For ELF TLS "local-exec" accesses, the static linker assumes that an
executable's TLS segment is located at a statically-known offset from the
thread pointer (i.e. "variant 1" for ARM and "variant 2" for x86).
Because these layouts are incompatible, Bionic generally needs to allocate
its TLS slots differently between different architectures.
To allow per-architecture TLS slots:
- Replace the TLS_SLOT_xxx enumerators with macros. New ARM slots are
generally negative, while new x86 slots are generally positive.
- Define a bionic_tcb struct that provides two things:
- a void* raw_slots_storage[BIONIC_TLS_SLOTS] field
- an inline accessor function: void*& tls_slot(size_t tpindex);
For ELF TLS, it's necessary to allocate a temporary TCB (i.e. TLS slots),
because the runtime linker doesn't know how large the static TLS area is
until after it has loaded all of the initial solibs.
To accommodate Golang, it's necessary to allocate the pthread keys at a
fixed, small, positive offset from the thread pointer.
This CL moves the pthread keys into bionic_tls, then allocates a single
mapping per thread that looks like so:
- stack guard
- stack [omitted for main thread and with pthread_attr_setstack]
- static TLS:
- bionic_tcb [exec TLS will either precede or succeed the TCB]
- bionic_tls [prefixed by the pthread keys]
- [solib TLS segments will be placed here]
- guard page
As before, if the new mapping includes a stack, the pthread_internal_t
is allocated on it.
At startup, Bionic allocates a temporary bionic_tcb object on the stack,
then allocates a temporary bionic_tls object using mmap. This mmap is
delayed because the linker can't currently call async_safe_fatal() before
relocating itself.
Later, Bionic allocates a stack-less thread mapping for the main thread,
and copies slots from the temporary TCB to the new TCB.
(See *::copy_from_bootstrap methods.)
Bug: http://b/78026329
Test: bionic unit tests
Test: verify that a Golang app still works
Test: verify that a Golang app crashes if bionic_{tls,tcb} are swapped
Merged-In: I6543063752f4ec8ef6dc9c7f2a06ce2a18fc5af3
Change-Id: I6543063752f4ec8ef6dc9c7f2a06ce2a18fc5af3
(cherry picked from commit 1e660b70da)
This change makes it easier to move the location of the pthread keys
(e.g. into the bionic_tls struct).
Bug: http://b/78026329
Test: bionic unit tests
Test: disassembly of libc.so doesn't change
Merged-In: Ib75d9dab8726de96856af91ec3daa2c5cdbc2178
Change-Id: Ib75d9dab8726de96856af91ec3daa2c5cdbc2178
(cherry picked from commit ecad24fad9)
The only 2019 android copyright is coming from a test file, which is
not included in our normal notice.
Test: Can upload.
Change-Id: Ie22332f927b99c28eb71c1daf5615adfef8c5d11
The current version has these bugs:
- Adding a semicolon after a function results in the removal of structures
following the function.
- Function like macros get removed on accident rather than on purpose.
- It removes extern "C" { completely, which might not be a bug, but doesn't
seem right.
I couldn't easily fix any of these problems because the code depends heavily
on the header being correct.
New unit tests added for the function to cover all of these cases.
A follow-on CL will include the updated headers.
Bug: 112290385
Test: Passes all new unit tests.
Test: When run on the current kernel headers, the generated headers are
Test: nearly the same, missing data is being added.
Change-Id: Ib22a5f2e78873544e8a9d54e385af1156b2a72bb
Track movement of ICU .dat file into the runtime module
This reverts commit b9e7b699a2.
This is a reapply of commit 68c6bd8b43
Bug: 120853401
Bug: 119293618
Test: build / boot
Change-Id: I69e0dde2756da64ac0b17f1726145dccacf5961f
PR_SET_VMA takes mmap_sem, which can cause contention and reduce
performance any time many threads are created at the same time,
like app startup.
Test: camera launch performance
Bug: 122471935
Change-Id: If7fa7ad99654c01d503f694976fd92bfd30d2afd
By default, Clang uses this arm32 function to read the thread pointer,
either for ELF TLS or via __builtin_thread_pointer(). It's probably better
to inline the cp15 access using -mtp=cp15, but that's not the default yet.
See https://reviews.llvm.org/D34878?id=114573.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: I93b8926075f0b2cea8df9ef518d54f2820a8ff5b
The "if defined(__ANDROID__)" else branch is there to support
bionic when running on host environments.
The code now checks the
${ANDROID_RUNTIME_ROOT}/etc/tz/tzdata path as well.
This is similar to the current on-device expectations.
Eventually, we may remove the /system / ANDROID_ROOT cases.
Bug: 119293618
Test: build only
Change-Id: I8310f7b5a1c14567a648673970c636c7c84ff818
Following additional symbols are temporarily exposed from the runtime APEX
to satisfy the dependencies from other non-AOSP modules. This will be
reverted when the modules are built with the boostrap bionic libraries.
Bug: 120266448
Test: m
Change-Id: I39ac40a40545723ea2aeb185b9cd293d511f802f
Bionic libs are part of the runtime APEX (com.android.runtime). In order
to be able to update the runtime APEX independetly from the platform, we
have to prevent things outside of the APEX from using bionic symbols
that are not guaranteed to be stable. Otherwise, platform could break
when a symbol is removed from the libs via the APEX update.
