Add a no_recover option that allows specifying which sanitizers in
diagnostics modes shouldn't recover. This can help debugging as we test
enabling sanitizers in new libraries since it'll cause tombstones to be
generated along with the diagnostics information.
Bug: 80195448
Bug: 110791537
Test: Compiled test module with this flag, checked compiler command.
Test: Test module crashed, tombstone contained diagnostics information.
Change-Id: Ie938923ef95716c2d49d6cd719ee223ad62755c6
Current implementation does not play nice with -gc-sections.
Bug: 120673911
Test: make SANITIZE_TARGET=hwaddress recovery-persist
Change-Id: I36cd37fb41c0c26c7e747e2c1dd5fadf7a31f4e7
* Add -fno-sanitize=implicit-integer-sign-change when
there is any integer related sanitizer, and this check
is not explicitly specified.
Android core does not boot with this new sanitizer yet.
* Filter out -fno-sanitize=implicit-integer-sign-change
from tooling flags.
Bug: 119329758
Bug: 119557795
Test: make checkbuild, boot, go/clang-r346389-testing
Change-Id: I709de569cb73d070fc4958e2b4387f4041bc5438
Make sanitized targets in recovery depend on ".recovery" flavor of
sanitizer runtime library. This forces installation of the runtime
library in recovery image as long as at least one target depends on it.
Test: hwasan build can boot into recovery
Bug: 112438058
Bug: 119582521
Change-Id: I1b7f9fa4ff5f29acb03c27074512ea24467a3d37
Shadow call stack (SCS) is a security mitigation that uses a
separate stack (the SCS) for return addresses.
The effect of setting sanitize.scs on a shared library is to build
the library and all of its static library dependencies with SCS. This
is similar to CFI and the other sanitizers.
Bug: 112907825
Bug: 119557795
Change-Id: I82fb2b38b10eac911c4d2d120b74fea4af0622ad
HWASan is disabled in recovery strictly for code size, not for
correctness. With this change, HWASan binaries and libraries can be
used in recovery.
The real reason is the make build system which has no idea of the big
picture, and makes it hard to disable HWASan in _all_ recovery modules
recursively. A few static libraries have sneaked in.
Bug: 119582521
Test: sideload an OTA onto a hwasan device
Change-Id: I6536cc7bf5bfb37f939b585545a23c2068fbd47f
llvm-ar takes a --plugin argument but it is ignored for compatibility,
so passing it has no effect.
Change-Id: I4fc51d226d66cf2a43462d3d4ccc12e6e5ebb226
This reverts commit 98d8580c3a.
Change no longer needed with the new LLVM toolchain update.
Bug: 112907825
Bug: 111759196
Change-Id: Ife3ce47a602dd850ac84bb51abc70c0ca157776e
This is achieved via the compiler flag -ffixed-x18 for non-LTO builds
and the linker flag -plugin-opt -mattr=+reserve-x18 for LTO builds.
This change should be reverted once we upgrade past LLVM r340889
which does this by default on Android.
Bug: 112907825
Bug: 111759196
Change-Id: I05473ddbb98319d87d442425b4d715647eae3a38
Scudo is now compatible with the -fsanitize-minimal-runtime, and offers a new
dynamic library that doesn't bundle UBSan.
This patch adds support for this new library in Soong, preferring it over the
full one, unless a UBSan or diagnostic dependency is found.
Test: aosp compiled with m -j
Test: local test enabling Scudo for tombstoned
Change-Id: I17794131db148b33f8a8710ac43302cadf1af314
Make sure that the minimal runtime gets applied to the rest
of the sanitizers we might use from ubsan.
Bug: 80195448
Test: Build success and checked build flags.
Change-Id: I31b211b80bb1068c153a9b65454a2605933c9568
Clang is always used now, so we can remove all the GCC checks. Removing
GCC-specific configuration will happen in the next CL.
Test: m
Change-Id: I4835ecf6062159315d0dfb07b098e60bff033a8a
It allows use of sanitizer preprocessor macros (like __has_feature())
in assembly files.
Bug: 112438058
Test: SANITIZE_TARGET=hwaddress
Change-Id: Id3fed5492ab9473cbb13cd6c0485302412e8b1de
This is a new sanitizer similar to ASan, but with a few differences
from the build system perspective:
* Only runs on AArch64.
* Supports static binaries.
* Bionic itself will be built with HWASan.
* Does not have any "if a library is sanitized than the binary must
be, too" requirements unlike ASan. Even better, individual static
libraries can be freely sanitized or not. We propagate "nosanitize"
from binaries to static libraries anyway, because otherwise there
is no good way to disable hwasan on a binary as a whole.
Same a CFI, we export a list of sanitized static libraries to make.
In fact, we export separate lists for vendor and regular libraries,
because it is possible for one to be sanitized without the other
(i.e. there can be mylib.hwasan.vendor w/o mylib.hwasan or vice
versa).
Bug: 112438058, 112709969
Test: manual, part of a bigger patch set
Change-Id: Ie4fdeb522ac03cf9684526882e84dfee3807b6a7
VisitDepsDepthFirst is almost never correct, as it can't query
dependency tags of multiple dependencies between the same two modules.
