It's possible for malloc to return a pointer that is not going to
crash with __cfi_slowpath. It's possible to modify the cfi code
to avoid this problem, but I'm not convinced that this will be any
better at catching problems. So I'm just modifying the test so that
it will eventually allocate a pointer that does not overlap.
This previous version of the test failed on jemalloc svelte config,
but there is nothing that would not result in a failure on scudo
leading to a failure every once in a while.
Bug: 142556796
Bug: 140079007
Test: Ran bionic unit tests with jemalloc and scudo.
Change-Id: Iff45bd950d2eb33ff56dc700a2d739b5b578e090
These solves the issue that targetting non-profilable apps crashed them.
There is still a race condition between starting the app and the SIG_IGN
being installed, but that will be fixed in follow-ups.
This also does not cover programs that statically link libc, but those are
rare.
This might be reverted if we find a more general solution to
b/151835887.
Bug: 151328035
Test: java profile sysui, doesn't crash
Test: atest CtsBionicTestCases
Change-Id: I6b99352ed50afe15a609f7ddb85312c2676ddf11
POSIX added these GNU extensions for issue 8.
I've made these always inline without the usual "until API level X"
proviso because they're single instructions that the compiler can inline
and there's really no point providing these if they add function call
overhead --- everyone should just use __builtin_ffs() and friends
instead in that case.
Bug: https://austingroupbugs.net/view.php?id=617
Test: treehugger
Change-Id: I33fc4b8648ea25917329e81c1b4c60eb9a66d667
This should make it less likely that the writer finishes before the
reader even starts. It makes the test run longer, but devices have
gotten faster suince this test was written.
Bug: 152218463
Test: Treehugger
Change-Id: I409e59071991095fb17e067760f2a5f29ede0ba2
I can't reproduce locally, but treehugger is seeing 6% flake in the
signal.sigwait64_SIGRTMIN test. It's the only test in the file with a
sleep() in it, which always makes me suspicious, and we aren't having
trouble with the (in principle) very similar sigwaitinfo() tests, so
switch over to their style.
Bug: http://b/149934069
Test: treehugger
Change-Id: I2a1193b0cbec50f6548badf7dc7175bb6a49e45f
We had two copies of this function, one (not quite correct) in tests/utils.h
and another in bionic/macros.h. Delete the former and have the users include
the latter.
Also, create an overload of the function that takes a uintptr_t, which will
be useful for out-of-process scenarios such as the MTE support in debuggerd.
Bug: 135772972
Change-Id: Ia3c2652c97797663146b3f05fa786afe09f7ea97
This causes failures in signal handler tests, because it looks like clang
doesn't understand how to enable the stack protection in a signal handler.
Clang winds up scribbling on the real stack.
Bug: 149934069
Bug: 151372823
Test: Ran all unit tests on bonito/taimen and the signal handler tests pass.
Change-Id: If73f55e7505b6d7f35b340be0b03c798b21e2829
Simplify:
- Use a single memory-mapped region to hold the table of destructors.
Double its capacity each time it is expanded.
- Add a recompaction pass at the end of __cxa_finalize that shifts
entries forward and uses madvise to clean pages.
Bug: http://b/148055738
Test: bionic-unit-tests
Change-Id: Ieb9da2b88640a8a5277d217b43826b5b7e246781
If an alternate signal stack is set and the frame record is in bounds of
that stack, we need to use the top of the alternate signal stack for bounds
checking rather than the normal stack.
Bug: 150215618
Change-Id: I78b760d61b27da44f8e0cfee3fe94a791011fe58
This change adds standard branch protection to bionic unit tests
for arm64 targets. For more information see
https://developer.arm.com/search#q=branch-protection
Both Armv8.3-A Pointer Authentication (using the A-key) hint-space
instructions and Armv8.5-A Branch Target Identification hint-space
landing pads are added to the generated code.
Test: 1. Tested on flame
2. Tested on FVP
Change-Id: Ice991c538a9101448dea64c357f3f6bfb93877eb
The tag level may now be async, which is now the default. When the tag level
is set to none, memory tagging is disabled in the allocator using the new
API proposed in https://reviews.llvm.org/D70762 .
Bug: 135772972
Change-Id: I847f5822a70913c446ed9ffa13792177bbfc96af
An upcoming change to scudo will cause us to start calling
android_unsafe_frame_pointer_chase() from within the allocator. Since this
function uses ScopedDisableMTE, this would otherwise make it unsafe to use
the allocator from within ScopedDisableMTE. This seems like an unreasonable
restriction, so make ScopedDisableMTE save the PSTATE.TCO state in the
constructor and restore it in the destructor.
Bug: 135772972
Change-Id: I47e18d5fb2929efd5a58676488180cd85731007b
XOM is no longer supported by the build system, so remove these
properties.
Bug: 123034666
Bug: 147300048
Test: Build succeeds.
Change-Id: I77efc98241f45b1a78b1cca5560f64eef5ef22f4
The mips/mips64 targets were never able to pass these tests, and the
supported architectures don't need any of these workarounds.
Test: treehugger
Change-Id: I640a8b7a98ae13d9d9cdb09b0fbef61d31d4c79a
Scudo implemented malloc_info for the primary allocator, so add some
small amount of validation.
