They're both obsolescent in POSIX.1-2008, and you really shouldn't be
using them, but since we can't actually delete them...
This change makes them both obey $TMPDIR if set, and fall back to
/data/local/tmp otherwise. That's as good as we've managed for anything
else such as tmpfile(3).
Also add some tests.
Bug: http://b/174682340
Test: treehugger
Change-Id: Ieef99dcc2062f84b2b7cbae046787fdfe975e772
These cover the parts of fnmatch() that I think I understand. Missing
FNM_LEADING_DIR because I still haven't understood that yet. All the
descriptions of its behavior that I've seen are slightly (or very)
inconsistent, and it seems like the implementations are genuinely
different too.
Test: treehugger
Change-Id: I1284c406639bef1bfe74db3cad45965c8ab29c2b
- Make it apply to every thread, and thus remove the restriction
that it must be called while the program is single threaded.
- Make it change TCF0 itself (on all threads), instead of requiring
callers to do it themselves, which can be error prone.
And update all of the call sites.
Change the implementation of
android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) to call
android_mallopt(M_SET_HEAP_TAGGING_LEVEL) internally. This avoids
crashes during startup that were observed when the two mallopts
updated TCF0 unaware of each other.
I wouldn't expect there to be any out-of-tree callers at this point,
but it's worth noting that the new interface is backwards compatible
with the old one because it strictly expands the set of situations in
which the API can be used (i.e. situations where there are multiple
threads running or where TCF0 hadn't been updated beforehand).
Bug: 135772972
Change-Id: I7746707898ff31ef2e0af01c4f55ba90b72bef51
Not sure what the problem is yet, and can't guarantee I'll have time to
look this week, so let's disable this for now...
Bug: http://b/172465723
Test: treehugger
Change-Id: I052c2ed876504581cb89e49f1c65c3232d213eb5
A constructor or destructor function with an integral priority is
placed in an .init_array or .fini_array section with the priority
suffixed to the section name:
- __attribute__((constructor)) ==> .init_array
- __attribute__((constructor(42))) ==> .init_array.42
The suffixed init/fini sections appear before the unsuffixed sections,
so the prioritized functions appeared before the __{INIT,FINI}_ARRAY__
symbols and were dropped when the symbols were used.
The (static) linker doesn't recognize priority suffixes on
.preinit_array.
This bug affected .init_array and .fini_array for static executables.
For dynamic executables, only .fini_array was affected, because
.init_array is handled by the dynamic loader instead, which uses
DT_INIT_ARRAY[SZ]. For DSOs, neither is affected, because the two
sections are only handled by the dynamic loader.
This patch also fixes a minor inconsistency where dynamic init/preinit
were passed argc/argv/envp, but static were not.
Bug: http://b/170983066
Test: bionic-unit-tests
Change-Id: I0fffa776e5d9bdb6f8af06b4c1af148236742fef
With native_bridge, native and emulated parts exchange data, including
pointers. If tagging on native architecture is different from tagging on
emulated architecture, all the pointers in the data exchange must be
identified and marshalled, which is hardly feasible.
Disable MTE tests with native_bridge.
Bug: 135772972
Bug: 159352723
Test: bionic-unit-tests --gtest_filter=*mte*
Change-Id: Icba90636173e9e71036def5302c7d0a09dd8873b
(cherry picked from commit ed51fb9a07)
Introduce an android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) API call
that may be used to disable zero- or pattern-init on non-MTE hardware,
or memory tagging on MTE hardware. The intent is that this function
may be called at any time, including when there are multiple threads
running.
Disabling zero- or pattern-init is quite trivial, we just need to set
a global variable to 0 via a Scudo API call (although there will be
some separate work required on the Scudo side to make this operation
thread-safe).
It is a bit more tricky to disable MTE across a process, because
the kernel does not provide an API for disabling tag checking in all
threads in a process, only per-thread. We need to send a signal to each
of the process's threads with a handler that issues the required prctl
call, and lock thread creation for the duration of the API call to
avoid races between thread enumeration and calls to pthread_create().
Bug: 135772972
Change-Id: I81ece86ace916eb6b435ab516cd431ec4b48a3bf
It's possible for malloc to return a pointer that is not going to
crash with __cfi_slowpath. It's possible to modify the cfi code
to avoid this problem, but I'm not convinced that this will be any
better at catching problems. So I'm just modifying the test so that
it will eventually allocate a pointer that does not overlap.
This previous version of the test failed on jemalloc svelte config,
but there is nothing that would not result in a failure on scudo
leading to a failure every once in a while.
Bug: 142556796
Bug: 140079007
Test: cts -m CtsBionicTestCases
Change-Id: Ibf12a286c411e0bdc9f81589f2f66fd0ccd7f07a
(cherrypick of f322483b3f)
A downstream user of bionic has a test that requires the sizes and
offsets of various fields in pthread_internal_t to be consistent
between x86 and arm32, and between x86_64 and arm64, by checking that
the sizes and offsets match hardcoded constants. Since this test often
makes it difficult to update bionic's internal data structures, add
a test to bionic that does the same thing so that we can remove the
downstream test and make it easier to change internal data structures
in bionic.
Change-Id: Id5bd3f9fae00aa3b50d1b1267e782e26fe6c8369
android_filesystem_config.h is found since system/core/include is on
the include path for all projects and contains a symlink to the real
android_filesystem_config.h. This is fragile and the below bug seeks
to remove this symlink and have users correctly depend on
libcutils_headers.
In bionic, libcutils_headers header library cannot be used due to
cyclic dependencies, so it gets the actual include path instead, which
is less bad than depending on the build system injecting the for all
modules.
Bug: 165825252
Test: build
Change-Id: Id43bdea9553b1174ceb3efc2a3ed505888619c62
The test reserves all memory but the minimum required to create a
thread. However, after the thread is created, native_bridge needs more
memory to translate and run the thread function.
This might be prevented by native_bridge preallocating a memory buffer
to be used for translation. But, first, this complication seems to be
needed just for this kind of tests, and, second, it is pretty flaky
regarding changes both in native_bridge and bionic.
Looks better to disable this test with native_bridge.
Bug: 67745607
Bug: 148608153
Bug: 157394871
Test: bionic-unit-tests --gtest_filter=pthread.pthread_create__mmap_failures
Change-Id: I42ce2b5a01a7d9f10d952a5fc7b75d51fa89072a
(cherry picked from commit b4f7aaac5c)
Except they are the same on arm32/arm64, so we hadn't really noticed. x86
and x86-64 are quite different though, presumably by historical accident.
Fix the definitions and add some static asserts.
Bug: https://github.com/android/ndk/issues/1347
Test: treehugger
Change-Id: Ic27b172066cf3443749463b9b73c912d204f9516
I made toybox use strptime %Z recently (so that it can parse the default
POSIX date(1) output), forgetting that bionic's strptime(3) doesn't
support %Z. Neither does glibc, for that matter; the toybox change works
on glibc effectively by accident --- glibc just ignores the next word
when parsing %Z and assumes that the current time zone ($TZ) is
appropriate. Which it is for the only obvious use case of "round trip
date(1) output".
The related %z is potentially quite a bit more useful in general (parsing
any valid RFC822 time zone), though sadly not useful for the toybox case
that prompted.
Every time I touch this file I promise that I'll actually get us back in
sync with upstream, and every time I fail to get round to it. Maybe
2020 or 2021 will finally be the year...
Also add corresponding tests.
Bug: https://b/167455975
Test: treehugger
Change-Id: I13a7fb7e3ad01ae855750b9314d2eec661fe034f
bionic/tests/fortify_test.cpp:207:31: error: format specifies type 'char *' but the argument has type 'void *' [-Werror,-Wformat]
ASSERT_FORTIFY(printf("%s", memchr(myfoo.a, 'a', asize)));
~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~
Bug: http://b/155835175
Test: atest for bionic
Change-Id: I0fa4e63deadffb7391e66ab834ff11e4f1d6dba6
Mostly from extra test cases, but also:
* Move the fgets size < 0 assertion into fgets.
* Use ELF aliases for strtoq/strtouq rather than duplicating code.
* Don't check uname() succeeded, since it can't fail.
Test: treehugger
Change-Id: I2e6b3b88b0a3eb16bd68be68b9bc9f40d8043291
(Based on proposal at https://sourceware.org/glibc/wiki/ThreadPropertiesAPI)
This includes API to:
- locate static and dynamic TLS
- register thread-exit and dynamic TLS creation/destruction callbacks
Change-Id: Icd9d29a5b2f47495395645e19d3b2c96826f19c8
This is not actually a property that is guaranteed by the bionic
implementation of CFI shadow. Since the gaps between libraries are not
completely inaccessible, it is possible for a stack mapping to sneak in,
which would cause the callback to register in the test library.
