you use pclose(3) if and only if you used popen(3), but there seems
little value to that when we can just do the right thing.
This patch also adds the missing locking to _fwalk --- we need to lock
both the global list of FILE*s and also each FILE* we touch. POSIX says
that "The popen() function shall ensure that any streams from previous
popen() calls that remain open in the parent process are closed in the
new child process", which we implement via _fwalk(fclose) in the child,
but we might want to just make *all* popen(3) file descriptors O_CLOEXEC
in all cases.
Ignore fewer errors in popen(3) failure cases.
Improve popen(3) test coverage.
Bug: http://b/72470344
Test: ran tests
Change-Id: Ic937594bf28ec88b375f7e5825b9c05f500af438
As for others targets, it is better to align function text by minimim
cacheline size. This patch changes arm __bionic_asm_align to 16.
Test: bionic tests on aarch64.
Change-Id: Ib121663c65493d33d6803e2c5139d247a8cae858
__libc_sysinfo is hidden, so accessing it doesn't require a relocated GOT.
It is important not to have a relocatable initializer on __libc_sysinfo,
because if it did have one, and if we initialized it before relocating the
linker, then on 32-bit x86 (which uses REL rather than RELA), the
relocation step would calculate the wrong addend and overwrite
__libc_sysinfo with garbage.
Asides:
* It'd be simpler to keep the __libc_sysinfo initializer for static
executables, but the loader pulls in libc_init_static (even though it
uses almost none of the code in that file, like __libc_init).
* The loader has called __libc_init_sysinfo three times by the time it
has relocated itself. A static executable calls it twice, while libc.so
calls it only once.
Bug: none
Test: lunch aosp_x86-userdebug ; emulator
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
Test: adb shell /data/nativetest/bionic-unit-tests-static/bionic-unit-tests-static
Change-Id: I5944f57847db7191608f4f83dde22b49e279e6cb
Require that users and groups found in /vendor/etc/{passwd,group}
start with vendor_. This is needed to compliance with Treble as
without this prefix, it is possible for a new system image to create a
user/group name that a vendor has already used, causing a collision.
Bug: 79528966
Test: new unit test
Change-Id: I07500641e165f41526a8101592d83fa174e7a711
It seems clearer to include FD_SETSIZE in the message. set_size
is sizeof(fd_set) so there's an extra mental hoop to jump if that's
in the error message.
Test: make
Change-Id: I5cdb62465b658ac0eaeccbfb826d135820cf613a
We saw crashes from pthread_exit+debuggerd on LP32
(https://issuetracker.google.com/72291624), and it seems like the
equivalent problem should exist with system(3). I fixed posix_spawn(3)
as part of that bug, so the easiest fix is probably to reuse that.
Bug: http://b/72470344
Test: ran tests
Change-Id: I05f838706f2b4a14ac3ee21292833e6c8579b0d4
Add the capability to read /etc/passwd and /etc/group for getpw* and
getgr* functions.
Bug: 27999086
Test: pwd, grp, grp_pwd_file unit tests
Test: Read in custom users/groups from /etc/{passwd,group}
Change-Id: Idc1f054af8a7ca34743a90493495f0ccc775a0d8
This doesn't address `struct sigaction` and `sigaction`. That will
come later.
Bug: http://b/72493232
Test: ran tests
Change-Id: I4134346757ce3a4dac6feae413361cec16223386
The main motivation here is that the sigprocmask in pthread_exit wasn't
actually blocking the real-time signals, and debuggerd (amongst other
things) is using them. I wasn't able to write a test that actually won
that race but I did write an equivalent one for posix_spawn.
This also fixes all the uses of sigset_t where the sigset_t isn't
exposed to the outside (which we can't easily fix because it would be
an ABI change).
Bug: https://issuetracker.google.com/72291624
Test: ran tests
Change-Id: Ib6eebebc5a7b0150079f1cb79593247917dcf750
Bug: http://b/29177606
Test: run bionic-unit-tests on walleye.
