History log of /bionic/tools/versioner/current/string.h
Revision Date Author Comments
90242350053e6fd2c03640d3f9b37864d18c414d 06-Feb-2018 George Burgess IV <gbiv@google.com> Remove __overloadable/__RENAME_CLANG

Now that we have a clang that supports transparent overloads, we can
kill all of this cruft, and restore our upstream sources to their
untouched glory. Woohoo!

Bug: 12231437
Test: Built aosp_marlin; no obvious patch-related aosp_mips issues.
Change-Id: I520a19d014f12137f80e43f973dccd6711c571cd
8e13b67c64df389ce72bcb02ab3e1888da48f254 07-Nov-2017 Josh Gao <jmgao@google.com> versioner: properly handle extern "C", "C++".

extern "C" and "C++" are parsed as a LinkageSpecDecl with the real Decl
as a child node. This leads to the preprocessor sticking its guard
between the extern specifier and the declaration.

Update the AST visitor to add a special-case for calculating the
SourceRange on a LinkageSpecDecl, and add a test.

Bug: https://github.com/android-ndk/ndk/issues/440
Test: python run_tests.py
Change-Id: I76445fe366cef46cfd2f16fb93d534d410c5edca
df9a489b2bfcc224943a12b447e9cf00db81d9e0 23-Aug-2017 Elliott Hughes <enh@google.com> Add more const-correct C++ overloads.

libc++ actually provides overloads for all the standard C library stuff,
so we just need to handle the POSIX and GNU extensions, of which there
are just two more: memrchr and strcasestr.

Bug: http://b/22768375
Test: builds
Change-Id: Ie9ed1fbcc794e14a0c9bba13b5307ad677949613
684c31a2676772ad1fa2005941dcb6f6493b7dfc 19-Aug-2017 Elliott Hughes <enh@google.com> Name function arguments in libc headers for Studio.

Third batch of headers...

Bug: http://b/64613623
Test: builds
Change-Id: I32d8467a0bd22ba94d76476397f4f7dc51003886
3f7e65e66e63113d2556df517647c812d21f8817 15-Aug-2017 Dan Albert <danalbert@google.com> Add guards for things the versioner can't catch.

The versioner doesn't handle C++ blocks yet, so these guards won't be
added and it will appear as though the functions are always available
in C++, but based on API level in C.

Test: make checkbuild
Bug: https://github.com/android-ndk/ndk/issues/440
Change-Id: I31a20fa1596d836b280ffc6d7feb863afccca6c7
3f66e74b903905e763e104396aff52a81718cfde 01-Aug-2017 Elliott Hughes <enh@google.com> Remove nullability specifications.

Bug: http://b/64251432
Test: builds
Change-Id: I5b1613484783f7478d30b5e694007f77fa626659
ec6850d849746ffbafaaf9b993c5dbb74a014b3f 01-Aug-2017 Elliott Hughes <enh@google.com> Remove restrict/__restrict.

We've never really used __restrict: only <string.h> and <stdio.h> (which
are still very similar to upstream BSD headers) consistently have these
annotations. Neither clang nor GCC warns for trivial cases, and there's
little obvious documentation benefit.

Bug: http://b/30833514
Test: builds
Change-Id: I3e4384281865475d0c55d764b546d8166419ee31
b97049c0390cb1a11b9cb0b14391972e69398ce5 25-Jul-2017 George Burgess IV <gbiv@google.com> libc: Split FORTIFY into its own headers

This patch cleans up our standard headers by moving most of the FORTIFY
cruft out in to its own sandbox. In order to include the *_chk and
*_real declarations, you can either enable FORTIFY, or `#define
__BIONIC_DECLARE_FORTIFY_HELPERS`.

Both sys/select.h and strings.h are explicitly ignored by this patch.
Both of these files have very small __BIONIC_FORTIFY blocks, and don't
define any actual FORTIFY'ed functions (just macros, and 3 *_chk
functions).

This patch also makes the versioner ignore the FORTIFY implementation
headers, since we're guaranteed to pick the FORTIFY'ed headers up when
looking at the regular headers. (...Not to mention that making the
FORTIFY'ed headers freestanding would be annoying to do and maintain for
~no benefit).

We bake the knowledge of where FORTIFY headers live directly into the
versioner. We could go with a more general approach (e.g. adding an -X
IGNORED_FILE flag that tells the versioner to ignore
$HEADER_PATH/$IGNORED_FILE), but we'd then have to repeat that for every
test, every manual invocation of the versioner, etc. for no benefit
that's obvious to me.

Bug: 12231437
Test: m checkbuild on bullhead internal master + CtsBionicTestCases. no
new errors.

Change-Id: Iffc0cc609009b33d989cdaddde0a809282131a5b
16d9ba808b64a2af8a10b5710bea7c4b63e989db 30-Jun-2017 Josh Gao <jmgao@google.com> Add version info for C++ versions of basename, strchrnul.

