platform_build_soong/cc/sanitize.go

1253 lines
43 KiB
Go

// Copyright 2016 Google Inc. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cc
import (
"fmt"
"sort"
"strings"
"sync"
"github.com/google/blueprint"
"android/soong/android"
"android/soong/cc/config"
)
var (
// Any C flags added by sanitizer which libTooling tools may not
// understand also need to be added to ClangLibToolingUnknownCflags in
// cc/config/clang.go
asanCflags = []string{
"-fno-omit-frame-pointer",
"-fno-experimental-new-pass-manager",
}
asanLdflags = []string{"-Wl,-u,__asan_preinit"}
hwasanCflags = []string{"-fno-omit-frame-pointer", "-Wno-frame-larger-than=",
"-fsanitize-hwaddress-abi=platform",
"-fno-experimental-new-pass-manager",
// The following improves debug location information
// availability at the cost of its accuracy. It increases
// the likelihood of a stack variable's frame offset
// to be recorded in the debug info, which is important
// for the quality of hwasan reports. The downside is a
// higher number of "optimized out" stack variables.
// b/112437883.
"-mllvm", "-instcombine-lower-dbg-declare=0",
}
cfiCflags = []string{"-flto", "-fsanitize-cfi-cross-dso",
"-fsanitize-blacklist=external/compiler-rt/lib/cfi/cfi_blocklist.txt"}
// -flto and -fvisibility are required by clang when -fsanitize=cfi is
// used, but have no effect on assembly files
cfiAsflags = []string{"-flto", "-fvisibility=default"}
cfiLdflags = []string{"-flto", "-fsanitize-cfi-cross-dso", "-fsanitize=cfi",
"-Wl,-plugin-opt,O1"}
cfiExportsMapPath = "build/soong/cc/config/cfi_exports.map"
intOverflowCflags = []string{"-fsanitize-blacklist=build/soong/cc/config/integer_overflow_blocklist.txt"}
minimalRuntimeFlags = []string{"-fsanitize-minimal-runtime", "-fno-sanitize-trap=integer,undefined",
"-fno-sanitize-recover=integer,undefined"}
hwasanGlobalOptions = []string{"heap_history_size=1023", "stack_history_size=512",
"export_memory_stats=0", "max_malloc_fill_size=0"}
)
type sanitizerType int
func boolPtr(v bool) *bool {
if v {
return &v
} else {
return nil
}
}
const (
asan sanitizerType = iota + 1
hwasan
tsan
intOverflow
cfi
scs
fuzzer
)
// Name of the sanitizer variation for this sanitizer type
func (t sanitizerType) variationName() string {
switch t {
case asan:
return "asan"
case hwasan:
return "hwasan"
case tsan:
return "tsan"
case intOverflow:
return "intOverflow"
case cfi:
return "cfi"
case scs:
return "scs"
case fuzzer:
return "fuzzer"
default:
panic(fmt.Errorf("unknown sanitizerType %d", t))
}
}
// This is the sanitizer names in SANITIZE_[TARGET|HOST]
func (t sanitizerType) name() string {
switch t {
case asan:
return "address"
case hwasan:
return "hwaddress"
case tsan:
return "thread"
case intOverflow:
return "integer_overflow"
case cfi:
return "cfi"
case scs:
return "shadow-call-stack"
case fuzzer:
return "fuzzer"
default:
panic(fmt.Errorf("unknown sanitizerType %d", t))
}
}
func (t sanitizerType) incompatibleWithCfi() bool {
return t == asan || t == fuzzer || t == hwasan
}
type SanitizeProperties struct {
// enable AddressSanitizer, ThreadSanitizer, or UndefinedBehaviorSanitizer
Sanitize struct {
Never *bool `android:"arch_variant"`
// main sanitizers
Address *bool `android:"arch_variant"`
Thread *bool `android:"arch_variant"`
Hwaddress *bool `android:"arch_variant"`
// local sanitizers
Undefined *bool `android:"arch_variant"`
All_undefined *bool `android:"arch_variant"`
Misc_undefined []string `android:"arch_variant"`
Fuzzer *bool `android:"arch_variant"`
Safestack *bool `android:"arch_variant"`
Cfi *bool `android:"arch_variant"`
Integer_overflow *bool `android:"arch_variant"`
Scudo *bool `android:"arch_variant"`
Scs *bool `android:"arch_variant"`
// A modifier for ASAN and HWASAN for write only instrumentation
Writeonly *bool `android:"arch_variant"`
// Sanitizers to run in the diagnostic mode (as opposed to the release mode).
// Replaces abort() on error with a human-readable error message.
// Address and Thread sanitizers always run in diagnostic mode.
Diag struct {
Undefined *bool `android:"arch_variant"`
Cfi *bool `android:"arch_variant"`
Integer_overflow *bool `android:"arch_variant"`
Misc_undefined []string `android:"arch_variant"`
No_recover []string
}
// value to pass to -fsanitize-recover=
Recover []string
// value to pass to -fsanitize-blacklist
Blocklist *string
} `android:"arch_variant"`
SanitizerEnabled bool `blueprint:"mutated"`
SanitizeDep bool `blueprint:"mutated"`
MinimalRuntimeDep bool `blueprint:"mutated"`
BuiltinsDep bool `blueprint:"mutated"`
UbsanRuntimeDep bool `blueprint:"mutated"`
InSanitizerDir bool `blueprint:"mutated"`
Sanitizers []string `blueprint:"mutated"`
DiagSanitizers []string `blueprint:"mutated"`
}
type sanitize struct {
Properties SanitizeProperties
}
func init() {
android.RegisterMakeVarsProvider(pctx, cfiMakeVarsProvider)
android.RegisterMakeVarsProvider(pctx, hwasanMakeVarsProvider)
}
func (sanitize *sanitize) props() []interface{} {
return []interface{}{&sanitize.Properties}
}
func (sanitize *sanitize) begin(ctx BaseModuleContext) {
s := &sanitize.Properties.Sanitize
// Don't apply sanitizers to NDK code.
if ctx.useSdk() {
s.Never = BoolPtr(true)
}
// Sanitizers do not work on Fuchsia yet.
