Right now, when we read a system property, we first (assuming we've
already looked up the property's prop_info) read the property's serial
number; if we find that the low bit (the dirty bit) in the serial
number is set, we futex-wait for that serial number to become
non-dirty. By doing so, we spare readers from seeing partially-updated
property values if they race with the property service's non-atomic
memcpy to the property value slot. (The futex-wait here isn't
essential to the algorithm: spinning while dirty would suffice,
although it'd be somewhat less efficient.)
The problem with this approach is that readers can wait on the
property service process, potentially causing delays due to scheduling
variance. Property reads are not guaranteed to complete in finite time
right now.
This change makes property reads wait-free and ensures that they
complete in finite time in all cases. In the new approach, we prevent
value tearing by backing up each property we're about to modify and
directing readers to the backup copy if they try to read a property
with the dirty bit set.
(The wait freedom is limited to the case of readers racing against
*one* property update. A writer can still delay readers by rapidly
updating a property --- but after this change, readers can't hang due
to PID 1 scheduling delays.)
I considered adding explicit atomic access to short property values,
but between binary compatibility with the existing property database
and the need to carefully handle transitions of property values
between "short" (compatible with atomics) and "long" (incompatible
with atomics) length domains, I figured the complexity wasn't worth it
and that making property reads wait-free would be adequate.
Test: boots
Bug: 143561649
Change-Id: Ifd3108aedba5a4b157b66af6ca0a4ed084bd5982
aosp/144287300 set it to a global cppflag.
The compiler upgrade can now check for this warning in C code.
This patch should be reverted once the BSD sources with instances of
-Wimplicit-fallthrough have been fixed.
Remove it from cflags, so that it's not re-enabled for C code until
fixed.
Bug: 139945549
Bug: 144287300
Test: mm
Change-Id: Ieca0d5b41634636477392e5209a41807f9b44bd4
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
libc++ poisons `__out` because it's #defined on Windows. Rather than
hack libc++, let's just avoid that name. "src" and "dst" are far more
widely used than "in" and "out" for this purpose anyway.
Test: treehugger
Change-Id: I0db9997fd5f06f626dbf0ee967b52145395466b4
I have no idea why I used the iterate name internally which is
completely unlike every other function name. Change this to match
everyone else so that it's now malloc_iterate everywhere.
This is probably the last chance to change this before mainline
modules begin, so make everything consistent.
Test: Compiles, unit tests passes.
Change-Id: I56d293377fa0fe1a3dc3dd85d6432f877cc2003c
This reverts commit d7e11b8853.
Reason for revert: Breaks aosp_x86_64-eng. Will look into it and
unbreak when it's not almost midnight. :)
Change-Id: I21f76efe4d19c70d0b14630e441376d359a45b49
When using a FILE object for some malloc debug functions, calling
fprintf will trigger an allocation to be put in the object. The problem
is that these allocations were not allocated by the malloc debug
wrapper and they get freed during the fclose as if they are malloc
debug allocation. In most cases, the code will detect the bad pointer
and leak the memory, but it might also cause a crash.
The fix is to avoid using fprintf so that no allocations are made
in the object that survive and need to be freed in the fclose call.
Change the MallocXmlElem.h to use a file decsriptor not a FILE object.
Add new unit and system tests to detect this case.
Bug: 143742907
Test: Ran unit and system tests.
Test: Ran bionic unit tests.
Change-Id: I524392de822a29483aa5be8f14c680e70033eba2
Using ifuncs allows the linker to select faster versions of libc functions
like strcmp, making linking faster.
The linker continues to first initialize TLS, then call the ifunc
resolvers. There are small amounts of code in Bionic that need to avoid
calling functions selected using ifuncs (generally string.h APIs). I've
tried to compile those pieces with -ffreestanding. Maybe it's unnecessary,
but maybe it could help avoid compiler-inserted memset calls, and maybe
it will be useful later on.
The ifuncs are called in a special early pass using special
__rel[a]_iplt_start / __rel[a]_iplt_end symbols. The linker will encounter
the ifuncs again as R_*_IRELATIVE dynamic relocations, so they're skipped
on the second pass.
Break linker_main.cpp into its own liblinker_main library so it can be
compiled with -ffreestanding.