These still won't get guards added by the preprocessor, because it
compiles with C-only.

Bug: https://github.com/android-ndk/ndk/issues/440
Test: treehugger
Change-Id: I893b345e528ed1b761e0db00700037411bbb8b78
07e75fe9a1cbf323b5de168448583ed66211efe0 19-Apr-2017 George Burgess IV <gbiv@google.com> libc: fix typo in __RENAME macro

Apparently __strncpy_real redirects to strcpy instead of strncpy for GCC
builds. This is bad, and it confused a project compiled by GCC that uses
strcpy.

I audited all of the FORTIFY-related __RENAMEs both manually and with a
script I hacked together; they all look correct aside from this one.

FWIW, with the cleaned up clang FORTIFY, lots of the `void foo()
__RENAME(foo)` will just become `void foo()` if this last thing I'm
working on gets through review.

Bug: 35329524
Test: Previously broken project now seems to work. Bullhead and Ryu
both build + boot.

(cherry picked from commit 31e5a35f3d403ffa4ffe0215f9664d08fb749ada)

Change-Id: I790a42f2cf2f7b8e003faa4df9135db22a2e20db
31e5a35f3d403ffa4ffe0215f9664d08fb749ada 19-Apr-2017 George Burgess IV <gbiv@google.com> libc: fix typo in __RENAME macro

Apparently __strncpy_real redirects to strcpy instead of strncpy for GCC
builds. This is bad, and it confused a project compiled by GCC that uses
strcpy.

I audited all of the FORTIFY-related __RENAMEs both manually and with a
script I hacked together; they all look correct aside from this one.

FWIW, with the cleaned up clang FORTIFY, lots of the `void foo()
__RENAME(foo)` will just become `void foo()` if this last thing I'm
working on gets through review.

Bug: 35329524
Test: Previously broken project now seems to work. Bullhead and Ryu
both build + boot.

Change-Id: Ib18ee3535ae31eb7e8ae846dc012f9b64cac80bf
19710f761b4134d653936fde88f3c4477ab2128e 05-Apr-2017 George Burgess IV <gbiv@google.com> libc: remove newlines in prototypes in string.h

This gives more useful diagnostics if clang needs to mention these
functions (or a parameter of them).

Bug: 36984245
Test: m on bullhead completes successfully.
Change-Id: I17c2b624d08bc9dd3f08185b30029ed0c49ebb08
bd3d2088d99f45babb8a73192b53b6fd91930af3 05-Apr-2017 George Burgess IV <gbiv@google.com> libc: add const-correct string.h overloads

libcxx provides const-correct overloads for a few string.h functions.
These overloads use clang's enable_if attribute, so they're preferred
over our FORTIFY'ed equivalents.

This weakens _FORTIFY_SOURCE=2 when used with some of these functions,
since clang needs to see __pass_object_size in order to pass an accurate
result for __builtin_object_size(s, 1) at a callsite. Since those
functions don't have __pass_object_size on their params, clang can't do
that. This makes LLVM lower the __builtin_object_size calls, which means
we get the same result as __builtin_object_size(s, 0).

We have to provide all of the overloads in Bionic, since enable_if is
only used to disambiguate overloads with (otherwise) the same type. In
other words:

// overload 1
char *strchr(const char *, int s) __attribute__((enable_if(1, "")));
// overload 2
char *strchr(char *, int s);

void foo() {
char cs[1] = {};
strchr(static_cast<const char *>(cs), '\0'); // calls overload #1.
strchr(cs, '\0'); // calls overload #2.
}

Bug: 34747525
Test: m checkbuild on bullhead internal master + AOSP. vts -m
BionicUnitTests passes on both. Surprisingly, the only code that this
seems to break is contained in Bionic.

Change-Id: Ie406f42fb3d1c5bf940dc857889876fc39b57c90
bce9a7d51898f73d8e3cef2c4a437bf08698430f 04-Apr-2017 George Burgess IV <gbiv@google.com> libc: use __bos instead of __bos0 for strchr.

I dunno why I used __bos0 in the first place; clang's strrchr (and
GCC's strchr+strrchr) both use __bos.

Bug: 34747525
Test: m. Device still boots. cts -m BionicUnitTests shows no new
failures.
Change-Id: Ifec0e05a6a1144fa3e3ac70562af3ec57c09c194
9c2094f3c527301068f2049eefd9e684a7995352 15-Feb-2017 Dan Albert <danalbert@google.com> Fixup API level guards for new fortify functions.

Test: tools/update_headers.sh && make checkbuild
Bug: None
Change-Id: I9d06ea8a5ee9dc27d957f59e6e84150651ed1c76
8b154b1e8233e1d34a6a66b72369f05f8655b653 15-Feb-2017 Dan Albert <danalbert@google.com> Guard the GNU strerror_r with an API check.

