this adds kernel & libroot stack protector hooks. it uses /dev/random in userspace.
A configure option --enable-stack-protector is added to activate -fstack-protector
on selected system components (ATM apps, kits, servers).
Change-Id: If3a2920ba9aa0a85eaff4ba6778947f8c76ade31
Reviewed-on: https://review.haiku-os.org/c/haiku/+/3895
Reviewed-by: Adrien Destugues <pulkomandy@gmail.com>
- libicule and libiculx do not exist anymore in newer ICU versions
(harfbuzz replaces them), but we didn't actually use them, so remove
them from the build feature and from the package dependencies
- Add namespace usage marcos since the newer ICU packages put ICU things
in a namespace, making it easier to have multiple versions of ICU used
side by side.
No functional change intended, but this makes it possible to build the
code with either ICU 57 (for gcc2) or 66 (for other architectures).
The goal here is to avoid potentially expensive fork()ing.
The time for a fork() is (for a process with no real heap usage
and thus few areas) 300-400us on my system. load_image() takes
3000us (3ms) or so, but this of course includes exec() time.
Overall, for compiling HaikuDepot (with a tweaked jam to use
posix_spawn on Haiku, not just on Linux) there is a slight
decrease in time:
before:
real 1m21.727s
user 1m2.131s
sys 0m43.029s
after:
real 1m19.472s
user 1m1.752s
sys 0m41.740s
Which is probably within the realm of "noise", so more benchmarks
are needed. Likely if we tweak our jam usage to not need as many
shells when running commands, this would be a much more noticeable
change.
Change-Id: I217f2476b1ed9aa18322b3c2bc8986571d89549a
Use the gcc builtin instead, which generates more efficient code (it
saves a function call) and means less platform specific code to write
for us.
Change-Id: I1d55b5703027b2ea4ecde2438ea306bd4850eb32
Reviewed-on: https://review.haiku-os.org/c/haiku/+/1859
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
Refactored out of execvpe. Originally I did this for my attempted
change to posix_spawn, but that change turned out to be wrong and
actually not that beneficial. This bit seems potentially useful,
though, so here it is.
Implemented against POSIX-1.2013.
The implementation POSIX requirement thats setpriority() shall affect the
priority of all system scope threads only extends to POSIX threads. This
is implemented by modifying the default attributes for newly spawned
pthreads.
It is not possible to modify the default pthread attributes for different
processes with the current implementation, as default pthread attributes
are implemented in user-space. As a result, PRIO_PROCESS for which and 0
for who is the only supported combination for setpriority().
While it is possible to move the default attributes to the kernel, it
is chosen not to so as to keep the pthread implementation user-space only.
POSIX requires that lowering the nice value (increasing priority) can be
done only by processes with appropriate privileges. However, as Haiku
currently doesn't harbor any restrictions in setting the thread priority,
this is not implemented.
It is possible to have small precision errors when converting from Unix-
style thread priority to Be-style. For example, the following program
outputs "17" instead of the expected "18":
#include <stdio.h>
#include <sys/resource.h>
int
main()
{
setpriority(PRIO_PROCESS, 0, 18);
printf("%d\n", getpriority(PRIO_PROCESS, 0));
return 0;
}
The underlying reason is because when you setpriority() both 18 and 19
are converted to the Be-style "2". This problem should not happen with
priority levels lower than or equal to 20, when the Be notation is more
precise than the Unix-style.
Done as a part of GCI 2014. Fixes#2817.
Signed-off-by: Timothy Gu <timothygu99@gmail.com>
Co-authored-by: Leorize <leorize+oss@disroot.org>
Change-Id: Ie14f105b00fe8563d16b3562748e1c2e56c873a6
Reviewed-on: https://review.haiku-os.org/c/78
Reviewed-by: Jérôme Duval <jerome.duval@gmail.com>
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
This allows heap implementations to initialize and clean up any thread
specific structures. The current default hoard heap does not use these.