On walleye, this change fixes a recent 2.3% linker64 start-up time
regression (156.6ms -> 160.2ms), but it also helps the 32-bit time by
about 1.9% on the same benchmark. I'm measuring the run-time using a
synthetic benchmark based on loading libandroid_servers.so.
Test: bionic unit tests, manual benchmarking
Bug: none
Merged-In: Ieb9446c2df13a66fc0d377596756becad0af6995
Change-Id: Ieb9446c2df13a66fc0d377596756becad0af6995
(cherry picked from commit 772bcbb0c2)
The shadowing of `ai` meant that the freeaddrinfo() call outside the
loop would never see anything but NULL.
Bug: https://issuetracker.google.com/143928781
Test: treehugger
Change-Id: I1bf137f7933201eb8024603bfd569ff7bbc7f9b7
The underlying descriptor is supposed to be closed when the ScopedFd
goes out of scope but due to a typo in reset() that never happens.
This change was inspired by an earlier implementation of ScopedFd in:
04dc91ae7 Load library using file handle.
Issue: 143918215
Test: Manual (verify fd usage on device)
Change-Id: I5664fa82d3e732113732e34a7ae6df3ca79d3cee
Also remove the __INTRODUCED_IN(16)s, since we don't support anything
lower than 16.
Test: treehugger
Change-Id: I2cbd023d211a0f0ddf27251071caa29839c671a8
Remove some __INTRODUCED_IN(16)s, since we don't support anything lower
than 16, so that's a no-op. And add the missing doc comments to those
headers while we're there.
Test: treehugger
Change-Id: I0328c530675564f0f1124bd483da05ad06df3507
In configs like ASAN, we can't use _chk functions. This CL builds off of
previous work to allow us to still emit diagnostics in conditions like
these.
Wasn't 100% sure what a good test story would look like here. Opinions
appreciated.
Bug: 141267932
Test: checkbuild on internal-master
Change-Id: I8d4f77d7b086a8128a18a0a0389243d7fa05b00f
This will activate code in bionic that uses the experimental MTE
userspace interface.
Bug: 135772972
Change-Id: I9ac641b9528de5376cdb920bee0e900a1b1fa9c2
This is actually for the new change I'm working on, but let's retrofit
it first to separate any bugs in these changes from those in the new
change...
Test: treehugger
Change-Id: I890aeb61f9792810a77ad0da3f9674c9cc5db7bb
This flag prevents the compiler from inserting calls to libc functions in
the ifunc resolver code, which will definitely cause problems if the libc
function is itself an ifunc, but other calls that use the PLT may also be
affected, since libc may not have been fully resolved yet. As it turns out,
newer versions of clang will insert calls to memcmp in the body of the
init_cpu_variant() function in arch-arm/dynamic_function_dispatch.cpp.
Change-Id: I91f18d450835adc4b74565e9f48d5834f594a0c4
r334928 | kib | 2018-06-10 10:54:44 -0700 (Sun, 10 Jun 2018) | 16 lines
libc qsort(3): stop aliasing.
Qsort swap code aliases the sorted array elements to ints and longs in
order to do swap by machine words. Unfortunately this breaks with the
full code optimization, e.g. LTO.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83201 which seems to
reference code directly copied from libc/stdlib/qsort.c.
PR: 228780
Reported by: mliska@suse.cz
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D15714
Test: treehugger
Change-Id: Iac608b13bbf8a2dcb48c935a7871c0d2f05bff79
As it turns out, our "generic" arm64 implementations of certain string.h
functions are not actually generic, since they will eagerly read memory
possibly outside of the bounds of an MTE granule, which may lead to a segfault
on MTE-enabled hardware. Therefore, move the implementations into a "default"
directory and use ifuncs to select between them and a new set of "mte"
implementations, conditional on whether the hardware and kernel support MTE.
The MTE implementations are currently naive implementations written in C
but will later be replaced with a set of optimized assembly implementations.
Bug: 135772972
Change-Id: Ife37c4e0e6fd60ff20a34594cc09c541af4d1dd7
r293856 | brooks | 2016-01-13 13:50:08 -0800 (Wed, 13 Jan 2016) | 10 lines
Avoid reading pass the end of the source buffer when it is not NUL
terminated.