The deprecated headers have always had only the POSIX definition
available (and it's always been available). With the unified headers
as they are now, we actually make it unavailable for C++ users (C++
implies _GNU_SOURCE) targeting below M. Adding this guard means that
pre-M users will still at least get the POSIX one.

It's not great that moving to M as your target API will actually
change the signature of your strerror_r, but I don't see a better
option here (not until we have the compatibility library, anyway).

Test: make checkbuild
Bug: None
Change-Id: I2d15702467533a826c4ec10fd973ee929d2b562a
156d5a8ae93c6515919dd6706481991c7c0dc600 10-Feb-2017 George Burgess IV <gbiv@google.com> Match __bos0 to __pass_object_size0 in FORTIFY

pass_object_size(N) forwards the result of __builtin_object_size(param,
N) to a function. So, a function that looks like:

size_t foo(void *const p __pass_object_size) { return __bos0(p); }
int bar = foo(baz);

would effectively be turned into

size_t foo(void *const p, size_t sz) { return sz; }
int bar = foo(baz, __bos(baz)); // note that this is not __bos0

This is bad, since if we're using __bos0, we want more relaxed
objectsize checks.

__bos0 should be more permissive than __bos in all cases, so this
change Should Be Fineā„¢.

This change also makes GCC and clang share another function's
implementation (recv). I just realized we need to add special
diagnostic-related overloads bits for clang to it, but I can do that in
another patch.

Bug: None
Test: Bullhead builds and boots; CtsBionicTestCases passes.
Change-Id: I6818d0041328ab5fd0946a1e57321a977c1e1250
7cc779f15c524e1622f7d5b1c7e82e6ffc6677fd 09-Feb-2017 George Burgess IV <gbiv@google.com> libc: add clang FORTIFY support

This patch adds clang-style FORTIFY to Bionic. For more information on
FORTIFY, please see https://goo.gl/8HS2dW . This implementation works
for versions of clang that don't support diagnose_if, so please see the
"without diagnose_if" sections. We plan to swap to a diagnose_if-based
FORTIFY later this year (since it doesn't really add any features; it
just simplifies the implementation a lot, and it gives us much prettier
diagnostics)

Bug: 32073964
Test: Builds on angler, bullhead, marlin, sailfish. Bionic CTS tests
pass on Angler and Bullhead.

Change-Id: I607aecbeee81529709b1eee7bef5b0836151eb2b
5bc78c8bcd0c1e634c04029309ede3ec05f2d424 16-Nov-2016 Elliott Hughes <enh@google.com> Add and use constants for the Android API levels.

Test: bionic tests still pass
Change-Id: If1b619cfc9db1d3f5d91f14f2ace71058dca0c4a
a3ce418ca6ad440d19c98e15132a76a877eb0bdc 01-Nov-2016 Dan Albert <danalbert@google.com> Revert "Add legacy inlines for locale aware APIs."

We can't really add these to the unified headers yet since we're
still using the old headers as well, and libandroid_support needs to
work with both. These functions are already defined in
libandroid_support, so when using unified headers we'll get duplicate
definitions.

This was only going to be a temporary solution anyway. Instead we'll
just rely on libandroid_support (and eventually its rewrite) to handle
these.

This reverts commit 6576a3749bd3805508294bfcac3d9658fc0f8d6e.

Test: ./tools/update_headers.py && make ndk && make native
# Copied into working directory for unified headers NDK work.
ndk/checkbuild.py
ndk/run_tests.py --force-unified-headers
Bug: None

Change-Id: I5762e815e2030c89d7f2540df08dd67b6c2d10a5
95fa061678400315ee757758bf5f9146176d47a0 28-Sep-2016 Elliott Hughes <enh@google.com> Rename __pure, __pure2, and __purefunc.

These names were pretty misleading (aka "backwards"), so switch to the
same obvious names glibc uses.

Test: build.
Change-Id: Ia98c9dbbccd0820386116562347654e84669034a
6cd9fb080caca2d0d8fcb8f400c1ec466e7b2466 23-Sep-2016 Josh Gao <jmgao@google.com> Fix warnings (and errors) in static inline headers.

Bug: http://b/31676510
Change-Id: Idcbc544e498f7e6bbe99c2bf7dc557a5681e96c4
Test: preupload hook
6576a3749bd3805508294bfcac3d9658fc0f8d6e 21-Sep-2016 Dan Albert <danalbert@google.com> Add legacy inlines for locale aware APIs.

Test: make checkbuild tests
Bug: http://b/31639993
Change-Id: Ic43d690dff3c6960d7826bd0b064640a3ea0e883
e5dd632e43dd81f293afdb93a6556d40d7007765 08-Sep-2016 Dan Albert <danalbert@google.com> Move strncpy fortify into android-21.

__strncpy_chk2 wasn't added until android-21.

Test: make checkbuild
Bug: None
Change-Id: I527f88aca55ef5010e12ece18abbdce3d54ce252
dfa6bbb54bd9ab2a71df4c066427ea804608e20b 03-Aug-2016 Dan Albert <danalbert@google.com> Guard fortify inlines with __ANDROID_API__.