This is not a correctness issue in CFI as the actual __cfi_check
callback will reject such address anyway, at a small CPU cost.
Bug: 156218352
Test: CtsBionicTestCases-cfi_test#basic
Change-Id: I8d04fb7132e1eac2a8abfbc48a37c8eac6e25a09
Merged-In: I8d04fb7132e1eac2a8abfbc48a37c8eac6e25a09
(cherry picked from commit 0f6b504e0c)
Now we're being marked down for our poor coverage, we may as well remove
more broken cruft. Despite the amount of effort that seems to have gone
into pututline(), it wasn't working with the other utmp.h functions (in
particular, utmpname()), and wasn't declared in the header file!
Test: treehugger
Change-Id: I1a583984189c751168c11c01431433f96f8c548b
Similar to the musl strstr. This patch also increases test coverage for
memmem, again similar to the strstr tests.
Test: treehugger
Change-Id: I7f4a2ab93a610cb692994d06d2512976e657ae9f
Bug: http://b/157081822
- Disable coverage for libtest_check_rtld_next_from_library to make
dlfcn.rtld_next_from_library to pass.
- The coverage runtime sets an environment variable to prevent
clobbering of the coverage data on disk. Include that variable as well
when checking `printenv` output. This is done at runtime by checking
for LLVM_PROFILE_FILE environment variable.
- dl.preinit_system_calls still fails after this change.
Test: bionic tests with libc coverage turned on.
Change-Id: I3ea2b0800886d8c0984969a4ee8bfb0da03c33b0
Update a comment in android-changes-for-ndk-developers.md about the
removed debug.ld.greylist_disabled system property.
Update language to comply with Android's inclusive language guidance
#inclusivefixit
See https://source.android.com/setup/contribute/respectful-code for reference
Bug: http://b/162536543
Test: bionic-unit-tests
Change-Id: I760ee14bce14d9d799926c43d2c14fd8ffbc6968
This was initially just to try on "pty" and "tty" for size, while
discussing with other projects to try to align on vocabulary, but -- in
the implemention and tests at least -- but these work out so well that
I'm tempted to go with them anyway if we can't come to a concensus. We
can always come back and change them again later.
What I really like is that you pass the pty to functions like ptsname()
and grantpt() with a 'p' in the name, and the tty to functions like
ttyname() and tcsetattr() with just 't's.
The use of "parent" and "child" in forkpty() seems helpful too.
Also fix the documentation of forkpty(), which wasn't quite right.
Test: treehugger
Change-Id: Ic010c4b669f6528591c653e3701f4e41e0d0df9e
https://reviews.llvm.org/D75225 changed the way that orphan sections are
retained, breaking this test. The test relied on these sections being
merged in an implementation-defined order that no longer holds true. We
can use custom sections to place the symbols we want more precisely.
Bug: http://b/161943302
Test: adb shell /data/nativetest64/bionic-unit-tests/bionic-unit-tests --gtest_filter=dlfcn.segment_gap --no_isolate
Change-Id: I65656080e39be16833191cb92d3d4c41e409b216
This is not actually a property that is guaranteed by the bionic
implementation of CFI shadow. Since the gaps between libraries are not
completely inaccessible, it is possible for a stack mapping to sneak in,
which would cause the callback to register in the test library.
This is not a correctness issue in CFI as the actual __cfi_check
callback will reject such address anyway, at a small CPU cost.
Bug: 156218352
Test: CtsBionicTestCases-cfi_test#basic
Change-Id: I8d04fb7132e1eac2a8abfbc48a37c8eac6e25a09
(cherry picked from commit 0f6b504e0c)
The comment and pragma for GCC genuinely don't seem to be needed for
Clang.
Clarify the comment about the two ways in which clang_fortify_tests.cpp
is used.
Test: treehugger
Change-Id: Icb48a5848c005104ab2d2456da3978bbaf7e158c
This is not actually a property that is guaranteed by the bionic
implementation of CFI shadow. Since the gaps between libraries are not
completely inaccessible, it is possible for a stack mapping to sneak in,
which would cause the callback to register in the test library.
This is not a correctness issue in CFI as the actual __cfi_check
callback will reject such address anyway, at a small CPU cost.
Bug: 156218352
Test: CtsBionicTestCases-cfi_test#basic
Change-Id: I8d04fb7132e1eac2a8abfbc48a37c8eac6e25a09
R GSI on P product tests fail since pw_shell has changed. This value
has no practical use on Android, so we ignore testing it for older
vendor images.
Bug: 160937247
Test: this test does/doesn't run appropriately
Merged-In: Ie485bd019b3826e71ad19131effcbb002f888d52
Change-Id: Ie485bd019b3826e71ad19131effcbb002f888d52
(cherry picked from commit b9fa04d805)
R GSI on P product tests fail since pw_shell has changed. This value
has no practical use on Android, so we ignore testing it for older
vendor images.
Bug: 160937247
Test: this test does/doesn't run appropriately
Change-Id: Ie485bd019b3826e71ad19131effcbb002f888d52
With native_bridge, native and emulated parts exchange data, including
pointers. If tagging on native architecture is different from tagging on
emulated architecture, all the pointers in the data exchange must be
identified and marshalled, which is hardly feasible.
Disable MTE tests with native_bridge.
Bug: 135772972
Bug: 159352723
Test: bionic-unit-tests --gtest_filter=*mte*
Change-Id: Icba90636173e9e71036def5302c7d0a09dd8873b
This replaces a single 2Gb readable memory region with a bunch of tiny
regions, and leaves the bulk of 2Gb mapped but unaccessible. This makes
it harder to defeat ASLR by probing for the CFI shadow region.
Sample CFI shadow mapping with this change:
7165151000-716541f000 ---p 00000000 00:00 0 [anon:cfi shadow]
716541f000-7165420000 r--p 00000000 00:00 0 [anon:cfi shadow]
7165420000-71654db000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654db000-71654dc000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dc000-71654dd000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dd000-71654f0000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654f0000-71654f1000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654f1000-71e5151000 ---p 00000000 00:00 0 [anon:cfi shadow]
This change degrades CFI diagnostics for wild jumps and casts (i.e. when
the target of a CFI check is outside of any known library bounds). This
is acceptable, because CFI does not have much to tell about those cases
anyway. Such bugs will show up as SEGV_ACCERR crashes inside
__cfi_slowpath in libdl.so from now on.
Bug: 158113540
Test: bionic-unit-tests/cfi_test.*
Test: adb shell cat /proc/$PID/maps | grep cfi
Change-Id: I57cbd0d3f87eb1610ad99b48d98ffd497ba214b4
Merged-In: I57cbd0d3f87eb1610ad99b48d98ffd497ba214b4
The test reserves all memory but the minimum required to create a
thread. However, after the thread is created, native_bridge needs more
memory to translate and run the thread function.
This might be prevented by native_bridge preallocating a memory buffer
to be used for translation. But, first, this complication seems to be
needed just for this kind of tests, and, second, it is pretty flaky
regarding changes both in native_bridge and bionic.
Looks better to disable this test with native_bridge.
Bug: 67745607
Bug: 148608153
Bug: 157394871
Test: bionic-unit-tests --gtest_filter=pthread.pthread_create__mmap_failures
Change-Id: I42ce2b5a01a7d9f10d952a5fc7b75d51fa89072a
This replaces a single 2Gb readable memory region with a bunch of tiny
regions, and leaves the bulk of 2Gb mapped but unaccessible. This makes
it harder to defeat ASLR by probing for the CFI shadow region.
Sample CFI shadow mapping with this change:
7165151000-716541f000 ---p 00000000 00:00 0 [anon:cfi shadow]
716541f000-7165420000 r--p 00000000 00:00 0 [anon:cfi shadow]
7165420000-71654db000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654db000-71654dc000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dc000-71654dd000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dd000-71654f0000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654f0000-71654f1000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654f1000-71e5151000 ---p 00000000 00:00 0 [anon:cfi shadow]
This change degrades CFI diagnostics for wild jumps and casts (i.e. when
the target of a CFI check is outside of any known library bounds). This
is acceptable, because CFI does not have much to tell about those cases
anyway. Such bugs will show up as SEGV_ACCERR crashes inside
__cfi_slowpath in libdl.so from now on.
Bug: 158113540
Test: bionic-unit-tests/cfi_test.*
Test: adb shell cat /proc/$PID/maps | grep cfi
Change-Id: I57cbd0d3f87eb1610ad99b48d98ffd497ba214b4
If an alternate signal stack is set and the frame record is in bounds of
that stack, we need to use the top of the alternate signal stack for bounds
checking rather than the normal stack.