if ctx.Fuchsia() {
s.Never = BoolPtr(true)
}
// Never always wins.
if Bool(s.Never) {
return
}
var globalSanitizers []string
var globalSanitizersDiag []string
if ctx.Host() {
if !ctx.Windows() {
globalSanitizers = ctx.Config().SanitizeHost()
}
} else {
arches := ctx.Config().SanitizeDeviceArch()
if len(arches) == 0 || inList(ctx.Arch().ArchType.Name, arches) {
globalSanitizers = ctx.Config().SanitizeDevice()
globalSanitizersDiag = ctx.Config().SanitizeDeviceDiag()
}
}
if len(globalSanitizers) > 0 {
var found bool
if found, globalSanitizers = removeFromList("undefined", globalSanitizers); found && s.All_undefined == nil {
s.All_undefined = boolPtr(true)
}
if found, globalSanitizers = removeFromList("default-ub", globalSanitizers); found && s.Undefined == nil {
s.Undefined = boolPtr(true)
}
if found, globalSanitizers = removeFromList("address", globalSanitizers); found && s.Address == nil {
s.Address = boolPtr(true)
}
if found, globalSanitizers = removeFromList("thread", globalSanitizers); found && s.Thread == nil {
s.Thread = boolPtr(true)
}
if found, globalSanitizers = removeFromList("fuzzer", globalSanitizers); found && s.Fuzzer == nil {
s.Fuzzer = boolPtr(true)
}
if found, globalSanitizers = removeFromList("safe-stack", globalSanitizers); found && s.Safestack == nil {
s.Safestack = boolPtr(true)
}
if found, globalSanitizers = removeFromList("cfi", globalSanitizers); found && s.Cfi == nil {
if !ctx.Config().CFIDisabledForPath(ctx.ModuleDir()) {
s.Cfi = boolPtr(true)
}
}
// Global integer_overflow builds do not support static libraries.
if found, globalSanitizers = removeFromList("integer_overflow", globalSanitizers); found && s.Integer_overflow == nil {
if !ctx.Config().IntegerOverflowDisabledForPath(ctx.ModuleDir()) && !ctx.static() {
s.Integer_overflow = boolPtr(true)
}
}
if found, globalSanitizers = removeFromList("scudo", globalSanitizers); found && s.Scudo == nil {
s.Scudo = boolPtr(true)
}
if found, globalSanitizers = removeFromList("hwaddress", globalSanitizers); found && s.Hwaddress == nil {
s.Hwaddress = boolPtr(true)
}
if found, globalSanitizers = removeFromList("writeonly", globalSanitizers); found && s.Writeonly == nil {
// Hwaddress and Address are set before, so we can check them here
// If they aren't explicitly set in the blueprint/SANITIZE_(HOST|TARGET), they would be nil instead of false
if s.Address == nil && s.Hwaddress == nil {
ctx.ModuleErrorf("writeonly modifier cannot be used without 'address' or 'hwaddress'")
}
s.Writeonly = boolPtr(true)
}
if len(globalSanitizers) > 0 {
ctx.ModuleErrorf("unknown global sanitizer option %s", globalSanitizers[0])
}
// Global integer_overflow builds do not support static library diagnostics.
if found, globalSanitizersDiag = removeFromList("integer_overflow", globalSanitizersDiag); found &&
s.Diag.Integer_overflow == nil && Bool(s.Integer_overflow) && !ctx.static() {
s.Diag.Integer_overflow = boolPtr(true)
}
if found, globalSanitizersDiag = removeFromList("cfi", globalSanitizersDiag); found &&
s.Diag.Cfi == nil && Bool(s.Cfi) {
s.Diag.Cfi = boolPtr(true)
}
if len(globalSanitizersDiag) > 0 {
ctx.ModuleErrorf("unknown global sanitizer diagnostics option %s", globalSanitizersDiag[0])
}
}
// Enable CFI for all components in the include paths (for Aarch64 only)
if s.Cfi == nil && ctx.Config().CFIEnabledForPath(ctx.ModuleDir()) && ctx.Arch().ArchType == android.Arm64 {
s.Cfi = boolPtr(true)
if inList("cfi", ctx.Config().SanitizeDeviceDiag()) {
s.Diag.Cfi = boolPtr(true)
}
}
// Is CFI actually enabled?
if !ctx.Config().EnableCFI() {
s.Cfi = boolPtr(false)
s.Diag.Cfi = boolPtr(false)
}
// Also disable CFI for arm32 until b/35157333 is fixed.
if ctx.Arch().ArchType == android.Arm {
s.Cfi = boolPtr(false)
s.Diag.Cfi = boolPtr(false)
}
// HWASan requires AArch64 hardware feature (top-byte-ignore).
if ctx.Arch().ArchType != android.Arm64 {
s.Hwaddress = nil
}
// SCS is only implemented on AArch64.
if ctx.Arch().ArchType != android.Arm64 {
s.Scs = nil
}
// Also disable CFI if ASAN is enabled.
if Bool(s.Address) || Bool(s.Hwaddress) {
s.Cfi = boolPtr(false)
s.Diag.Cfi = boolPtr(false)
}
// Disable sanitizers that depend on the UBSan runtime for windows/darwin builds.
if !ctx.Os().Linux() {
s.Cfi = boolPtr(false)
s.Diag.Cfi = boolPtr(false)
s.Misc_undefined = nil
s.Undefined = nil
s.All_undefined = nil
s.Integer_overflow = nil
}
// Also disable CFI for VNDK variants of components
if ctx.isVndk() && ctx.useVndk() {
if ctx.static() {
// Cfi variant for static vndk should be captured as vendor snapshot,
// so don't strictly disable Cfi.
s.Cfi = nil
s.Diag.Cfi = nil
} else {
s.Cfi = boolPtr(false)
s.Diag.Cfi = boolPtr(false)
}
}
// HWASan ramdisk (which is built from recovery) goes over some bootloader limit.