If this buffer is adjacent to an unmapped page or a version of C with
bounds checked is used this may result in a crash.
PR: 206178
Submitted by: Alexander Cherepanov <cherepan@mccme.ru>
MFC after: 1 week
and
r293855 | brooks | 2016-01-13 13:49:01 -0800 (Wed, 13 Jan 2016) | 10 lines
Avoid reading pass the end of the source buffer when it is not NUL
terminated.
If this buffer is adjacent to an unmapped page or a version of C with
bounds checked is used this may result in a crash.
PR: 206177
Submitted by: Alexander Cherepanov <cherepan@mccme.ru>
MFC after: 1 week
Test: treehugger
Change-Id: I3f7b9e6d0648574d2836f7721dfe47c1bae146de
r342757 | kevans | 2019-01-03 19:13:24 -0800 (Thu, 03 Jan 2019) | 19 lines
getopt_long(3): fix case of malformed long opt
When presented with an arg string like '-l-', getopt_long will successfully
parse out the 'l' short option, then proceed to match '--' against the first
longopts entry as it later does a strncmp with len=0. This latter bit is
arguably another bug in itself, but presumably not a practical issue as all
callers of parse_long_options are already doing the right thing (except this
one pointed out).
An opt string like '-l-' should be considered malformed and throw a bad
argument rather than behaving as if '--' were passed. It cannot possibly do
what the invoker expects, and it's probably the result of a typo (ls -l- a)
rather than any intent.
Reported by: Tony Overfield <toverfield@yahoo.com>
Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18616
Test: treehugger
Change-Id: I593713bc35d70eb1975c9d7587528f2b3f9731af
r325389 | kib | 2017-11-04 03:52:58 -0700 (Sat, 04 Nov 2017) | 7 lines
C++17 requires quick_exit(3) to be async-signal safe.
Make it safe, and update man page with the useful information.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Test: treehugger
Change-Id: Idf84b1f1e360c031b0e39d5f6e80d17308db1940
Upstream keeps rearranging the deckchairs for these, so let's just
switch to the [roughly] one-liners rather than track that...
Test: treehugger
Change-Id: If655cf7a7f316657de44d41fadd43a8c55ee6f23
In order for an ifunc resolver to detect the presence of certain CPU features,
access to getauxval(AT_HWCAP) or getauxval(AT_HWCAP2) may be required. In order
for getauxval() to work, it needs to access the pointer to the auxiliary vector
stored by the linker in the libc shared globals data structure. Accessing the
shared globals requires libc to call the __libc_shared_globals() function
exported by the linker. However, in order to call this function, libc must
be fully relocated, which is not guaranteed to be the case at the point when
ifunc resolvers are called.
glibc solves this problem by passing the values of getauxval(AT_HWCAP)
(and getauxval(AT_HWCAP2) on aarch64) as arguments to the ifunc resolver.
Since this seems to be not only the most straightforward way to solve the
problem but also improves our compatibility with glibc, we adopt their
calling convention.
This change is ABI compatible with old resolvers because the arguments are
passed in registers, so the old resolvers will simply ignore the new arguments.
Bug: 135772972
Change-Id: Ie65bd6e7067f0c878df3d348c815fda61dc12de2
arm32 has two special APIs to find exidx exception handling info,
dl_unwind_find_exidx and __gnu_Unwind_Find_exdix. The two functions have
identical behavior and function prototypes. libgcc's arm32 unwinder calls
__gnu_Unwind_Find_exdix, whereas LLVM's libunwind previously called
__gnu_Unwind_Find_exdix, but switched to dl_unwind_find_exidx as a result
of three patches (D30306, D30681, D39468).
In Bionic, for dynamic linking, __gnu_Unwind_Find_exdix in libc.so calls
dl_unwind_find_exidx in libdl.so.
For static executables, though, __gnu_Unwind_Find_exdix in libc.a used the
__exidx_* symbols, while dl_unwind_find_exidx in libdl.a(libdl_static.o)
was a return-0 no-op.
To fix the LLVM unwinder, replace the no-op dl_unwind_find_exidx in
libdl.a with a real function in libc.a(exidx_static.o), and have the GNU
function call the dl function for more consistency with dynamic linking.
dl_iterate_phdr follows a similar pattern, where the function exists in
libc.a and libdl.so (not libc.so or libdl.a).