Bug: 150215618
Change-Id: I78b760d61b27da44f8e0cfee3fe94a791011fe58
Merged-In: I78b760d61b27da44f8e0cfee3fe94a791011fe58
So the message gets flushed before the following abort.
Test: bionic-unit-tests without bionic-loader-test-libs at the expected
relative path shows the error message.
Change-Id: I53bb27a88b73c9d8f4bb76560752f99a104d71ca
This reverts commit 01fb8d7120.
Reason for revert: Re-land the test after fixing b/156397945
Bug: 156397945
Change-Id: Ie9ec5fef7a308e28d512c6438c5c06758bdbcf06
Our various fd debugging facilities get extremely confused by a vforked
process closing file descriptors in preparation to exec: fdsan can
abort, and fdtrack will delete backtraces for any file descriptors that
get closed. Keep track of whether we're in a vforked child in order to
be able to detect this.
Bug: http://b/153926671
Test: 32/64-bit bionic-unit-tests on blueline, x86_64 emulator
Change-Id: I8a082fd06bfdfef0e2a88dbce350b6f667f7df9f
(cherry picked from commit 2303283740)
Our various fd debugging facilities get extremely confused by a vforked
process closing file descriptors in preparation to exec: fdsan can
abort, and fdtrack will delete backtraces for any file descriptors that
get closed. Keep track of whether we're in a vforked child in order to
be able to detect this.
Bug: http://b/153926671
Test: 32/64-bit bionic-unit-tests on blueline, x86_64 emulator
Change-Id: I8a082fd06bfdfef0e2a88dbce350b6f667f7df9f
Change the location set in the linker
Bug: 130219528
Bug: 138994281
Test: atest CtsBionicTestCases
Test: atest CtsJniTestCases
Change-Id: I215a8e023ccc4d5ffdd7df884c809f8d12050c8f
The SYNC tagging level enables stack trace collection for allocations and
deallocations, which allows allocation and deallocation stack traces to
appear in tombstones when encountering a tag check fault in synchronous tag
checking mode.
Bug: 135772972
Change-Id: Ibda9f51b29d2c8e2c993fc74425dea7bfa23ab1e
Looks like the arguments were unintentionally swapped?
Bug: 155526611
Change-Id: I39d49f94387cfd337c89becb5eb6f85ca638bef1
Signed-off-by: Alistair Delva <adelva@google.com>
accept creates an additional socket behind the scenes to communicate
with netd. Filter out events for temporarily created, but then closed
fds to allow for this.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I2168ddc60f307278e3257ffcdf591272d61d45bb
When doing checkbuild for make_fortify_compile_test.mk:
bionic/tests/clang_fortify_tests.cpp
error: 'error' diagnostics seen but not expected:
Line 171: 'mempcpy' will always overflow; destination buffer has size 8, but size argument is 9
1 error generated.
Bug: 149839606
Test: run checkbuild.
Change-Id: I97371600f6183b5cee8c2a6b976f5bf33e1f781d
(cherry picked from commit ae1745d375)
Add tests for all of our existing wrappers (with one commented out,
because it's unexpectedly generating multiple events).
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I552692aef952237c2eee0dabec61b7ea7fd230e3
(cherry picked from commit 9d512402d4)
Add tests for all of our existing wrappers (with one commented out,
because it's unexpectedly generating multiple events).
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I552692aef952237c2eee0dabec61b7ea7fd230e3
The triggering reason for this change is that the SDK snapshot
generation cannot readily handle header libraries that are required for
targets that the SDK itself isn't available for. However, these include
files shouldn't be used without Bionic anyway.
Relanding unchanged - the build problem was due to a split topic.
Test: m checkbuild (on aosp_taimen)
Test: m (on aosp_taimen_hwasan)
Test: atest CtsBionicTestCases
Test: lunch fvp-userdebug && mmm bionic
Bug: 152255951
Change-Id: Iaf49597ea265e6f2a042de5ee873238073b2e545
Reason for revert: Breaks rvc-d1-dev-plus-aosp: http://ab/6443190
Reverted Changes:
Ide447b89a:bionic_libc_platform_headers is only available whe...
Ia93cd3ec8:bionic_libc_platform_headers is only available whe...
Icdc495588:Make bionic_platform_headers available only for Bi...
Idfd7c87dc:bionic_libc_platform_headers is only available whe...
Bug: 152255951
Bug: 155269399
Change-Id: I214f1165bb0a7e59d3b35a13b3cceb1965be922b
The triggering reason for this change is that the SDK snapshot
generation cannot readily handle header libraries that are required for
targets that the SDK itself isn't available for. However, these include
files shouldn't be used without Bionic anyway.
Test: m checkbuild (on aosp_taimen)
Test: m (on aosp_taimen_hwasan)
Test: atest CtsBionicTestCases
Test: lunch fvp-userdebug && mmm bionic
Bug: 152255951
Change-Id: Icdc49558893c5355860f78d23275c49ba0119900
It's possible for malloc to return a pointer that is not going to
crash with __cfi_slowpath. It's possible to modify the cfi code
to avoid this problem, but I'm not convinced that this will be any
better at catching problems. So I'm just modifying the test so that
it will eventually allocate a pointer that does not overlap.
This previous version of the test failed on jemalloc svelte config,
but there is nothing that would not result in a failure on scudo
leading to a failure every once in a while.
Bug: 142556796
Bug: 140079007
Test: Ran bionic unit tests with jemalloc and scudo.
Change-Id: Iff45bd950d2eb33ff56dc700a2d739b5b578e090
Merged-In: Iff45bd950d2eb33ff56dc700a2d739b5b578e090
(cherry picked from commit f322483b3f)
When doing checkbuild for make_fortify_compile_test.mk:
bionic/tests/clang_fortify_tests.cpp
error: 'error' diagnostics seen but not expected:
Line 171: 'mempcpy' will always overflow; destination buffer has size 8, but size argument is 9
1 error generated.
Bug: 149839606
Test: run checkbuild.
Change-Id: I97371600f6183b5cee8c2a6b976f5bf33e1f781d
This actually breaks *all* the tests, because the bionic-unit-tests
binary crashes while running this ifunc before hwasan is set up.
A longer term fix would be to have the compiler insert a call to
__hwasan_init at the start of any ifunc resolvers.
Bug: 135772972
Test: ran tests on a hwasan build
Change-Id: I424b3035e1f76aa4b98c11346825b9ed140584ba
Previously, these tests would fail if vendors modified
private/android_filesystem_config.h to add their custom AIDs, but we
did not have a good alternative that vendors could use, so we added a
special case to ignore the vendor AID ranges.
We've had a proper solution since P for this range, so it's long past
time to remove this special case.
Test: add system, vendor, odm, product, and system_ext AIDs to
config.fs, ensure that they've taken effect on cuttlefish,
pass these unit tests
Change-Id: I6c9c2bf5e895c25805222da018188b269777171c
1) "fix the system properties design" is written for the old protocol,
so we've already changed the design. There are no other further
planned changes.
2) "don't drag in all the macros, just the types." is not likely to
happen or be particularly impactful.
3) "Find a location suitable for these functions ..." is refering to
legacy code. More likely that this code will be removed before we
find a serious reason to fix this TODO.
4) "(73062966) We still don't have a good way ..." is stale; we fixed
this bug and added the appropriate mechanism.
Test: n/a
Change-Id: I23991692cdeb81ad00844a6a1680900ff384208b
The test was failing due to a kernel vDSO that was linked without
--eh-frame-hdr. The kernel bug is fixed for at least the goldfish and
cuttlefish devices.
3d4b1ffc7eb66f198bf3
Bug: http://b/132763120
Test: bionic unit tests, on goldfish and cuttlefish
Change-Id: I5e1d819b604a4baf5b9208f0b19471f9abbcfe75
It's possible for malloc to return a pointer that is not going to
crash with __cfi_slowpath. It's possible to modify the cfi code
to avoid this problem, but I'm not convinced that this will be any
better at catching problems. So I'm just modifying the test so that
it will eventually allocate a pointer that does not overlap.
This previous version of the test failed on jemalloc svelte config,
but there is nothing that would not result in a failure on scudo
leading to a failure every once in a while.
Bug: 142556796
Bug: 140079007
Test: Ran bionic unit tests with jemalloc and scudo.
Change-Id: Iff45bd950d2eb33ff56dc700a2d739b5b578e090
The question of why the unit tests need the bootstrap bionic came up
while I was working on http://b/152572170.
