Commit graph

93 commits

Author SHA1 Message Date
zijunzhao
02c4ef4d78 Nullability check for string module
Bugs: b/245972273
Test: adb shell
Change-Id: I4c71bca1ff72553b27805722c3076ed105612a21
2023-02-14 20:47:10 +00:00
Elliott Hughes
0d64243407 Add C23's memset_explicit().
https://open-std.org/jtc1/sc22/wg14/www/docs/n2897.htm

Test: treehugger
Change-Id: Ia0cfc72bdf3c22eda6a4fc9adaa4c0ca0ff9a7c8
2022-08-10 23:36:16 +00:00
Elliott Hughes
95c6cd753f Stop using the __ANDROID_API_x__ constants.
Historically we've made a few mistakes where they haven't matched the
right number. And most non-Googlers are much more familiar with the
numbers, so it seems to make sense to rely more on them. Especially in
header files, which we actually expect real people to have to read from
time to time.

Test: treehugger
Change-Id: I0d4a97454ee108de1d32f21df285315c5488d886
2019-12-20 13:26:14 -08:00
Elliott Hughes
0d1a8a5b0b Reland "Retire GCC FORTIFY."
This reverts commit 4dbe8fc22f.

The angler/bullhead builds are now dead, so this can go in.

Bug: https://issuetracker.google.com/74404306
Change-Id: I130cdcd6375b6125cb8a1e63a4a540b0dbe41ceb
2018-07-24 19:36:51 +00:00
Elliott Hughes
4dbe8fc22f Revert "Retire GCC FORTIFY."
This reverts commit 067bdc9546.

The angler/bullhead builds still use GCC, so I'll wait until they're turned down.

Bug: https://issuetracker.google.com/74404306
Change-Id: I777b08dd6ab5250d532b4b5cc56e9a790c13db20
2018-07-24 18:54:16 +00:00
Elliott Hughes
067bdc9546 Retire GCC FORTIFY.
NDK r18 (which removes GCC) is about to ship. We don't need this any more.

The immediate motivation for removing this right now is that the test
fails whenever we add Clang-only flags to the build system.

While we're here, clean up <stdatomic.h> too.

Bug: https://issuetracker.google.com/74404306
Test: ran tests
Change-Id: Iaad5d634d1ba76f0b6f19ad32cc27b2533771a4a
2018-07-23 17:22:58 -07:00
George Burgess IV
9024235005 Remove __overloadable/__RENAME_CLANG
Now that we have a clang that supports transparent overloads, we can
kill all of this cruft, and restore our upstream sources to their
untouched glory. Woohoo!

Bug: 12231437
Test: Built aosp_marlin; no obvious patch-related aosp_mips issues.
Change-Id: I520a19d014f12137f80e43f973dccd6711c571cd
2018-02-06 13:35:56 -08:00
Josh Gao
8e13b67c64 versioner: properly handle extern "C", "C++".
extern "C" and "C++" are parsed as a LinkageSpecDecl with the real Decl
as a child node. This leads to the preprocessor sticking its guard
between the extern specifier and the declaration.

Update the AST visitor to add a special-case for calculating the
SourceRange on a LinkageSpecDecl, and add a test.

Bug: https://github.com/android-ndk/ndk/issues/440
Test: python run_tests.py
Change-Id: I76445fe366cef46cfd2f16fb93d534d410c5edca
2017-11-06 17:23:36 -08:00
Elliott Hughes
df9a489b2b Add more const-correct C++ overloads.
libc++ actually provides overloads for all the standard C library stuff,
so we just need to handle the POSIX and GNU extensions, of which there
are just two more: memrchr and strcasestr.

Bug: http://b/22768375
Test: builds
Change-Id: Ie9ed1fbcc794e14a0c9bba13b5307ad677949613
2017-08-23 14:34:40 -07:00
Elliott Hughes
684c31a267 Name function arguments in libc headers for Studio.
Third batch of headers...

Bug: http://b/64613623
Test: builds
Change-Id: I32d8467a0bd22ba94d76476397f4f7dc51003886
2017-08-18 15:07:41 -07:00
Dan Albert
3f7e65e66e Add guards for things the versioner can't catch.
The versioner doesn't handle C++ blocks yet, so these guards won't be
added and it will appear as though the functions are always available
in C++, but based on API level in C.