// Keep libc instrumented so that ramdisk / recovery can run hwasan-instrumented code if necessary.
if (ctx.inRamdisk() || ctx.inRecovery()) && !strings.HasPrefix(ctx.ModuleDir(), "bionic/libc") {
s.Hwaddress = nil
}
if ctx.staticBinary() {
s.Address = nil
s.Fuzzer = nil
s.Thread = nil
}
if Bool(s.All_undefined) {
s.Undefined = nil
}
if !ctx.toolchain().Is64Bit() {
// TSAN and SafeStack are not supported on 32-bit architectures
s.Thread = nil
s.Safestack = nil
// TODO(ccross): error for compile_multilib = "32"?
}
if ctx.Os() != android.Windows && (Bool(s.All_undefined) || Bool(s.Undefined) || Bool(s.Address) || Bool(s.Thread) ||
Bool(s.Fuzzer) || Bool(s.Safestack) || Bool(s.Cfi) || Bool(s.Integer_overflow) || len(s.Misc_undefined) > 0 ||
Bool(s.Scudo) || Bool(s.Hwaddress) || Bool(s.Scs)) {
sanitize.Properties.SanitizerEnabled = true
}
// Disable Scudo if ASan or TSan is enabled, or if it's disabled globally.
if Bool(s.Address) || Bool(s.Thread) || Bool(s.Hwaddress) || ctx.Config().DisableScudo() {
s.Scudo = nil
}
if Bool(s.Hwaddress) {
s.Address = nil
s.Thread = nil
}
// TODO(b/131771163): CFI transiently depends on LTO, and thus Fuzzer is
// mutually incompatible.
if Bool(s.Fuzzer) {
s.Cfi = boolPtr(false)
}
}
func (sanitize *sanitize) deps(ctx BaseModuleContext, deps Deps) Deps {
if !sanitize.Properties.SanitizerEnabled { // || c.static() {
return deps
}
return deps
}
func toDisableImplicitIntegerChange(flags []string) bool {
// Returns true if any flag is fsanitize*integer, and there is
// no explicit flag about sanitize=implicit-integer-sign-change.
for _, f := range flags {
if strings.Contains(f, "sanitize=implicit-integer-sign-change") {
return false
}
}
for _, f := range flags {
if strings.HasPrefix(f, "-fsanitize") && strings.Contains(f, "integer") {
return true
}
}
return false
}
func (sanitize *sanitize) flags(ctx ModuleContext, flags Flags) Flags {
minimalRuntimeLib := config.UndefinedBehaviorSanitizerMinimalRuntimeLibrary(ctx.toolchain()) + ".a"
minimalRuntimePath := "${config.ClangAsanLibDir}/" + minimalRuntimeLib
builtinsRuntimeLib := config.BuiltinsRuntimeLibrary(ctx.toolchain()) + ".a"
builtinsRuntimePath := "${config.ClangAsanLibDir}/" + builtinsRuntimeLib
if sanitize.Properties.MinimalRuntimeDep {
flags.Local.LdFlags = append(flags.Local.LdFlags,
minimalRuntimePath,
"-Wl,--exclude-libs,"+minimalRuntimeLib)
}
if sanitize.Properties.BuiltinsDep {
flags.libFlags = append([]string{builtinsRuntimePath}, flags.libFlags...)
}
if !sanitize.Properties.SanitizerEnabled && !sanitize.Properties.UbsanRuntimeDep {
return flags
}
if Bool(sanitize.Properties.Sanitize.Address) {
if ctx.Arch().ArchType == android.Arm {
// Frame pointer based unwinder in ASan requires ARM frame setup.
// TODO: put in flags?
flags.RequiredInstructionSet = "arm"
}
flags.Local.CFlags = append(flags.Local.CFlags, asanCflags...)
flags.Local.LdFlags = append(flags.Local.LdFlags, asanLdflags...)
if Bool(sanitize.Properties.Sanitize.Writeonly) {
flags.Local.CFlags = append(flags.Local.CFlags, "-mllvm", "-asan-instrument-reads=0")
}
if ctx.Host() {
// -nodefaultlibs (provided with libc++) prevents the driver from linking
// libraries needed with -fsanitize=address. http://b/18650275 (WAI)
flags.Local.LdFlags = append(flags.Local.LdFlags, "-Wl,--no-as-needed")
} else {
flags.Local.CFlags = append(flags.Local.CFlags, "-mllvm", "-asan-globals=0")
if ctx.bootstrap() {
flags.DynamicLinker = "/system/bin/bootstrap/linker_asan"
} else {
flags.DynamicLinker = "/system/bin/linker_asan"
}
if flags.Toolchain.Is64Bit() {
flags.DynamicLinker += "64"
}
}
}
if Bool(sanitize.Properties.Sanitize.Hwaddress) {
flags.Local.CFlags = append(flags.Local.CFlags, hwasanCflags...)
if Bool(sanitize.Properties.Sanitize.Writeonly) {
flags.Local.CFlags = append(flags.Local.CFlags, "-mllvm", "-hwasan-instrument-reads=0")
}
}
if Bool(sanitize.Properties.Sanitize.Fuzzer) {
flags.Local.CFlags = append(flags.Local.CFlags, "-fsanitize=fuzzer-no-link")
// TODO(b/131771163): LTO and Fuzzer support is mutually incompatible.
_, flags.Local.LdFlags = removeFromList("-flto", flags.Local.LdFlags)
_, flags.Local.CFlags = removeFromList("-flto", flags.Local.CFlags)
flags.Local.LdFlags = append(flags.Local.LdFlags, "-fno-lto")
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-lto")
// TODO(b/142430592): Upstream linker scripts for sanitizer runtime libraries
// discard the sancov_lowest_stack symbol, because it's emulated TLS (and thus
// doesn't match the linker script due to the "__emutls_v." prefix).
flags.Local.LdFlags = append(flags.Local.LdFlags, "-fno-sanitize-coverage=stack-depth")
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-sanitize-coverage=stack-depth")
// TODO(b/133876586): Experimental PM breaks sanitizer coverage.
