Merge changes from topic "clang-r365631-switch-over"

* changes:
  Fix segment gap test
  stdatomic_test: always use bits/stdatomic.h
  Adapt tests due to the new Clang fortify-source warning
diff --git a/android-changes-for-ndk-developers.md b/android-changes-for-ndk-developers.md
index 4bd97a0..84456f9 100644
--- a/android-changes-for-ndk-developers.md
+++ b/android-changes-for-ndk-developers.md
@@ -1,8 +1,11 @@
-# Android changes for NDK developers
+# Android linker changes for NDK developers
 
 This document details important changes related to native code
 loading in various Android releases.
 
+See also [bionic status](docs/status.md) for general libc/libm/libdl
+behavior changes.
+
 Required tools: the NDK has an _arch_-linux-android-readelf binary
 (e.g. arm-linux-androideabi-readelf or i686-linux-android-readelf)
 for each architecture (under toolchains/), but you can use readelf for
@@ -46,6 +49,10 @@
 [ReLinker](https://github.com/KeepSafe/ReLinker) which claims to solve
 these problems automatically.
 
+Alternatively, if you don't have too many dependencies, it can be easiest to
+simply link all of your code into one big library and sidestep the details of
+library and symbol lookup changes on all past (and future) Android versions.
+
 ## Changes to library search order
 
 We have made various fixes to library search order when resolving symbols.
diff --git a/docs/native_allocator.md b/docs/native_allocator.md
index 97c3648..82a98fe 100644
--- a/docs/native_allocator.md
+++ b/docs/native_allocator.md
@@ -10,7 +10,7 @@
 It is important to note that there are two modes for a native allocator
 to run in on Android. The first is the normal allocator, the second is
 called the svelte config, which is designed to run on memory constrained
-systems and be a bit slower, but take less PSS. To enable the svelte config,
+systems and be a bit slower, but take less RSS. To enable the svelte config,
 add this line to the `BoardConfig.mk` for the given target:
 
     MALLOC_SVELTE := true
@@ -55,7 +55,7 @@
 When set to zero, `mallopt(M_DECAY_TIME, 0)`, it is expected that an
 allocator will attempt to purge and release any unused memory back to the
 kernel on free calls. This is important in Android to avoid consuming extra
-PSS.
+RSS.
 
 When set to non-zero, `mallopt(M_DECAY_TIME, 1)`, an allocator can delay the
 purge and release action. The amount of delay is up to the allocator
@@ -65,13 +65,13 @@
 The drawback to this option is that most allocators do not have a separate
 thread to handle the purge, so the decay is only handled when an
 allocation operation occurs. For server processes, this can mean that
-PSS is slightly higher when the server is waiting for the next connection
+RSS is slightly higher when the server is waiting for the next connection
 and no other allocation calls are made. The `M_PURGE` option is used to
 force a purge in this case.
 
 For all applications on Android, the call `mallopt(M_DECAY_TIME, 1)` is
 made by default. The idea is that it allows application frees to run a
-bit faster, while only increasing PSS a bit.
+bit faster, while only increasing RSS a bit.
 
 #### M\_PURGE
 When called, `mallopt(M_PURGE, 0)`, an allocator should purge and release
@@ -115,7 +115,7 @@
 ## Performance
 There are multiple different ways to evaluate the performance of a native
 allocator on Android. One is allocation speed in various different scenarios,
-anoher is total PSS taken by the allocator.
+another is total RSS taken by the allocator.
 
 The last is virtual address space consumed in 32 bit applications. There is
 a limited amount of address space available in 32 bit apps, and there have
@@ -129,7 +129,7 @@
     mmma -j bionic/benchmarks
 
 These benchmarks are only used to verify the speed of the allocator and
-ignore anything related to PSS and virtual address space consumed.
+ignore anything related to RSS and virtual address space consumed.
 
 #### Allocate/Free Benchmarks
 These are the benchmarks to verify the allocation speed of a loop doing a
@@ -228,7 +228,7 @@
 These numbers should be as performant as the current allocator.
 
 ### Memory Trace Benchmarks
-These benchmarks measure all three axes of a native allocator, PSS, virtual
+These benchmarks measure all three axes of a native allocator, RSS, virtual
 address space consumed, speed of allocation. They are designed to
 run on a trace of the allocations from a real world application or system
 process.
@@ -248,7 +248,7 @@
     /data/benchmarktest/trace_benchmark/trace_benchmark
 
 #### Memory Replay Benchmarks
-These benchmarks display PSS, virtual memory consumed (VA space), and do a
+These benchmarks display RSS, virtual memory consumed (VA space), and do a
 bit of performance testing on actual traces taken from running applications.
 