Test: Ran the malloc_info tests and verified they pass.
Change-Id: Ib7c609e46cc1ed73fa5c042df92fa9b568880f21
GWP-ASan is part of the native allocator, and may allocate some memory.
When GWP-ASan is enabled, the malloc tests need to look inside of
GWP-ASan regions as well for native allocations.
Bug: 135634846
Test: atest bionic-unit-tests
Change-Id: Ibb78f9c9e7e96a437cffce013facd18708799b0e
GWP-ASan introduces two Initial-Exec thread-local variables into
libc.so. This causes the ELF TLS test to understandably fail, and needs
to be patched up.
Bug: 148606979
Test: atest bionic-unit-test
Change-Id: I77500a00edb55cb7bcd3cd3faffb76d2339ab42c
When a library is present in a namespace via the secondary_namespaces
list (i.e. the executable, LD_PRELOAD, DF_1_GLOBAL, or
android_create_namespace inheritance), then we want to search that
library's symbols, but not the symbols of its dependencies. Otherwise,
we want to search the dependencies to handle cross-NS dependency.
Bug: http://b/148569846
Test: bionic unit tests
Change-Id: If798d69de28ed5c0f1a155e4ff85c7e08934e531
This function will be used by Scudo and GWP-ASan to efficiently collect
stack traces for frames built with frame pointers.
Bug: 135634846
Bug: 135772972
Change-Id: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
Merged-In: Ic63efdbafe11dfbb1226b5b4b403d53c4dbf28f3
Add a hook that's called upon file descriptor creation to libc, and a
library that uses it to capture backtraces for file descriptor creation,
to make it easier to hunt down file descriptor leaks.
Currently, this doesn't capture all of the ways of creating a file
descriptor, but completeness isn't required for this to be useful as
long as leaked file descriptors are created with a function that is
tracked. The primary unhandled case is binder, which receives file
descriptors as a payload in a not-trivially-parsable byte blob, but
there's a chance that the leak we're currently trying to track down
isn't of a file descriptor received over binder, so leave that for
later.
Bug: http://b/140703823
Test: manual
Change-Id: I308a14c2e234cdba4207157b634ab6b8bc539dd9
(cherry picked from commit b7eccd4b15)
mte_supported() lets code efficiently detect the presence of MTE, and
ScopedDisableMTE lets code disable MTE RAII-style in a particular region
of code.
Bug: 135772972
Change-Id: I628a054b50d79f67f39f35d44232b7a2ae166afb
On Android, fcntl is always implemented by fcntl64(2). This means that
an LP32 binary can `fcntl(F_SETLK, struct flock)` (because fcntl64(2)
passes through to the 32-bit fcntl(2) to handle F_SETLK), and it can
also `fcntl(F_SETLK64, struct flock64)`. What it can't do before this
patch is set _FILE_OFFSET_BITS=64 and then `fcntl(F_SETLK, struct
flock)` where that `struct flock` is actually implicitly `struct
flock64`.
Move the kernel uapi structs out of the way, define them ourselves based
on __LP64__ and _FILE_OFFSET_BITS, and fix up the relevant F_ constants.
(Also add a .clang-format to turn off clang-format in libc/include/.)
Bug: N/A
Test: treehugger (and strace!)
Change-Id: Iccd6c83d9133e1efcf93a7b49a6ae0f1bbd3d58b
The alloc after fork is a test that should pass, but jemalloc
doesn't right now. Leave the test disabled until the native
allocator can pass this.
Test: Ran the test 1000 times on glibc to verify it passes.
Test: On device, verified it does not run.
Change-Id: I482af4db2fee81c947ac081c7a6f25a2aff80350
Test (a) that we can load the library, but also (b) that readelf thinks
it contains the relocation encoding we were expecting. Do this for all
four of RELR, ANDROID_RELR, relocation packer, and the original ELF
relocation encoding.
Bug: http://b/147452927
Test: treehugger
Change-Id: I5fab72f99d46991c1b206a1c15c76e185b7148b3
Until now we've only supported RELR with our own OS-private-use
constants. Add support for the official numbers (while maintaining
support for the historical numbers).
Add tests to ensure we continue to support both indefinitely.
We can't yet flip the build system over to using the official constants
because the old GNU binutils objcopy we still use in most cases (for the
mini-debug section) only supports the historical constants.
Bug: http://b/147452927
Test: treehugger
Change-Id: If214fce7fade4316115947e90b78ab40864b61f2
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).
We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.
If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.
Bug: 135754954
Bug: 147147490
Test: cd bionic && atest .
Change-Id: Ie424325ba1e3c4443040ac265aeaa28d9e405d28
setprogname() does a basename, but we were initializing __progname
directly. Stop doing that, and add some tests.
Test: treehugger
Change-Id: I06f306ade4161b2f0c7e314a3b1b30c9420117b7
Use O_PATH like musl to let the kernel do the hard work, rather than the
traditional BSD manual scheme.
Also add the most obvious missing tests from reading the man page, plus
a non-obvious test for deleted files.
Bug: http://b/131435126
Test: treehugger
Change-Id: Ie8a8986fea55f045952a81afee377ce8288a49d5