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-experimental-new-pass-manager")
// Disable fortify for fuzzing builds. Generally, we'll be building with
// UBSan or ASan here and the fortify checks pollute the stack traces.
flags.Local.CFlags = append(flags.Local.CFlags, "-U_FORTIFY_SOURCE")
// Build fuzzer-sanitized libraries with an $ORIGIN DT_RUNPATH. Android's
// linker uses DT_RUNPATH, not DT_RPATH. When we deploy cc_fuzz targets and
// their libraries to /data/fuzz/<arch>/lib, any transient shared library gets
// the DT_RUNPATH from the shared library above it, and not the executable,
// meaning that the lookup falls back to the system. Adding the $ORIGIN to the
// DT_RUNPATH here means that transient shared libraries can be found
// colocated with their parents.
flags.Local.LdFlags = append(flags.Local.LdFlags, `-Wl,-rpath,\$$ORIGIN`)
}
if Bool(sanitize.Properties.Sanitize.Cfi) {
if ctx.Arch().ArchType == android.Arm {
// __cfi_check needs to be built as Thumb (see the code in linker_cfi.cpp). LLVM is not set up
// to do this on a function basis, so force Thumb on the entire module.
flags.RequiredInstructionSet = "thumb"
}
flags.Local.CFlags = append(flags.Local.CFlags, cfiCflags...)
flags.Local.AsFlags = append(flags.Local.AsFlags, cfiAsflags...)
// Only append the default visibility flag if -fvisibility has not already been set
// to hidden.
if !inList("-fvisibility=hidden", flags.Local.CFlags) {
flags.Local.CFlags = append(flags.Local.CFlags, "-fvisibility=default")
}
flags.Local.LdFlags = append(flags.Local.LdFlags, cfiLdflags...)
if ctx.staticBinary() {
_, flags.Local.CFlags = removeFromList("-fsanitize-cfi-cross-dso", flags.Local.CFlags)
_, flags.Local.LdFlags = removeFromList("-fsanitize-cfi-cross-dso", flags.Local.LdFlags)
}
}
if Bool(sanitize.Properties.Sanitize.Integer_overflow) {
flags.Local.CFlags = append(flags.Local.CFlags, intOverflowCflags...)
}
if len(sanitize.Properties.Sanitizers) > 0 {
sanitizeArg := "-fsanitize=" + strings.Join(sanitize.Properties.Sanitizers, ",")
flags.Local.CFlags = append(flags.Local.CFlags, sanitizeArg)
flags.Local.AsFlags = append(flags.Local.AsFlags, sanitizeArg)
if ctx.Host() {
// Host sanitizers only link symbols in the final executable, so
// there will always be undefined symbols in intermediate libraries.
_, flags.Global.LdFlags = removeFromList("-Wl,--no-undefined", flags.Global.LdFlags)
flags.Local.LdFlags = append(flags.Local.LdFlags, sanitizeArg)
// non-Bionic toolchain prebuilts are missing UBSan's vptr and function sanitizers
if !ctx.toolchain().Bionic() {
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-sanitize=vptr,function")
}
}
if enableMinimalRuntime(sanitize) {
flags.Local.CFlags = append(flags.Local.CFlags, strings.Join(minimalRuntimeFlags, " "))
flags.libFlags = append([]string{minimalRuntimePath}, flags.libFlags...)
flags.Local.LdFlags = append(flags.Local.LdFlags, "-Wl,--exclude-libs,"+minimalRuntimeLib)
if !ctx.toolchain().Bionic() {
flags.libFlags = append([]string{builtinsRuntimePath}, flags.libFlags...)
}
}
if Bool(sanitize.Properties.Sanitize.Fuzzer) {
// When fuzzing, we wish to crash with diagnostics on any bug.
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-sanitize-trap=all", "-fno-sanitize-recover=all")
} else if ctx.Host() {
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-sanitize-recover=all")
} else {
flags.Local.CFlags = append(flags.Local.CFlags, "-fsanitize-trap=all", "-ftrap-function=abort")
}
// http://b/119329758, Android core does not boot up with this sanitizer yet.
if toDisableImplicitIntegerChange(flags.Local.CFlags) {
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-sanitize=implicit-integer-sign-change")
}
}
if len(sanitize.Properties.DiagSanitizers) > 0 {
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-sanitize-trap="+strings.Join(sanitize.Properties.DiagSanitizers, ","))
}
// FIXME: enable RTTI if diag + (cfi or vptr)
if sanitize.Properties.Sanitize.Recover != nil {
flags.Local.CFlags = append(flags.Local.CFlags, "-fsanitize-recover="+
strings.Join(sanitize.Properties.Sanitize.Recover, ","))
}
if sanitize.Properties.Sanitize.Diag.No_recover != nil {
flags.Local.CFlags = append(flags.Local.CFlags, "-fno-sanitize-recover="+
strings.Join(sanitize.Properties.Sanitize.Diag.No_recover, ","))
}
blocklist := android.OptionalPathForModuleSrc(ctx, sanitize.Properties.Sanitize.Blocklist)
if blocklist.Valid() {
flags.Local.CFlags = append(flags.Local.CFlags, "-fsanitize-blacklist="+blocklist.String())
flags.CFlagsDeps = append(flags.CFlagsDeps, blocklist.Path())
}
return flags
}
func (sanitize *sanitize) AndroidMkEntries(ctx AndroidMkContext, entries *android.AndroidMkEntries) {
// Add a suffix for cfi/hwasan/scs-enabled static/header libraries to allow surfacing
// both the sanitized and non-sanitized variants to make without a name conflict.