This change makes unwinding work with an updated libunwind_llvm on arm32,
and it helps to allow unwinding in static executables without libdl.a.
Bug: https://github.com/android/ndk/issues/1094
Bug: http://b/141485154
Test: NDK tests, bionic unit tests
Change-Id: Ieeeb9b39a0e28544e21f9afe6fe51ef10d7c828c
At heart a revert of "Don't #define __ANDROID_NDK__ for the platform build!",
which was commit eb61430374.
The original change was insufficiently motivated, and meant that the
NDK -- not just the platform -- no longer defines __ANDROID_NDK__. Which
then broke at least building toybox with NDK r19.
Change-Id: Ic616688e4d17d25714a9ef381269d7431deac9b0
* changes:
libc: remove now-unused FORTIFY functions
fortify: remove last uses of __bos_trivially_not*
fortify(string): emit diagnostics regardless of API level
fortify(fcntl): emit diagnostics regardless of API level
As of I2037548cc2061e46c379931588194c21dfe234b4, these are no longer
used. Since they're new in R, we can remove them instead of keeping
backwards compat 'forever'. Take that opportunity now.
Bug: 141267932
Test: TreeHugger
Change-Id: I13f94cdcff6e75ad19b964be76445f113f79559b
Since we're using the gt/ge ones a lot now, having `not` versions
probably just adds to confusion. Swap out their remaining uses and
delete them.
Bug: 141267932
Test: m checkbuild on internal-master
Change-Id: I2107ae65007a4995e4fa23371fefe4db7547f43b
HWASan-instrumented code needs TLS_SLOT_SANITIZER set up to run, and
that is not done until the new thread calls __hwasan_thread_enter. Block
all signals until that time to prevent hwasan-instrumented signal
handlers running (and crashing) on the new thread.
Bug: 141893397
Test: seq 0 10000000 | xargs -n 1 -P 200 adb shell am instrument \
-w -r -e command grant-all \
com.android.permissionutils/.PermissionInstrumentation
(cherry picked from commit d181585dd5)
Change-Id: Id65fae836edcacdf057327ccf16cf0b5e0f9474a
The libs are not available for platform. Thus removing
'//apex_available:platform' from the apex_available property. However,
since there are test modules that statically links the libs, we
exceptionally make the static variant of the libs available to the
platform.
Test: m
Test: mm under bionic does not create
out/target/product/<name>/system/lib[64]/libc_malloc_[debug|hooks].so
Change-Id: Ia6d473658c4231b04b5db511f9dacbbdf0f207b0
The bionic libs are now restricted to be in the runtime APEX and the
platform (for bootstrapping). It can still be referenced from other
APEXes but can't be included there.
Bug: 139870423
Test: m
Change-Id: I7f99eef27ccf75844ca5c9a7ea866496841b738f
The NDK doesn't support anything older than API level 16, so remove some
more clutter.
Test: builds
Change-Id: If257a27841396af001b089b7ae0fbd8c3e0128e4
The NDK only supports >= 16, so remove anything older than that to avoid
giving the misleading impression that such old targets are still
supported.
(This change doesn't touch <unistd.h>. I'll follow up with that once the
outstanding FORTIFY changes to that file are in.)
Test: builds
Change-Id: I6cc6ecdb99fe228a4afa71f78e5fd45309ba9786
Refactor some of the definitions to separate out all of the native
allocator pieces into one place that can be changed easily. This
should fix a few static libraries that appear to have accidentally
included jemalloc wrapper functions. For example, I verified that
libc_nomalloc.a no longer has references to any je_XXX functions.
Modify the bionic_libc_platform_headers to not include any libraries.
If this isn't updated, soong thinks there are cycles when used by
libscudo.
To enable scudo, change the libc_native_allocator_defaults defaults
from libc_jemalloc5_defaults to libc_scudo_defaults and comment out
the defaults: ["libc_scudo_wrapper_defaults"], line for the shared
library libc_scudo.
To do a final switch to scudo, it will be necessary to clean up
some code in other parts of the tree, but this allows a single cl
to enable or disable.
Bug: 137795072
Test: Builds with jemalloc or scudo with a small change.