Test: run bionic-unit-tests-glibc on host.
Change-Id: Iac349284aa73515f384e7509445f87434757f59e
There were a bunch more unreasonable/incorrect ones, but these ones
seemed legit. Nothing very interesting, though.
Bug: N/A
Test: ran tests, benchmarks
Change-Id: If66971194d4a7b4bf6d0251bedb88e8cdc88a76f
This is also slightly faster for the no VDSO case (56ns vs 66ns).
Bug: N/A
Test: ran tests, benchmarks
Change-Id: I2b0edd06ee6942eb57c32678279278a53ca5ee9b
Currently, getpwnam, getpwent, etc return successfully for any uid
from AID_APP_START (10000) to AID_USER_OFFSET (100000) for each user.
This is not correct however, as only specific ranges above
AID_APP_START are reserved as valid ranges. This change corrects this.
This is particularly important as the newly added AID_OVERFLOWUID is
65534, which is above AID_APP_START but not in any reserved range,
collided with the faulty returned values.
Bug: 69119022
Bug: 69128408
Test: pwd/grp bionic unit tests
Change-Id: I3dae97a90597915fa30a88fe27cda88b107e9c35
To make it easier for Native Bridge implementations
to override these symbols.
Bug: http://b/67993967
Test: make
Change-Id: I4c53e53af494bca365dd2b3305ab0ccc2b23ba44
Move all the new checks over to the existing __fortify_fatal.
Bug: http://b/67455242
Test: ran tests
Change-Id: Idb899c58c32d52d3b423caf1a91feb7defcba9b3
I'm skeptical about the usefulness of this, but it's in POSIX, it's
in glibc (but not iOS), and it is used in some internal source (test
runners and container code).
Bug: N/A
Test: ran tests
Change-Id: I92c5398f2a679b21a33fba92bc8e67e3ae2eb76f
We store a pointer to the long ro. property within the shared property
area, as we know that this pointer will never change locations or be
invalidated and it saves us from needing to allocate arbitrarily sized
storage for the property.
Bug: 23102347
Bug: 34954705
Test: bionic-unit-tests
Change-Id: I9f9147a2f951f20f51e4664c6faf9ff7f6a9502a
This fixes mips and mips64 build failures.
Test: successful aosp_mips-eng and aosp_mips64-eng builds
Change-Id: I6648b9cae876cda13369cf10edf61ce9fdca342c
<machine/asm.h> was internal use only.
<machine/fenv.h> is quite large, but can live in <bits/...>.
<machine/regdef.h> is trivially replaced by saying $x instead of x in
our assembler.
<machine/setjmp.h> is trivially inlined into <setjmp.h>.
<sgidefs.h> is unused.
Bug: N/A
Test: builds
Change-Id: Id05dbab43a2f9537486efb8f27a5ef167b055815
While this was never an inline, this function alone has caused most of
the bug reports related to _FILE_OFFSET_BITS=64. Providing an inline
for it should allow a lot more code to build with _FILE_OFFSET_BITS=64
when targeting pre-L.
Test: make checkbuild
Test: built trivial cc_binary for LP32 against API 14 with
_FILE_OFFSET_BITS=64 set
Bug: lots
Change-Id: I8479d34af4da358c11423bee43d45b59e9d4143e
On aarch64/x86/x86_64 add a macro that inserts a cfi directive that will
stop unwinding.
For arm, clang doesn't allow emitting .cantunwind, so add a comment and
leave it the same as it current is.
Add this macro to __libc_init and __start_thread.
Also, remove duplicate compilation of libc_init_static.cpp that already
includes the static library that includes that file.
Bug: 15469122
Test: Did unwinds using new unwinder tool (unwind) and debuggerd -b
Test: and verified new unwinder works on aarch64/x86/x86_64.
Test: Verified that it works on old unwinder for aarch64/x86, but
Test: x86_64 doesn't work properly, but as well as before.