if entries.Class == "STATIC_LIBRARIES" || entries.Class == "HEADER_LIBRARIES" {
if Bool(sanitize.Properties.Sanitize.Cfi) {
entries.SubName += ".cfi"
}
if Bool(sanitize.Properties.Sanitize.Hwaddress) {
entries.SubName += ".hwasan"
}
if Bool(sanitize.Properties.Sanitize.Scs) {
entries.SubName += ".scs"
}
}
}
func (sanitize *sanitize) inSanitizerDir() bool {
return sanitize.Properties.InSanitizerDir
}
func (sanitize *sanitize) getSanitizerBoolPtr(t sanitizerType) *bool {
switch t {
case asan:
return sanitize.Properties.Sanitize.Address
case hwasan:
return sanitize.Properties.Sanitize.Hwaddress
case tsan:
return sanitize.Properties.Sanitize.Thread
case intOverflow:
return sanitize.Properties.Sanitize.Integer_overflow
case cfi:
return sanitize.Properties.Sanitize.Cfi
case scs:
return sanitize.Properties.Sanitize.Scs
case fuzzer:
return sanitize.Properties.Sanitize.Fuzzer
default:
panic(fmt.Errorf("unknown sanitizerType %d", t))
}
}
func (sanitize *sanitize) isUnsanitizedVariant() bool {
return !sanitize.isSanitizerEnabled(asan) &&
!sanitize.isSanitizerEnabled(hwasan) &&
!sanitize.isSanitizerEnabled(tsan) &&
!sanitize.isSanitizerEnabled(cfi) &&
!sanitize.isSanitizerEnabled(scs) &&
!sanitize.isSanitizerEnabled(fuzzer)
}
func (sanitize *sanitize) isVariantOnProductionDevice() bool {
return !sanitize.isSanitizerEnabled(asan) &&
!sanitize.isSanitizerEnabled(hwasan) &&
!sanitize.isSanitizerEnabled(tsan) &&
!sanitize.isSanitizerEnabled(fuzzer)
}
func (sanitize *sanitize) SetSanitizer(t sanitizerType, b bool) {
switch t {
case asan:
sanitize.Properties.Sanitize.Address = boolPtr(b)
case hwasan:
sanitize.Properties.Sanitize.Hwaddress = boolPtr(b)
case tsan:
sanitize.Properties.Sanitize.Thread = boolPtr(b)
case intOverflow:
sanitize.Properties.Sanitize.Integer_overflow = boolPtr(b)
case cfi:
sanitize.Properties.Sanitize.Cfi = boolPtr(b)
case scs:
sanitize.Properties.Sanitize.Scs = boolPtr(b)
case fuzzer:
sanitize.Properties.Sanitize.Fuzzer = boolPtr(b)
default:
panic(fmt.Errorf("unknown sanitizerType %d", t))
}
if b {
sanitize.Properties.SanitizerEnabled = true
}
}
// Check if the sanitizer is explicitly disabled (as opposed to nil by
// virtue of not being set).
func (sanitize *sanitize) isSanitizerExplicitlyDisabled(t sanitizerType) bool {
if sanitize == nil {
return false
}
sanitizerVal := sanitize.getSanitizerBoolPtr(t)
return sanitizerVal != nil && *sanitizerVal == false
}
// There isn't an analog of the method above (ie:isSanitizerExplicitlyEnabled)
// because enabling a sanitizer either directly (via the blueprint) or
// indirectly (via a mutator) sets the bool ptr to true, and you can't
// distinguish between the cases. It isn't needed though - both cases can be
// treated identically.
func (sanitize *sanitize) isSanitizerEnabled(t sanitizerType) bool {
if sanitize == nil {
return false
}
sanitizerVal := sanitize.getSanitizerBoolPtr(t)
return sanitizerVal != nil && *sanitizerVal == true
}
func isSanitizableDependencyTag(tag blueprint.DependencyTag) bool {
switch t := tag.(type) {
case dependencyTag:
return t == reuseObjTag || t == objDepTag
case libraryDependencyTag:
return true
default:
return false
}
}
// Determines if the current module is a static library going to be captured
// as vendor snapshot. Such modules must create both cfi and non-cfi variants,
// except for ones which explicitly disable cfi.
func needsCfiForVendorSnapshot(mctx android.TopDownMutatorContext) bool {
if isVendorProprietaryPath(mctx.ModuleDir()) {
return false
}
c := mctx.Module().(*Module)
if !c.inVendor() {
return false
}
if !c.static() {
return false
}
if c.Prebuilt() != nil {
return false
}
return c.sanitize != nil &&
!Bool(c.sanitize.Properties.Sanitize.Never) &&
!c.sanitize.isSanitizerExplicitlyDisabled(cfi)
}
// Propagate sanitizer requirements down from binaries
func sanitizerDepsMutator(t sanitizerType) func(android.TopDownMutatorContext) {
return func(mctx android.TopDownMutatorContext) {
if c, ok := mctx.Module().(*Module); ok {
enabled := c.sanitize.isSanitizerEnabled(t)
if t == cfi && needsCfiForVendorSnapshot(mctx) {
// We shouldn't change the result of isSanitizerEnabled(cfi) to correctly
// determine defaultVariation in sanitizerMutator below.
// Instead, just mark SanitizeDep to forcefully create cfi variant.
enabled = true
c.sanitize.Properties.SanitizeDep = true
}
if enabled {
mctx.WalkDeps(func(child, parent android.Module) bool {
if !isSanitizableDependencyTag(mctx.OtherModuleDependencyTag(child)) {
return false
}
if d, ok := child.(*Module); ok && d.sanitize != nil &&
!Bool(d.sanitize.Properties.Sanitize.Never) &&
!d.sanitize.isSanitizerExplicitlyDisabled(t) {
if t == cfi || t == hwasan || t == scs {
if d.static() {
d.sanitize.Properties.SanitizeDep = true
}
} else {
d.sanitize.Properties.SanitizeDep = true
}
}
return true
})
}
} else if sanitizeable, ok := mctx.Module().(Sanitizeable); ok {
// If an APEX module includes a lib which is enabled for a sanitizer T, then
// the APEX module is also enabled for the same sanitizer type.
mctx.VisitDirectDeps(func(child android.Module) {
if c, ok := child.(*Module); ok && c.sanitize.isSanitizerEnabled(t) {
sanitizeable.EnableSanitizer(t.name())
}
})
}
}
}
// Propagate the ubsan minimal runtime dependency when there are integer overflow sanitized static dependencies.
