Enabling cfi for 32-bit arch; b/35157333 seems to have been resolved in b/67507331.
Bug: 158010610
Test: manual interaction with Wimbley device: youtube video, chrome
navigations, gmail
MPTS testing on Sargo
Change-Id: I9eb034deed9938710f0f7b690fa57108d9bc5669
Change-Id: I434748ede352f998e64a6639de6ba162762ee7f0
Snapshots storead global sets of modules that should be replaced with
vendor snapshot modules. Move the data instead to a vendor_snapshot
or recovery_snapshot module type that depends on all the modules in
the snapshot, and then have modules that should use the snaphsot
depend on it to query for the set of modules that should be replaced.
Bug: 177098205
Test: vendor_snapshot_test.go
Change-Id: I2826adacfb473e9139b5ea93ba83b8a54cc1a56b
cc_test without sanitize:memtag_heap acts as if it has implicit
sanitize{memtag_heap:true, diag:{memtag_heap:true}}. This is unaffected
by SANITIZE_TARGET.
Refactor the test to cover all permutations.
Change memtag include lists to act similar to SANITIZE_TARGET_DIAG: the
the sync include list upgrades async targets to sync, unless diag is
explicitly set to false in the target definition.
Bug: b/135772972
Test: cc_test.go
Change-Id: I6a969f2f5804cd5f47fc4e93a20e3b99ea5fa111
Memtag_heap adds an ELF note that enables MTE heap tagging in
bionic/scudo. Ignored on non-executables. With diagnostic
(diag:{memtag_heap:true}) enables the SYNC mode, otherwise - ASYNC mode.
Memtag_heap defaults to set (with diag) on cc_test targets, unset
otherwise. Ignored on non MTE-compatible hardware.
Bug: b/135772972
Test: soong tests
Change-Id: I88fd0f159e609e17bd13487749980a1ba02cb91c
Adds a PlatformSanitizable interface which both CC and Rust can
implement so that the sanitizer mutators in CC can sanitize Rust
shared/static libraries appropriately.
Bug: 147140513
Test: m nothing
Change-Id: Ib31103b6c4902a4d5df2565c0d7c981298d100a3
Also suppress a clang-tidy warning and a ubsan check to pass compilation.
Bug: 171348143
Test: build.
Change-Id: Ie5162c15df172cefd7cff9776e54531fd620bc23
To avoid adding ubsan to the apex allowed_dep list, this commit adds a
check on depedency tags to see if apex check should be skipped.
The check is only used on sharedLib dependencies when diag mode are enabled
for sanitizers.
Bug: 158010610
Test: make build for aosp-sargo and aosp_cf_x86_phone-userdebug
Change-Id: I3d7dbb70d8c80ffae1854819cf8cf9e6b0b15c00
Rewriting LLNDK dependencies with .llndk suffix requries referencing
a global data structure to determine if a given library is an LLNDK
library and therefore needs the .llndk suffix. References to
global data structures from mutators must be removed to support
incremental Soong analysis. Instead, move the LLNDK stubs rules
into the vendor variant of the implementing cc_library so that
the original name can be used.
As an incremental step, the llndk_library modules are left in
place, and the properties are copied into the cc_library via
the dependency specified by the llndk_stub property. A followup
will move the LLNDK properties directly into the cc_library and
delete the llndk_library modules.
The global list of LLNDK libraries is kept for now as it is used
to generate the vndk.libraries.txt file.
Bug: 170784825
Test: m checkbuild
Test: compare Soong outputs
Test: all Soong tests
Change-Id: I2a942b21c162541a49e27b2e5833c9aebccff1d0
Allow for different arch to specify sanitizer options.
Bug: 158010610
Test: Compiles with build options
Change-Id: I4db72f682e920e3c1a6d55473f316e56567636e6
This commit adds an new option to the sanitizer build config to enable CFI with the
"-fno-sanitize-cfi-canonical-jump-tables" flag in order to provide more
support for assembly heavy libraries.
Bug: 158010610
Test: Compile with option enabled in libaom and libvpx
Change-Id: I7d0d3ed6ff876582043fd72b687757426e3dc5aa
Add vendor_ramdisk_available and vendor_ramdisk attribute to
various rules. When a vendor_ramdisk variant of a module is
generated, it is installed to $OUT/vendor-ramdisk.