To achive this goal, this change adds stubs variant to the bionic libs.
With this, things outside of the runtime APEX (i.e. other APEXes and the
platform) are built with the stubs variants that provide only the
symbols that are guaranteed to be stable.
The set of symbols are basically the same as the symbols available to
NDK clients. However, there are a few additional symbols that are not
available for NDK but should be made available for platform components.
They are marked with "# apex" tag. Symbols with that tag are not exposed
to apps (via NDK stubs) or vendors (via LLNDK stubs).
Note that the stubs is a build-time only artifact. It is used just to
break the build when private symbols are used outside of the runtime
APEX. At runtime, the real library in the APEX is used.
Bug: 120266448
Test: m
Test: m bionic-unit-tests
Change-Id: I7b8d75830c81d7d7d54e2fca21a85b3417531b47
Having a constexpr constructor should guarantee that the static
`globals` variable in __libc_shared_globals is initialized statically
(as opposed to dynamically), which is important because
__libc_shared_globals is called very early (before the linker has
relocated itself). With the constructor, though, the fields can safely
have in-line default initializers.
Bug: none
Test: bionic unit tests
Change-Id: Icde821557369625734a4d85d7ff55428bad5c247
We could cause illegal memory access due to not checking the scanddir
return value.
Test: run linux-bionic dex2oat to build boot.oat
Bug: 119332362
Change-Id: Ic5824e0373b9b99d8f892b4fcf22e742c6f792da
* Add explicit to conversion constructors/operators
Bug: 28341362
Test: make with WITH_TIDY=1 DEFAULT_GLOBAL_TIDY_CHECKS=-*,google-explicit-constructor
Change-Id: Id1ad0327c1b8c6f094bcbb3ae599bc1f716b3f2f
When the linker was changed so that it put a read-only map and
read-execute map, this code incorrectly computed the relative pc and
offset. Modify to look for the actual start map in this case.
Also, change the load_base name to load_bias.
Bug: 120613266
Test: Dumped logcat while dumping backtraces.
Change-Id: I6628694c5222ea34d63217af3d138707d4900004
This slot will replace TLS_SLOT_TSAN, which needs to be removed for ELF
TLS compatibility. The platform has both slots reserved until compiler-rt
can be updated. See:
- https://reviews.llvm.org/D53906
- discussion on AOSP change Idf25d2ee457a5d26d0bdd6281cee72c345c8b755
Bug: http://b/78026329
Test: m
Change-Id: Ifd5aeb5711dc88266e7350cb022146dd87cfd7be
This change is intended to allow native-bridge to use independent
TLS memory for host and guest environments, while still sharing a
thread-local errno between the two.
Bug: http://b/78026329
Test: bionic unit tests
Change-Id: I838cd321e159add60760bc12a8aa7e9ddc960c33
Merged-In: I838cd321e159add60760bc12a8aa7e9ddc960c33
(cherry picked from commit a9c7c55462)
This reverts commit 68c6bd8b43.
Reason for revert: Broke ART test environments and emulator devices.
Bug: 119293618
Change-Id: I1b0531d13c6565ce83801d93c78813af592eec1a
Look for the tzdata file in the runtime module before looking
in /system. It is still an open question how the removal of
tzdata will be handled, if at all. Until it is worked out it
will be duplicated.
Bug: 119293618
Bug: 119390260
Test: build / boot
Change-Id: I7e14ef41d0ec226caa595c56be61df5ecf50c382
The same prebuilts will be used in both runtime and time zone
modules. Having the rules put the files in etc/tz/ will make
them more appropriate for the runtime module.
Bug: 119026403
Test: build /boot only
Change-Id: Ia1370457e9d1547b35ed56bb385213d3727c8b9a
* changes:
Replace TLS_SLOT_BIONIC_PREINIT w/ shared globals
Use shared globals so getauxval works earlier
Split main thread init into early+late functions
Add filegroups for libc sources not included in component static
libraries.
Bug: http://b/120406045
Bug: http://b/114470065
Test: make
Change-Id: I2045f14d6636e0da4eb741bfd2de3312475e20e3
Instead of passing the address of a KernelArgumentBlock to libc.so for
initialization, use __loader_shared_globals() to initialize globals.
Most of the work happened in the previous CLs. This CL switches a few
KernelArgumentBlock::getauxval calls to [__bionic_]getauxval and stops
routing the KernelArgumentBlock address through the libc init functions.
Bug: none
Test: bionic unit tests
Change-Id: I96c7b02c21d55c454558b7a5a9243c682782f2dd
Merged-In: I96c7b02c21d55c454558b7a5a9243c682782f2dd
(cherry picked from commit 746ad15912)
Make getauxval() work in .preinit_array. It still won't be usable for
ifuncs unless we can guarantee that the __loader_shared_globals relocation
is resolved before the ifunc calls [__bionic_]getauxval.
Define __bionic_getauxval for use in replacing calls to
KernelArgumentBlock::getauxval, which doesn't (and sometimes isn't allowed
to) access TLS variables like errno.
Bug: http://b/25751302
Test: bionic unit tests
Change-Id: I461feeaed7f43cfa2a2b6c34147194f0df82b516
Merged-In: I461feeaed7f43cfa2a2b6c34147194f0df82b516
(cherry picked from commit bdab4a2b97)
Split __libc_init_main_thread into __libc_init_main_thread_early and
__libc_init_main_thread_late. The early function is called very early in
the startup of the dynamic linker and static executables. It initializes
the global auxv pointer and enough TLS memory to do system calls, access
errno, and run -fstack-protector code (but with a zero cookie because the
code for generating a cookie is complex).