func sanitizerRuntimeDepsMutator(mctx android.TopDownMutatorContext) {
if c, ok := mctx.Module().(*Module); ok && c.sanitize != nil {
mctx.WalkDeps(func(child, parent android.Module) bool {
if !isSanitizableDependencyTag(mctx.OtherModuleDependencyTag(child)) {
return false
}
d, ok := child.(*Module)
if !ok || !d.static() {
return false
}
if d.sanitize != nil {
if enableMinimalRuntime(d.sanitize) {
// If a static dependency is built with the minimal runtime,
// make sure we include the ubsan minimal runtime.
c.sanitize.Properties.MinimalRuntimeDep = true
} else if enableUbsanRuntime(d.sanitize) {
// If a static dependency runs with full ubsan diagnostics,
// make sure we include the ubsan runtime.
c.sanitize.Properties.UbsanRuntimeDep = true
}
if c.sanitize.Properties.MinimalRuntimeDep &&
c.sanitize.Properties.UbsanRuntimeDep {
// both flags that this mutator might set are true, so don't bother recursing
return false
}
if c.Os() == android.Linux {
c.sanitize.Properties.BuiltinsDep = true
}
return true
}
if p, ok := d.linker.(*vendorSnapshotLibraryDecorator); ok {
if Bool(p.properties.Sanitize_minimal_dep) {
c.sanitize.Properties.MinimalRuntimeDep = true
}
if Bool(p.properties.Sanitize_ubsan_dep) {
c.sanitize.Properties.UbsanRuntimeDep = true
}
}
return false
})
}
}
// Add the dependency to the runtime library for each of the sanitizer variants
func sanitizerRuntimeMutator(mctx android.BottomUpMutatorContext) {
if c, ok := mctx.Module().(*Module); ok && c.sanitize != nil {
if !c.Enabled() {
return
}
var sanitizers []string
var diagSanitizers []string
if Bool(c.sanitize.Properties.Sanitize.All_undefined) {
sanitizers = append(sanitizers, "undefined")
} else {
if Bool(c.sanitize.Properties.Sanitize.Undefined) {
sanitizers = append(sanitizers,
"bool",
"integer-divide-by-zero",
"return",
"returns-nonnull-attribute",
"shift-exponent",
"unreachable",
"vla-bound",
// TODO(danalbert): The following checks currently have compiler performance issues.
//"alignment",
//"bounds",
//"enum",
//"float-cast-overflow",
//"float-divide-by-zero",
//"nonnull-attribute",
//"null",
//"shift-base",
//"signed-integer-overflow",
// TODO(danalbert): Fix UB in libc++'s __tree so we can turn this on.
// https://llvm.org/PR19302
// http://reviews.llvm.org/D6974
// "object-size",
)
}
sanitizers = append(sanitizers, c.sanitize.Properties.Sanitize.Misc_undefined...)
}
if Bool(c.sanitize.Properties.Sanitize.Diag.Undefined) {
diagSanitizers = append(diagSanitizers, "undefined")
}
diagSanitizers = append(diagSanitizers, c.sanitize.Properties.Sanitize.Diag.Misc_undefined...)
if Bool(c.sanitize.Properties.Sanitize.Address) {
sanitizers = append(sanitizers, "address")
diagSanitizers = append(diagSanitizers, "address")
}
if Bool(c.sanitize.Properties.Sanitize.Hwaddress) {
sanitizers = append(sanitizers, "hwaddress")
}
if Bool(c.sanitize.Properties.Sanitize.Thread) {
sanitizers = append(sanitizers, "thread")
}
if Bool(c.sanitize.Properties.Sanitize.Safestack) {
sanitizers = append(sanitizers, "safe-stack")
}
if Bool(c.sanitize.Properties.Sanitize.Cfi) {
sanitizers = append(sanitizers, "cfi")
if Bool(c.sanitize.Properties.Sanitize.Diag.Cfi) {
diagSanitizers = append(diagSanitizers, "cfi")
}
}
if Bool(c.sanitize.Properties.Sanitize.Integer_overflow) {
sanitizers = append(sanitizers, "unsigned-integer-overflow")
sanitizers = append(sanitizers, "signed-integer-overflow")
if Bool(c.sanitize.Properties.Sanitize.Diag.Integer_overflow) {
diagSanitizers = append(diagSanitizers, "unsigned-integer-overflow")
diagSanitizers = append(diagSanitizers, "signed-integer-overflow")
}
}
if Bool(c.sanitize.Properties.Sanitize.Scudo) {
sanitizers = append(sanitizers, "scudo")
}
if Bool(c.sanitize.Properties.Sanitize.Scs) {
sanitizers = append(sanitizers, "shadow-call-stack")
}
if Bool(c.sanitize.Properties.Sanitize.Fuzzer) {
sanitizers = append(sanitizers, "fuzzer-no-link")
}
// Save the list of sanitizers. These will be used again when generating
// the build rules (for Cflags, etc.)
c.sanitize.Properties.Sanitizers = sanitizers
c.sanitize.Properties.DiagSanitizers = diagSanitizers
// TODO(b/150822854) Hosts have a different default behavior and assume the runtime library is used.
if c.Host() {
diagSanitizers = sanitizers
}
// Determine the runtime library required
runtimeLibrary := ""
var extraStaticDeps []string
toolchain := c.toolchain(mctx)
if Bool(c.sanitize.Properties.Sanitize.Address) {
runtimeLibrary = config.AddressSanitizerRuntimeLibrary(toolchain)
} else if Bool(c.sanitize.Properties.Sanitize.Hwaddress) {
if c.staticBinary() {
runtimeLibrary = config.HWAddressSanitizerStaticLibrary(toolchain)
extraStaticDeps = []string{"libdl"}
} else {
runtimeLibrary = config.HWAddressSanitizerRuntimeLibrary(toolchain)
}
} else if Bool(c.sanitize.Properties.Sanitize.Thread) {
runtimeLibrary = config.ThreadSanitizerRuntimeLibrary(toolchain)
} else if Bool(c.sanitize.Properties.Sanitize.Scudo) {
if len(diagSanitizers) == 0 && !c.sanitize.Properties.UbsanRuntimeDep {
runtimeLibrary = config.ScudoMinimalRuntimeLibrary(toolchain)
} else {
runtimeLibrary = config.ScudoRuntimeLibrary(toolchain)
}
} else if len(diagSanitizers) > 0 || c.sanitize.Properties.UbsanRuntimeDep ||
Bool(c.sanitize.Properties.Sanitize.Fuzzer) ||
Bool(c.sanitize.Properties.Sanitize.Undefined) ||
Bool(c.sanitize.Properties.Sanitize.All_undefined) {
runtimeLibrary = config.UndefinedBehaviorSanitizerRuntimeLibrary(toolchain)
}
if runtimeLibrary != "" && (toolchain.Bionic() || c.sanitize.Properties.UbsanRuntimeDep) {
// UBSan is supported on non-bionic linux host builds as well
if isLlndkLibrary(runtimeLibrary, mctx.Config()) && !c.static() && c.UseVndk() {
runtimeLibrary = runtimeLibrary + llndkLibrarySuffix
}
// Adding dependency to the runtime library. We are using *FarVariation*
// because the runtime libraries themselves are not mutated by sanitizer
// mutators and thus don't have sanitizer variants whereas this module
// has been already mutated.