Test: make checkbuild with libc ndk_library patches applied
Change-Id: Ic5e248994c4f2702b0f4d6dfeda787187ea86017
5470c183611737af5ec954984e4bdb5da8c99b73 22-Jul-2016 Elliott Hughes <enh@google.com> Make it possible to build bionic with -I instead of -isystem.

Various things:

* work around -Wnullability-completeness.
* use C++ casts in C++ and C casts in C.
* stop using attributes clang doesn't support (such as `warning`).
* remove duplicate definitions of XATTR_CREATE and XATTR_REPLACE.

Change-Id: I07649e46275b28a23ca477deea119fe843999533
46b44160e9e4c466be0faf1bb8d6ec70ecc83273 27-May-2016 Josh Gao <jmgao@google.com> Update header versions for NDK platform fixes.

Bug: http://b/28178111
Change-Id: Icd638673b409aa43a91490f77c6b4d79c9ea20d9
baa2a973bd776a51bb05a8590ab05d86eea7b321 14-Aug-2015 Dan Albert <danalbert@google.com> Use clang's nullability instead of nonnull.

http://clang.llvm.org/docs/AttributeReference.html#nonnull

_Nonnull is similar to the nonnull attribute in that it will instruct
compilers to warn the user if it can prove that a null argument is
being passed. Unlike the nonnull attribute, this annotation indicated
that a value *should not* be null, not that it *cannot* be null, or
even that the behavior is undefined. The important distinction is that
the optimizer will perform surprising optimizations like the
following:

void foo(void*) __attribute__(nonnull, 1);

int bar(int* p) {
foo(p);

// The following null check will be elided because nonnull
// attribute means that, since we call foo with p, p can be
// assumed to not be null. Thus this will crash if we are called
// with a null pointer.
if (src != NULL) {
return *p;
}
return 0;
}

int main() {
return bar(NULL);
}

Note that by doing this we are no longer attaching any sort of
attribute for GCC (GCC doesn't support attaching nonnull directly to a
parameter, only to the function and naming the arguments
positionally). This means we won't be getting a warning for this case
from GCC any more. People that listen to warnings tend to use clang
anyway, and we're quickly moving toward that as the default, so this
seems to be an acceptable tradeoff.

Change-Id: Ie05fe7cec2f19a082c1defb303f82bcf9241b88d
14adff1cfa06a3d4d3281a9bf7848b556d84c20d 29-Apr-2016 Josh Gao <jmgao@google.com> Add versioning information to symbols.

Bug: http://b/28178111
Change-Id: I46bf95accd819f4521afb1173d8badcc5e9df31c
c3cec27ad75544fdd1a5efc78260404a7de564bf 07-Apr-2016 Josh Gao <jmgao@google.com> Extract strcasecmp and friends to <bits/strcasecmp.h>.

Bug: http://b/28067717
Change-Id: I76bab098d4c35d07a7a108055c43c820087f9253
eb9b9250122080df4a11293b9b6679e0b63ae2dd 04-Nov-2015 Josh Gao <jmgao@google.com> Fix GNU/POSIX basename headers.

Including glibc's <libgen.h> will result in the user getting the POSIX
version of basename always, regardless of when it is included relative
to <string.h>. Prior to this patch, our implementation would result in
the one that's included first winning.

Bug: http://b/25459151
Change-Id: Id4aaf1670dad317d6bbc05763a84ee87596e8e59
7ac3c128bb5df83cb001cb50b6a5ee4da9a0b0e0 26-Aug-2015 Elliott Hughes <enh@google.com> Add strchrnul.

Bug: http://b/18374026
Change-Id: Iea923309c090a51a2d41c5a83320ab3789f40f1c
4ae773633aac9ceba5ec62bb8e1aa22c3c56ebde 18-Apr-2015 Daniel Micay <danielmicay@gmail.com> add fortified memchr/memrchr implementations

Change-Id: I38c473cc0c608b08f971409a95eb8b853cb2ba1c
3cfb52aab2548df635e9672218cc433e14922fd3 19-Feb-2015 Elliott Hughes <enh@google.com> Add GNU extensions mempcpy and wmemcpy.

Used by elfutils. On the bright side, they stopped using __mempcpy.

Bug: 18374026
Change-Id: Id29bbe6ef1c5ed5a171bb6c32182f129d8332abb
5038b19cef207b526f9993951e4a04c8df91ce1d 29-Jan-2015 Elliott Hughes <enh@google.com> Break two incorrect transitive includes.

Change-Id: I95519caa5258cf5c6b8053f1c7e08ade2a824e49
76f8916b904db14facf811ae44e1265261349702 26-Jan-2015 Elliott Hughes <enh@google.com> Clean up <stdlib.h> slightly.

Interestingly, this mostly involves cleaning up our implementation of
various <string.h> functions.