After the linker is relocated, __libc_init_main_thread_late finishes
thread initialization.
Bug: none
Test: bionic unit tests
Change-Id: I6fcd8d7587a380f8bd649c817b40a3a6cc1d2ee0
Merged-In: I6fcd8d7587a380f8bd649c817b40a3a6cc1d2ee0
(cherry picked from commit 39bc44bb0e)
It was discovered that we were building some objects inconsistently due
to an optimization in cc_library to only build objects once and use them
for both the static and shared libraries. But static libraries didn't
get system_shared_libs set automatically, and we didn't notice that we
would have built the objects differently.
So static libraries now get the default system_shared_libs, we allow
adjusting that for static vs shared in a cc_library, and we disable the
optimization if the linked libraries are configured differently between
static and shared in a single cc_library.
This triggers dependency cycles for static libraries that libc/libdl
use, so fix those cycles here.
Test: treehugger
Change-Id: I3cf7fda161a05ec32e0c1e871999720d12a4d38e
Because we also want to profile Java applications, which have longer
names, the character limit of comm is a problem. To avoid complexity, it
is preferable to apply the same logic for finding running processes
(which includes Java apps), and determining whether to profile a process
from startup.
Test: m
Test: flash sailfish
Test: setprop heapprofd.enable 1
setprop heapprofd.enable.ls 1
ls
/system/bin/ls
/system/bin/ls /
Bug: 120175590
Change-Id: Id0859d4a333efcb05883e611ea6a31a51468f82c
Did this for fun but turns out it generates better assembly code.
With a C implementation, compiler can expand both the comparison
loop and cpu_variant_names array. Results in a decision tree like
structure. For example the "cortex-a" prefix common in many variants
will only be compared once.
Test: run bionic unit tests.
Test: use debugger to check which variant is used.
Change-Id: Id70e5536f968161f20b18f35d46430457c338f0f
* changes:
Use shared globals to init __progname + environ
Move the abort message to libc_shared_globals
Expose libc_shared_globals to libc.so with symbol
Initialize the __progname and environ global variables using
libc_shared_globals rather than KernelArgumentBlock.
Also: suppose the linker is invoked on an executable:
linker prog [args...]
The first argument passed to main() and constructor functions is "prog"
rather than "linker". For consistency, this CL changes the BSD
__progname global from "linker" to "prog".
Bug: none
Test: bionic unit tests
Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
__libc_shared_globals() is available in dynamic modules as soon as
relocation has finished (i.e. after ifuncs run). Before ifuncs have run,
the android_set_abort_message() function already doesn't work because it
calls public APIs via the PLT. (If this matters, we can use a static
bool variable to enable android_set_abort_message after libc
initialization).
__libc_shared_globals() is hidden, so it's available in the linker
immediately (i.e. before relocation). TLS memory (e.g. errno) currently
isn't accessible until after relocation, but a later patch fixes that.
Bug: none
Test: bionic unit tests
Change-Id: Ied4433758ed2da9ee404c6158e319cf502d05a53
Previously, the address of the global variable was communicated from the
dynamic linker to libc.so using a field of KernelArgumentBlock, which is
communicated using the TLS_SLOT_BIONIC_PREINIT slot.
As long as this function isn't called during relocations (i.e. while
executing an ifunc), it always return a non-NULL value. If it's called
before its PLT entry is relocated, I expect a crash.
I removed the __libc_init_shared_globals function. It's currently empty,
and I don't think there's one point in libc's initialization where
shared globals should be initialized.
Bug: http://b/25751302
Test: bionic unit tests
Change-Id: I614d25e7ef5e0d2ccc40d5c821dee10f1ec61c2e
Other minor changes:
* document assignment that relies on _Atomic assignments to use
atomic_store.
* consistently use atomic_store when assigning to atomics.
* remove incorrect comment.
Test: m
Test: flash & boot sailfish
Change-Id: I4789c08f7ac28a2de8d6925d03af354514bfd9d7
These modules have issues running with execute-only memory. Disable it
in them until we can resolve the issues.
Bug: 77958880
Test: No more XOM-related crashes in these binaries
Change-Id: Ie6c957731155566c2bbe7dbb7a91b9583d9aff93
__sanitize_environment_variables is only called when getauxval(AT_SECURE)
is true.
Instead of scanning __libc_auxv, reuse getauxval. If the entry is missing,
getauxval will set errno to ENOENT.
Reduce the number of times that __libc_sysinfo and __libc_auxv are
initialized. (Previously, __libc_sysinfo was initialized 3 times for the
linker's copy). The two variables are initialized in these places:
- __libc_init_main_thread for libc.a (including the linker copy)
- __libc_preinit_impl for libc.so
- __linker_init: the linker's copy of __libc_sysinfo is still initialized
twice, because __libc_init_main_thread runs after relocation. A later
CL consolidates the linker's two initializations.
Bug: none
Test: bionic unit tests
Change-Id: I196f4c9011b0d803ee85c07afb415fcb146f4d65
Previous change was reverted in 9690b121e3.