Change-Id: I77302e8f6c7ba1549d98a4a164106ee82c9ecadc
pthread's and semaphore's default behavior is to use CLOCK_REALTIME,
however this behavior is essentially never intended, as that clock is
prone to change discontinuously.
What users really intend is to use CLOCK_MONOTONIC, however only
pthread_cond_timedwait() provides this as an option and even there, a
large amount of existing code does not opt into CLOCK_MONOTONIC.
We have seen numerous bugs directly attributable to this difference.
Therefore, we provide this general workaround to always use
CLOCK_MONOTONIC for waiting, regardless of what the input timespec
is.
Specifically this impacts the below APIs:
pthread_mutex_timedlock()
pthread_cond_timedwait()
pthread_rwlock_timedrdlock()
pthread_rwlock_timedwrlock()
sem_timedwait()
Test: boot bullhead, boot sailfish
Test: bionic pthread/semaphore unit tests
Test: check that pthread_cond_timedwait() timeouts are uneffected by
CLOCK_REALTIME time changes
Bug: 64694413
Bug: 64623895
Bug: 35756266
Bug: 35678943
Change-Id: Ibba98f5d88be1c306d14e9b9366302ecbef6d534
This reverts commit ea3df0c52b, and
increases the address limit on non-aarch64 64-bit platforms as well.
RLIMIT_AS problem fixed in a different commit.
Bug: 63141434, 64293803
Test: device boots
Change-Id: I1284c4196cc1f0c9d97c3ced97a19de328050d21
...by inlining them.
Also fix a couple of harmless bugs in passing. I've added tests, but in
both cases I don't think it was actually possible to hit the bad behavior:
we'd hit another test and fail immediately after in an externally
indistinguishable way.
Bug: N/A
Test: readelf
Change-Id: I8466050b0bfe2b7b94c76b383cf10c1d9d28debd
This reverts commit ae735163e5.
QA claims this causes:
AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'void android.media.MediaPlayer.setSurface(android.view.Surface)' on a null object reference
AndroidRuntime: at com.android.setupwizardlib....
Bug: http://b/63141434
Change-Id: I05a6849471623d4cde8b254b1020b0ccbd84b699
Starting from Linux 4.7, arm64's defconfig enables 48-bit VAs, see:
https://git.kernel.org/torvalds/c/211102d8
On arm64, the CFI shadow configuration currently assumes that VAs
are 39-bit long, and as expected this results in a segfault on a
(defconfig) 4.7+ kernel, when linking a CFI-enabled library.
Consequently, this change increases the max target address to
account for the new max VA size.
Change-Id: I3fb808563fa77a457c65e9663da0613117332072
File libc/SYSCALLS.TXT is updated to generate bionic's system call wrappers
for clock_gettime() & gettimeofday() that will be called if kernel vdso
implementations fail to execute.
The system call wrappers are generated using a python script gensyscalls.py.
Since all architectures support vdso now, there is no more need for conditional
statements regarding supported architectures in libc/bionic/vdso.cpp &
libc/private/bionic_vdso.h files.
Test: builds
Change-Id: I7213f29c179a7929851499d78a72900638ae861a
Signed-off-by: Goran Ferenc <goran.ferenc@imgtec.com>
Add the mallopt function, and only a single option so far.
Bug: 36401135
Test: Built and booted bullhead.
Test: Ran jemalloc unit tests.
Test: Ran bionic unit tests.
Test: Ran a test that allocated and free'd a large piece of memory,
Test: and verified that after changing the parameter, the PSS
Test: sticks around (decay timer set to 1), the PSS is purged (decay
Test: timer set to 0).
Change-Id: I6927929b0c539c1023d34772d9e26bb6a8a45877
This library is used by a number of different libraries in the system.
Make it easy for platform libraries to use this library and create
an actual exported include file.
Change the names of the functions to reflect the new name of the library.
Run clang_format on the async_safe_log.cpp file since the formatting is
all over the place.
Bug: 31919199
Test: Compiled for angler/bullhead, and booted.
Test: Ran bionic unit tests.