Note that the thread exit hook will not be called for the main thread as
the heap may be needed during process termination (__cxa_finalize for
example).
Change-Id: I703fbd34dec0d9029d619a2125c5b19d8c1933aa
Reviewed-on: https://review.haiku-os.org/799
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
Fixes#13733.
Unlike written in the ticket, the string length is 136 (not 135),
and the code checks for rejects anything greater or equal to the max
value. So set the constant to 137.
This is an implementation of pthread barriers pursuant to the relevant specification.
Barriers are essentially a special case of conditional variables,
such that all threads waiting on one are woken up when the number of
waiters reaches a number provided at the initialization of the barrier.
In view of that, this implementation mimics the implementation of pthread_cond,
except it is more specialized and self-contained.
Signed-off-by: Jérôme Duval <jerome.duval@gmail.com>
* Also defer signals while registering fork hooks.
* While malloc provides fork heap hooks which lock the heaps and unlock/reinit,
malloc_debug provides empty hooks.
* Ideas suggested by Ingo, patch reviewed by him. Thanks a lot!
* Also call fork parent hooks on failure.
* Solve locks-up when combining multithreading and process forking, should help
with #13111.
The individual debug heap implementations are now exposed via a
structure of function pointers and a common frontend dispatches the
malloc and malloc_debug APIs through them.
The MALLOC_DEBUG environment variable can be used to select the guarded
heap by adding 'g', otherwise the debug heap is used as the default.
Consequently the separate libroot_guarded is not needed anymore and has
been removed.
To allow the use of environment variables this early, init_env_post_heap
has been added and the heap dependent atfork() moved there. This allowed
to fold the code of init_heap_post_env into init_heap so the former has
been removed.
* When creating the port of the registrar's authentication manager, we
now set it manually, so that the user/group functions work.
* This allows LaunchDaemon::_StartSession() to set up the user, and
groups as needed.
* These methods don't really work yet, as BMessage doesn't support
replying with a KMessage; the request is received, but the reply
never gets to the target.
It can be used to get a stack trace of the current thread. Note that
this works by walking frame pointers and will not produce anything
useful if an application is compiled with the frame pointers omitted.
The stack base and end addresses have to be provided as arguments and
are used to check that the frame pointers fall within that range. These
values are thread specific and can be retrieved with get_thread_info().
No other sanity checks (like checking for loops in the linked list) are
done.
This is a simplified rewrite of the stack trace code from the kernel
debugger.
As this code is common to x86 and x86_64 but is not generic across
architectures I introduced x86_common as a directory to put such
sources.
When enabled (using heap_debug_dump_allocations_on_exit(true) or
MALLOC_DEBUG=e) this causes a dump of all remaining allocations when
libroot_debug is unloaded. It uses terminate_after to be called as
late as possible.
When combined with alloc stack traces this makes for a nice if a bit
crude leak checker. Note that a lot of allocations usually remain
even at that stage due to statically, lazyly and globally allocated
stuff from the various system libraries where it isn't necessarily
worth the overhead to free them when the program terminates anyway.
__flatten_process_args() does now have the executable path as an
additional (optional) parameter. If specified, the function will read
the file's SYS:ENV attribute (if set) and use its value to modified the
environment it is preparing for the new process. Currently supported
attribute values are strings consisting of "<var>=<value>" substrings
separated by "\0" (backslash zero), with '\' being used as an escape
character. The environment will be altered to contain the specified
"<var>=<value>" elements, replacing a preexisting <var> element (if
any).
A possible use case would be setting a SYS:ENV attribute with value
"DISABLE_ASLR=1" on an executable that needs ASLR disabled.
* No need for the atomically changed variables to be declared as
volatile.
* Drop support for atomically getting and setting unaligned data.
* Introduce atomic_get_and_set[64]() which works the same as
atomic_set[64]() used to. atomic_set[64]() does not return the
previous value anymore.