//
// Note that by adding dependency with {static|shared}DepTag, the lib is
// added to libFlags and LOCAL_SHARED_LIBRARIES by cc.Module
if c.staticBinary() {
deps := append(extraStaticDeps, runtimeLibrary)
// If we're using snapshots and in vendor, redirect to snapshot whenever possible
if c.VndkVersion() == mctx.DeviceConfig().VndkVersion() {
snapshots := vendorSnapshotStaticLibs(mctx.Config())
for idx, dep := range deps {
if lib, ok := snapshots.get(dep, mctx.Arch().ArchType); ok {
deps[idx] = lib
}
}
}
// static executable gets static runtime libs
depTag := libraryDependencyTag{Kind: staticLibraryDependency}
mctx.AddFarVariationDependencies(append(mctx.Target().Variations(), []blueprint.Variation{
{Mutator: "link", Variation: "static"},
c.ImageVariation(),
}...), depTag, deps...)
} else if !c.static() && !c.header() {
// If we're using snapshots and in vendor, redirect to snapshot whenever possible
if c.VndkVersion() == mctx.DeviceConfig().VndkVersion() {
snapshots := vendorSnapshotSharedLibs(mctx.Config())
if lib, ok := snapshots.get(runtimeLibrary, mctx.Arch().ArchType); ok {
runtimeLibrary = lib
}
}
// dynamic executable and shared libs get shared runtime libs
depTag := libraryDependencyTag{Kind: sharedLibraryDependency, Order: earlyLibraryDependency}
mctx.AddFarVariationDependencies(append(mctx.Target().Variations(), []blueprint.Variation{
{Mutator: "link", Variation: "shared"},
c.ImageVariation(),
}...), depTag, runtimeLibrary)
}
// static lib does not have dependency to the runtime library. The
// dependency will be added to the executables or shared libs using
// the static lib.
}
}
}
type Sanitizeable interface {
android.Module
IsSanitizerEnabled(ctx android.BaseModuleContext, sanitizerName string) bool
EnableSanitizer(sanitizerName string)
AddSanitizerDependencies(ctx android.BottomUpMutatorContext, sanitizerName string)
}
// Create sanitized variants for modules that need them
func sanitizerMutator(t sanitizerType) func(android.BottomUpMutatorContext) {
return func(mctx android.BottomUpMutatorContext) {
if c, ok := mctx.Module().(*Module); ok && c.sanitize != nil {
if c.isDependencyRoot() && c.sanitize.isSanitizerEnabled(t) {
modules := mctx.CreateVariations(t.variationName())
modules[0].(*Module).sanitize.SetSanitizer(t, true)
} else if c.sanitize.isSanitizerEnabled(t) || c.sanitize.Properties.SanitizeDep {
isSanitizerEnabled := c.sanitize.isSanitizerEnabled(t)
if c.static() || c.header() || t == asan || t == fuzzer {
// Static and header libs are split into non-sanitized and sanitized variants.
// Shared libs are not split. However, for asan and fuzzer, we split even for shared
// libs because a library sanitized for asan/fuzzer can't be linked from a library
// that isn't sanitized for asan/fuzzer.
//
// Note for defaultVariation: since we don't split for shared libs but for static/header
// libs, it is possible for the sanitized variant of a static/header lib to depend
// on non-sanitized variant of a shared lib. Such unfulfilled variation causes an
// error when the module is split. defaultVariation is the name of the variation that
// will be used when such a dangling dependency occurs during the split of the current
// module. By setting it to the name of the sanitized variation, the dangling dependency
// is redirected to the sanitized variant of the dependent module.
defaultVariation := t.variationName()
mctx.SetDefaultDependencyVariation(&defaultVariation)
modules := mctx.CreateVariations("", t.variationName())
modules[0].(*Module).sanitize.SetSanitizer(t, false)
modules[1].(*Module).sanitize.SetSanitizer(t, true)
modules[0].(*Module).sanitize.Properties.SanitizeDep = false
modules[1].(*Module).sanitize.Properties.SanitizeDep = false
if mctx.Device() && t.incompatibleWithCfi() {
// TODO: Make sure that cfi mutator runs "after" any of the sanitizers that
// are incompatible with cfi
modules[1].(*Module).sanitize.SetSanitizer(cfi, false)
}
// For cfi/scs/hwasan, we can export both sanitized and un-sanitized variants
// to Make, because the sanitized version has a different suffix in name.