Test: Ran the malloc debug tests.
Change-Id: I8071bf690c17b0ea3bc8dc5749cdd5b6ad58478a
This is the last bionic caller that was manually trying to cache
property values.
Bug: N/A
Test: builds and boots
Change-Id: Id66c0a05d8448f08c39dbf7189241e75615d44b4
Also document that the caller should provide locking at an
appropriate scope.
Bug: N/A
Test: ran tests
Change-Id: Ib84802fd8b9dbe69f98feab80edef05549a3f73e
Useful for testing whether apps have actually stopped using greylisted
libraries even if they still have references to them in their apk to support
old Android releases but also haven't bumped their targetSdkVersion yet.
Since we already have two expensive __system_property_get calls and this
would add a third, optimize two (but leave the third since it's not
obviously amenable to optimization). None of this matters for user builds,
but I don't want userdebug/eng to have distractingly different performance.
(cherrypick of 7933bec2872aa1c3430149c7649726333c0ac9d8.)
Bug: http://b/36106661
Test: ran "can you escape 5" with and without this property
Change-Id: Id9a804695c1dca9b4be2ebd0e72f01817bb13cba
libc_logging is getting statically linked into the crash handler
library, resulting in two copies of the abort message code existing in
processes, one in the linker, and one in the crash handler.
Move android_set_abort_message to its own file to solve this.
Bug: http://b/36862204
Test: /data/nativetest/debuggerd_test/debuggerd_test32
Change-Id: Ie198c5a3bb07645aa43296915c9a6752693f14a9
__system_property_set sometimes produces broken_pipe error
when trying to write a property.
This change improves error messages and uses writev() instead
of sequence of send() calls.
Bug: http://b/35381074
Test: bionic-unit-tests --gtest_filter=prop*
Change-Id: I7a5b169c015db4e6b720370e58662de8206d1086
Thread local buffers were using pthread_setspecific for storage with
lazy initialization. pthread_setspecific shares TLS slots between the
linker and libc.so, so thread local buffers being initialized in a
different order between libc.so and the linker meant that bad things
would happen (manifesting as snprintf not working because the
locale was mangled)
Bug: http://b/20464031
Test: /data/nativetest64/bionic-unit-tests/bionic-unit-tests
everything passes
Test: /data/nativetest/bionic-unit-tests/bionic-unit-tests
thread_local tests are failing both before and after (KUSER_HELPERS?)
Test: /data/nativetest64/bionic-unit-tests-static/bionic-unit-tests-static
no additional failures
Change-Id: I9f445a77c6e86979f3fa49c4a5feecf6ec2b0c3f
Some of the function pointer types were wrong, and x86 cares if you
say `int` when you meant `int8_t` (because it feels at liberty to
leave the top bits dirty and ignore them, both sides need to agree
which they're dealing with).
Also slightly improve the wcstoimax and wcstoumax tests, since my
investigation started there.
Bug: http://b/33451822
Test: tests pass on x86, arm, and arm64
Change-Id: I553193962f0cb993666f9f8e415990bba5b669e1
Let the caller know when libc has an entropy source and arc4random is safe.
This is useful for the callers that want entropy, but don't absolutely need it.
Bug: http://b/27729263
Test: booted angler-userdebug w/ safestack
Change-Id: Iab3050bd19f23518e1676629573eebc656ba1090
Pretty useless, because the POSIX APIs are useless for actually
internationalization, but it lets us put this to bed for good.
Bug: http://b/18492914
Test: bionic tests
Change-Id: I4dd0aff66c44b5547039be3ffea806c865b9014a
When arc4random can get entropy (which is true for basically everyone
but init on kernels that don't support getrandom), use it instead of
AT_RANDOM.
Bug: http://b/29622562
Change-Id: I6932803af2c477e65562ff531bd959f199fad1df
This change implements the following property:
Any 2**N aligned memory region on size 2**N contains no more than one DSO.
The value N can be configured, with 16 or 18 looking like a good choice.