Test: make checkbuild
Bug: https://github.com/android-ndk/ndk/issues/440
Change-Id: I31a20fa1596d836b280ffc6d7feb863afccca6c7
2017-08-15 14:42:31 -07:00
Elliott Hughes
3f66e74b90 Remove nullability specifications.
Bug: http://b/64251432
Test: builds
Change-Id: I5b1613484783f7478d30b5e694007f77fa626659
2017-08-01 13:24:40 -07:00
Elliott Hughes
ec6850d849 Remove restrict/__restrict.
We've never really used __restrict: only <string.h> and <stdio.h> (which
are still very similar to upstream BSD headers) consistently have these
annotations. Neither clang nor GCC warns for trivial cases, and there's
little obvious documentation benefit.

Bug: http://b/30833514
Test: builds
Change-Id: I3e4384281865475d0c55d764b546d8166419ee31
2017-08-01 08:28:46 -07:00
George Burgess IV
b97049c039 libc: Split FORTIFY into its own headers
This patch cleans up our standard headers by moving most of the FORTIFY
cruft out in to its own sandbox. In order to include the *_chk and
*_real declarations, you can either enable FORTIFY, or `#define
__BIONIC_DECLARE_FORTIFY_HELPERS`.

Both sys/select.h and strings.h are explicitly ignored by this patch.
Both of these files have very small __BIONIC_FORTIFY blocks, and don't
define any actual FORTIFY'ed functions (just macros, and 3 *_chk
functions).

This patch also makes the versioner ignore the FORTIFY implementation
headers, since we're guaranteed to pick the FORTIFY'ed headers up when
looking at the regular headers. (...Not to mention that making the
FORTIFY'ed headers freestanding would be annoying to do and maintain for
~no benefit).

We bake the knowledge of where FORTIFY headers live directly into the
versioner. We could go with a more general approach (e.g. adding an -X
IGNORED_FILE flag that tells the versioner to ignore
$HEADER_PATH/$IGNORED_FILE), but we'd then have to repeat that for every
test, every manual invocation of the versioner, etc. for no benefit
that's obvious to me.

Bug: 12231437
Test: m checkbuild on bullhead internal master + CtsBionicTestCases. no
new errors.

Change-Id: Iffc0cc609009b33d989cdaddde0a809282131a5b
2017-07-27 17:00:13 -07:00
Josh Gao
16d9ba808b Add version info for C++ versions of basename, strchrnul.
These still won't get guards added by the preprocessor, because it
compiles with C-only.

Bug: https://github.com/android-ndk/ndk/issues/440
Test: treehugger
Change-Id: I893b345e528ed1b761e0db00700037411bbb8b78
2017-06-30 13:21:25 -07:00
George Burgess IV
31e5a35f3d libc: fix typo in __RENAME macro
Apparently __strncpy_real redirects to strcpy instead of strncpy for GCC
builds. This is bad, and it confused a project compiled by GCC that uses
strcpy.

I audited all of the FORTIFY-related __RENAMEs both manually and with a
script I hacked together; they all look correct aside from this one.

FWIW, with the cleaned up clang FORTIFY, lots of the `void foo()
__RENAME(foo)` will just become `void foo()` if this last thing I'm
working on gets through review.

Bug: 35329524
Test: Previously broken project now seems to work. Bullhead and Ryu
both build + boot.

Change-Id: Ib18ee3535ae31eb7e8ae846dc012f9b64cac80bf
2017-04-19 18:46:44 +00:00
Treehugger Robot
278d31d36e Merge "libc: add const-correct string.h overloads" 2017-04-05 23:57:13 +00:00
George Burgess IV
19710f761b libc: remove newlines in prototypes in string.h
This gives more useful diagnostics if clang needs to mention these
functions (or a parameter of them).

Bug: 36984245
Test: m on bullhead completes successfully.
Change-Id: I17c2b624d08bc9dd3f08185b30029ed0c49ebb08
2017-04-05 13:30:52 -07:00
George Burgess IV
bd3d2088d9 libc: add const-correct string.h overloads
libcxx provides const-correct overloads for a few string.h functions.
These overloads use clang's enable_if attribute, so they're preferred
over our FORTIFY'ed equivalents.

This weakens _FORTIFY_SOURCE=2 when used with some of these functions,
since clang needs to see __pass_object_size in order to pass an accurate
result for __builtin_object_size(s, 1) at a callsite. Since those
functions don't have __pass_object_size on their params, clang can't do
that. This makes LLVM lower the __builtin_object_size calls, which means
we get the same result as __builtin_object_size(s, 0).