This change added .arch directive to kryo/ to avoid invalid instruction error.
Test: Run bionic unit test.
Test: Use gdb to make sure the right function is selected.
Test: Build previously failed target: make PRODUCT-sdk_phone_arm64-sdk
Change-Id: I14de41851121fc1a0b38c98fda5eb844b6a9695c
- Insert /apex/com.android.runtime/lib(64) before /system/lib(64)
in the default library search paths (`kDefaultLdPaths`,
`kAsanDefaultLdPaths`).
- Insert apex/com.android.runtime/bin before /system/bin in the
default shell search path (`_PATH_DEFPATH`).
Test: Device boot test with Android Runtime APEX.
Test: Device boot test without Android Runtime APEX.
Bug: 113373927
Change-Id: I9ae6bfe6939f63e7d76e7b3c9b21d8b698bd8fda
This reverts commit ce4ff9c44d.
Reason for revert: broke master in ab/5138164 target sdk_phone_armv7-sdk
Change-Id: Ia4b0c7e6117a37df694509078116963f41d7865e
remove android_open_proxy and use dns_open_proxy instead of it.
dns_open_proxy is in libnetd_client and
it does the same thing as android_open_proxy except return value.
It returns fd directly now.
Test: build, dns works fine
Change-Id: I984743fb50b23eeb9a7d24e9fc347832acfe2afe
This lets us do two things:
1) Make setjmp and longjmp compatible with shadow call stack.
To avoid leaking the shadow call stack address into memory, only the
lower log2(SCS_SIZE) bits of x18 are stored to jmp_buf. This requires
allocating an additional guard page so that we're guaranteed to be
able to allocate a sufficiently aligned SCS.
2) SCS overflow detection. Overflows now result in a SIGSEGV instead
of corrupting the allocation that comes after it.
Change-Id: I04d6634f96162bf625684672a87fba8b402b7fd1
Test: bionic-unit-tests
Also move this and android_get_device_api_level into <android/api-level.h>
so that they're always available.
This involves cleaning up <sys/cdefs.h> slightly.
Bug: N/A
Test: builds
Change-Id: I25435c55f3549cd0d827a7581bee75ea8228028b
Instead of allocating the stack within a 16MB guard region as we
were doing before, just allocate the stack on its own. This isn't
as secure as with the guard region (since it means that an attacker
who can read the pthread_internal_t can determine the address of the
SCS), but it will at least allow us to discover more blockers until
a solution to b/118642754 is decided on.
Bug: 112907825
Bug: 118642754
Change-Id: Ibe5dffbad1b4700eaa0e24177eea792e7c329a61
Landing this change separately to the change that implements SCS
because it needs to land at the same time as an internal change. This
will simplify the situation in case SCS needs to be reverted again.
Change-Id: Ibe18750829665b6dcf6e36628a5e5bbdd1a0dd4f
Merged-In: Ibe18750829665b6dcf6e36628a5e5bbdd1a0dd4f
Adds libc_common_static and libc_common_shared targets. So that static
and shared objects can use different libraries.
In following changes I'll add dynamic dispatch code to
libc_common_shared.
Test: compile and run bionic unit test.
Change-Id: I056742fdf8af76ed7deb274c515951656b176fcb
Memory leak happen when Android data framework updates identical DNS
information to netd.
(cherrypick of c466fe95dc641d879683700aea4233ffd42bc762.)
Bug: 115595601
Test: netd_unit_test, netd_integration_test
Change-Id: Idcc0956729286563603f482258f488a1ccd75e6a
The signal stack is sufficiently large for a single invocation of the
signal handler, but in cases where the signal handler needs to recurse,
(e.g. if our address space is limited by RLIMIT_AS), it's too small for
us to get to the part where we recognize that we've recursed and bail
out.
Bug: http://b/118772392
Test: /data/nativetest64/debuggerd_test/debuggerd_test64 --gtest_filter=CrasherTest.seccomp_crash_oom
Change-Id: Ic7a2cf8b01b3f7ea7f4a2318a3ec22a0c3649da6
The package name in the manifest.json is changing to
remove apex so the hardcoded path must change.
Bug: 119026403
Test: build
Change-Id: I906b595a1325b40f8af8c37d7d08cd543c988cc8
This commit adds "include" (full path: "bionic/libc/include") to
exported_include_dirs for libc. Without this change,
header-abi-checker will strip all functions from ABI dumps.
Bug: 117963950
Test: libc.so.lsdump has a non-empty functions array
Change-Id: I192a4ec0251f1320ced56c6201818076ebd2a2da
Currently, getnameinfo() will never issue a reverse DNS lookup if the first
byte of the IPv6 address is 0x00. This means it is not possible to do a
reverse DNS lookup for a NAT64 address if the NAT64 prefix is the well-known
prefix. Make this possible by treating the well-known prefix specially. This
is not needed for unicast NAT64 prefixes because they do not start with 0x00.
Bug: 78545619
Test: netd_{unit,integration}_test pass
Test: bionic-unit-tests --gtest_filter='net*' pass
Change-Id: I176d30dcf411a5ffe1eec110db99cd73b48e956f
The changes needed to pick up time zone data files from
a mounted APEX directory. Code that looks for time zone
data now looks in a new location after checking for
data installed by the time zone updates via APK feature.
This hasn't been tested in combination with a real APEX but
it shouldn't do anything bad if the new path does not exist.