Additionally, DSOs are loaded at random page-aligned address inside these large
regions.
This change has dual purpose:
1. Larger values of N allow a lot more compact CFI shadow implementation.
See change I14dfea630de468eb5620e7f55f92b1397ba06217.
For example, CFI shadow for the system_server process has the following size (RSS, KB):
152 for N = 12, 32 for N = 16, 16 for N = 18.
2. Extra randomization is good for security.
This change does not result in extra RAM usage, because everything is still page-aligned.
It does result in a bit more VM fragmentation because of the gaps between shared libraries.
As it turns out, this fragmentation is barely noticeable because the kernel creates new mapping
at the highest possible address, and we do enough small mappings to almost completely fill the
gaps (ex. in the Zygote the gaps are filled with .ttf file mappings and thread stacks).
I've measured VM fragmentation as the sum of all VM gaps (unmapped regions) that are larger
than 1MB according to /proc/$PID/maps. On aosp_angler-userdebug, the numbers are (in GB):
| N = 12 | N = 18
system_server | 521.9 | 521.1
zygote64 | 522.1 | 521.3
zygote32 | 2.55 | 2.55
mediaserver | 4.00 | 4.00
Change-Id: Ia6df840dd409c82837efd1f263be420d9723c84a
Before, dynamic executables would initialize the global stack protector
twice, once for the linker, and once for the executable. This worked
because the result was the same for both initializations, because it
used getauxval(AT_RANDOM), which won't be the case once arc4random gets
used for it.
Bug: http://b/29622562
Change-Id: I7718b1ba8ee8fac7127ab2360cb1088e510fef5c
Test: ran the stack protector tests on angler (32/64bit, static/dynamic)
And clang won't let you have a function declaration where some arguments
have nullability specifiers and others don't.
Change-Id: I450b0221a3f7f068d5fe971dfbc0ba91d25710e8
Previously, arc4random would register a fork-detecting pthread_atfork
handler to not have to call getpid() after a fork. pthread_atfork uses
pthread_mutex_lock, which requires the current thread to be initialized,
preventing the use of arc4random for initializing the global stack guard,
which needs to happen before the main thread has been initialized.
Extract the arc4random fork-detection flag and use the existing
arc4random fork handler to set it.
Bug: http://b/29622562
Change-Id: I98c9329fa0e489c3f78cad52747eaaf2f5226b80
This function only exists for backwards compatibility, so leave it as it was.
Bug: http://b/26944282
Change-Id: I31973d1402660933103ee2d815649ab9569e4dfc
This patch uses __kernel_vsyscall instead of "int 0x80"
as the syscall entry point. AT_SYSINFO points to
an adapter to mask the arch specific difference and gives a
performance boost on i386 architecture.
Change-ID: Ib340c604d02c6c25714a95793737e3cfdc3fc5d7
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
Our FORTIFY _chk functions' implementations were very repetitive and verbose
but not very helpful. We'd also screwed up and put the SSIZE_MAX checks where
they would never fire unless you actually had a buffer as large as half your
address space, which probably doesn't happen very often.
Factor out the duplication and take the opportunity to actually show details
like how big the overrun buffer was, or by how much it was overrun.
Also remove the obsolete FORTIFY event logging.
Also remove the unused __libc_fatal_no_abort.
This change doesn't improve the diagnostics from the optimized assembler
implementations.
Change-Id: I176a90701395404d50975b547a00bd2c654e1252
Add backtrace_string to convert a malloc_debug backtrace to a string.
Also move the backtrace functions to libc_malloc_debug_backtrace so that
libmemunreachable can reuse them.
Change-Id: I5ad67001c0b4d184903c762863a8588181d4873b
The major components of the rewrite:
- Completely remove the qemu shared library code. Nobody was using it
and it appears to have broken at some point.
- Adds the ability to enable/disable different options independently.
- Adds a new option that can enable the backtrace on alloc/free when
a process gets a specific signal.