We have to provide all of the overloads in Bionic, since enable_if is
only used to disambiguate overloads with (otherwise) the same type. In
other words:

// overload 1
char *strchr(const char *, int s) __attribute__((enable_if(1, "")));
// overload 2
char *strchr(char *, int s);

void foo() {
  char cs[1] = {};
  strchr(static_cast<const char *>(cs), '\0'); // calls overload #1.
  strchr(cs, '\0'); // calls overload #2.
}

Bug: 34747525
Test: m checkbuild on bullhead internal master + AOSP. vts -m
BionicUnitTests passes on both. Surprisingly, the only code that this
seems to break is contained in Bionic.

Change-Id: Ie406f42fb3d1c5bf940dc857889876fc39b57c90
2017-04-05 13:17:07 -07:00
George Burgess IV
bce9a7d518 libc: use __bos instead of __bos0 for strchr.
I dunno why I used __bos0 in the first place; clang's strrchr (and
GCC's strchr+strrchr) both use __bos.

Bug: 34747525
Test: m. Device still boots. cts -m BionicUnitTests shows no new
failures.
Change-Id: Ifec0e05a6a1144fa3e3ac70562af3ec57c09c194
2017-04-04 11:12:18 -07:00
Dan Albert
9c2094f3c5 Fixup API level guards for new fortify functions.
Test: tools/update_headers.sh && make checkbuild
Bug: None
Change-Id: I9d06ea8a5ee9dc27d957f59e6e84150651ed1c76
2017-02-14 22:22:13 -08:00
Dan Albert
8b154b1e82 Guard the GNU strerror_r with an API check.
The deprecated headers have always had only the POSIX definition
available (and it's always been available). With the unified headers
as they are now, we actually make it unavailable for C++ users (C++
implies _GNU_SOURCE) targeting below M. Adding this guard means that
pre-M users will still at least get the POSIX one.

It's not great that moving to M as your target API will actually
change the signature of your strerror_r, but I don't see a better
option here (not until we have the compatibility library, anyway).

Test: make checkbuild
Bug: None
Change-Id: I2d15702467533a826c4ec10fd973ee929d2b562a
2017-02-14 19:29:31 -08:00
George Burgess IV
156d5a8ae9 Match __bos0 to __pass_object_size0 in FORTIFY
pass_object_size(N) forwards the result of __builtin_object_size(param,
N) to a function. So, a function that looks like:

  size_t foo(void *const p __pass_object_size) { return __bos0(p); }
  int bar = foo(baz);

would effectively be turned into

  size_t foo(void *const p, size_t sz) { return sz; }
  int bar = foo(baz, __bos(baz)); // note that this is not __bos0

This is bad, since if we're using __bos0, we want more relaxed
objectsize checks.

__bos0 should be more permissive than __bos in all cases, so this
change Should Be Fine™.

This change also makes GCC and clang share another function's
implementation (recv). I just realized we need to add special
diagnostic-related overloads bits for clang to it, but I can do that in
another patch.

Bug: None
Test: Bullhead builds and boots; CtsBionicTestCases passes.
Change-Id: I6818d0041328ab5fd0946a1e57321a977c1e1250
2017-02-10 18:14:43 -08:00
George Burgess IV
7cc779f15c libc: add clang FORTIFY support
This patch adds clang-style FORTIFY to Bionic. For more information on
FORTIFY, please see https://goo.gl/8HS2dW . This implementation works
for versions of clang that don't support diagnose_if, so please see the
"without diagnose_if" sections. We plan to swap to a diagnose_if-based
FORTIFY later this year (since it doesn't really add any features; it
just simplifies the implementation a lot, and it gives us much prettier
diagnostics)

Bug: 32073964
Test: Builds on angler, bullhead, marlin, sailfish. Bionic CTS tests
pass on Angler and Bullhead.

Change-Id: I607aecbeee81529709b1eee7bef5b0836151eb2b
2017-02-09 15:49:32 -08:00
Elliott Hughes
5bc78c8bcd Add and use constants for the Android API levels.
Test: bionic tests still pass
Change-Id: If1b619cfc9db1d3f5d91f14f2ace71058dca0c4a
2016-11-16 16:55:42 -08:00
Dan Albert
a3ce418ca6 Revert "Add legacy inlines for locale aware APIs."
We can't really add these to the unified headers yet since we're
still using the old headers as well, and libandroid_support needs to
work with both. These functions are already defined in
libandroid_support, so when using unified headers we'll get duplicate
definitions.

This was only going to be a temporary solution anyway. Instead we'll
just rely on libandroid_support (and eventually its rewrite) to handle
these.