Change-Id: Ifaef49b5cb997134f7bc0cc31bdac844bdb9e089
b20c24456e43df430ec5626a68e5dc0dc6929344 07-Nov-2014 Elliott Hughes <enh@google.com> Implement all the POSIX _l functions.

Strictly speaking, this only implements the _l variants of the functions
we actually have. We're still missing nl_langinfo_l, for example, but we
don't have nl_langinfo either.

Change-Id: Ie711c7b04e7b9100932a13f5a5d5b28847eb4c12
55ee845b8ec0861d09197b32fbb5f2d34320155d 07-Oct-2014 Dan Albert <danalbert@google.com> Inline helpers need to be exported unmangled.

__open_2() is used by the fortify implementation of open(2) in
fcntl.h, and as such needs an unmangled C name. For some reason
(inlining?), this doesn't cause problems at the default optimization
level, but does for -O0.

The rest of these didn't cause build failures, but they look suspect
and probably will, we just haven't caught them yet.

(cherry-pick of 658727e111ed6dee7be5239494f0764f7b1b02f8 with conflicts
in stdio.h and string.h.)

Bug: 17784968
Change-Id: I7391a7a8999ee204eaf6abd14a3d5373ea419d5b
658727e111ed6dee7be5239494f0764f7b1b02f8 07-Oct-2014 Dan Albert <danalbert@google.com> Inline helpers need to be exported unmangled.

__open_2() is used by the fortify implementation of open(2) in
fcntl.h, and as such needs an unmangled C name. For some reason
(inlining?), this doesn't cause problems at the default optimization
level, but does for -O0.

The rest of these didn't cause build failures, but they look suspect
and probably will, we just haven't caught them yet.

Bug: 17784968
Change-Id: I7391a7a8999ee204eaf6abd14a3d5373ea419d5b
d87d401ab134996d1f25f5b63cefb48b5b5877c8 18-Aug-2014 Elliott Hughes <enh@google.com> Improve <sys/cdefs.h>.

Fix and use __RENAME (and lose ___RENAME --- two underscores should be
enough for anybody). This was the point of this change, because I want
to use __RENAME to support the two basename variants and the two
strerror_r variants.

Lose a bunch of macros that weren't being used.

Lose three dead files from the DNS code.

Bug: 17784968

(cherry picked from commit 2cfb4e8e2e217ef0e4140dcbf9b3da809781158c)

Change-Id: I5e96146f92c0521248c78c0933bec5e9a9818222
db408bf421faffe6c0623ca652844edfffa3726c 05-Oct-2014 Nick Kralevich <nnk@google.com> further cleanup memcpy fortify implementation

Bug: 17784968

(cherry picked from commit b84f667e9312611536a564700daea11c12b6fcfa)

Change-Id: I68fc2cc0a1ee7f0887edf3681eb83ef678de1383
7ad2147a08b000e4bb6101bd24f055552f7a41aa 05-Oct-2014 Nick Kralevich <nnk@google.com> string.h: remove unused variable

(cherry picked from commit 48be71d02b6cc4e6493d38cdd6b7779032c38901)

Bug: 17784968
Change-Id: Iac7732fb4f7fe42977cb9f62472bb636e17e5232
b84f667e9312611536a564700daea11c12b6fcfa 05-Oct-2014 Nick Kralevich <nnk@google.com> further cleanup memcpy fortify implementation

Change-Id: I0380f3c8ca8f9bb8a206accd839c32c9daf13c56
48be71d02b6cc4e6493d38cdd6b7779032c38901 05-Oct-2014 Nick Kralevich <nnk@google.com> string.h: remove unused variable

Change-Id: I08b7dab1b374ad427fcbee4183f2c7d93d0199a9
416d7ddaff0946d480b6aa945a741b3eeaca5569 19-Aug-2014 Elliott Hughes <enh@google.com> Add GNU-compatible strerror_r.

We already had the POSIX strerror_r, but some third-party code defines
_GNU_SOURCE and expects to get the GNU strerror_r instead.

This exposed a bug in the libc internal logging functions where unlike
their standard brethren they wouldn't return the number of bytes they'd
have liked to have written.

Bug: 16243479
Change-Id: I1745752ccbdc569646d34f5071f6df2be066d5f4
09c39d6df0e952620f8c1751377b559a04e023aa 19-Aug-2014 Elliott Hughes <enh@google.com> Implement the GNU basename(3) in addition to the POSIX one.

Code like perf(1) needs this.

Bug: 11860789
Change-Id: I907eb448052a7b165e4012d74303330d32328cb2
2cfb4e8e2e217ef0e4140dcbf9b3da809781158c 18-Aug-2014 Elliott Hughes <enh@google.com> Improve <sys/cdefs.h>.

Fix and use __RENAME (and lose ___RENAME --- two underscores should be
enough for anybody). This was the point of this change, because I want
to use __RENAME to support the two basename variants and the two
strerror_r variants.

Lose a bunch of macros that weren't being used.