- Adds a new way to enable malloc debug. If a special property is
set, and the process has an environment variable set, then debug
malloc will be enabled. This allows something that might be
a derivative of app_process to be started with an environment variable
being enabled.
- get_malloc_leak_info() used to return one element for each pointer that
had the exact same backtrace. The new version returns information for
every one of the pointers with same backtrace. It turns out ddms already
automatically coalesces these, so the old method simply hid the fact
that there where multiple pointers with the same amount of backtrace.
- Moved all of the malloc debug specific code into the library.
Nothing related to the malloc debug data structures remains in libc.
- Removed the calls to the debug malloc cleanup routine. Instead, I
added an atexit call with the debug malloc cleanup routine. This gets
around most problems related to the timing of doing the cleanup.
The new properties and environment variables:
libc.debug.malloc.options
Set by option name (such as "backtrace"). Setting this to a bad value
will cause a usage statement to be printed to the log.
libc.debug.malloc.program
Same as before. If this is set, then only the program named will
be launched with malloc debug enabled. This is not a complete match,
but if any part of the property is in the program name, malloc debug is
enabled.
libc.debug.malloc.env_enabled
If set, then malloc debug is only enabled if the running process has the
environment variable LIBC_DEBUG_MALLOC_ENABLE set.
Bug: 19145921
Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
Exactly which functions get a stack protector is up to the compiler, so
let's separate the code that sets up the environment stack protection
requires and explicitly build it with -fno-stack-protector.
Bug: http://b/26276517
Change-Id: I8719e23ead1f1e81715c32c1335da868f68369b5
Correct the comment, and remove the unused functionality. getauxval(3) does
now set errno to let you know it failed to find anything, but since none of
this function's callers care anyway it seems safer to leave errno untouched
until we actually have a demonstrated need for it.
Bug: https://code.google.com/p/android/issues/detail?id=198111
Change-Id: I232a42dc5a02c8faab94c7d69bef610408276c23
The BIONIC_ROUND_UP_POWER_OF_2 macro did not have parentheses around
the whole expression. This lead to the wrong value being computed when
used as part of a mathematical expression such as this:
value = BIONIC_ROUND_UP_POWER_OF_2(value) - 1;
This only happens on 64 bit abis.
Change-Id: I6f8afbdaf16fe64a88fa0246d074b3534c9159c1
It actually means "crash immediately". Well, it's an error. And callers are
much more likely to realize their mistake if we crash immediately rather
than return EINVAL. Historically, glibc has crashed and bionic -- before
the recent changes -- returned EINVAL, so this is a behavior change.
Change-Id: I0c2373a6703b20b8a97aacc1e66368a5885e8c51
In order to run tsan unit tests, we need to support pthread spin APIs.
Bug: 18623621
Bug: 25392375
Change-Id: Icbb4a74e72e467824b3715982a01600031868e29
It removes calling to pthread_mutex_lock() at the beginning of new
thread, which helps to support thread sanitizer.
Change-Id: Ia3601c476de7976a9177b792bd74bb200cee0e13
For the __release and __release_rt functions, the previous macros
would add a dwarf cfi entry for the function with no values. This works
with libunwind since it always tries the arm unwind information first.
This change removes those entries by creating a no dwarf version of the
assembler macro.
Change-Id: Ib93e42fff5a79b8d770eab0071fdee7d2afa988d
Read /proc/stat to count online cpus is not correct for all android
kernels. Change to reading /sys/devices/system/cpu/online instead.
Bug: 24376925
Change-Id: I3785a6c7aa15a467022a9a261b457194d688fb38
I'm removing the TODO on the assumption that being compatible with glibc
is more useful than BSD. The new internal "bionic_page.h" header factors
out some duplication between libc and the linker.
Bug: http://b/22735893
Change-Id: I4aec4dcba5886fb6f6b9290a8f85660643261321
According to the comments in Posix_close(), TEMP_FAILURE_RETRY() should
not be used with close():
462bdac45c%5E%21/#F12
Kill ScopedFd by simplifying the single caller.