This reverts commit 6576a3749b.

Test: ./tools/update_headers.py && make ndk && make native
      # Copied into working directory for unified headers NDK work.
      ndk/checkbuild.py
      ndk/run_tests.py --force-unified-headers
Bug: None

Change-Id: I5762e815e2030c89d7f2540df08dd67b6c2d10a5
2016-10-31 16:47:22 -07:00
Elliott Hughes
95fa061678 Rename __pure, __pure2, and __purefunc.
These names were pretty misleading (aka "backwards"), so switch to the
same obvious names glibc uses.

Test: build.
Change-Id: Ia98c9dbbccd0820386116562347654e84669034a
2016-09-28 12:36:38 -07:00
Josh Gao
6cd9fb080c Fix warnings (and errors) in static inline headers.
Bug: http://b/31676510
Change-Id: Idcbc544e498f7e6bbe99c2bf7dc557a5681e96c4
Test: preupload hook
2016-09-23 14:34:03 -07:00
Dan Albert
6576a3749b Add legacy inlines for locale aware APIs.
Test: make checkbuild tests
Bug: http://b/31639993
Change-Id: Ic43d690dff3c6960d7826bd0b064640a3ea0e883
2016-09-22 00:44:37 -07:00
Dan Albert
e5dd632e43 Move strncpy fortify into android-21.
__strncpy_chk2 wasn't added until android-21.

Test: make checkbuild
Bug: None
Change-Id: I527f88aca55ef5010e12ece18abbdce3d54ce252
2016-09-08 13:08:47 -07:00
Dan Albert
dfa6bbb54b Guard fortify inlines with __ANDROID_API__.
Test: make checkbuild with libc ndk_library patches applied
Change-Id: Ic5e248994c4f2702b0f4d6dfeda787187ea86017
2016-08-05 16:33:32 -07:00
Elliott Hughes
5470c18361 Make it possible to build bionic with -I instead of -isystem.
Various things:

* work around -Wnullability-completeness.
* use C++ casts in C++ and C casts in C.
* stop using attributes clang doesn't support (such as `warning`).
* remove duplicate definitions of XATTR_CREATE and XATTR_REPLACE.

Change-Id: I07649e46275b28a23ca477deea119fe843999533
2016-07-22 13:12:53 -07:00
Josh Gao
46b44160e9 Update header versions for NDK platform fixes.
Bug: http://b/28178111
Change-Id: Icd638673b409aa43a91490f77c6b4d79c9ea20d9
2016-06-02 13:40:35 -07:00
Dan Albert
baa2a973bd Use clang's nullability instead of nonnull.
http://clang.llvm.org/docs/AttributeReference.html#nonnull

_Nonnull is similar to the nonnull attribute in that it will instruct
compilers to warn the user if it can prove that a null argument is
being passed. Unlike the nonnull attribute, this annotation indicated
that a value *should not* be null, not that it *cannot* be null, or
even that the behavior is undefined. The important distinction is that
the optimizer will perform surprising optimizations like the
following:

    void foo(void*) __attribute__(nonnull, 1);

    int bar(int* p) {
      foo(p);

      // The following null check will be elided because nonnull
      // attribute means that, since we call foo with p, p can be
      // assumed to not be null. Thus this will crash if we are called
      // with a null pointer.
      if (src != NULL) {
        return *p;
      }
      return 0;
    }

    int main() {
      return bar(NULL);
    }

Note that by doing this we are no longer attaching any sort of
attribute for GCC (GCC doesn't support attaching nonnull directly to a
parameter, only to the function and naming the arguments
positionally). This means we won't be getting a warning for this case
from GCC any more. People that listen to warnings tend to use clang
anyway, and we're quickly moving toward that as the default, so this
seems to be an acceptable tradeoff.

Change-Id: Ie05fe7cec2f19a082c1defb303f82bcf9241b88d
2016-05-05 17:11:54 -07:00
Josh Gao
14adff1cfa Add versioning information to symbols.
Bug: http://b/28178111
Change-Id: I46bf95accd819f4521afb1173d8badcc5e9df31c
2016-04-29 16:39:50 -07:00
Josh Gao
c3cec27ad7 Extract strcasecmp and friends to <bits/strcasecmp.h>.
Bug: http://b/28067717
Change-Id: I76bab098d4c35d07a7a108055c43c820087f9253
2016-04-07 18:01:59 -07:00
Josh Gao
eb9b925012 Fix GNU/POSIX basename headers.
Including glibc's <libgen.h> will result in the user getting the POSIX
version of basename always, regardless of when it is included relative
to <string.h>. Prior to this patch, our implementation would result in
the one that's included first winning.