Test: Ran bionic unit tests.
Change-Id: I07bb5432a0d2b2f405f92412e8d04fb9c9e51b31
Merged-In: I07bb5432a0d2b2f405f92412e8d04fb9c9e51b31
(cherry picked from commit ccff1b19ef)
The tables in the BSD tolower/toupper are slower for ASCII than just
doing the bit twiddling.
We can't actually remove the tables on LP32, so move them into the
"cruft" we keep around for backwards compatibility (but remove them for
LP64 where they were never exposed).
I noticed that the new bit-twiddling tolower(3) was performing better
on arm64 than toupper(3). The 0xdf constant was requiring an extra MOV,
and there isn't a BIC that takes an immediate value. Since we've already
done the comparison to check that we're in the right range (where the
bit is always set), though, we can EOR 0x20 to get the same result as
the missing BIC 0x20 in just one instruction.
I've applied that same optimization to towupper(3) too.
Before:
BM_ctype_tolower_n 3.30 ns 3.30 ns 212353035
BM_ctype_tolower_y 3.31 ns 3.30 ns 211234204
BM_ctype_toupper_n 3.30 ns 3.29 ns 214161246
BM_ctype_toupper_y 3.29 ns 3.28 ns 207643473
BM_wctype_towupper_ascii_n 3.53 ns 3.53 ns 195944444
BM_wctype_towupper_ascii_y 3.48 ns 3.48 ns 199233248
After:
BM_ctype_tolower_n 2.93 ns 2.92 ns 242373703
BM_ctype_tolower_y 2.88 ns 2.87 ns 245365309
BM_ctype_toupper_n 2.93 ns 2.93 ns 243049353
BM_ctype_toupper_y 2.89 ns 2.89 ns 245072521
BM_wctype_towupper_ascii_n 3.34 ns 3.33 ns 212951912
BM_wctype_towupper_ascii_y 3.29 ns 3.29 ns 214651254
(Why do both the "y" and "n" variants speed up with the EOR
change? Because the compiler transforms the code so that we
unconditionally do the bit twiddling and then use CSEL to decide whether
or not to actually use the result.)
We also save 1028 bytes of data in the LP64 libc.so.
Test: ran the bionic benchmarks and tests
Change-Id: I7829339f8cb89a58efe539c2a01c51807413aa2d
There are places in frameworks and art code that directly included
private bionic header files. Move these files to the new platform
include files.
This change also moves the __get_tls.h header file to tls.h and includes
the tls defines header so that there is a single header that platform
code can use to get __get_tls and the defines.
Also, simplify the visibility rules for platform includes.
Bug: 141560639
Test: Builds and bionic unit tests pass.
Change-Id: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
Merged-In: I9e5e9c33fe8a85260f69823468bc9d340ab7a1f9
(cherry picked from commit 44631c919a)
The accompanying soong change causes sanitize attributes to be allowed on
cc_object targets and propagates sanitize attributes into dependencies. This
is problematic for the crt objects in sanitizer builds because everything
depends on them including the sanitizer runtime, so a circular dependency
would otherwise be created. Furthermore, some of the code in these objects
runs before sanitizer initialization so it is unlikely that sanitizing them
would work anyway. Therefore, disable sanitization on these objects.
Change-Id: I25380dfc8eed5db34b034ba127a9d6b5674032fa
We're going to have to add ifuncs to libm, and there will be some SVE
ones for arm64 soon too, so let's start sharing the absolute minimum...
Test: builds
Change-Id: Idbb9dd9477291ed3c15dc3902f65e593b766dfb9
Clang recently grew its own diagnostics for memcpy and such. These are
generally higher-quality than what we can do with diagnose_if, since
clang is happy to include e.g., sizes of things per-callsite. Move to
those instead where applicable.
Bug: 131861088, 123644155
Test: blueline internal-master checkbuild; treehugger
Change-Id: I701f5a8b247ba2948ca47fdc60ff5198b564c03e
Instead of having platform directories directly include the
private header, create a platform header directory and export it.
Bug: 130763340
Test: Builds.
Change-Id: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
Merged-In: Ie0f092b3fe077a3de8b90266c0b28bfbc20d0dfa
(cherry picked from commit 8f582ef2f8)