Change-Id: I248c40b8c2fc95f1938a6edfc245c81847fc44af
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
Previous implementation of rwlock contains four atomic variables, which
is hard to maintain and change. So I make following changes in this CL:
1. Add pending flags in rwlock.state, so we don't need to synchronize
between different atomic variables. Using compare_and_swap operations
on rwlock.state is enough for all state change.
2. Add pending_lock to protect readers/writers waiting and wake up
operations. As waiting/wakeup is not performance critical, using a
lock is easier to maintain.
3. Add writer preference option.
4. Add unit tests for rwlock.
Bug: 19109156
Change-Id: Idcaa58d695ea401d64445610b465ac5cff23ec7c
Found by the toybox id(1) which calls both getpwuid(3) and getgrgid(3) before
looking at either result. The use of a shared buffer in this code meant that
even on a single thread, the data for any of the passwd functions would be
clobbered by the data for any of the group functions (or vice versa).
This might seem like an insufficient fix, but POSIX explicitly says (for
getpwnam) that the result "might be overwritten by a subsequent call to
getpwent(), getpwnam(), or getpwuid()" and likewise for other members of
that group, plus equivalent text for the group-related functions.
Change-Id: I2272f47e91f72e043fdaf7c169fa9f6978ff4370
POSIX specifies that pthread_kill(3) and pthread_sigmask(3) are
supposed to live in signal.h rather than pthread.h.
Since signal.h now needs pthread_t and pthread_attr_t, I've moved
those defintions into include/machine/pthread_types.h to keep the
namespace clean. I also sorted some includes. The combination of these
two things seems to have exploded into a cascade of missing includes,
so this patch also cleans up all those.
Change-Id: Icfa92a39432fe83f542a797e5a113289d7e4ad0c
Make the definition of DISALLOW_COPY_AND_ASSIGN conditional. This is
so that the projects that include libnativehelper and bionic macros
do not have to be careful in which order those projects are included.
Bug: 18334516
Change-Id: Ib12a2c2b7ad2e360edcf3b26cb1be626540fadc1
Enable the -std=gnu++11 flag for libstdc++ static and
dynamic libs.
ScopeGuard uses DISABLE_ macros instead of '= delete';
Change-Id: I07e21b306f95fffd49345f7fa136cfdac61e0225
This patch fixes the problem with symbol search order
for dlsym(RTLD_DEFAULT/RTLD_NEXT, .) by loading libraries
and ld_preloads in correct order.
Bug: https://code.google.com/p/android/issues/detail?id=74255
Change-Id: If1ba5c807322409faa914e27ecb675e2c4541f0d
Attempt: 2
This patch fixes the problem with symbol search order
for dlsym(RTLD_DEFAULT/RTLD_NEXT, .) by loading libraries
and ld_preloads in correct order.
Bug: https://code.google.com/p/android/issues/detail?id=74255
Change-Id: I4cf84c70dbaabe99310230dfda12385ae5401859
On most architectures the kernel subtracts a random offset to the stack
pointer in create_elf_tables by calling arch_align_stack before writing
the auxval table and so on. On all but x86 this doesn't cause a problem
because the random offset is less than a page, but on x86 it's up to two
pages. This means that our old technique of rounding the stack pointer
doesn't work. (Our old implementation of that technique was wrong too.)
It's also incorrect to assume that the main thread's stack base and size
are constant. Likewise to assume that the main thread has a guard page.
The main thread is not like other threads.
This patch switches to reading /proc/self/maps (and checking RLIMIT_STACK)
whenever we're asked.
Bug: 17111575
Signed-off-by: Fengwei Yin <fengwei.yin@intel.com>
Change-Id: I1d4dbffe7bc7bda1d353c3a295dbf68d29f63158
Removes the leading underscores from __android_set_abort_message() and
moves its declaration into a public header file.