Bug: http://b/25459151
Change-Id: Id4aaf1670dad317d6bbc05763a84ee87596e8e59
2015-11-04 14:19:55 -08:00
Elliott Hughes
7ac3c128bb Add strchrnul.
Bug: http://b/18374026
Change-Id: Iea923309c090a51a2d41c5a83320ab3789f40f1c
2015-08-26 09:59:29 -07:00
Daniel Micay
4ae773633a add fortified memchr/memrchr implementations
Change-Id: I38c473cc0c608b08f971409a95eb8b853cb2ba1c
2015-04-17 21:17:12 -04:00
Elliott Hughes
3cfb52aab2 Add GNU extensions mempcpy and wmemcpy.
Used by elfutils. On the bright side, they stopped using __mempcpy.

Bug: 18374026
Change-Id: Id29bbe6ef1c5ed5a171bb6c32182f129d8332abb
2015-02-18 22:02:56 -08:00
Elliott Hughes
5038b19cef Break two incorrect transitive includes.
Change-Id: I95519caa5258cf5c6b8053f1c7e08ade2a824e49
2015-01-29 20:12:13 -08:00
Elliott Hughes
76f8916b90 Clean up <stdlib.h> slightly.
Interestingly, this mostly involves cleaning up our implementation of
various <string.h> functions.

Change-Id: Ifaef49b5cb997134f7bc0cc31bdac844bdb9e089
2015-01-26 14:28:41 -08:00
Elliott Hughes
b20c24456e Implement all the POSIX _l functions.
Strictly speaking, this only implements the _l variants of the functions
we actually have. We're still missing nl_langinfo_l, for example, but we
don't have nl_langinfo either.

Change-Id: Ie711c7b04e7b9100932a13f5a5d5b28847eb4c12
2014-11-06 15:52:22 -08:00
Dan Albert
658727e111 Inline helpers need to be exported unmangled.
__open_2() is used by the fortify implementation of open(2) in
fcntl.h, and as such needs an unmangled C name. For some reason
(inlining?), this doesn't cause problems at the default optimization
level, but does for -O0.

The rest of these didn't cause build failures, but they look suspect
and probably will, we just haven't caught them yet.

Bug: 17784968
Change-Id: I7391a7a8999ee204eaf6abd14a3d5373ea419d5b
2014-10-07 16:46:47 -07:00
Nick Kralevich
b84f667e93 further cleanup memcpy fortify implementation
Change-Id: I0380f3c8ca8f9bb8a206accd839c32c9daf13c56
2014-10-05 06:52:24 -07:00
Nick Kralevich
48be71d02b string.h: remove unused variable
Change-Id: I08b7dab1b374ad427fcbee4183f2c7d93d0199a9
2014-10-04 15:20:00 -07:00
Elliott Hughes
416d7ddaff Add GNU-compatible strerror_r.
We already had the POSIX strerror_r, but some third-party code defines
_GNU_SOURCE and expects to get the GNU strerror_r instead.

This exposed a bug in the libc internal logging functions where unlike
their standard brethren they wouldn't return the number of bytes they'd
have liked to have written.

Bug: 16243479
Change-Id: I1745752ccbdc569646d34f5071f6df2be066d5f4
2014-08-28 16:37:09 -07:00
Elliott Hughes
09c39d6df0 Implement the GNU basename(3) in addition to the POSIX one.
Code like perf(1) needs this.

Bug: 11860789
Change-Id: I907eb448052a7b165e4012d74303330d32328cb2
2014-08-19 14:30:30 -07:00
Elliott Hughes
2cfb4e8e2e Improve <sys/cdefs.h>.
Fix and use __RENAME (and lose ___RENAME --- two underscores should be
enough for anybody). This was the point of this change, because I want
to use __RENAME to support the two basename variants and the two
strerror_r variants.

Lose a bunch of macros that weren't being used.

Lose three dead files from the DNS code.

Change-Id: I3ef645c566b16a52217bc2e68c7d54b37c7c9522
2014-08-18 14:45:42 -07:00
Dehao Chen
28285f85a1 Workaround b/16818336 which fails build under aggressive inlining.
(cherry-pick of 7aa27e1c1a53afe28f6180fd1fc50d096cabea7b.)

Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
2014-08-06 11:43:38 -07:00