Test: none
Change-Id: I08651200e2193c6ea4d3a734b59f022d69e5f154
These solves the issue that targetting non-profilable apps crashed them.
There is still a race condition between starting the app and the SIG_IGN
being installed, but that will be fixed in follow-ups.
This also does not cover programs that statically link libc, but those are
rare.
This might be reverted if we find a more general solution to
b/151835887.
Bug: 151328035
Test: java profile sysui, doesn't crash
Test: atest CtsBionicTestCases
This is a cherry-pick of 96272df35c
Change-Id: I6b99352ed50afe15a609f7ddb85312c2676ddf11
Merged-In: I6b99352ed50afe15a609f7ddb85312c2676ddf11
These solves the issue that targetting non-profilable apps crashed them.
There is still a race condition between starting the app and the SIG_IGN
being installed, but that will be fixed in follow-ups.
This also does not cover programs that statically link libc, but those are
rare.
This might be reverted if we find a more general solution to
b/151835887.
Bug: 151328035
Test: java profile sysui, doesn't crash
Test: atest CtsBionicTestCases
Change-Id: I6b99352ed50afe15a609f7ddb85312c2676ddf11
POSIX added these GNU extensions for issue 8.
I've made these always inline without the usual "until API level X"
proviso because they're single instructions that the compiler can inline
and there's really no point providing these if they add function call
overhead --- everyone should just use __builtin_ffs() and friends
instead in that case.
Bug: https://austingroupbugs.net/view.php?id=617
Test: treehugger
Change-Id: I33fc4b8648ea25917329e81c1b4c60eb9a66d667
This should make it less likely that the writer finishes before the
reader even starts. It makes the test run longer, but devices have
gotten faster suince this test was written.
Bug: 152218463
Test: Treehugger
Change-Id: I409e59071991095fb17e067760f2a5f29ede0ba2
I can't reproduce locally, but treehugger is seeing 6% flake in the
signal.sigwait64_SIGRTMIN test. It's the only test in the file with a
sleep() in it, which always makes me suspicious, and we aren't having
trouble with the (in principle) very similar sigwaitinfo() tests, so
switch over to their style.
Bug: http://b/149934069
Test: treehugger
Change-Id: I2a1193b0cbec50f6548badf7dc7175bb6a49e45f
We had two copies of this function, one (not quite correct) in tests/utils.h
and another in bionic/macros.h. Delete the former and have the users include
the latter.
Also, create an overload of the function that takes a uintptr_t, which will
be useful for out-of-process scenarios such as the MTE support in debuggerd.
Bug: 135772972
Change-Id: Ia3c2652c97797663146b3f05fa786afe09f7ea97
This causes failures in signal handler tests, because it looks like clang
doesn't understand how to enable the stack protection in a signal handler.
Clang winds up scribbling on the real stack.
Bug: 149934069
Bug: 151372823
Test: Ran all unit tests on bonito/taimen and the signal handler tests pass.
Change-Id: If73f55e7505b6d7f35b340be0b03c798b21e2829
Simplify:
- Use a single memory-mapped region to hold the table of destructors.
Double its capacity each time it is expanded.
- Add a recompaction pass at the end of __cxa_finalize that shifts
entries forward and uses madvise to clean pages.
Bug: http://b/148055738
Test: bionic-unit-tests
Change-Id: Ieb9da2b88640a8a5277d217b43826b5b7e246781
(cherry picked from commit afa983c8d4)
Simplify:
- Use a single memory-mapped region to hold the table of destructors.
Double its capacity each time it is expanded.
- Add a recompaction pass at the end of __cxa_finalize that shifts
entries forward and uses madvise to clean pages.
Bug: http://b/148055738
Test: bionic-unit-tests
Change-Id: Ieb9da2b88640a8a5277d217b43826b5b7e246781
If an alternate signal stack is set and the frame record is in bounds of
that stack, we need to use the top of the alternate signal stack for bounds
checking rather than the normal stack.
Bug: 150215618
Change-Id: I78b760d61b27da44f8e0cfee3fe94a791011fe58
This change adds standard branch protection to bionic unit tests
for arm64 targets. For more information see
https://developer.arm.com/search#q=branch-protection
Both Armv8.3-A Pointer Authentication (using the A-key) hint-space
instructions and Armv8.5-A Branch Target Identification hint-space
landing pads are added to the generated code.
Test: 1. Tested on flame
2. Tested on FVP
Change-Id: Ice991c538a9101448dea64c357f3f6bfb93877eb
The tag level may now be async, which is now the default. When the tag level
is set to none, memory tagging is disabled in the allocator using the new
API proposed in https://reviews.llvm.org/D70762 .
Bug: 135772972
Change-Id: I847f5822a70913c446ed9ffa13792177bbfc96af
An upcoming change to scudo will cause us to start calling
android_unsafe_frame_pointer_chase() from within the allocator. Since this
function uses ScopedDisableMTE, this would otherwise make it unsafe to use
the allocator from within ScopedDisableMTE. This seems like an unreasonable
restriction, so make ScopedDisableMTE save the PSTATE.TCO state in the
constructor and restore it in the destructor.
Bug: 135772972
Change-Id: I47e18d5fb2929efd5a58676488180cd85731007b
XOM is no longer supported by the build system, so remove these
properties.
Bug: 123034666
Bug: 147300048
Test: Build succeeds.
Change-Id: I77efc98241f45b1a78b1cca5560f64eef5ef22f4
The mips/mips64 targets were never able to pass these tests, and the
supported architectures don't need any of these workarounds.
Test: treehugger
Change-Id: I640a8b7a98ae13d9d9cdb09b0fbef61d31d4c79a
Scudo implemented malloc_info for the primary allocator, so add some
small amount of validation.
Test: Ran the malloc_info tests and verified they pass.
Change-Id: Ib7c609e46cc1ed73fa5c042df92fa9b568880f21
GWP-ASan is part of the native allocator, and may allocate some memory.
When GWP-ASan is enabled, the malloc tests need to look inside of
GWP-ASan regions as well for native allocations.
Bug: 135634846
Test: atest bionic-unit-tests
Change-Id: Ibb78f9c9e7e96a437cffce013facd18708799b0e
GWP-ASan introduces two Initial-Exec thread-local variables into
libc.so. This causes the ELF TLS test to understandably fail, and needs
to be patched up.
Bug: 148606979
Test: atest bionic-unit-test
Change-Id: I77500a00edb55cb7bcd3cd3faffb76d2339ab42c
When a library is present in a namespace via the secondary_namespaces
list (i.e. the executable, LD_PRELOAD, DF_1_GLOBAL, or
android_create_namespace inheritance), then we want to search that
library's symbols, but not the symbols of its dependencies. Otherwise,
we want to search the dependencies to handle cross-NS dependency.
Bug: http://b/148569846
Test: bionic unit tests
Change-Id: If798d69de28ed5c0f1a155e4ff85c7e08934e531
This function will be used by Scudo and GWP-ASan to efficiently collect
stack traces for frames built with frame pointers.
Bug: 135634846
Bug: 135772972
Change-Id: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
Merged-In: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
Add a hook that's called upon file descriptor creation to libc, and a
library that uses it to capture backtraces for file descriptor creation,
to make it easier to hunt down file descriptor leaks.
Currently, this doesn't capture all of the ways of creating a file
descriptor, but completeness isn't required for this to be useful as
long as leaked file descriptors are created with a function that is
tracked. The primary unhandled case is binder, which receives file
descriptors as a payload in a not-trivially-parsable byte blob, but
there's a chance that the leak we're currently trying to track down
isn't of a file descriptor received over binder, so leave that for
later.
Bug: http://b/140703823
Test: manual
Change-Id: I308a14c2e234cdba4207157b634ab6b8bc539dd9
(cherry picked from commit b7eccd4b15)
mte_supported() lets code efficiently detect the presence of MTE, and
ScopedDisableMTE lets code disable MTE RAII-style in a particular region
of code.
Bug: 135772972
Change-Id: I628a054b50d79f67f39f35d44232b7a2ae166afb
On Android, fcntl is always implemented by fcntl64(2). This means that
an LP32 binary can `fcntl(F_SETLK, struct flock)` (because fcntl64(2)
passes through to the 32-bit fcntl(2) to handle F_SETLK), and it can
also `fcntl(F_SETLK64, struct flock64)`. What it can't do before this
patch is set _FILE_OFFSET_BITS=64 and then `fcntl(F_SETLK, struct
flock)` where that `struct flock` is actually implicitly `struct
flock64`.
Move the kernel uapi structs out of the way, define them ourselves based
on __LP64__ and _FILE_OFFSET_BITS, and fix up the relevant F_ constants.
