Enabling CFI changes the VNDK ABI from the frozen snapshot, so the
only solution for now is to temporarily disable CFI on all vendor
variants for the sake of compatibility.
Bug: 66301104
Test: ABI is consistent.
Change-Id: Ie7dca41e0f647808b08adede09a30f3c746e6bda
When linking in the UBSan minimal runtime, don't export the symbols.
This was resulting in an edge case where symbols were sometimes
undefined at runtime on address sanitized builds if static library
dependencies were integer overflow sanitized.
Bug: 78766744
Test: readelf on libraries show either inclusion of the shared library
or no undefined symbols related to the minimal runtime.
Change-Id: Ide85c8c6b53b400ce9166ccaf96d250797fe4b24
Merged-In: Ide85c8c6b53b400ce9166ccaf96d250797fe4b24
(cherry picked from commit 59fdea2ac2)
When linking in the UBSan minimal runtime, don't export the symbols.
This was resulting in an edge case where symbols were sometimes
undefined at runtime on address sanitized builds if static library
dependencies were integer overflow sanitized.
Bug: 78766744
Test: readelf on libraries show either inclusion of the shared library
or no undefined symbols related to the minimal runtime.
Change-Id: Ide85c8c6b53b400ce9166ccaf96d250797fe4b24
Previously abi diffs were allowed only on unsanitized variants of vndk
libraries. This CL allows them on all sanitized variants which go onto
production devices, eg: cfi variants.
Bug: 66301104
Test: Without this change, for arm64 libstagefright_foundation doesn't
get an lsdump file since we don't build an unsanitized variant
(aosp_arm64_ab).
Test: With this change, for arm64 libstagefright_foundation does
get an lsdump file (aosp_arm64_ab)
Merged-In: I94f82fd84fc898e4980c3f3619df9677ed723c32
Change-Id: I94f82fd84fc898e4980c3f3619df9677ed723c32
(cherry picked from commit b7e08ca830)
Previously abi diffs were allowed only on unsanitized variants of vndk
libraries. This CL allows them on all sanitized variants which go onto
production devices, eg: cfi variants.
Bug: 66301104
Test: Without this change, for arm64 libstagefright_foundation doesn't
get an lsdump file since we don't build an unsanitized variant
(aosp_arm64_ab).
Test: With this change, for arm64 libstagefright_foundation does
get an lsdump file (aosp_arm64_ab)
Change-Id: I94f82fd84fc898e4980c3f3619df9677ed723c32
This extends the minimal runtime dependency mutator to allow signed
and unsigned integer overflow diagnostics in static libraries and
binaries. This also enables the integer_overflow flag for static
libraries and binaries.
Note compilation will fail if the static library is a dependency
of a Make module that does not also have diagnostics enabled.
Bug: 66952339
Bug: 73283972
Test: make SANITIZE_TARGET{,_DIAG}=integer_overflow
Test: Enabled diagnostics in a static lib, saw results in logcat.
Test: Checked showcommands output for ubsan runtime library inclusion.
Change-Id: Ic52881a0f74cdcac0e4a15335df493b59b002ae5
This CL changes PRODUCT_CFI_INCLUDE_PATHS to be included in all
product configs by default. To maintain the status quo, the sanitizer
logic has been modified to only respect this product config for Arm64
devices (where this was previously enabled).
Bug: 63926619
Test: m -j60 # the device still has CFI enabled thanks to the default
opt-in
Change-Id: Ia613aec545ad3e544dea41a6dbdb4112aef4afab
cfiExportsMap was reinitialized for every module, which caused
data races. Create the path from the string on each use
instead.
Bug: 77234104
Test: m nothing with race detector turned on
Change-Id: Ibca3149dcbe8a9d4d9f7ec6dd0b164697e7ae5cd
Merged-In: Ibca3149dcbe8a9d4d9f7ec6dd0b164697e7ae5cd
(cherry picked from commit 1218a19f0d)
cfiExportsMap was reinitialized for every module, which caused
data races. Create the path from the string on each use
instead.
Bug: 77234104
Test: m nothing with race detector turned on
Change-Id: Ibca3149dcbe8a9d4d9f7ec6dd0b164697e7ae5cd
* Suppress more noisy new warnings at global level.
* Add -no-pie to partial link .o files, with -r.