Replace VisitDepsDepthFirst with WalkDeps in sanitize.go and
python.go. Also verify the dependency tag before continuing to
recurse to ensure that they don't recurse through genrules and into
unrelated modules.
Test: m checkbuild
Change-Id: I2f7560126f56b51a40ec39dfbdcc18b5891489f7
Scudo is a hardened usermode allocator that is part of LLVM's compiler-rt
project (home of the Sanitizers). clang allows for -fsanitize=scudo as a
possible command line option to link the shared Scudo library to a binary.
This patch add Scudo as a potential sanitize option. Scudo is not compatible
with ASan and TSan and will be disabled if either is enabled.
Bug: 72112048
Test: aosp compiled with m -j
Test: local experiment with scudo: true to ensure that a test target
(tombstoned) could be linked with scudo.
Change-Id: I76bb6c60891d4782f6665a112c4c2bf7c31645da
The SetSanitizer() method in cc/sanitize.go was also enabling
diagnostics for CFI when invoked from the sanitizer mutator. We
shouldn't be doing this, so this CL disables that.
Bug: 79785496
Test: strings libziparchive.so | grep 'ubsan'
Change-Id: Iffe0d4e9c333ac5dfbec3f48e381c232ce5d4463
The current VNDK ABI snapshot expects that CFI is disabled for
components that either in the include paths (from cfi-common.mk) OR
enabled directly in the makefile/blueprint. However, on non-arm64
architectures, the build system was only disabling CFI for vendor
components in the include paths.
This topic corrects it by (a) removing the include paths check to
disable CFI for vendor variants (this CL), and (b) inheriting the CFI
include paths in all product configs to ensure that when we update the
ABI we're able to move to relying exclusively
on (PRODUCT_)CFI_INCLUDE_PATHS.
Bug: 66301104
Test: ABI matches for all architectures.
Change-Id: I648edf13346b18fd88b623682e8590ed44709e0d
This CL restricts CFI_INCLUDE_PATHS and PRODUCT_CFI_INCLUDE_PATHS to
Arm64 only.
Bug: 66301104
Test: x86 targets do not respect the include paths variables
Change-Id: I66ec2fb05435535aaf5d59fdfc7a170a4fdd4f26
Enabling CFI changes the VNDK ABI from the frozen snapshot, so the
only solution for now is to temporarily disable CFI on all vendor
variants for the sake of compatibility.
Bug: 66301104
Test: ABI is consistent.
Change-Id: Ie7dca41e0f647808b08adede09a30f3c746e6bda
When linking in the UBSan minimal runtime, don't export the symbols.
This was resulting in an edge case where symbols were sometimes
undefined at runtime on address sanitized builds if static library
dependencies were integer overflow sanitized.
Bug: 78766744
Test: readelf on libraries show either inclusion of the shared library
or no undefined symbols related to the minimal runtime.
Change-Id: Ide85c8c6b53b400ce9166ccaf96d250797fe4b24
Merged-In: Ide85c8c6b53b400ce9166ccaf96d250797fe4b24
(cherry picked from commit 59fdea2ac2)
When linking in the UBSan minimal runtime, don't export the symbols.
This was resulting in an edge case where symbols were sometimes
undefined at runtime on address sanitized builds if static library
dependencies were integer overflow sanitized.
Bug: 78766744
Test: readelf on libraries show either inclusion of the shared library
or no undefined symbols related to the minimal runtime.
Change-Id: Ide85c8c6b53b400ce9166ccaf96d250797fe4b24
Previously abi diffs were allowed only on unsanitized variants of vndk
libraries. This CL allows them on all sanitized variants which go onto
production devices, eg: cfi variants.
Bug: 66301104
Test: Without this change, for arm64 libstagefright_foundation doesn't
get an lsdump file since we don't build an unsanitized variant
(aosp_arm64_ab).
Test: With this change, for arm64 libstagefright_foundation does
get an lsdump file (aosp_arm64_ab)
Merged-In: I94f82fd84fc898e4980c3f3619df9677ed723c32
Change-Id: I94f82fd84fc898e4980c3f3619df9677ed723c32
(cherry picked from commit b7e08ca830)
Previously abi diffs were allowed only on unsanitized variants of vndk
libraries. This CL allows them on all sanitized variants which go onto
production devices, eg: cfi variants.
Bug: 66301104
Test: Without this change, for arm64 libstagefright_foundation doesn't
get an lsdump file since we don't build an unsanitized variant
(aosp_arm64_ab).
Test: With this change, for arm64 libstagefright_foundation does
get an lsdump file (aosp_arm64_ab)
Change-Id: I94f82fd84fc898e4980c3f3619df9677ed723c32
This extends the minimal runtime dependency mutator to allow signed
and unsigned integer overflow diagnostics in static libraries and
binaries. This also enables the integer_overflow flag for static
libraries and binaries.
Note compilation will fail if the static library is a dependency
of a Make module that does not also have diagnostics enabled.
Bug: 66952339
Bug: 73283972
Test: make SANITIZE_TARGET{,_DIAG}=integer_overflow
Test: Enabled diagnostics in a static lib, saw results in logcat.
