Hilariously, our blog post didn't actually say how to turn it on :-) Bug: N/A Test: N/A Change-Id: I6e773e88c32a70b0f8b8b6d105fce74d68ebf5cd
8.4 KiB
Android bionic status
Bionic function availability
POSIX
You can see the current status with respect to POSIX in the form of tests: https://android.googlesource.com/platform/bionic/+/master/tests/headers/posix/
Some POSIX functionality is not supported by the Linux kernel, and
is guarded with tests for __linux__
. Other functionality is not
supported by bionic or glibc, and guarded with tests for __BIONIC__
and __GLIBC__
. In other cases historical accidents mean 32-bit
bionic diverged but 64-bit bionic matches POSIX; these are guarded with
__LP64__
.
Most bionic-only diversions should be accompanied by an explanatory comment.
Missing functions are either obsolete or explicitly disallowed by SELinux:
a64l
/l64a
confstr
crypt
/encrypt
/setkey
gethostid
shm_open
/shm_unlink
sockatmark
Missing functionality:
<aio.h>
<wordexp.h>
- Thread cancellation
- Robust mutexes
Run ./libc/tools/check-symbols-glibc.py
in bionic/ for the current
list of POSIX functions implemented by glibc but not by bionic.
libc
Current libc symbols: https://android.googlesource.com/platform/bionic/+/master/libc/libc.map.txt
New libc functions in P:
__freading
/__fwriting
(completing <stdio_ext.h>)endhostent
/endnetent
/endprotoent
/getnetent
/getprotoent
/sethostent
/setnetent
/setprotoent
(completing <netdb.h>)fexecve
fflush_unlocked
/fgetc_unlocked
/fgets_unlocked
/fputc_unlocked
/fputs_unlocked
/fread_unlocked
/fwrite_unlocked
getentropy
/getrandom
(adding <sys/random.h>)getlogin_r
glob
/globfree
(adding <glob.h>)hcreate
/hcreate_r
/hdestroy
/hdestroy_r
/hsearch
/hsearch_r
(completing <search.h>)iconv
/iconv_close
/iconv_open
(adding <iconv.h>)pthread_attr_getinheritsched
/pthread_attr_setinheritsched
/pthread_setschedprio
pthread_mutexattr_getprotocol
/pthread_mutexattr_setprotocol
(mutex priority inheritance)- <signal.h> support for
sigaction64_t
andsigset64_t
allowing LP32 access to real-time signals - <spawn.h>
swab
syncfs
New libc behavior in P:
%C
and%S
support in the printf family (previously only the wprintf family supported these)%mc
/%ms
/%m[
support in the scanf family%s
support in strptime (strftime already supported it)
New libc functions in O:
sendto
FORTIFY support__system_property_read_callback
/__system_property_wait
- legacy
bsd_signal
catclose
/catgets
/catopen
(adding <nl_types.h>)ctermid
- all 6 <grp.h>/<pwd.h> (get|set|end)(gr|pw)ent functions
futimes
/futimesat
/lutimes
getdomainname
/setdomainname
getsubopt
hasmntopt
mallopt
mblen
- 4 <sys/msg.h>
msg*
functions - <langinfo.h>
nl_langinfo
/nl_langinfo_l
pthread_getname_np
- 2 new Linux system calls
quotactl
andsync_file_range
- 4 <sys/sem.h>
sem*
functions - 4 <sys/shm.h>
shm*
functions - 5 legacy <signal.h> functions:
sighold
/sigignore
/sigpause
/sigrelse
/sigset
strtod_l
/strtof_l
/strtol_l
/strtoul_l
- <wctype.h>
towctrans
/towctrans_l
/wctrans
/wctrans_l
New libc functions in N:
- more FORTIFY support functions (
fread
/fwrite
/getcwd
/pwrite
/write
) - all remaining
_FILE_OFFSET_BITS=64
functions, completing_FILE_OFFSET_BITS=64
support in bionic (8) - all 7
pthread_barrier*
functions - all 5
pthread_spin*
functions lockf
/preadv
/pwritev
/scandirat
andoff64_t
variantsadjtimex
/clock_adjtime
getifaddrs
/freeifaddrs
/if_freenameindex
/if_nameindex
getgrgid_r
/getgrnam_r
- GNU extensions
fileno_unlocked
/strchrnul
- 32-bit
prlimit
libc function count over time: G 803, H 825, I 826, J 846, J-MR1 873, J-MR2 881, K 896, L 1116, M 1181, N 1226, O 1278
ndk-r17$ for i in `ls -1v platforms/android-*/arch-arm/usr/lib/libc.so` ; do \
echo $i; nm $i | grep -vw [AbdNnt] | grep -vw B | wc -l ; done
libm
Current libm symbols: https://android.googlesource.com/platform/bionic/+/master/libm/libm.map.txt
0 remaining missing POSIX libm functions.