(Also add a .clang-format to turn off clang-format in libc/include/.)
Bug: N/A
Test: treehugger (and strace!)
Change-Id: Iccd6c83d9133e1efcf93a7b49a6ae0f1bbd3d58b
The alloc after fork is a test that should pass, but jemalloc
doesn't right now. Leave the test disabled until the native
allocator can pass this.
Test: Ran the test 1000 times on glibc to verify it passes.
Test: On device, verified it does not run.
Change-Id: I482af4db2fee81c947ac081c7a6f25a2aff80350
Test (a) that we can load the library, but also (b) that readelf thinks
it contains the relocation encoding we were expecting. Do this for all
four of RELR, ANDROID_RELR, relocation packer, and the original ELF
relocation encoding.
Bug: http://b/147452927
Test: treehugger
Change-Id: I5fab72f99d46991c1b206a1c15c76e185b7148b3
Until now we've only supported RELR with our own OS-private-use
constants. Add support for the official numbers (while maintaining
support for the historical numbers).
Add tests to ensure we continue to support both indefinitely.
We can't yet flip the build system over to using the official constants
because the old GNU binutils objcopy we still use in most cases (for the
mini-debug section) only supports the historical constants.
Bug: http://b/147452927
Test: treehugger
Change-Id: If214fce7fade4316115947e90b78ab40864b61f2
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).
We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.
If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.
Bug: 135754954
Bug: 147147490
Test: cd bionic && atest .
Change-Id: Ie424325ba1e3c4443040ac265aeaa28d9e405d28
setprogname() does a basename, but we were initializing __progname
directly. Stop doing that, and add some tests.
Test: treehugger
Change-Id: I06f306ade4161b2f0c7e314a3b1b30c9420117b7
Use O_PATH like musl to let the kernel do the hard work, rather than the
traditional BSD manual scheme.
Also add the most obvious missing tests from reading the man page, plus
a non-obvious test for deleted files.
Bug: http://b/131435126
Test: treehugger
Change-Id: Ie8a8986fea55f045952a81afee377ce8288a49d5
This reverts commit 43d5f9d4dd.
Bug: 135754954
Bug: 147147490
Exempt-From-Owner-Approval: clean revert
Reason for revert: Breaks ART gtest, see:
https://ci.chromium.org/p/art/builders/ci/angler-armv8-non-gen-cc/561
The crash happens on mprotect of a page, the test crashes with ENOMEM.
Change-Id: I52eea1abbfaf8d8e2226f92d30aa55aba3810528
Bug: 122332847
Bug: 130734182
Test: mmm bionic/tests; same files installed before & after
Test: m cts; same files in cts before & after
Test: `objdump -x <files> | grep NEEDED` is identical
Test: `objdump -x <files> | grep RUNPATH` difference make sense
(additional lib64 entries from soong, minimal reorder)
Test: treehugger
Change-Id: I6eea4c3f9c0040efeba64e2b47c7b573767cd386
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).
We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.
If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.
Bug: 135754954
Bug: 147147490
Test: cd bionic && atest .
Change-Id: I6e5b809fc81f55dd517f845eaf20f3c0ebd4d86e
This patch refactors heapprofd_malloc to make it easier to reuse the
reserved signal for multiple purposes. We define a new generic signal
handler for profilers, which dispatches to more specific logic based on
the signal's payload (si_value).
The profiler signal handler is installed during libc preinit, after
malloc initialization (so races against synchronous heapprofd
initialization need not be considered). In terms of code organization, I
copied the existing approach with a loosely referenced function in
bionic_globals.h. Do tell if you'd rather a different approach here.
The profileability of a process is quite tied to the malloc
files/interfaces in bionic - in particular, it's set through
android_mallopt. I do not change that, but instead introduce a new
android_mallopt option to be able to query profileability of the
process (which is now used by the new profiler signal handler). As part
of that, gZygoteChildProfileable is moved from heapprofd_malloc to
common (alongside gZygoteChild).
I've removed the masking and reraising of the heapprofd signal when
racing against malloc_limit init. We're ok with taking a simpler
approach and dropping the heapprofd signal in such an unlikely race.
Note: this requires a corresponding change in heapprofd to use sigqueue()
instead of kill(), as the latter leaves the si_value uninitialized(?) on
the receiving side.
Bug: 144281346
Change-Id: I93bb2e82cff5870e5ca499cf86439860aca9dfa5
Bug: 146576216
Test: Ran the test on jemalloc and glibc.
Test: Ran the test on scudo and verified that failed without the align
Test: change.
Change-Id: I31a96f8672c6bce2423210300288a13df1eda42a
Before, the helper method for this test had two local variables:
char buf[128];
volatile char* p;
Then the test wrote zeros into the buffer and one past the buffer end.
This relied on the fact that the compiler constructed the stack frame
with 'p' first and then the buffer (and also optimized away the 'size'
variable).
However, some compiler options (namely -ftrivial-auto-var-init=pattern)
result in the stack frame being reordered so that 'p' is actually after
buf, and the test cannot pass.
Fixes: 132780819
Test: bionic-unit-tests-static (w/ w/o flag)
Change-Id: Icc87c02add211c2afb7c96ae22701ec27990364c
Historically we've made a few mistakes where they haven't matched the
right number. And most non-Googlers are much more familiar with the
numbers, so it seems to make sense to rely more on them. Especially in
header files, which we actually expect real people to have to read from
time to time.
Test: treehugger
Change-Id: I0d4a97454ee108de1d32f21df285315c5488d886
The executable flag might not be present for the executable segment
if the code is being handled by native bridge implementation. Old
heuristics for this case was to assume first segment is executable.
This doesn't stand any more. Instead, look for segment that contains
the function test is going to call.
Test: bionic-unit-tests --gtest_filter=dlext.ns_anonymous
Change-Id: I960bebba86e225d739b73f6d093e145fff17b4a8
'kill(pid, sig)' sends signal to arbitrary thread within a process, thus
test was occasionally sending signal to the killing thread, not to the
waiting thread. Use 'tgkill(pid, tid, sig)' instead.
Test: bionic-unit-tests --gtest_filter=signal.sigwait64_SIGRTMIN
Change-Id: I80377295e2362cb87eb4fb4de2489c51c520ea77
With previous sleep time, if unlucky, newly started thread can send
signal before main thread starts sigwait.
Test: bionic-unit-tests --gtest_filter=signal.sigwait64_SIGRTMIN
Change-Id: I63d7825a695988e388903c7951e2435cb69773a1
The code was checking PTRACE_GETREGSET output even in case of error.
This seems not correct. Though ptrace can still write some output in
case of EINVAL, implementation should still check updated iov_len before
reading it.
Change the code to avoid checking output in case of error at all.
Test: bionic-unit-tests --gtest_filter=sys_ptrace.watchpoint_stress
Change-Id: I7b1ca18ac64f81055ff89f56b453aff0ce8e1057
dl#exec_linker* tests are failing on devices with emulated
architecture due to hardcoded path to linker.
Test: bionic-unit-tests --gtest_filter=dl.exec_linker*
Bug: b/141914915
Change-Id: Id6d8d3ee7114e70b07e44034aa62dce0a3e0760e
Signed-off-by: Dmytro Chystiakov <dmytro.chystiakov@intel.com>
(cherry picked from commit 595c381841)
64bit libraries should be located in /system/lib64 directory
instead of /system/lib for platforms with emulated arhitecture.
This patch updated ALTERNATE_PATH_TO_SYSTEM_LIB for 64bit values
Test: run cts -m CtsBionicTestCases -t dlfcn.dladdr_libc
Bug: 129389761
Change-Id: I29d6d36d15d7e61818c7ed1cfd0786745d9ae6a2
Signed-off-by: Dmytro Chystiakov <dmytro.chystiakov@intel.com>
(cherry picked from commit e712cd185f)
dl#exec_linker* tests are failing on devices with emulated
architecture due to hardcoded path to linker.
Test: bionic-unit-tests --gtest_filter=dl.exec_linker*
Bug: b/141914915
Change-Id: Id6d8d3ee7114e70b07e44034aa62dce0a3e0760e
Signed-off-by: Dmytro Chystiakov <dmytro.chystiakov@intel.com>
In configs like ASAN, we can't use _chk functions. This CL builds off of
previous work to allow us to still emit diagnostics in conditions like
these.
Wasn't 100% sure what a good test story would look like here. Opinions
appreciated.
Bug: 141267932
Test: checkbuild on internal-master. TreeHugger for x86_64.
Change-Id: I65da9ecc9903d51a09f740e38ab413b9beaeed88
For reasons explained in the code comment, go back to roughly our old
code. The "new" tests are just the old tests resurrected.