Test: Checked showcommands output for ubsan runtime library inclusion.
Change-Id: Ic52881a0f74cdcac0e4a15335df493b59b002ae5
This CL changes PRODUCT_CFI_INCLUDE_PATHS to be included in all
product configs by default. To maintain the status quo, the sanitizer
logic has been modified to only respect this product config for Arm64
devices (where this was previously enabled).
Bug: 63926619
Test: m -j60 # the device still has CFI enabled thanks to the default
opt-in
Change-Id: Ia613aec545ad3e544dea41a6dbdb4112aef4afab
cfiExportsMap was reinitialized for every module, which caused
data races. Create the path from the string on each use
instead.
Bug: 77234104
Test: m nothing with race detector turned on
Change-Id: Ibca3149dcbe8a9d4d9f7ec6dd0b164697e7ae5cd
Merged-In: Ibca3149dcbe8a9d4d9f7ec6dd0b164697e7ae5cd
(cherry picked from commit 1218a19f0d)
cfiExportsMap was reinitialized for every module, which caused
data races. Create the path from the string on each use
instead.
Bug: 77234104
Test: m nothing with race detector turned on
Change-Id: Ibca3149dcbe8a9d4d9f7ec6dd0b164697e7ae5cd
* Suppress more noisy new warnings at global level.
* Add -no-pie to partial link .o files, with -r.
* Revert workaround of b/72706604, no need of
-Wl,-plugin-opt,-emulated-tls
* Filter out clang 7.0 unknown flag "-Wno-extended-offsetof"
Bug: 72706604
Bug: 72412006
Test: make checkbuild
Change-Id: I7ff45465c4bd771991f42b40f68dc35586045656
Adds Soong support for -fsanitze-minimal-runtime when using
the integer overflow sanitizers. This makes the crashes due to these
sanitizers less mysterious.
Bug: 64091660
Test: Compiled and checked the generated compiler commands
Test: Checked program that overflows for the abort reason
Change-Id: Ieeceaf6c35c8371592952d3b8b977aefc11601c5
Merged-In: Ieeceaf6c35c8371592952d3b8b977aefc11601c5
(cherry picked from commit 30c5db2f47)
Adds Soong support for -fsanitze-minimal-runtime when using
the integer overflow sanitizers. This makes the crashes due to these
sanitizers less mysterious.
Bug: 64091660
Test: Compiled and checked the generated compiler commands
Test: Checked program that overflows for the abort reason
Change-Id: Ieeceaf6c35c8371592952d3b8b977aefc11601c5
LLVM-AR does not allow passing --plugin options more than once. The
--plugin ARFLAGS that lto want to add, may already exist if sanitizer is
also turned on.
Fixed this by adding a new bool Flags.ArGoldPlugin. Set this variable to
true whenever LLVM gold plugin is needed for ArFlags. In function
TransformObjToStaticLib(), add this option to arFlags using global value
${config.LLVMGoldPlugin} if the bool value is true.
Bug: http://b/73160350
Test: build the image with make and succeeded.
Change-Id: I62785829b0a4b663225926e4aed98defc1b6da2c
(cherry picked from commit 4917049f6e)
LLVM-AR does not allow passing --plugin options more than once. The
--plugin ARFLAGS that lto want to add, may already exist if sanitizer is
also turned on.
Fixed this by adding a new bool Flags.ArGoldPlugin. Set this variable to
true whenever LLVM gold plugin is needed for ArFlags. In function
TransformObjToStaticLib(), add this option to arFlags using global value
${config.LLVMGoldPlugin} if the bool value is true.
Bug: http://b/73160350
Test: build the image with make and succeeded.
Change-Id: I62785829b0a4b663225926e4aed98defc1b6da2c
-fsanitize=cfi requires LTO. Normally, the Clang driver automatically
enables emutls, but it's broken with -flto, so work around it by passing
-Wl,-plugin-opt=-emulated-tls.
See https://buganizer.corp.google.com/issues/72706604#comment15
Enable the workaround with ctx.Device(), which is the same condition used
in the existing I18acac41aac885fc6635fbd55f96ba7c845eb5e7 workaround.
Bug: b/72706604
Bug: https://github.com/android-ndk/ndk/issues/498
Test: m libaudioflinger (on internal master); \
readelf -sW symbols/system/lib64/libaudioflinger.so | grep tlNBLogWriter
check that __emutls_t.tlNBLogWriter exists
check that no symbols of type TLS exist
Change-Id: I2cf65574c52476843cc017ee176a7d6777e2ce0b
Handle paths variable provided from Make about where integer overflow
sanitization should be enabled by default, and prepare to enable minimal
runtime diagnostics for integer overflow sanitizers in userdebug/eng builds.
This provides Soong support for on-by-default paths from Make for
integer overflow sanitization.
Bug: 30969751
Bug: 63927620
Test: Include paths passed from Make are being sanitized.
Test: Compilation succeeds with and without diagnostics enabled.
Test: See Make patch for further test notes.
Change-Id: I803a75646cc27ef5b4b5b74b8eb2981c39f8a6a3