Lose three dead files from the DNS code.

Change-Id: I3ef645c566b16a52217bc2e68c7d54b37c7c9522
7aa27e1c1a53afe28f6180fd1fc50d096cabea7b 06-Aug-2014 Dehao Chen <dehao@google.com> Workaround b/16818336 which fails build under aggressive inlining.

Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
28285f85a1c15c5b500b78ed63f12dd8eddb8ac9 06-Aug-2014 Dehao Chen <dehao@google.com> Workaround b/16818336 which fails build under aggressive inlining.

(cherry-pick of 7aa27e1c1a53afe28f6180fd1fc50d096cabea7b.)

Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
dfb5ce42bcc5a275af49211c0bbe64c5ec3d2668 10-Jul-2014 Dan Albert <danalbert@google.com> Revert "Revert "Add locale aware APIs.""

This reverts commit 063e20c26943ec82ef1d53a544545e79054e93d3.

Change-Id: Ib8c9004efefe75a5346b3af50dfe37952d91eb21
e087eac404b0e30de427392065e2750acf92bd4a 09-Jul-2014 Dan Albert <danalbert@google.com> Add locale aware APIs.

Since we only support the C locale, we can just forward all of these to
their non-locale equivalents for correct behavior.

Change-Id: Ib7be71b7f636309c0cc3be1096a4c1f693f04fbb
063e20c26943ec82ef1d53a544545e79054e93d3 10-Jul-2014 Dan Albert <danalbert@google.com> Revert "Add locale aware APIs."

Accidentally verified against a dirty tree. Needs the companion change to libc++ to land upstream before I can submit this.

This reverts commit e087eac404b0e30de427392065e2750acf92bd4a.

Change-Id: I317ecd0923114f415eaad7603002f77feffb5e3f
40fca0f08b1eb87e283d6f634d9759ed3161f517 04-Jun-2014 Dan Albert <danalbert@google.com> Removes index() from bionic.

This function has been removed from POSIX.

Unfortunately, we can't leave #define index(a, b) strchr((a), (b)) in its place
because defining a preprocessor macro for index() breaks a whole lot of code.

Bug: 13935372
Change-Id: Ifda348acde06da61c12e7ee2f8fe6950a3174dd1
950a58e24d1019eb9d814dbb16f111a6b61e3f23 04-Apr-2014 Christopher Ferris <cferris@google.com> Add stpcpy/stpncpy.

Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
152b9de19ade833ada124390ef153e53d3d3e2ed 10-Mar-2014 Elliott Hughes <enh@google.com> Remove non-standard memswap.

Change-Id: I06548dda339987b755ef7139c590ca3e1f9fe0a9
53e43292aac91bf62995788cd5ca2ceb7caea283 25-Feb-2014 Elliott Hughes <enh@google.com> More OpenBSD cleanup (primarily string).

This patch removes the string/ and wchar/ directories.

Change-Id: Ia489904bc67047e4bc79acb1f3eec21aa3fe5f0d
d13c2b1ba6681fdbee73a044d988c3f9e1172d30 27-Sep-2013 Nick Kralevich <nnk@google.com> Fix unnecessary call to __strncpy_chk2

If "n" is smaller than the size of "src", then we'll
never read off the end of src. It makes no sense to call
__strncpy_chk2 in those circumstances.

For example, consider the following code:

int main() {
char src[10];
char dst[5];
memcpy(src, "0123456789", sizeof(src));
strncpy(dst, src, sizeof(dst));
dst[4] = '\0';
printf("%s\n", dst);
return 0;
}

In this code, it's clear that the strncpy will never read off
the end of src.

Change-Id: I9cf58857a0c5216b4576d21d3c1625e2913ccc03
3c4b50fd8cce143d9ba8f03a93f0fccba4e54d14 26-Jul-2013 Pavel Chupin <pavel.v.chupin@intel.com> Fix strchr for basic non-sse case on x86

Fix source location. Move declaration of __strchr_chk out of
ifdef __BIONIC_FORTIFY which should be available for strchr.cpp
compilation when __BIONIC_FORTIFY is not defined.

Change-Id: I552a6e16656e59b276b322886cfbf57bbfb2e6a7
Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
bd8e6749b78567af62ec126d7cc057386ebee25a 28-Aug-2013 Nick Kralevich <nnk@google.com> cdefs.h: introduce __bos0

Introduce __bos0 as a #define for __builtin_object_size((s), 0).
This macro is intended to be used for places where the standard
__bos macro isn't appropriate.

memcpy, memmove, and memset deliberately use __bos0. This is done
for two reasons:

1) I haven't yet tested to see if __bos is safe to use.
2) glibc uses __bos0 for these methods.