This also passes the current toybox xargs tests, which were the
motivation for going back on our earlier decision.
Test: bionic and toybox tests
Change-Id: I33cbcc04107efe81fdbc8166dc9ae844e471173e
Right now, when we read a system property, we first (assuming we've
already looked up the property's prop_info) read the property's serial
number; if we find that the low bit (the dirty bit) in the serial
number is set, we futex-wait for that serial number to become
non-dirty. By doing so, we spare readers from seeing partially-updated
property values if they race with the property service's non-atomic
memcpy to the property value slot. (The futex-wait here isn't
essential to the algorithm: spinning while dirty would suffice,
although it'd be somewhat less efficient.)
The problem with this approach is that readers can wait on the
property service process, potentially causing delays due to scheduling
variance. Property reads are not guaranteed to complete in finite time
right now.
This change makes property reads wait-free and ensures that they
complete in finite time in all cases. In the new approach, we prevent
value tearing by backing up each property we're about to modify and
directing readers to the backup copy if they try to read a property
with the dirty bit set.
(The wait freedom is limited to the case of readers racing against
*one* property update. A writer can still delay readers by rapidly
updating a property --- but after this change, readers can't hang due
to PID 1 scheduling delays.)
I considered adding explicit atomic access to short property values,
but between binary compatibility with the existing property database
and the need to carefully handle transitions of property values
between "short" (compatible with atomics) and "long" (incompatible
with atomics) length domains, I figured the complexity wasn't worth it
and that making property reads wait-free would be adequate.
Test: boots
Bug: 143561649
Change-Id: Ifd3108aedba5a4b157b66af6ca0a4ed084bd5982
This reverts commit d7e11b8853.
Reason for revert: Breaks aosp_x86_64-eng. Will look into it and
unbreak when it's not almost midnight. :)
Change-Id: I21f76efe4d19c70d0b14630e441376d359a45b49
When using a FILE object for some malloc debug functions, calling
fprintf will trigger an allocation to be put in the object. The problem
is that these allocations were not allocated by the malloc debug
wrapper and they get freed during the fclose as if they are malloc
debug allocation. In most cases, the code will detect the bad pointer
and leak the memory, but it might also cause a crash.
The fix is to avoid using fprintf so that no allocations are made
in the object that survive and need to be freed in the fclose call.
Change the MallocXmlElem.h to use a file decsriptor not a FILE object.
Add new unit and system tests to detect this case.
Bug: 143742907
Test: Ran unit and system tests.
Test: Ran bionic unit tests.
Change-Id: I524392de822a29483aa5be8f14c680e70033eba2
This change makes it easier to diagnose mistakes in linker
configuration that result in a library being accidentally loaded in
multiple namespaces without its dependencies available everywhere.
Test: manually tested the error message
Test: bionic-unit-tests
Change-Id: I03a20507f8fc902c2445a7fbbf59767ffffd5ebf
In configs like ASAN, we can't use _chk functions. This CL builds off of
previous work to allow us to still emit diagnostics in conditions like
these.
Wasn't 100% sure what a good test story would look like here. Opinions
appreciated.
Bug: 141267932
Test: checkbuild on internal-master
Change-Id: I8d4f77d7b086a8128a18a0a0389243d7fa05b00f
Upstream keeps rearranging the deckchairs for these, so let's just
switch to the [roughly] one-liners rather than track that...
Test: treehugger
Change-Id: If655cf7a7f316657de44d41fadd43a8c55ee6f23
In order for an ifunc resolver to detect the presence of certain CPU features,
access to getauxval(AT_HWCAP) or getauxval(AT_HWCAP2) may be required. In order
for getauxval() to work, it needs to access the pointer to the auxiliary vector
stored by the linker in the libc shared globals data structure. Accessing the
shared globals requires libc to call the __libc_shared_globals() function
exported by the linker. However, in order to call this function, libc must
be fully relocated, which is not guaranteed to be the case at the point when
ifunc resolvers are called.
glibc solves this problem by passing the values of getauxval(AT_HWCAP)
(and getauxval(AT_HWCAP2) on aarch64) as arguments to the ifunc resolver.
Since this seems to be not only the most straightforward way to solve the
problem but also improves our compatibility with glibc, we adopt their
calling convention.
This change is ABI compatible with old resolvers because the arguments are
passed in registers, so the old resolvers will simply ignore the new arguments.
Bug: 135772972
Change-Id: Ie65bd6e7067f0c878df3d348c815fda61dc12de2
This patch decreases created threads to 50 (instead of 90)
on devices with 2 cores CPU. It is a second decrease as this
test case started to fail on same devices after kernel uprev
Bug: b/142210680
Test: Run CtsBionic module on 2 core device with command
"run cts -m CtsBionicTestCases
Change-Id: I4f73363b342b38c92d64aaf213071f899e5b52ac
Signed-off-by: Dmytro Chystiakov <dmytro.chystiakov@intel.com>
I plan to add tests to this test binary that take a long time to run.
The first is a malloc test that demonstrates that jemalloc appears
to be leaking memory slowly over time.
Test: Ran the bionic-stress-tests on host and verified it runs forever,
Test: but doesn't display RSS/VSS data.
Test: Ran the bionic-stress-tests on a taimen and verified it runs forever,
Test: and does display RSS/VSS data.
Change-Id: Ic612e4181ffea898d4d83af097939cd517a180ee
Scudo creates a large map on 64 bit which can cause a slow down trying
to get the usage stats for all maps. Since the test only really cares
about a small subset of maps, only get the usage stats for those maps.
Test: Ran unit tests on scudo and jemalloc based systems.
Change-Id: Iba3cff1487ca304083aac323a3971b9f939f5c11
As the first pass, the malloc_info for scudo doesn't return anything.
This feature is hardly ever used, so this seems fine for the first
revision.
Bug: 137795072
Test: Ran unit tests on a taimen using scudo and a taimen using jemalloc.
Change-Id: I675386ae17ba5505c27bd9da12c60242d795464a
There are places in frameworks and art code that directly included
private bionic header files. Move these files to the new platform
include files.
This change also moves the __get_tls.h header file to tls.h and includes
the tls defines header so that there is a single header that platform
code can use to get __get_tls and the defines.
Also, simplify the visibility rules for platform includes.
Bug: 141560639
Test: Builds and bionic unit tests pass.
Change-Id: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
Merged-In: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
(cherry picked from commit 44631c919a)
Bug: 141358530
Test: Forced a skip and verified it registers as a skip.
Change-Id: I9915c67ebae4389a26f28e16375ad4a41f3e4837
(cherry picked from commit 103b998a52)
A kernel update broke three clock_getres tests, so disable
them while the kernel is fixed.
Bug: 141515847
Test: All tests pass on cuttlefish.
Change-Id: I7db789b2b8ba0bc5f8b13bb06e85711031735925
This was necessary because we weren't doing -Werror=fortify-source
everywhere. As of I2715ea411ef067f801534dab4d306fef5431f290, we should
be doing this.
Bug: 131861088
Test: mma
Change-Id: I00d499938ae24c3870760470576d6be603fbecd1
Clang recently grew its own diagnostics for memcpy and such. These are
generally higher-quality than what we can do with diagnose_if, since
clang is happy to include e.g., sizes of things per-callsite. Move to
those instead where applicable.
Bug: 131861088, 123644155
Test: blueline internal-master checkbuild; treehugger
Change-Id: I701f5a8b247ba2948ca47fdc60ff5198b564c03e
Instead of having platform directories directly include the
private header, create a platform header directory and export it.
Bug: 130763340
Test: Builds.
Change-Id: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
Merged-In: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
(cherry picked from commit 8f582ef2f8)
Add a test for the new flag and add a test for the EFD_CLOEXEC flag.
Test: New unit tests pass on glibc and target.
Change-Id: Ib7a6ea4aadbd67ba8a523b6114a49fb8d6a43f12
This avoids issues where an allocation could create a map while trying
to check data from the maps and running malloc_iterate.
Bug: 137795072
Test: Runs in unit tests.
Change-Id: If8509845d86dd9d002aeac3aa9278fbcf026af17
Previously, Bionic's dl_phdr_info only included the first four
dl_iterate_phdr fields. Several other libc's have these additional fields:
unsigned long long dlpi_adds -- incremented when a library is loaded
unsigned long long dlpi_subs -- incremented when a library is unloaded
size_t dlpi_tls_modid -- TLS module ID
void* dlpi_tls_data -- pointer to current thread's TLS block or NULL
These extra fields are also exposed by glibc, musl, and FreeBSD. The
unwinder in libgcc.a, linked into shipping Android DSOs, has a
PC->eh_frame cache that activates if dl_phdr_info has the dlpi_adds and
dlpi_subs fields (indicated at run-time by a sufficiently-large size
argument to the callback).