 The trace data includes what thread does each operation, so the replay
@@ -266,21 +266,21 @@
 To run these benchmarks, first copy the trace files to the target and
 unzip them using these commands:
 
-    adb shell push system/extras/dumps /data/local/tmp
-    adb shell 'cd /data/local/tmp/dumps && for name in *.zip; do unzip $name; done'
+    adb shell push system/extras/traces /data/local/tmp
+    adb shell 'cd /data/local/tmp/traces && for name in *.zip; do unzip $name; done'
 
 Since all of the traces come from applications, the `memory_replay` program
 will always call `mallopt(M_DECAY_TIME, 1)' before running the trace.
 
 Run the benchmark thusly:
 
-    adb shell memory_replay64 /data/local/tmp/dumps/XXX.txt
-    adb shell memory_replay32 /data/local/tmp/dumps/XXX.txt
+    adb shell memory_replay64 /data/local/tmp/traces/XXX.txt
+    adb shell memory_replay32 /data/local/tmp/traces/XXX.txt
 
 Where XXX.txt is the name of a trace file.
 
-Every 100000 allocation operations, a dump of the PSS and VA space will be
-performed. At the end, a final PSS and VA space number will be printed.
+Every 100000 allocation operations, a dump of the RSS and VA space will be
+performed. At the end, a final RSS and VA space number will be printed.
 For the most part, the intermediate data can be ignored, but it is always
 a good idea to look over the data to verify that no strange spikes are
 occurring.
@@ -304,6 +304,14 @@
 executable, the virtual address space consumed is not much larger than the
 current allocator. A small increase (on the order of a few MBs) would be okay.
 
+There is no specific benchmark for memory fragmentation, instead, the RSS
+when running the memory traces acts as a proxy for this. An allocator that
+is fragmenting badly will show an increase in RSS. The best trace for
+tracking fragmentation is system\_server.txt which is an extremely long
+trace (~13 million operations). The total number of live allocations goes
+up and down a bit, but stays mostly the same so an allocator that fragments
+badly would likely show an abnormal increase in RSS on this trace.
+
 NOTE: When a native allocator calls mmap, it is expected that the allocator
 will name the map using the call:
 
diff --git a/docs/status.md b/docs/status.md
index 2f356f3..6968a18 100644
--- a/docs/status.md
+++ b/docs/status.md
@@ -1,5 +1,11 @@
 # Android bionic status
 
+This document details libc/libm/libdl additions and behavior changes.
+
+See also
+[Android linker changes for NDK developers](../android-changes-for-ndk-developers.md)
+for changes related to native code loading in various Android releases.
+
 ## Bionic function availability
 
 ### POSIX
@@ -39,7 +45,9 @@
 
 New libc functions in R (API level 30):
   * Full C11 `<threads.h>` (available as inlines for older API levels).
+  * `memfd_create` and `mlock2` (GNU extensions).
   * `renameat2` (GNU extension).
+  * `pthread_cond_clockwait`/`pthread_mutex_clocklock`/`pthread_rwlock_clockrdlock`/`pthread_rwlock_clockwrlock`/`sem_clockwait`
 
 New libc functions in Q (API level 29):
   * `timespec_get` (C11 `<time.h>` addition)
diff --git a/libc/SECCOMP_WHITELIST_COMMON.TXT b/libc/SECCOMP_WHITELIST_COMMON.TXT
index 1b67a19..07f84a8 100644
--- a/libc/SECCOMP_WHITELIST_COMMON.TXT
+++ b/libc/SECCOMP_WHITELIST_COMMON.TXT
@@ -64,31 +64,36 @@
 int stat64:stat64(const char*, struct stat64*)  arm,x86
 ssize_t readlink:readlink(const char*, char*, size_t)  arm,x86,x86_64
 