* Revert workaround of b/72706604, no need of
-Wl,-plugin-opt,-emulated-tls
* Filter out clang 7.0 unknown flag "-Wno-extended-offsetof"
Bug: 72706604
Bug: 72412006
Test: make checkbuild
Change-Id: I7ff45465c4bd771991f42b40f68dc35586045656
Adds Soong support for -fsanitze-minimal-runtime when using
the integer overflow sanitizers. This makes the crashes due to these
sanitizers less mysterious.
Bug: 64091660
Test: Compiled and checked the generated compiler commands
Test: Checked program that overflows for the abort reason
Change-Id: Ieeceaf6c35c8371592952d3b8b977aefc11601c5
Merged-In: Ieeceaf6c35c8371592952d3b8b977aefc11601c5
(cherry picked from commit 30c5db2f47)
Adds Soong support for -fsanitze-minimal-runtime when using
the integer overflow sanitizers. This makes the crashes due to these
sanitizers less mysterious.
Bug: 64091660
Test: Compiled and checked the generated compiler commands
Test: Checked program that overflows for the abort reason
Change-Id: Ieeceaf6c35c8371592952d3b8b977aefc11601c5
LLVM-AR does not allow passing --plugin options more than once. The
--plugin ARFLAGS that lto want to add, may already exist if sanitizer is
also turned on.
Fixed this by adding a new bool Flags.ArGoldPlugin. Set this variable to
true whenever LLVM gold plugin is needed for ArFlags. In function
TransformObjToStaticLib(), add this option to arFlags using global value
${config.LLVMGoldPlugin} if the bool value is true.
Bug: http://b/73160350
Test: build the image with make and succeeded.
Change-Id: I62785829b0a4b663225926e4aed98defc1b6da2c
(cherry picked from commit 4917049f6e)
LLVM-AR does not allow passing --plugin options more than once. The
--plugin ARFLAGS that lto want to add, may already exist if sanitizer is
also turned on.
Fixed this by adding a new bool Flags.ArGoldPlugin. Set this variable to
true whenever LLVM gold plugin is needed for ArFlags. In function
TransformObjToStaticLib(), add this option to arFlags using global value
${config.LLVMGoldPlugin} if the bool value is true.
Bug: http://b/73160350
Test: build the image with make and succeeded.
Change-Id: I62785829b0a4b663225926e4aed98defc1b6da2c
-fsanitize=cfi requires LTO. Normally, the Clang driver automatically
enables emutls, but it's broken with -flto, so work around it by passing
-Wl,-plugin-opt=-emulated-tls.
See https://buganizer.corp.google.com/issues/72706604#comment15
Enable the workaround with ctx.Device(), which is the same condition used
in the existing I18acac41aac885fc6635fbd55f96ba7c845eb5e7 workaround.
Bug: b/72706604
Bug: https://github.com/android-ndk/ndk/issues/498
Test: m libaudioflinger (on internal master); \
readelf -sW symbols/system/lib64/libaudioflinger.so | grep tlNBLogWriter
check that __emutls_t.tlNBLogWriter exists
check that no symbols of type TLS exist
Change-Id: I2cf65574c52476843cc017ee176a7d6777e2ce0b
Handle paths variable provided from Make about where integer overflow
sanitization should be enabled by default, and prepare to enable minimal
runtime diagnostics for integer overflow sanitizers in userdebug/eng builds.
This provides Soong support for on-by-default paths from Make for
integer overflow sanitization.
Bug: 30969751
Bug: 63927620
Test: Include paths passed from Make are being sanitized.
Test: Compilation succeeds with and without diagnostics enabled.
Test: See Make patch for further test notes.
Change-Id: I803a75646cc27ef5b4b5b74b8eb2981c39f8a6a3
AConfig() now duplicates Config(). Replace the uses of AConfig()
with Config(). Leave AConfig() for now until code in other
projects is cleaned up.
Test: m checkbuild
Change-Id: Ic88be643049d21dba45dbd1a65588ed94bf43bdc
This CL rolls back how often we bubble up both sanitized and
un-sanitized variants of a component. With this change only
CFI-enabled target static libraries will do this, all other cases
suppress one of the two variants (both from being installed and from
being exposed to Make for make-embedded builds).
This means we shouldn't need a separate sanitizer suffix for ASAN at
all (.asan), and similarly for non static-lib CFI components (.cfi),
so this CL changes that as well.
Lastly, because the version of ar meant for the host is not built
with plugin support (which CFI requires), this CL disables CFI for
host targets.
This CL should fix the following 2 issues:
(1) Removing warnings about multiple rules existing for the same
installable target.