Bug: 115612964
Test: CTS: run cts-dev -m CtsBionicTests
Test: Build / boot without APEX support
Change-Id: I56ae50e26f2cbfa0e537029a0e6f679fa2394327
The golang runtime currently expects to find the pthread key data after
the tls slots.
Bug: http://b/78026329
Bug: http://b/118381796
Test: run a golang-based app, bionic unit tests
Change-Id: Idc777d809b803093e1c81d9a2ce4eafcc7d61f8d
Merged-In: Idc777d809b803093e1c81d9a2ce4eafcc7d61f8d
(cherry picked from commit a2c30723da)
This reverts commit da1bc79f93.
Reason for revert: Caused OOM in media process
Bug: 112907825
Bug: 118593766
Change-Id: I545663871d75889b209b9fd2131cdaa97166478f
When a construct like:
if defined(something)
blocks1
elif 1
blocks2
else
blocks3
endif
The parser would put the first clause but then simply omit the elif and
put all of blocks2 without a terminating #endif. The code also did
something similar when the #else was an #endif.
Also convert all of the unit tests to real unit tests and only run
them if you run cpp.py by itself. Added new unit tests to cover the
new cases.
Test: Ran cpp.py unit tests.
Test: Reran update_all.py and verified nothing changed, and that running
Test: it on the new kernel headers that exposed this problem.
Change-Id: Ie168511303c4e15afdb60c37baef75a966ca29a8
* changes:
libc: Match header annotations to version script
versioner: Build SymbolDatabase from version scripts
versioner: Add 28 to version list
libc: Add default __STRING implementation
With ELF TLS, the static linker assumes that an executable's TLS segment
is at a known offset from the thread pointer (i.e. __get_tls()). The
segment can be located prior to the TP (variant 2, x86[_64], sparc) or
after it (variant 1, arm{32,64}, ppc, mips, ia64, riscv).
We can't make our pthread_internal_t exactly follow the ordinary arm64
ABI (at least) because TP[5] is used for clang's -fstack-protector on
Android. Instead, reserve extra space after the TP (up to 16 words), which
will be followed by the executable's TLS segment.
Bug: http://b/78026329
Test: boot device, bionic unit tests
Change-Id: I0f3b270b793f9872ba0effeac03f4dec364438d6
Merged-In: I0f3b270b793f9872ba0effeac03f4dec364438d6
(cherry picked from commit f397317e96)
Use <android-base/macros.h> instead where possible, and move the bionic
macros out of the way of the libbase ones. Yes, there are folks who manage
to end up with both included at once (thanks OpenGL!), and cleaning that
up doesn't seem nearly as practical as just making this change.
Bug: N/A
Test: builds
Change-Id: I23fc544f39d5addf81dc61471771a5438778895b
According to `libc.map.txt`, `pselect64()` was introduced since API
level 28. This commit adds the annotations to `sys/select.h`.
Bug: 113263746
Test: ./bionic/tools/versioner/run_tests.py
Change-Id: I70ea4b23cef92857f1654cebb660e0219238fc95
This commit defines a default `__STRING()` definition. There should be
a default definition because the unit test cases of versioner will
include `android/versioning.h` directly. We cannot include
`sys/cdefs.h` in `android/versioning.h` either because that will lead to
circular inclusion.
Bug: 113263746
Test: ./bionic/tools/versioner/run_tests.py
Change-Id: Ie99c0eef4414fd687347baf3a2d295468877464f
Fixes a build error when PLATFORM_SDK_VERSION is not set.
Bug: 31559095
Test: attempt to build host bionic
Change-Id: I9cbdcea206ef1239c330a5adafbfa5cc797fef5e
Add a new mallopt flag that purges any pending decaying pages.
Test: boots and works
bug 117795621
Change-Id: Ib250ae2b705b6a368c1efb801d6a7be54e075acb
(cherry pciekd from commit 5083e833a6)
Tests: Ran malloc_debug_unit_tests
Tests: Flashed to walleye, sent signal, observed
"Unable to open shared library: heapprofd.so".
Change-Id: Ia8ce216837e29e3edbda8789ca28023d53fa1fda
Previously, we were callign tgkill(pid, 0, signal) instead, which would
fail with EINVAL instead.
Test: bionic-unit-tests
Change-Id: I25b127dcf347e0223274502b0516a950b6c2093e
Caused an ODR violation trying to build current ToT of toybox.
Bug: N/A
Test: can successfully build code with `#ifdef __ANDROID_NDK__`
Change-Id: Ia80b8889b267779ee01f6257744e1794db0ebc65
There's little value to having strings for these, but we may as well
for consistency. There's no ELASTERRNO constant we can use to check
whether we've fallen behind again, but these were added in 2009 and
2011 respectively, so we're not likely to have to deal with any more
new errno values any time soon...
Bug: http://b/117755069
Test: ran tests
Change-Id: I5b7155c22cad92c2fe03a0b4c7cae415c37fa186
When error_level != ANDROID_FDSAN_ERROR_LEVEL_FATAL, fdsan_error()
traverses the varargs twice. Each traversal needs its own
va_start()/va_end() pair. Otherwise async_safe_format_buffer_va_list()
will start consuming arguments where async_safe_format_log_va_list()
stopped, ironically causing the sanitizer runtime to perform bad memory
accesses.