Bug: https://github.com/android-ndk/ndk/issues/1062
Test: bionic unit tests
Change-Id: I6f0bab548cf8c828af2ddab9eb01c5c6d70cd81f
The test starts failing in the upcoming lld update. The root cause is
that no relro section is specified by the linker script, and the orphan
placement algorithm decides to place them after .text which is a
misaligned place.
Test: bionic-unit-tests
Bug: 139089152
Bug: 131328001
Change-Id: I2140d8a9fd7c712f1d31a541a3b4a10788385e98
The call to the load hook needs to be moved before the call to link_image()
because the latter calls ifunc resolvers which might access global
variables. This fixes a bunch of ifunc tests.
The dlfcn.segment_gap test is currently failing. One problem is that the name
of the .bss.end_of_gap section changes as a result of global instrumentation.
Add some wildcards in so that we match both names. The other problem seems
to be the same as b/139089152.
It turns out that we need to untag pointers in a few more places. Since we have
quite a few of these now it seems worth creating a function for it.
Test: bionic-unit-tests
Change-Id: I44e2b0904faacdda7cc0c5e844ffc09de01dea2d
Host includes are updated now, so we always must include
bits/stdatomic.h
Bug: 137876753
Bug: 138701943
Test: not yet
Change-Id: Ib2ce34ae5dace8f9a114fa8c04f864cd7f41a5d9
If one of our threads exits and a new process shows up with the same
tid, we would previously loop until that process exits, leading to
flakiness in tests.
Also fix use of uninitialized memory that happens when threads_count !=
kThreadCount.
Bug: http://b/139315254
Test: /data/nativetest/bionic-unit-tests/bionic-unit-tests --gtest_filter="pthread_leak.detach" on cuttlefish
Change-Id: I2aad7f3f105aeba87c3929bfce53ef08e1484b2d
These are old enough now that the latest devices will have kernels that
support them.
Also add basic doc comments to <sys/mman.h>.
Test: treehugger
Change-Id: I1b5ff5db0b6270f5c374287cac1d6a751a0259f5
https://reviews.llvm.org/D58797 added several new compile time
_FORTIFY_SOURCE diagnostics. This broke clang_fortify_tests:
FAILED: out/target/product/walleye/obj/STATIC_LIBRARIES/bionic-compile-time-tests2-clang++_intermediates/clang_fortify_tests.o
error: 'warning' diagnostics seen but not expected:
Line 159: 'memcpy' will always overflow; destination buffer has size 8, but size argument is 9
Line 161: 'memmove' will always overflow; destination buffer has size 8, but size argument is 9
Line 165: 'memset' will always overflow; destination buffer has size 8, but size argument is 9
Line 183: 'strncpy' size argument is too large; destination buffer has size 8, but size argument is 9
Line 185: 'stpncpy' size argument is too large; destination buffer has size 8, but size argument is 9
Line 189: 'strncat' size argument is too large; destination buffer has size 8, but size argument is 9
Line 227: 'strncpy' size argument is too large; destination buffer has size 4, but size argument is 5
Line 232: 'stpncpy' size argument is too large; destination buffer has size 4, but size argument is 5
Line 242: 'strncat' size argument is too large; destination buffer has size 4, but size argument is 5
Line 490: 'snprintf' size argument is too large; destination buffer has size 8, but size argument is 9
Line 495: 'vsnprintf' size argument is too large; destination buffer has size 8, but size argument is 9
error: 'note' diagnostics seen but not expected:
File bionic/libc/include/bits/fortify/fcntl.h Line 50: 'open' has been explicitly marked unavailable here
File bionic/libc/include/bits/fortify/fcntl.h Line 102: 'open64' has been explicitly marked unavailable here
File bionic/libc/include/bits/fortify/fcntl.h Line 75: 'openat' has been explicitly marked unavailable here
File bionic/libc/include/bits/fortify/fcntl.h Line 121: 'openat64' has been explicitly marked unavailable here
File bionic/libc/include/bits/fortify/stdio.h Line 68: 'sprintf' has been explicitly marked unavailable here
16 errors generated.
Bug: 131328001
Bug: 138701853
Test: Build with r365631 toolchain
Change-Id: I103ecb7b3abcf4b5cfc4f36ccab69e03d0976275
The previous check was causing some problems with platform builds
using the NDK. The new check is more accurate.
Move the C definitions from stdatomic.h to bits/stdatomic.h since
with the new check, we no longer can use the #undef trick to test
them.
Test: build platform NDK with stdatomic.h in pthread.h header
Test: stdatomic bionic-unit-tests
Change-Id: Ia0bc3cc8344f2ba4e6e55a52248fb6efee799d1d
A bit of over-reliance on implementing pthread_cond_clockwait() in
terms of existing functions ended up with a bug that if the condition
variable was initialized to use CLOCK_MONOTONIC, then
pthread_cond_clockwait() would do the wrong thing.
This change corrects that and adds a test for this case.
Test: new and existing tests pthread_cond unit tests
Change-Id: I708d5dfbef95a67678db56dceda011f2f8fd1c5c
Note that unlike the oem_ range that is used for the vendor
partitions, we do not create oem_<n> entries for these new reserved
ranges; they will only appear in getpwent()/getgrent() if there is an
entry in the corresponding passwd/group file.
Bug: 73062966
Test: can load AIDs from partitions other than vendor
Test: bionic-unit-tests
Change-Id: Ifcbbf202894adff948eaaba2a59e25c993611140
This might let us get to using toybox grep for the build faster than if
we have to implement PCRE support.
Test: builds
Change-Id: Idaf24cfefbf18fdc442871f24fe4fe9b2152359a
__builtin_*_chk will emit warnings when things are trivially broken.
Emitting errors instead is probably better (and we can be a bit smarter
about how we emit code for trivially safe cases.)
Bug: 131861088
Test: checkbuild + bionic-unit-tests on blueline
Change-Id: I33957ad419922d0760304758ecb9bc8ad33e0b64
In order for cts to enumerate tests, even tests that are not supported
need to run and be skipped. Make this true for pvalloc/valloc
tests.
Change-Id: I863a179ee6810824a7117f44cc9aa3f86d01eb5b
Test: Ran tests in 32 bit and 64 bit and verified tests are skipped in
Test: 64 bit and run properly in 32 bit.
This also adds _2-variants for these functions, for extra glorious
checking
Bug: 131861088
Test: mma
Change-Id: I80475ff4bb220c0c47894e9532426f53412f176f
We should only be calling _real versions of the functions that use this
if the input size is verifiably <= SSIZE_MAX. Otherwise, just fall
through to _chk and let that handle it.
Bug: 131861088
Test: mma && bionic-unit-tests
Change-Id: Iba04e486ef91ea1b3539ab6df6260429264e66b4
As it says on the box.
Since realpath isn't a function definition, any attributes it provides
here just add to the "regular" realpath.
__wur is being added to realpath because it returns NULL on failure, and
the contents of the input buffer are undefined in that case. A blueline
checkbuild showed 0 complaints about this new __wur, so it seems
harmless to add.
Bug: 131861088
Test: mma
Change-Id: If5f47e0e290d86df69c0888711e29775c390fca4
This CL allows us to diagnose string functions that get an explicit size
passed into them, and string functions that are trivially misused.
Bug: 131861088
Test: mma
Change-Id: I894aec99420a75c6474cfd7d5010f0cf2f10ab21
My declval hack failed on x86_64 with:
```
substitution failure [with T = __va_list_tag [1]]: function cannot
return array type '__va_list_tag [1]'
```
...Because the type of va_list is compiler magic, it's fine for it to be
whatever the compiler wants it to be. Thankfully, pointers to arrays can
be returned, so let's use those instead.
Bug: 135210098
Test: mma on aosp_blueline-eng and aosp_x86_64-eng; the latter was
failing before this patch.
Change-Id: Iefd57c0f8e823653fd70633fb6ee75cfc0022430
Chrome OS has a fairly extensive FORTIFY test suite for both
compile-time and run-time diagnostics. It covers tons of edge cases, and
conveniently centralizes diagnostic and death testing.
A fair amount of it has been ifdef'ed out, since Bionic doesn't yet
diagnose (or crash on) some of these things. The intent is to explicitly
declare defeat on the things we don't care to FORTIFY, and slowly fix
the rest in easier-to-digest CLs.
Once that's done, we might be able to look into retiring some of the
FORTIFY testing that we don't share with the CrOS folks.