(2) Fixing VTS packaging, which had been broken by the generation of
the .asan suffix.
Bug: 69172424, 69059192, 67507323
Test: m -j40 # Soong generated .mk file does not have duplicate rules.
Test: SANITIZE_TARGET="address" m -j40 libstagefright # installed
correctly.
Change-Id: Ib90fdbc8a6ad3924fc2a691b7277a8a1bc67cda8
This CL adds the ability to centrally enable or disable CFI for
components using either an environment or product config
variable. This is a better, nore manageable option that enabling CFI
across each component individually.
Bug: 67507323
Test: CFI_INCLUDE_PATHS= system/nfc m -j40
Test: CFI_EXCLUDE_PATHS = frameworks/av m -j40
Change-Id: I38b77946759121aec99ab25f31aaee2e5d993f73
there's no use case for prepending/appending to bool, and string
properties within module struct. Declearing "*bool" and "*string" almost
cover everything user need.
I did see one case that user specify relative_install_path as
path prefix in cc_defaults, and concatenate with the one in real module
to get the final relative install path in Android.bp <bionic/tests/libs>.
Test: m -j checkbuild
Bug: b/68853585
Change-Id: If3a7a2689c3fc307aae136af6bc9c57f27a1e1a0
Bug: http://b/33678192
Clang has been updated past the revisions mentioned in the work arounds.
So these seem no longer necessary.
Test: Build
Change-Id: I08fee0db7c5785836a1ad0104688245435865cb7
This CL ensures that only one of the two generated variants are
installed for non-make builds and for host binaries.
Bug: 30227045
Test: OUT_DIR=/tmp/ndk build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: I7ca78af51ea6bd3ae1107a69331abd6ff68f2150
This reverts commit 33c252c2f1.
I have a fix to the crashes that this CL set was causing, and have
uploaded it as a patchset to this revert.
This also contains a partial fix that was initially submitted
separately as
https://android-review.googlesource.com/#/c/platform/build/soong/+/524295/
Bug: 30227045
Test: ./art/test/testrunner/run_build_test_target.py -j110 art-asan #no
build errors
Test: m -j50 ASAN_OPTIONS=detect_leaks=0 SANITIZE_HOST=address # no
build errors
Change-Id: I3e53549fa03413d35d9a952f04de1e7629e1f06d
This reverts commit d4b484b070.
Rationale: second in group of commits that left aosp_x86_64 not
building. (See https://android-build.googleplex.com/builds/
submitted/4426589/aosp_x86_64-eng/latest/logs/build_error.log)
Bug: 30227045
Test: builds
Change-Id: I38ab5284c614d6ee68e7359219bd75c7d50131be
This reverts commit 6147c6972a.
Rationale: first in group of commits that left aosp_x86_64 not
building. (See https://android-build.googleplex.com/builds/
submitted/4426589/aosp_x86_64-eng/latest/logs/build_error.log)
Bug: 30227045
Test: builds
Change-Id: I632869d13d09b43e2040da187d7ced4f05c332de
This CL hides (using Module.Properties.PreventInstall) either the
sanitized or stock variant for non-make embedded builds (based on
whether a sanitizer is enabled or not) so we don't have duplicate
rules for installing the same target.
Bug: 30227045
Test: OUT_DIR=out build/soong/scripts/build-ndk-prebuilts.sh # no
longer generates a duplicate build error.
Change-Id: I0b2dbb0afd5d426b32da67f951e2a4f9fbb3f3b9
This CL makes multiples changes in preparation for platform-wide CFI.
(a) Adds a second -version-script=... to the command line
when building components that use a version script. This ensures that
__cfi_check is also exported, and allows CFI to be enabled for these
components.
(b) Adds both topdown and bottom up mutators for CFI to help propagate
dependencies correctly for components that may need CFI disabled.
(c) Fixes an issue with the mutators to correctly apply settings to
both generated variants
(d) Fixes issues when components have more than a single visibility
flag.
Bug: 30227045
Test: SANITIZE_TARGET=cfi m -j40 # dependencies are correctly built
# with/without CFI
Change-Id: I44793cc03bcbcdaa957cc49c7240b87d7c9db327
Also adds checks that the dependencies are android.Modules and
are not disabled.
Test: m checkbuild
Change-Id: I05e945f38915d49cd3c0ab72a86576949bc7eff2
This reverts commit 2370af0e23.