* If at least one image is either B_HAIKU_ABI_GCC_2_ANCIENT or
B_HAIKU_ABI_GCC_2_BEOS almost all areas are marked as executable.
* B_EXECUTE_AREA and B_STACK_AREA are made public. The former is enforced since
the introduction of DEP and apps need it to correctly set area protection.
The latter is currently needed only to recognize stack areas and fix their
protection in compatibility mode, but may also be useful if an app wants
to use sigaltstack from POSIX API.
This patch introduces randomization of commpage position. From now on commpage
table contains offsets from begining to of the commpage to the particular
commpage entry. Similary addresses of symbols in ELF memory image "commpage"
are just offsets from the begining of the commpage.
This patch also updates KDL so that commpage entries are recognized and shown
correctly in stack trace. An update of Debugger is yet to be done.
* Added the aforementioned functions.
* create_area_etc() now takes a guard size parameter.
* The thread_info::stack_base/end range now refers to the usable range
only.
* add Wcscoll() and Wcsxfrm() ICU locale backend
* provide implementations of wcscoll() and wcsxfrm() that are using
the respective methods of the locale backend
* make room in mbstate_t for containing an ICU-converter's state
(well, in fact the whole converter object)
* adjust libroot's locale add-on to clone converters into a given
mbstate_t directly
* adjust ICUThreadLocalStorageValue to contain the converter pointer
instead of a converter-ID (if the converter is related to an
mbstate_t, it points into the mbstate_t).
* adjust users of converters to directly use converter pointers
instead of ICUConverterRef
* drop now unused ICUConverterManager and ICUConverterRef
* update gcc4 optional package
This brings our multibyte implementation into a fully working state,
both non-ascii and non-8-bit characters can now be handled normally
in the Terminal, i.e. this finally fixes#6276.
N.B.: Since the size of mbstate_t has changed, everything (including
the compiler!) needs to be rebuilt.
* add MultibyteStringToWchar() to ICU locale backend
* implement mbsrtowcs() and mbsnrtowcs() on top of
MultibyteStringToWchar()
* drop respective glibc files
Bring the changes that aren't package management related and the ones
that are but don't take effect as long as they are ignored by the build
system into the master.
Summary of changes:
* Introduce private header <directories.h> with constants for a good
deal of paths that should usually be retrieved via find_directory().
* Replace hard-coded paths by using find_directory() or the
<directories.h> constants (e.g. in drivers and the kernel).
* Add find_directory() constants needed for package management.
* Add __HAIKU_ABI_NAME and B_HAIKU_ABI_NAME macros.
* src/apps/deskbar: BeMenu.* -> DeskbarMenu.*,
DeskBarUtils.* -> DeskbarUtils.*
* Change deskbar menu settings directory from ~/config/be to
~/config/settings/deskbar.
* Other smaller cleanups, changes, and fixes.
* add errno_private.h, which defines the __set_errno() macro with
and without tracing
* instead of setting errno manually, all libroot's code now invokes
__set_errno(), which makes it much easier to trace changes to errno
* redirect glibc's use of __set_errno() to our own version
* update copyrights of locale backend files
Multibyte-support has been rewritten to use ICU as backend.
While this does not necessarily work properly in every aspect
(e.g. the shell still has [different] problems with multibyte-
characters now), it does fix#6263 and #7700.
* add implementations for the following multibyte-related
functions:
btwoc()
mblen()
mbrlen()
mbrtowc()
mbsinit()
mbtowc()
wcrtomb()
wcswidth()
wctob()
wctomb()
* the implementation of the above function live in a symbol
named __<name>, the above symbol names are defined as a weak
alias to the internal ones - TODO: we need to make sure to
only invoked the internal functions (i.e. prepended with __)
in order to avoid problems with symbol preemption.
* deactivate the limited mb implementation we provided before,
as well as respective stuff from glibc
* add actual converter methods MultibyteToWchar() and WcharToMultibyte()
to locale backend and implement them in the ctype subpart
* add management code for maintaining converters referenced by mbstate_t