It is similar to a ramdisk image.
Test: m nothing -j
Change-Id: Ib2d16459f3094dbe21c3bdb7c016cb4b2bf62765
The hwasan runtime has stubs, make the function to add all version
variants of a shared library available to the sanitizer mutator.
Test: m checkbuild
Change-Id: Ie4124022140f8520834d7bf7b59f0499cd381083
liblog snapshot needs to sanitizer.address=false to avoid cycle in asan
builds. Adding that separately in library_sdk_member.go would start to
feel like whack-a-mole, so the snapshot generation is instead extended
to handle nested property structs.
This uses the BpPropertySet.AddProperty extension in
https://r.android.com/1423510, and common value optimisation now
recurses into non-anonymous structs, instead of comparing them as a
whole.
Test: m nothing
Test: `m SANITIZE_TARGET=address nothing` with prebuilts/runtime
present in the manifest and a fresh snapshot made with this
Bug: 151303681
Change-Id: I472554117a488e6c800045cb2ed59377778571a4
When building a vendor snapshot, the general rule the
build system uses to select a module for inclusion into
the vendor snapshot is if it's a framework module.
However, there are cases where a partner may modify the
framework module, thereby assuming control of that
module.
This change adds the exclude_from_vendor_snapshot
property allowing the partner to mark a module that
would normally be included in the vendor snapshot for
exclusion. This module is then built from source when
building the vendor image against the vendor snapshot.
Bug: 165705527
Test: m nothing
Test: build partner code against vendor snapshot
Change-Id: I6c5c15f13eeeb8f29717a4abd84b65fa72096889
AddFarVariationDependencies was broken, which allowed sdk modules to
request dependencies using image and version variations, even for
host modules that do not have image or version variations. Make
the image and version variations conditional on device sdk modules.
Test: go test ./sdk
Change-Id: I59b7a32a3782254fd5feb828a5258ee13d4db812
CFI modules can't link against non-CFI static libraries, and vice versa.
So without capturing both CFI and non-CFI static libraries, vendor
modules won't be able to use CFI, which will be a critical security
hole.
This captures both CFI and non-CFI variants of all static libraries for
vendor snapshot, except for those whose cfi are explicitly disabled.
For example, suppose that "libfoo" is defined as follows.
cc_library_static {
name: "libfoo",
vendor_available: true,
}
As it doesn't have cfi disabled, two libraries "libfoo.a" and
"libfoo.cfi.a" will be captured. When installed, vendor snapshot module
for "libfoo" will look like:
vendor_snapshot_static {
name: "libfoo",
src: "libfoo.a",
cfi: {
src: "libfoo.cfi.a",
},
}
The build system will recognize the "cfi" property, and will create both
CFI and non-CFI variant, allowing any modules to link against "libfoo"
safely, no matter whether CFI is enabled or not.
Two clarification:
1) The reason why we don't create separate modules is that DepsMutator
runs before sanitize mutators. CFI and non-CFI variant of a library
should exist in a single module.
2) We can't capture CFI variant if the source module explicitly disables
cfi variant by specifying the following.
sanitize: {
cfi: false,
}
In this case, only non-CFI variant will be created for the vendor
snapshot module.
Bug: 65377115
Test: m dist vendor-snapshot && install && build against snapshot
Change-Id: Idbf3e3205d581800d6093c8d6cf6152374129ba4
Dependencies of makefile modules are being redirected according to
SOONG_CFI_STATIC_LIBRARIES and SOONG_HWASAN_STATIC_LIBRARIES. But the
variables are shared among all variants (e.g. core, vendor, product,
arch), which can cause build error.
This splits the Makefile variables into several lists, one list per each
arch and each image variant, to correctly make the redirection.
Bug: 162476652
Test: build and inspect ninja
Change-Id: Icc753382f1c53de8468cc85243a6954e1986297a
All uses of this property have been migrated to 'blocklist' instead.