Bug: 131861088
Test: mma + bionic-unit-tests on blueline
Change-Id: I16734ea0769e03cf658ef10532d64f28fdb36a89
Cleanup of references to 'coverage' in build files. Part of a larger
cleanup to make fuzzing work again in the Android build tree.
Also fixed a test issue with emulated TLS with the new changes, and
removed libc.so fuzzer support until a linked bug is fixed
(b/132640749).
Bug: 121042685
Test: With all patches in the bug merged: mmma bionic
Change-Id: I592352fe9210ff811a2660a88cbbfe48d70a1e57
Merged-In: I592352fe9210ff811a2660a88cbbfe48d70a1e57
In an attempt to make bionic's reporting of users and groups more
accurate, this change makes the user / group functions do the
following:
1) Fail to query a uid/gid for a secondary user when the uid/gid
doesn't exist. Currently bionic would return successfully but with
a empty string for the name.
2) Fail to query a platform uid/gid, except a limited pre-allocated
set for a secondary user, as these are not used by second users.
3) Fail to query uids for all users for the GID-only app ranges:
CACHE_GID, EXT_GID, EXT_CACHE_GID, SHARED_GID.
4) Fail to query gids in SHARED_GID range for secondary users, as
these GIDs are only allocated for the first user.
5) Use "u#_a#_ext" and u#_a#_ext_cache" for EXT_GID and EXT_CACHE_GID
ranges. This both allows querying based on these names and
returning these names for the appropriate uids/gids.
This also consolidates the tests for better readability.
Test: these unit tests, boot
Change-Id: I59a1af0792e7806d423439582e56ce7f9f801c94
Cleanup of references to 'coverage' in build files. Part of a larger
cleanup to make fuzzing work again in the Android build tree.
Also fixed a test issue with emulated TLS with the new changes, and
removed libc.so fuzzer support until a linked bug is fixed
(b/132640749).
Bug: 121042685
Test: With all patches in the bug merged: mmma bionic
This is the qt-dev-plus-aosp cherrypick of aosp/954684. See the AOSP
commit for further information.
Change-Id: I592352fe9210ff811a2660a88cbbfe48d70a1e57
On cf_x86_phone-userdebug, both of the unwind through signal
tests fail. This has been failing forever, but seems to have suddenly
become an issue, so disable while I try to figure out why this is happening.
Bug: 132763120
Test: Ran on emulator and verified tests are skipped.
Change-Id: Iafc227d972a7783e94c701d73078c9570cea288e
Merged-In: Iafc227d972a7783e94c701d73078c9570cea288e
(cherry picked from commit d424fafbce)
(cherry picked from commit fe0fbcff7f)
A proposed set of changes:
https://android-review.googlesource.com/q/topic:"no-dup-hwasans"
will cause the HWASAN runtime to be moved from /system/lib64 to
/system/lib64/bootstrap. This causes a problem in the case where libc is built
with HWASAN but init is not built with HWASAN. In this case, libc.so will have
a DT_NEEDED dependency on the HWASAN runtime but init will not. Currently,
init and other bootstrap executables arrange to load bootstrap libraries by
setting rpath, but rpath only has an effect on libraries directly depended
on by the main executable, not libraries indirectly depended on by it. This
means that the loading of the HWASAN runtime will fail.
Instead of relying on rpath to find the bootstrap libraries, modify the
bootstrap linker so that it searches the bootstrap library directory after
searching the rpath.
Change-Id: I297be32e04ecd316ee12b8e694588e1249e2bb89
On cf_x86_phone-userdebug, both of the unwind through signal
tests fail. This has been failing forever, but seems to have suddenly
become an issue, so disable while I try to figure out why this is happening.
Bug: 132763120
Test: Ran on emulator and verified tests are skipped.
Change-Id: Iafc227d972a7783e94c701d73078c9570cea288e
Merged-In: Iafc227d972a7783e94c701d73078c9570cea288e
(cherry picked from commit d424fafbce)
getpwnam_r() and getpwuid_r() clobber the storage used by getpwnam()
and getpwuid(). This isn't likely to be a big issue, but since we do
this right for the group functions, fix this as well as add a test.
Both use more space in buf than is actually required, but well below
their sysconf() suggested values, so we accept that to keep the code
concise.
Add tests for dealing with unaligned input buffers, particularly for
getgrnam_r() and getgrgid_r(), as they require alignment but this
wasn't being tested.
Refactor common initialization code for both passwd and group state
structs.
Remove extraneous null pointer checks; the values they were testing
were offsets of a previous pointer, so guaranteed to never actually be
null. If the underlying pointer is actually null, we're beyond repair
anyway, so accept that we'll crash.
Test: pwd/grp unit tests
Change-Id: I60c4d00e9ab3cf55daf8314c5029fd914025b696
This patch decreases created threads to 90 (instead of 100)
on devices with 2 cores CPU. This test can fail with timeout
on such devices.
Bug: b/129924384
Test: Run CtsBionic module on 2 core device with command
"run cts -m CtsBionicTestCases"
Change-Id: Ic770006a324748d7d6dfbe8d4fb301e21e494ff9
Signed-off-by: Dmytro Chystiakov <dmytro.chystiakov@intel.com>
Without pulling in <linux/fs.h>, the UAPI source of these constants,
because it's full of pollution, in particular a macro called BLOCK_SIZE
that breaks a lot of stuff.
Test: treehugger
Change-Id: I7258ec57e91c67645c2b4d0ce44850d757c4bb12
The locking can fail in a couple of ways:
- A concurrent fread from an unbuffered or line-buffered file flushes
the output of other line-buffered files, and if _fwalk locks every
file, then the fread blocks until other file reads have completed.
- __sfp can initialize a file lock while _fwalk is locking/unlocking it.
For now, revert to the behavior Bionic had in previous releases. This
commit reverts the file locking parts of commit
468efc80da.
Bug: http://b/131251441
Bug: http://b/130189834
Test: bionic unit tests
Change-Id: I9e20b9cd8ccd14e7962f7308e174f08af72b56c6
(cherry picked from commit c485cdb024)
Clang uses this for its own diagnostic tests. The nice feature it adds
here is that it fails if clang emits a diagnostic that we don't expect
(and we get to drop a dependency on FileCheck).
This also tweaks and renames file-check-cxx to reflect its new job.
Bug: 131861088
Test: mma
Change-Id: I77f7ce77869edaa23e2401e622ad7007d2fee06c
The locking can fail in a couple of ways:
- A concurrent fread from an unbuffered or line-buffered file flushes
the output of other line-buffered files, and if _fwalk locks every
file, then the fread blocks until other file reads have completed.
- __sfp can initialize a file lock while _fwalk is locking/unlocking it.
For now, revert to the behavior Bionic had in previous releases. This
commit reverts the file locking parts of commit
468efc80da.
Bug: http://b/131251441
Bug: http://b/130189834
Test: bionic unit tests
Change-Id: I9e20b9cd8ccd14e7962f7308e174f08af72b56c6
Also change the names of some of the functions to make it very obvious
that the functions being called are in je code.
Write new test to make sure mallinfo and malloc_info match.
Bug: 131864803
Test: New unit tests pass (along with all other bionic unit tests).
Change-Id: I26eda7e64f57a8c56cc8d70e3ed6a29dcb87f630
Merged-In: I26eda7e64f57a8c56cc8d70e3ed6a29dcb87f630
(cherry picked from commit 125d32cb46)
Also change the names of some of the functions to make it very obvious
that the functions being called are in je code.
Write new test to make sure mallinfo and malloc_info match.
Bug: 131864803
Test: New unit tests pass (along with all other bionic unit tests).
Change-Id: I26eda7e64f57a8c56cc8d70e3ed6a29dcb87f630
This was broken by all the mainline modules stuff. It's quite a bit
hairier to set up now, given that we don't have an apexd on the host.
An alternative might be to actually set up a fake /apex that points to
the bootstrap directories?
Test: ./benchmarks/run-on-host.sh 64
Test: ./tests/run-on-host.sh 64
Change-Id: If2c277ba492c7c443cdf51526ea42f56568e2ea6
FreeBSD, glibc, and musl have all implemented C11 threads at this
point. POSIX is looking at how to align with it. Probably time to jump
on the bandwagon ourselves...
Implemented in the same style as <termios.h> so we can provide this
functionality even on older API levels. This does mean that this is
strictly more expensive than calling pthread functions directly.
Although this isn't in POSIX yet, assume that it's going to be basically
the same as C11 and add the header test anyway. We should revisit this
when POSIX actually adds <threads.h>.
Test: new tests
Change-Id: I8602d67ce71ca7f8ed1529daa0a8ea1feb083dd6