Change-Id: Ifbe02efdb10a72fe3529dbcc47ff647bde6feeca
93501d3ab81156bcef251bb817a49e9ca46a6ec1 28-Aug-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: introduce __strncpy_chk2

This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
a6cde392765eb955cb4be5faa6ee62dcf77e8aa5 29-Jun-2013 Nick Kralevich <nnk@google.com> More FORTIFY_SOURCE functions under clang

* bzero
* umask
* strlcat

Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
8bafa7452ec0892572b0b49f86022ce945c5e908 20-Jun-2013 Nick Kralevich <nnk@google.com> libc: enable FORTIFY_SOURCE clang strlcpy

Change-Id: Idcfe08f5afc3dde592416df9eba83f64e130c7c2
16d1af167f8e36a9aa4a07ae77034ad519b00463 17-Jun-2013 Nick Kralevich <nnk@google.com> libc: add limited FORTIFY_SOURCE support for clang

In 829c089f83ddee37203b52bcb294867a9ae7bdbc, we disabled all
FORTIFY_SOURCE support when compiling under clang. At the time,
we didn't have proper test cases, and couldn't easily create targeted
clang tests.

This change re-enables FORTIFY_SOURCE support under clang for a
limited set of functions, where we have explicit unittests available.
The functions are:

* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)

It may be possible, in the future, to enable other functions. However,
I need to write unittests first.

For strlen, strchr, and strrchr, clang unconditionally calls the
fortified version of the relevant function. If it doesn't know the
size of the buffer it's dealing with, it passes in ((size_t) -1),
which is the largest possible size_t.

I added two new clang specific unittest files, primarily copied
from fortify?_test.cpp.

I've also rebuild the entire system with these changes, and didn't
observe any obvious problems.

Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
b24c0637d06fe0980b9e13a8d0c3e6f4dbda9cd5 18-Jun-2013 Nick Kralevich <nnk@google.com> libc: Introduce __errordecl()

Define __errordecl and replace __attribute__((__error__("foo")))
with __errordecl. Make sure __errordecl is a no-op on clang, as it
generates a compile time warning.

Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
cf870199d576bdfc339b7fb016c9f6fe7f2c87ed 31-May-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: strcat / strncat optimize

__strcat_chk and __strncat_chk are slightly inefficient,
because they end up traversing over the same memory region
two times.

This change optimizes __strcat_chk / __strncat_chk so they
only access the memory once. Although I haven't benchmarked these
changes, it should improve the performance of these functions.

__strlen_chk - expose this function, even if -D_FORTIFY_SOURCE
isn't defined. This is needed to compile libc itself without
-D_FORTIFY_SOURCE.

Change-Id: Id2c70dff55a276b47c59db27a03734d659f84b74
1c462b7a04fc6afc99d8544728dd6d8f2a471fa2 07-May-2013 Nick Kralevich <nnk@google.com> Use restrict pointers for various libc functions.

All the cool kids say this is the best thing since sliced bread.
http://cellperformance.beyond3d.com/articles/2006/05/demystifying-the-restrict-keyword.html

For the most part, these changes match what glibc does.

Change-Id: I176268f27f82800162fe5f2515b08d5469ea2dfe
3b2e6bc9acf5223db6e9967e46066219c76ee56f 30-Apr-2013 Nick Kralevich <nnk@google.com> libc: upgrade strrchr to FORTIFY_SOURCE=2

Change-Id: I4c34c2ce22c5092c4446dc1ab55f37604c1c223f
9020fd503c9eb073f70dbc239a212f8ece19359d 30-Apr-2013 Nick Kralevich <nnk@google.com> libc: upgrade some libc functions to _FORTIFY_SOURCE=2

Upgrade the following functions:

* vsnprintf
* vsprintf
* snprintf
* fgets
* strcpy
* strcat
* strncat
* strlcpy
* strlcat
* strlen
* strchr

Change-Id: Icc036fc7f0bb317e05f7c051617887a1601271aa
1aae9bd170883805f2e7975cd3dbd2502b083cc1 29-Apr-2013 Nick Kralevich <nnk@google.com> strncpy: implement _FORTIFY_SOURCE=2

Add support for fortify source level 2 to strncpy.
This will enable detection of more areas where strncpy
is used inappropriately. For example, this would have detected
bug 8727221.

Move the fortify_source tests out of string_test.cpp, and
put it into fortify1_test.cpp.

Create a new fortify2_test.cpp file, which copies all
the tests in fortify1_test.cpp, and adds fortify_source level
2 specific tests.

Change-Id: Ica0fba531cc7d0609e4f23b8176739b13f7f7a83
890c8ed6ef773160cd6840a92e0d469fe530871f 22-Mar-2013 Elliott Hughes <enh@google.com> Fix builds where _FORTIFY_SOURCE is off.

Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.

Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
538f6fc202b07219ce78de54c0e05ab81e937154 22-Feb-2013 Elliott Hughes <enh@google.com> Stop advertising rindex(3), which is both deprecated and unimplemented.

Change-Id: I3c775d9974e49c3f76a53e46e022659657b89034
a44e9afdd16105d6f36319cb538666d9cc78435a 18-Jan-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: optimize

Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.