19 new libm functions in O: complex trig/exp/log functions.
libm function count over time: G 158, J-MR2 164, L 220, M 265, O 284
Target API level behavioral differences
Most bionic bug fixes and improvements have been made without checks for
the app's targetSdkVersion
. As of O there were exactly two exceptions,
but there are likely to be more in future because of Project Treble.
Invalid pthread_t
handling (targetSdkVersion >= O)
As part of a long-term goal to remove the global thread list,
and in an attempt to flush out racy code, we changed how an invalid
pthread_t
is handled. For pthread_detach
, pthread_getcpuclockid
,
pthread_getschedparam
/pthread_setschedparam
, pthread_join
, and
pthread_kill
, instead of returning ESRCH when passed an invalid
pthread_t
, if you're targeting O or above, they'll abort with the
message "attempt to use invalid pthread_t".
Note that this doesn't change behavior as much as you might think: the
old lookup only held the global thread list lock for the duration of
the lookup, so there was still a race between that and the dereference
in the caller, given that callers actually need the tid to pass to some
syscall or other, and sometimes update fields in the pthread_internal_t
struct too.
We can't check a thread's tid against 0 to see whether a pthread_t
is still valid because a dead thread gets its thread struct unmapped
along with its stack, so the dereference isn't safe.
To fix your code, taking the affected functions one by one:
-
pthread_getcpuclockid
andpthread_getschedparam
/pthread_setschedparam
should be fine. Unsafe calls to those seem highly unlikely. -
Unsafe
pthread_detach
callers probably want to switch topthread_attr_setdetachstate
instead, or usepthread_detach(pthread_self());
from the new thread's start routine rather than calling detach in the parent. -
pthread_join
calls should be safe anyway, because a joinable thread won't actually exit and unmap until it's joined. If you're joining an unjoinable thread, the fix is to stop marking it detached. If you're joining an already-joined thread, you need to rethink your design! -
Unsafe
pthread_kill
calls aren't portably fixable. (And are obviously inherently non-portable as-is.) The best alternative on Android is to usepthread_gettid_np
at some point that you know the thread to be alive, and then callkill
/tgkill
with signal 0 (which checks whether a process exists rather than actually sending a signal). That's still not completely safe because if you're too late the tid may have been reused, but your code is inherently unsafe without a redesign anyway.
Interruptable sem_wait
(targetSdkVersion >= N)
POSIX says that sem_wait
can be interrupted by delivery of a
signal. This wasn't historically true in Android, and when we fixed this
bug we found that existing code relied on the old behavior. To preserve
compatibility, sem_wait
can only return EINTR on Android if the app
targets N or later.
FORTIFY
The _FORTIFY_SOURCE
macro can be used to enable extra
automatic bounds checking for common libc functions. If a buffer
overrun is detected, the program is safely aborted as in this
(example)[https://source.android.com/devices/tech/debug/native-crash#fortify].
Note that in recent releases Android's FORTIFY has been extended to
cover other issues. It can now detect, for example, passing O_CREAT
to open(2) without specifying a mode. It also performs some checking
regardless of whether the caller was built with FORTIFY enabled. In P,
for example, calling a pthread_mutex_
function on a destroyed mutex,
calling a <dirent.h>
function on a null pointer, using %n
with the
printf(3) family, or using the scanf(3) m
modifier incorrectly will
all result in FORTIFY failures even for code not built with FORTIFY.
More background information is available in our (FORTIFY in Android)[https://android-developers.googleblog.com/2017/04/fortify-in-android.html] blog post.
The Android platform is built with -D_FORTIFY_SOURCE=2
, but NDK users
need to manually enable FORTIFY by setting that themselves in whatever
build system they're using. The exact subset of FORTIFY available to
NDK users will depend on their target ABI level, because when a FORTIFY
check can't be guaranteed at compile-time, a call to a run-time _chk
function is added.