Test: debuggerd_test32
Test: debuggerd_test64
Change-Id: Ic85ca94501e55e9a435410fab89edb273c381a5a
Signed-off-by: Greg Hackmann <ghackmann@google.com>
A76 still uses A55 as little core. It should be ok to use the same
setting as A75 for now.
Bug: 117125298
Test: run bionic tests
Change-Id: Idfd15424c20ae60becb6539f6ae855f3e7c264cd
The executable can be inside a zip file using the same syntax used for
shared objects: path.zip!/libentry.so.
The linker currently requires an absolute path. This restriction could be
loosened, but it didn't seem important? If it allowed non-absolute paths,
we'd need to decide how to handle:
- foo/bar (relative to CWD?)
- foo (search PATH / LD_LIBRARY_PATH, or also relative to CWD?)
- foo.zip!/bar (normalize_path() requires an absolute path)
The linker adjusts the argc/argv passed to main() and to constructor
functions to hide the initial linker argument, but doesn't adjust the auxv
vector or files like /proc/self/{exe,cmdline,auxv,stat}. Those files will
report that the kernel loaded the linker as an executable.
I think the linker_logger.cpp change guarding against (g_argv == NULL)
isn't actually necessary, but it seemed like a good idea given that I'm
delaying initialization of g_argv until after C++ constructors have run.
Bug: http://b/112050209
Test: bionic unit tests
Change-Id: I846faf98b16fd34218946f6167e8b451897debe5
Previously, we were zeroing out the reserved signals, when we actually
wanted to have TIMER_SIGNAL always be blocked, and the other signals
always be unblocked. This resulted in process termination when a
SIGEV_THREAD timer callback calls sigprocmask(SIG_SETMASK, ...) with
any signal mask value, and then subsequently fails to complete its
callback and reach the sigtimedwait in bionic before the next timer
iteration triggers.
Add a how argument to filter_reserved_signals to appropriately
block/unblock our reserved signals.
Bug: http://b/116783733
Test: bionic-unit-tests32/64
Change-Id: Ie5339682cdeb914711cd4089cd26ee395704d0df
glibc and musl both have these as synonyms for one another, so we may
as well do the same and get backwards compatibility on old OS releases.
Bug: N/A
Test: ran tests
Change-Id: I6bf38ea446560e1b11022ff539f07eb67c157049
I failed to convince the compiler/linker to just refrain (via factoring out,
attribute `noinline`, or meddling with `--icf=none`), but luckily I noticed
that we should have CHECK_FP in each function for a better error message,
and the distinct error messages keep the two functions apart.
(Also add a missing CHECK_FP to `clearerr_unlocked`.)
Bug: http://b/116969207
Test: manual with a modified `crasher`
Change-Id: Ic122e90e94f7e22f486be57d3dac7137a225d682
During the review of the script that generates /vendor/etc/passwd, it
was suggested that the shell be /vendor/bin/sh instead of the typical
/system/bin/sh. This has subsequently caused bionic unit tests to
fail, since they always check that the shell is set to /system/bin/sh.
In the spirit of that review, libc is modified to return
/vendor/bin/sh for the OEM AID ranges and the test is updated to
expect this.
Test: bionic unit tests
Change-Id: Ie7c1c48fde8a71b3df1aa0ef112d42ab7bd3baec
cc_objects are getting support for STL headers, disable them for
crt objects to avoid a circular dependency through libc++.
Test: m checkbuild
Change-Id: I4e0f4a2193ce98ec4b8802492add9014ec0dba98
Originally a BSD extension, now in glibc too. We've used it internally
for a while.
(cherry-pick of e4b13f7e3ca68edfcc5faedc5e7d4e13c4e8edb9.)
Bug: http://b/112163459
Test: ran tests
Change-Id: I813c3a62b13ddb91ba41e32a5a853d09207ea6bc
Merged-In: I813c3a62b13ddb91ba41e32a5a853d09207ea6bc
Make sure that TLS_SLOT_TSAN is always available and correctly set up in
HWASan-instrumented functions by setting up the tls register and running hwasan
initialization (__hwasan_init in the main thread and __hwasan_thread_enter in
secondary) early enough.
This is needed to accomodate a change in HWASan: https://reviews.llvm.org/D52249
Bug: 112438058
Test: boot with SANITIZE_TARGET=hwaddress, run bionic-tests
Change-Id: Icd909a4ea0da6c6c1095522bcc28debef5f2c63d
I stumbled across this because I was looking at the various locks in libc.
Bug: N/A
Test: ran tests
Change-Id: I77c9954f49aaae7519ea7f4917bbe6f138b841ad
These system calls are required by Breakpad for crash reporting.
WebViews are spawned from the webview_zygote, which itself is spawned
from the app_process zygote. The webview_zygote gets the SYSTEM seccomp
policy applied because it is not an app, and so the WebView sandboxed
processes inherit that policy.
In Ifd8a85b0de2eb6f2a76a6458570fc03b020a90ab, these system calls were
moved from COMMON to APP, which breaks Breakpad/crash reporting for
WebView sandboxed processes.
Bug: 112572914
Test: `am start com.android.settings/.SettingsLicenseActivity`
Test: Get the pid of the sandboxed_process0 for the license viewer.
Test: Send the process SIGABRT and check logcat for "google-breakpad"
error messages.