Reason for revert: New Build Breakage: aosp-master/aosp_arm64_ab-userdebug @ 4376965
Change-Id: Ibe4b819c4292457c454bf42e6d94fba3071ec04b
libm is a default library for device builds, so default it for host
builds as well.
Also removes duplicate additions of -ldl, -lpthread, -lm and -lrt.
Test: m host
Change-Id: I8f7e799d48a1f427e48dcfb1d0ccba93c5f9780b
Make sure that libdl is always after libc on the command line.
Simplifies the logic to always support system_shared_libs for
sdk and vndk builds.
For backwards compatibility without updating lots of Android.bp
files, allow libdl to be listed in shared_libs as long as it
is also in system_shared_libs or libc is not in system_shared_libs.
Remove all the places that libdl is added as a dependency, since
it will always be present unless explicitly removed now.
Bug: 62815515
Test: m -j checkbuild
Change-Id: I0233178ffea87a2f0b82190746022476304a68e2
It's never anything except nil, and it unnecessarily complicates
the implementations.
Test: m -j checkbuild
Change-Id: I8a117a86aa39aeb07d9d8d0686ef869c52784f19
This CL blocks modules intended for the host from having the bottom up
sanitizer mutator applied. We only maintain a single copy of host
binaries, so generating variants doesn't make sense
anyway. Additionally, the existing logic was causing an error with
builds not embedded in make (eg: aosp-build-tools which uses
soong_ui.bash) where the wrong variant was installed on the host. This
change should fix that.
Bug: 64536751
Test: m -j40 && SANITIZE_TARGET="address" m -j40
Test: aosp-build-tools build breakage is fixed.
Change-Id: Ia79b4661f69ce26a7be17c4339c18ca0f397d760
This CL fixes a bug in the ASAN top down mutator which was incorrectly
checking (and setting) SanitizeDep to true only for the parent module
and not for the visited child modules.
Fixing this also requires some changes to the variant creation logic
to ensure that the correct variant is passed to make for
installation. This will eventually be replaced by logic that appends
an appropriate suffix to sanitized libraries (eg: libc++.asan), which
will allow both variants to be passed to make.
Bug: 64536751
Test: m -j40 && SANITIZE_TARGET="address" m -j40
Change-Id: Id5e5a5946192adf07418dd433bca503047177007
When the lib is vendor-only, then .vendor suffix is not added.
Furthermore, this change correctly adds .vendor suffix even to the names
listed in LOCAL_SHARED_LIBRARIES so that we don't need to add the suffix
in the make world.
This also allows us to use the original name (without the .vendor
suffix) of the vendor-only modules in make (e.g. in PRODUCT_PACKAGES or
as a make target).
Bug: 37480243
Test: BOARD_VNDK_VERSION=current m -j <name> is successful, where <name>
is one of the vendor-only libraries in Soong. (i.e.
android.hardware.renderscript@1.0-impl)
Test: m -j does not break anything
Change-Id: I203e546ff941878a40c5e7cfbb9f70b617df272d
Ubsan is currently support ARM/ARM64,
so It's OK to enable the build Flag
Test: build test module with flags in Android.bp:
sanitize: {
all_undefined: true,
diag: {
undefined: true,
},
},
BUG:38250996
Change-Id: I37a01b4610132f58315e68335b3c3cdfb148357d
Add support for excluding paths from having integer_overflow applied to
them when using SANITIZE_TARGET=integer_overflow via an
INTEGER_OVERFLOW_EXCLUDE_PATHS make variable. This covers the soong side
of the change.
Bug: 30969751
Test: Build with SANITIZE_TARGET=integer_overflow
SANITIZE_TARGET_DIAG=integer_overflow
INTEGER_OVERFLOW_EXCLUDE_PATHS=<path> and confirmed this was no
longer being applied to binaries in that path.
Change-Id: I298b772f5425da28dff1cf007825be19558db3a8
Adds the SANITIZE_TARGET=integer_overflow build option to apply signed and
unsigned integer overflow sanitization globally. This implements the
Soong side of the build option.
An additional build option is provided to control whether or not to run
in diagnostics mode, controlled by SANITIZE_TARGET_DIAG. This works the
same way that SANITIZE_TARGET does and currently only supports
'integer_overflow' as an option.
A default sanitizer blacklist is added to avoid applying sanitization
to functions that are likely to exhibit benign overflows.
Bug: 30969751
Test: Building with and without the new flags, device boot-up, tested
various permutations of controlling the new flags from build files.
Change-Id: Ibc8a8615d3132f1a23faaf1cb4861f24c5ef734a