// For other types of sanitizers, suppress the variation that is disabled.
if t != cfi && t != scs && t != hwasan {
if isSanitizerEnabled {
modules[0].(*Module).Properties.PreventInstall = true
modules[0].(*Module).Properties.HideFromMake = true
} else {
modules[1].(*Module).Properties.PreventInstall = true
modules[1].(*Module).Properties.HideFromMake = true
}
}
// Export the static lib name to make
if c.static() && c.ExportedToMake() {
if t == cfi {
cfiStaticLibs(mctx.Config()).add(c, c.Name())
} else if t == hwasan {
hwasanStaticLibs(mctx.Config()).add(c, c.Name())
}
}
} else {
// Shared libs are not split. Only the sanitized variant is created.
modules := mctx.CreateVariations(t.variationName())
modules[0].(*Module).sanitize.SetSanitizer(t, true)
modules[0].(*Module).sanitize.Properties.SanitizeDep = false
// locate the asan libraries under /data/asan
if mctx.Device() && t == asan && isSanitizerEnabled {
modules[0].(*Module).sanitize.Properties.InSanitizerDir = true
}
if mctx.Device() && t.incompatibleWithCfi() {
// TODO: Make sure that cfi mutator runs "after" any of the sanitizers that
// are incompatible with cfi
modules[0].(*Module).sanitize.SetSanitizer(cfi, false)
}
}
}
c.sanitize.Properties.SanitizeDep = false
} else if sanitizeable, ok := mctx.Module().(Sanitizeable); ok && sanitizeable.IsSanitizerEnabled(mctx, t.name()) {
// APEX modules fall here
sanitizeable.AddSanitizerDependencies(mctx, t.name())
mctx.CreateVariations(t.variationName())
} else if c, ok := mctx.Module().(*Module); ok {
// Check if it's a snapshot module supporting sanitizer
if s, ok := c.linker.(snapshotSanitizer); ok && s.isSanitizerEnabled(t) {
// Set default variation as above.
defaultVariation := t.variationName()
mctx.SetDefaultDependencyVariation(&defaultVariation)
modules := mctx.CreateVariations("", t.variationName())
modules[0].(*Module).linker.(snapshotSanitizer).setSanitizerVariation(t, false)
modules[1].(*Module).linker.(snapshotSanitizer).setSanitizerVariation(t, true)
// Export the static lib name to make
if c.static() && c.ExportedToMake() {
if t == cfi {
// use BaseModuleName which is the name for Make.
cfiStaticLibs(mctx.Config()).add(c, c.BaseModuleName())
}
}
}
}
}
}
type sanitizerStaticLibsMap struct {
// libsMap contains one list of modules per each image and each arch.
// e.g. libs[vendor]["arm"] contains arm modules installed to vendor
libsMap map[imageVariantType]map[string][]string
libsMapLock sync.Mutex
sanitizerType sanitizerType
}
func newSanitizerStaticLibsMap(t sanitizerType) *sanitizerStaticLibsMap {
return &sanitizerStaticLibsMap{
sanitizerType: t,
libsMap: make(map[imageVariantType]map[string][]string),
}
}
// Add the current module to sanitizer static libs maps
// Each module should pass its exported name as names of Make and Soong can differ.
func (s *sanitizerStaticLibsMap) add(c *Module, name string) {
image := c.getImageVariantType()
arch := c.Arch().ArchType.String()
s.libsMapLock.Lock()
defer s.libsMapLock.Unlock()
if _, ok := s.libsMap[image]; !ok {
s.libsMap[image] = make(map[string][]string)
}
s.libsMap[image][arch] = append(s.libsMap[image][arch], name)
}
// Exports makefile variables in the following format:
// SOONG_{sanitizer}_{image}_{arch}_STATIC_LIBRARIES
// e.g. SOONG_cfi_core_x86_STATIC_LIBRARIES
// These are to be used by use_soong_sanitized_static_libraries.
// See build/make/core/binary.mk for more details.
func (s *sanitizerStaticLibsMap) exportToMake(ctx android.MakeVarsContext) {
for _, image := range android.SortedStringKeys(s.libsMap) {
archMap := s.libsMap[imageVariantType(image)]
for _, arch := range android.SortedStringKeys(archMap) {
libs := archMap[arch]
sort.Strings(libs)
key := fmt.Sprintf(
"SOONG_%s_%s_%s_STATIC_LIBRARIES",
s.sanitizerType.variationName(),
image, // already upper
arch)
ctx.Strict(key, strings.Join(libs, " "))
}
}
}
var cfiStaticLibsKey = android.NewOnceKey("cfiStaticLibs")
func cfiStaticLibs(config android.Config) *sanitizerStaticLibsMap {
return config.Once(cfiStaticLibsKey, func() interface{} {
return newSanitizerStaticLibsMap(cfi)
}).(*sanitizerStaticLibsMap)
}
var hwasanStaticLibsKey = android.NewOnceKey("hwasanStaticLibs")
func hwasanStaticLibs(config android.Config) *sanitizerStaticLibsMap {
return config.Once(hwasanStaticLibsKey, func() interface{} {
return newSanitizerStaticLibsMap(hwasan)
}).(*sanitizerStaticLibsMap)
}
func enableMinimalRuntime(sanitize *sanitize) bool {
if !Bool(sanitize.Properties.Sanitize.Address) &&
!Bool(sanitize.Properties.Sanitize.Hwaddress) &&
!Bool(sanitize.Properties.Sanitize.Fuzzer) &&
(Bool(sanitize.Properties.Sanitize.Integer_overflow) ||
len(sanitize.Properties.Sanitize.Misc_undefined) > 0 ||
Bool(sanitize.Properties.Sanitize.Undefined) ||
Bool(sanitize.Properties.Sanitize.All_undefined)) &&
!(Bool(sanitize.Properties.Sanitize.Diag.Integer_overflow) ||
Bool(sanitize.Properties.Sanitize.Diag.Cfi) ||
Bool(sanitize.Properties.Sanitize.Diag.Undefined) ||
len(sanitize.Properties.Sanitize.Diag.Misc_undefined) > 0) {
return true
}
return false
}
func enableUbsanRuntime(sanitize *sanitize) bool {
return Bool(sanitize.Properties.Sanitize.Diag.Integer_overflow) ||
Bool(sanitize.Properties.Sanitize.Diag.Undefined) ||
len(sanitize.Properties.Sanitize.Diag.Misc_undefined) > 0
}
func cfiMakeVarsProvider(ctx android.MakeVarsContext) {
cfiStaticLibs(ctx.Config()).exportToMake(ctx)
}
func hwasanMakeVarsProvider(ctx android.MakeVarsContext) {
hwasanStaticLibs(ctx.Config()).exportToMake(ctx)
}