This avoids silliness like calling fortify source on things like:

size_t len = strlen("asdf");
printf("%d\n", len);

and allows the compiler to optimize this code to:

printf("%d\n", 4);

Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.

Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
57874753900865312d7d265d2ca15cb4edb00ef2 07-Dec-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: remove memcpy overlap checks

These checks haven't been as useful as I hoped, and it's
causing a false positive finding. Remove the overlap
compile time checks.

Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
9a4d305340e6ce2fc6c3f371f2d7ede446f8c6d4 03-Dec-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: fortify strrchr

This change compliments 049e58369c37fdeacd0380a6bf1e078d9baf819f

Change-Id: I27d015d70a520713c7472558a3c427f546d36ee4
049e58369c37fdeacd0380a6bf1e078d9baf819f 01-Dec-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: fortify strchr

Detect when strchr reads off the end of a buffer.

Change-Id: I0e952eedcff5c36d646a9c3bc4e1337b959224f2
829c089f83ddee37203b52bcb294867a9ae7bdbc 29-Aug-2012 Nick Kralevich <nnk@google.com> disable _FORTIFY_SOURCE under clang

Clang and _FORTIFY_SOURCE are just plain incompatible with
each other. First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)

Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.

Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
f4497e15b78383b06d59ce244255fc7625beaec5 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
a72246d67e309de62c26aca970fff65dfb86eb7c 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlen.

At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
d600617645e85435cf98fc30139a6945aaadc1ca 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
9a3d53fad062cdadb4df81f6998a5e09336c637b 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlen.

At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
761ba27d62a67c098a3323fb37175a7274ee5f19 16-Jul-2012 Nick Kralevich <nnk@google.com> Merge "FORTIFY_SOURCE: revert memcpy changes."
c37fc1ab6a3ac3956a8c9ba3ac089d41969815ed 14-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: revert memcpy changes.

Performance regressions. Hopefully this is a temporary
rollback.

Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
9b6cc223a36835c4367a036d4cfeff14d25bc742 13-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro

Replace all occurances of "(size_t) -1" with a
__BIONIC_FORTIFY_UNKNOWN_SIZE macro.

Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
260bf8cfe00f83bc579dfe81c78b75bd9973f051 13-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: strlen check.

This test is designed to detect code such as:

int main() {
char buf[10];
memcpy(buf, "1234567890", sizeof(buf));
size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
printf("%d\n", len);
return 0;
}

or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
f3913b5b68347ce9a4cb17977df2c33f1e8f6000 13-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: enhanced memcpy protections.

Two changes:

1) Detect memory read overruns.

For example:

int main() {
char buf[10];
memcpy(buf, "abcde", sizeof(buf));
sprintf("%s\n", buf);
}

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time. Other similar
bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:

char buf3[0x800];
char *first_half = &buf3[0x400];
char *second_half = &buf3[1];
memset(buf3, 0, sizeof(buf3));
memcpy(first_half, second_half, 0x400);
printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
cb228fb4a91bdccfd974b8a4f45e2b6002e90728 27-Jun-2012 Nick Kralevich <nnk@google.com> libc: cleanups

Prefix private functions with underscores, to prevent name
conflicts.

Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".

Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
8df49ad2467ec2d48f94a925162185c34bf6e68b 14-Jun-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: add strlcpy / strlcat support

Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.

Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.

Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
71a18dd435e96564539b5af71b8ea5093a2109a1 07-Jun-2012 Nick Kralevich <nnk@google.com> _FORTIFY_SOURCE: add memset / bzero support

Add _FORTIFY_SOURCE support for the following functions:

* memset
* bzero

Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.

Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
0a2301598c207fd1b50015984942fee5e8511593 05-Jun-2012 Nick Kralevich <nnk@google.com> libc: implement some FORTIFY_SOURCE functions

Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check

These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
a677907ee8ecca034318fdb97902fa73e7392c4f 21-Mar-2012 Nick Kralevich <nnk@google.com> string.h: add __attribute__ ((pure)) to string functions

cdefs.h: Introduce the __purefunc attribute, which allows us to mark
certain functions as being "pure".

http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Many functions have no effects except the return value and their
return value depends only on the parameters and/or global variables.
Such a function can be subject to common subexpression elimination
and loop optimization just as an arithmetic operator would be.

string.h: Mark many commently used string functions as "pure", to
allow for additional compiler optimizations.

Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
1dc9e472e19acfe6dc7f41e429236e7eef7ceda1 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
1767f908af327fa388b1c66883760ad851267013 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
9f65adf2ba3bb15feb8b7a7b3eef788df3fd270e 11-Feb-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //branches/cupcake/...@130745
6d6c82c7a0a6b9a89f61b61c66f9b90d9c7177dc 10-Jan-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //branches/cupcake/...@125939
a27d2baa0c1a2ec70f47ea9199b1dd6762c8a349 21-Oct-2008 The Android Open Source Project <initial-contribution@android.com> Initial Contribution