Change-Id: I1cf56ae85b1a67ec91e979bc7e0f941726a9cc0e
The alleged improvement consists in making the detection actually work
when netd is spawned by init, which of course uses the full path.
I had tested the previous logic by running netd from the shell, which
worked because argv[0] was just set to "netd". My bad -_-
Test: flash, boot and grep logcat for "Skipping libnetd_client init"
Change-Id: Ie5f11436dfa2a9347721147dc2b980144452404a
This change adds a 128-bit magic value just before the abort message
(and its length). This allows Chrome OS crash collector (which cannot
reliably correlate a crash with its corresponding tombstone) to extract
the abort message from the core dump.
Bug: 62387553
Test: /data/nativetest{,64}/debuggerd_test/*
Test: /data/nativetest{,64}/bionic-unit-tests{,-static}/*
Change-Id: I69ff021d773b3a10081ab16ddf6f23233320fb02
There's TLS space used for unknown errno values, and a call to printf
shouldn't clobber that. No-one will ever hit this in real life, but
since it's easily fixed...
Bug: http://b/112776560
Test: ran tests
Change-Id: I8c2437f2e5214e652119791d4e162a197b049d5b
Allows ART JIT use membarrier to invalidate instruction
pipelines.
Bug: 66095511
Test: bionic-unit-tests
Change-Id: I8cf83929f00baf5a3c440a899d2667a992bda8e2
HWASan needs to re-tag the newly unallocated stack space to match SP.
Bug: 112438058
Test: SANITIZE_TARGET=hwaddress
Change-Id: I4dddef542d802d63bdea59e32a03425a2c4f870b
Netd looping connections to itself via the libnetd_client connect()
wrapper has always unintended, although it worked until now. Once we
move the resolver into netd, the frequency of connect() calls will
increase, which makes it less acceptable.
There are several ways to detect if the calling process is netd.
Checking both uid == 0 and the argv[0] == netd makes it hard for
non-system components to spoof as netd.
Test: flash a device and check that netd logs the "Skipping..." message
Test: atest netd_integration_test
Change-Id: I9506facb4aa3094b16a98a913a1e2394056ce91a
Convert abort's inline_tgkill to do the equivalent of
pthread_sigqueue(pthread_self(), ...), so that we can use it in fdsan
as well.
Test: bionic-unit-tests
Test: debuggerd_test32
Test: debuggerd_test64
Change-Id: I92a7b84e2f00ce021b4043ed8a3bd8683d77fe9c
Conditional branch has limited range (1MB) and can not be extended by
the linker. The current distance (in walleye build) is 500KB, about
half of the maximum. HWASan pushes it over the limit.
Replace conditional branch with regular branch, which has longer
range (26 vs 19 bits offset) and can be extended in the linker if
needed.
Bug: 112437884
Bug: 12231437
Test: SANITIZE_TARGET=hwaddress
Change-Id: Idc083fb557ab3a859541beb009809992406a6703
* Some callers, e.g. external/curl/lib/select.c, do
poll(NULL, 0, ...) and get clang-diagnostic-nonnull check error.
Test: build with WITH_TIDY=1
Bug: 111850071
Change-Id: I7ea433d185cb84011a954f05964181b5518febd4
* changes:
fdsan: provide abort message in warning tombstones.
Implement pthread_sigqueue.
Stringify api_level in <android/versioning.h>.
Delete archaic pre-ANSI C support.
In particular, document the fact that they only affect the calling thread
on Android.
Bug: http://b/13134174
Test: ran tests
Change-Id: Ica6af451400d47e24358f59495ded63b2110eb8b
Make it so that we can use __ANDROID_API_<letter>__ constants in
__INTRODUCED_IN macros.
Test: treehugger
Change-Id: I0929c01e23e58f51d12f73200e1daf5ef484ea5d
In retrospect, allocating tag types from both ends will just make the
future creation of user-defined tags harder, because constants that are
introduced, and then used in previous versions might collide with
user-defined tags. Move all of the tag values to the front, so that we
can allocate from the end to minimize this.
Test: bionic_unit_tests
Change-Id: I5063adf8301b1063bd4931a6ce8b70dfe2411efd
Make it easier to write tests in users of fdsan by exposing functions
to allow users to get and interpret the tags.
Test: bionic_unit_tests
Change-Id: Iafa9bcaeb5e4db230f3dfec6f483274f34602694
We've copied & pasted these to too many places. And if we're going to
have another go at upstreaming these, that's probably yet another reason
to have the *values* in just one place. (Even if upstream wants different
names, we'll likely keep the legacy names around for a while for source
compatibility.)
Bug: http://b/111903542
Test: ran tests
Change-Id: I8ccc557453d69530e5b74f865cbe0b458c84e3ba
* Allow sanitization of libc (excluding existing global sanitizers)
and disallow sanitization of linker. The latter has not been
necessary before because HWASan is the first sanitizer to support
static binaries (with the exception of CFI, which is not used
globally).
* Static binary startup: initialize HWASan shadow very early so that
almost entire libc can be sanitized. The rest of initialization is
done in a global constructor; until that is done sanitized code can
run but can't report errors (will simply crash with SIGTRAP).
* Switch malloc_common from je_* to __sanitizer_*.
* Call hwasan functions when entering and leaving threads. We can not
intercept pthread_create when libc depends on libclang_rt.hwasan.