Update language to comply with Android’s inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for
reference
Bug: 161896447
Bug: 162245450
Test: TH
Change-Id: I4b83b41ad5a4b2caf1166b1acece9537f545aaad
dependencyTag uses a set of predefined tags to identify different types
of dependencies. There are already multiple bits of metadata stored
in the dependency tag (Library, Shared, ReexportFlags), and supporting
them all requires a combinatorial explosion of predefined tags and
causes issues when using equality comparisons if a new bit of metadata
is added.
Add a new libraryDependencyTag type that will contain the metadata
bits, and replace the quality comparisons with checks on the metadata
bits.
There are 5 TODOs where modifying the checks identified problems with
the existing checks. These were left in place to produce identical
build output and will be fixed separately.
Bug: 162437057
Test: no change to build.ninja or {Android,make_vars,late}-${TARGET_PRODUCT}.mk
Change-Id: I72d4207dcf381c07c92e00e5a03968ebb5ed8d30
Bug: 162024969
Test: Successfully builds targets for both host and device
"writeonly" flag in SANITIZE_(HOST|TARGET) enables it with "address"
and "hwaddress"
Change-Id: Ia89d43230deef15a67dee09ed015fea14f0717ff
This will eventually replace the Blacklist property.
Update language to comply with Android’s inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for
reference
Bug: 161896447
Bug: 162245450
Test: build topic
Change-Id: I3c2609c791c27b8ba3bcb55f79304b78bce1f518
There're two ways to enable hwasan:
- global setting: TARGET_SANITIZE=hwaddress
- individual setting: sanitize: { hwaddress: true }
This change covers both cases by looking up if com.android.runtime is
hwaddress santized or not.
Bug: 156678661
Test: m (soong test added)
Change-Id: I67c382c3e76a06f4b27f221eebd153c698647227
This was causing build breaks when different devices moved to Android.bp
at different times.
Bug: 150878976
Test: build *_hwasan targets
Change-Id: I68912bb6a5696809c318d1ec816a1bcfbe2df245
Merged-In: I68912bb6a5696809c318d1ec816a1bcfbe2df245
(cherry picked from commit 7b6af23db6)
This was causing build breaks when different devices moved to Android.bp
at different times.
Bug: 150878976
Test: build *_hwasan targets
Change-Id: I68912bb6a5696809c318d1ec816a1bcfbe2df245
Also remove a deprecated flag -fsanitize-hwaddress-abi=platform.
Switching to the new pass manager reduces size of the "lib64" directory
by almost 6%.
Bug: 135298400
Test: objdump -d path/to/symbols/system/lib64/*.so | grep __hwasan_check_
Test: adb shell sanitizer-status
Change-Id: I327ee982e20c02b3b2126d93189048d9f4bfb301
Only disable CFI on incompatible variants rather than the base module.
Bug: 142157676
Test: Manual llvm-cfi-verify checks
Change-Id: I999e1dbcccc1ffb102b2fe01c47f1bda4df5e601
Merged-In: I999e1dbcccc1ffb102b2fe01c47f1bda4df5e601
(cherry picked from commit 4774a81c0f)
Host binaries by default use the UBSan runtime whether or not
diagnostics are requested in the module definition. The rest of the code
assumes the runtime is only needed when diag properties are set.
This makes sure to add the runtime to the dependency graph of host
binaries that are UBSanitized.
Bug: 150336284
Test: ./art/tools/dist_linux_bionic.sh com.android.art.host
Test: runtime appropriately identified as a dependency of libziparchive
Change-Id: I2704aaba4abc7f4e6d96747917c77b5147fd1d56
Merged-In: I2704aaba4abc7f4e6d96747917c77b5147fd1d56
(cherry picked from commit f3b190f8e7)
Host binaries by default use the UBSan runtime whether or not
diagnostics are requested in the module definition. The rest of the code
assumes the runtime is only needed when diag properties are set.
This makes sure to add the runtime to the dependency graph of host
binaries that are UBSanitized.
Bug: 150336284
Test: ./art/tools/dist_linux_bionic.sh com.android.art.host
Test: runtime appropriately identified as a dependency of libziparchive
Change-Id: I2704aaba4abc7f4e6d96747917c77b5147fd1d56
Only disable CFI on incompatible variants rather than the base module.
Bug: 142157676
Test: Manual llvm-cfi-verify checks
Change-Id: I999e1dbcccc1ffb102b2fe01c47f1bda4df5e601