Bug: 17059126
Change-Id: I470c79db47ec783ea7a54b800f8b78ecbe7479ab
bionic_systrace.h contains an implementation of tracing that
can be used with systrace.py and its associated viewer. pthread_mutex
now uses this tracing to track pthread_mutex contention, which can be
enabled by using the "bionic" command line option to systrace.
Bug: 15116468
Change-Id: I30ed5b377c91ca4c36568a0e647ddf95d4e4a61a
The getentropy_linux.c is lightly modified to build on Android, but we're now
completely in sync with upstream OpenBSD's arc4random implementation.
Change-Id: If32229fc28aba908035fb38703190d41ddcabc95
Also remove __bionic_name_mem which has exactly one caller, and is only
ever expected to be used in this one place.
Change-Id: I833744f91e887639f5b2d1269f966ee9032af207
There were two bugs here:
- For 64 bit values, this did not properly round up.
- The macro rounded to the power of 2 less than value, not to the power
of 2 greater than value.
Change-Id: If8cb41536a9d2f5c1bc213676f1e67a7903a36b0
It's okay for a program to choose to drag in stdio, but it's unfortunate
if even the minimal "int main() { return 42; }" drags in stdio...
This brings the minimal static binary on ARM down from 78KiB to 46KiB.
Given that we don't have a separate -lpthread it's not obvious to me that
we can shave this down any further. I'm not sure whether this is a worthwhile
change for that reason. (And the fact that dynamic binaries, the usual case,
are unaffected either way.)
Change-Id: I02f91dcff37d14354314a30b72fed2563f431c88
This is actually revision 1.33, which is no longer the latest, but it's
as close to head as we can currently reasonably get. I've also switched
to the OpenBSD getentropy_linux.c implementation of getentropy, lightly
modified to try to report an error on failure.
Bug: 14499627
Change-Id: Ia7c561184b1f366c9bf66f248aa60f0d53535fcb
This allows an easier way to share config parameters between unit tests
and the bionic code.
It also fixes a problem where the 32 bit bionic tests based on glibc, or
the cts list executable did not have the pvalloc,valloc tests.
Change-Id: Ib47942cb8a278252faa7498a6ef23e9578db544f
mbrtoc32 and c32rtomb get their implementations from mbrtowc and wcrtomb. The
wc functions now simply call the c32 functions.
Bug: 14646575
Change-Id: I49d4b95fed0f9d790260c996c4d0f8bfd1686324
The problem with the original patch was that using syscall(3) means that
errno can be set, but pthread_create(3) was abusing the TLS errno slot as
a pthread_mutex_t for the thread startup handshake.
There was also a mistake in the check for syscall failures --- it should
have checked against -1 instead of 0 (not just because that's the default
idiom, but also here because futex(2) can legitimately return values > 0).
This patch stops abusing the TLS errno slot and adds a pthread_mutex_t to
pthread_internal_t instead. (Note that for LP64 sizeof(pthread_mutex_t) >
sizeof(uintptr_t), so we could potentially clobber other TLS slots too.)
I've also rewritten the LP32 compatibility stubs to directly reuse the
code from the .h file.
This reverts commit 75c55ff84e.
Bug: 15195455
Change-Id: I6ffb13e5cf6a35d8f59f692d94192aae9ab4593d
This reverts commit ced906c849.
Causes issues on art / dalvik due to a broken return value
check and other undiagnosed issues.
bug: 15195455
Change-Id: I5d6bbb389ecefb0e33a5237421a9d56d32a9317c
Also hide part of the system properties compatibility code, since
we needed to touch that to keep it building.
I'll remove __futex_syscall4 and futex in a later patch.
Bug: 11156955
Change-Id: Ibbf42414c5bb07fb9f1c4a169922844778e4eeae
To use jemalloc, add MALLOC_IMPL = jemalloc in a board config file
and you get the new version automatically.
Update the pthread_create_key tests since jemalloc uses a few keys.
Add a new test to verify memalign works as expected.
Bug: 981363
Change-Id: I16eb152b291a95bd2499e90492fc6b4bd7053836