An alternative to this would be a callback interface like requested
here:
https://sourceware.org/glibc/wiki/ThreadPropertiesAPI
All of the above is behind a compile-time check
__has_feature(hwaddress_sanitizer). This means that HWASan actually
requires libc to be instrumented, and would not work otherwise. It's
an implementation choice that greatly reduces complexity of the tool.
Instrumented libc also guarantees that hwasan is present and
initialized in every process, which allows piecemeal sanitization
(i.e. library w/o main executable, or even individual static
libraries), unlike ASan.
Change-Id: If44c46b79b15049d1745ba46ec910ae4f355d19c
libc had some -Wimplicit-fallthrough warnings. They all seem to be
benign. We're trying to enable this flag globally, so we need to
annotate these breaks here.
Bug: 112564944
Test: Builds
Change-Id: I5afae694cc4cf26ad1a61e2c8ae91f00cda7c733
This runs through the trace of the allocations in a sql benchmark app
executed in the benchmark thread.
Add one benchmark with decay time set to 0 and another with decay time
set to 1.
Include a script that can generate a header file that can be used to
regenerate the data.
Bug: 112317428
Test: Builds, ran unit tests, ran benchmarks.
Change-Id: I62e287cc06b74b74bcc5a4bbee71b0fac0a196fd
This change allows the use of read(2) and getdents(2) so that UBSan can
work correctly on x86_64.
Bug: 111999822
Test: CtsWrapWrapDebugTestCases
Change-Id: I44aac17fffdffc5c3f5d87fb3d876af28c8044b2
This is currently a non-functional change, because base_timeout_msec is
never set to a non-default value (other than in unit tests).
Test: netd_unit_test --gtest_filter='ResolverTest.*'
Change-Id: I21989bab5cc9f55ee1392e30965eb405d720a28e
The primary motivation is speeding up tests for non-responsive
nameservers. It's also base infrastructure for future work to compute
retry timeouts dynamically.
Using default timeouts (RES_TIMEOUT = 5 seconds):
ResolverTest.GetAddrInfoV6_nonresponsive (45141 ms)
With base_timeout_msec=100:
ResolverTest.GetAddrInfoV6_nonresponsive (1264 ms)
Test: executed unsubmitted test from aosp/713993
Change-Id: Id902089ca69ca8d28032180ba51e8937262ef490
Let the debuggerd handler get the address of the fdsan table so that
crash_dump can parse it and print it out in tombstones.
Test: debuggerd `pidof adbd`
Change-Id: I2297200cae52d0ff24479dba55d1ab4938583501
Make it easier for other code to parse the fdsan table themselves by
making it so that they can include the bionic_fdsan.h header to get a
struct definition with the layout without bringing in other
dependencies.
Test: treehugger
Change-Id: I3583ef113991234aa83cd193a4eb139ad06737c7
This change avoids having to run the genseccomp.py script every time a
policy file is edited, and instead generates these files at
compile-time.
Bug: None
Test: m
Test: find out/soong/ -name x86_64_global_policy.cpp # Shows files
Test: generated policies are equivalent to original policies
Change-Id: I12461fe0c5fb02c008c1b2503fbb994b8aa2f56b
POSIX says "The popen() function shall ensure that any streams from
previous popen() calls that remain open in the parent process are closed
in the new child process". It doesn't appear to disallow all popen(3) file
descriptors from being O_CLOEXEC, and it's not obvious why anyone would want
them inherited. Let's see if we can make the stricter guarantee...
Bug: N/A
Test: ran tests
Change-Id: I2c85170d730b211637afb8ba10df150ca3237262
Add handling for all 4 cases of failure of exchange_owner_tag. Also,
mask off and sign extend the type byte of the owner tag, and add a
test for that.
Test: bionic_unit_tests
Change-Id: Ic7c49f0ee5498623f05c49b5b4cd055db48a4b9f
This change makes it possible to invoke this tool without having to
fiddle with the path.
Bug: None
Test: ./bionic/libc/tools/genseccomp.py # Succeeded
Change-Id: Ib24d70abc973fe774cda4209e46a5b66ae7617be
This change allows the use of readlink(2) so that UBSan can work
correctly on x86_64.
Bug: 111999822
Test: CtsWrapWrapDebugTestCases
Change-Id: I7f3013c712e3e41567a0d8e1bbb9d378c04b4433
arm32: Add a relocation for TLS descriptors (e.g. gcc's
-mtls-dialect=gnu2).
arm64: Add all the dynamic TLS relocations.
Two of the relocations here are obsolete:
- ARM documents R_ARM_SWI24 as an obsolete static relocation without
saying what it did. It's been replaced by R_ARM_TLS_DESC, a dynamic
relocation. We could probably remove it, but I left it because arm32
is old, and I see the macro in other libc's. It's probably analogous
to R_ARM_THM_SWI8, which is also an obsolete relocation reserved for
a future dynamic relocation.
- I couldn't find any ARM documentation at all for
R_AARCH64_TLS_DTPREL32. It seems to have been part of three
relocations:
- R_AARCH64_TLS_DTPREL32 1031
- R_AARCH64_TLS_DTPMOD32 1032
- R_AARCH64_TLS_TPREL32 1033
Bug: b/78026329
Test: run bionic unit tests
Change-Id: I5e7432f6e3e906152dc489be5e812fd8defcbafd