-# Probed for and conditionally used by ART.
-int membarrier(int cmd, int flags) all
-
+#
 # Useful new syscalls which we don't yet use in bionic.
-int sched_getattr(pid_t pid, struct sched_attr* attr, unsigned int flags) all
-int sched_setattr(pid_t pid, struct sched_attr* attr, unsigned int size, unsigned int flags) all
-int memfd_create(const char* name, unsigned int flags) all
-int renameat2(int olddirfd, const char* oldpath, int newdirfd, const char* newpath, unsigned int flags)  all
-int execveat(int dirfd, const char* pathname, char* const* argv, char* const* envp, int flags)  all
-ssize_t copy_file_range(int fd_in, loff_t* off_in, int fd_out, loff_t* off_out, size_t len, unsigned int flags) all
-int mlock2(const void* addr, size_t len, int flags) all
-ssize_t preadv2(int fd, const struct iovec* iov, int iovcnt, off_t offset, int flags) all
-ssize_t pwritev2(int fd, const struct iovec* iov, int iovcnt, off_t offset, int flags) all
+#
+
+# Since Linux 2.5, not in glibc.
 int io_setup(unsigned nr, aio_context_t *ctxp) all
 int io_destroy(aio_context_t ctx) all
 int io_submit(aio_context_t ctx, long nr,  struct iocb **iocbpp) all
 int io_getevents(aio_context_t ctx, long min_nr, long max_nr, struct io_event *events, struct timespec *timeout) all
 int io_cancel(aio_context_t ctx, struct iocb *, struct io_event *result) all
+# Since Linux 3.14, not in glibc.
+int sched_getattr(pid_t pid, struct sched_attr* attr, unsigned int flags) all
+int sched_setattr(pid_t pid, struct sched_attr* attr, unsigned int size, unsigned int flags) all
+# Since Linux 3.19, not in glibc (and not really needed to implement fexecve).
+int execveat(int dirfd, const char* pathname, char* const* argv, char* const* envp, int flags)  all
+# Since Linux 4.3, not in glibc. Probed for and conditionally used by ART.
+int membarrier(int cmd, int flags) all
+# Since Linux 4.5, glibc 2.27.
+ssize_t copy_file_range(int fd_in, loff_t* off_in, int fd_out, loff_t* off_out, size_t len, unsigned int flags) all
+# Since Linux 4.6, glibc 2.26.
+ssize_t preadv2(int fd, const struct iovec* iov, int iovcnt, off_t offset, int flags) all
+ssize_t pwritev2(int fd, const struct iovec* iov, int iovcnt, off_t offset, int flags) all
+# Since Linux 4.11, glibc 2.30.
 int statx(int, const char*, int, unsigned int, statx*) all
+# Since Linux 5.1, not in glibc.
 int clock_gettime64(clockid_t, timespec64*) lp32
 int clock_settime64(clockid_t, const timespec64*) lp32
 int clock_adjtime64(clockid_t, timex64*) lp32
 int clock_getres_time64(clockid_t, timespec64*) lp32
 int clock_nanosleep_time64(clockid_t, int, const timespec64*, timespec*) lp32
-# TODO: afaict, __kernel_timer_t and itimerspec are both already fine?
 int timer_gettime64(__kernel_timer_t, itimerspec64*) lp32
 int timer_settime64(__kernel_timer_t, int, const itimerspec64*, itimerspec64*) lp32
 int timerfd_gettime64(int, itimerspec64*) lp32
diff --git a/libc/SYSCALLS.TXT b/libc/SYSCALLS.TXT
index 62d698f..21ebdbd 100644
--- a/libc/SYSCALLS.TXT
+++ b/libc/SYSCALLS.TXT
@@ -107,12 +107,14 @@
 
 int         __close:close(int)  all
 pid_t       __getpid:getpid()  all
+int memfd_create(const char*, unsigned) all
 int         munmap(void*, size_t)  all
 void*       __mremap:mremap(void*, size_t, size_t, int, void*)  all
 int         msync(const void*, size_t, int)    all
 int         mprotect(const void*, size_t, int)  all
 int         madvise(void*, size_t, int)  all
-int         mlock(const void* addr, size_t len)    all
+int mlock(const void* addr, size_t len)    all
+int mlock2(const void* addr, size_t len, int flags)    all
 int         munlock(const void* addr, size_t len)   all
 int         mlockall(int flags)   all
 int         munlockall()   all
diff --git a/libc/bionic/__cxa_guard.cpp b/libc/bionic/__cxa_guard.cpp
index 30b5f41..e2e7477 100644
--- a/libc/bionic/__cxa_guard.cpp
+++ b/libc/bionic/__cxa_guard.cpp
@@ -16,9 +16,7 @@
 
 #include <endian.h>
 #include <limits.h>
-#undef _USING_LIBCXX  // Prevent using of <atomic>.
 #include <stdatomic.h>
-
 #include <stddef.h>
 
 #include "private/bionic_futex.h"
diff --git a/libc/bionic/fdsan.cpp b/libc/bionic/fdsan.cpp
index dd3a96e..4ebc796 100644
--- a/libc/bionic/fdsan.cpp
+++ b/libc/bionic/fdsan.cpp
@@ -106,30 +106,8 @@
 }
 
 void __libc_init_fdsan() {
-  constexpr auto default_level = ANDROID_FDSAN_ERROR_LEVEL_WARN_ONCE;
-  const prop_info* pi = __system_property_find(kFdsanPropertyName);
-  if (!pi) {
-    android_fdsan_set_error_level(default_level);
-    return;
-  }
-  __system_property_read_callback(
-      pi,
-      [](void*, const char*, const char* value, uint32_t) {
-        if (strcasecmp(value, "1") == 0 || strcasecmp(value, "fatal") == 0) {
-          android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_FATAL);
-        } else if (strcasecmp(value, "warn") == 0) {
-          android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_WARN_ALWAYS);
-        } else if (strcasecmp(value, "warn_once") == 0) {
-          android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_WARN_ONCE);
-        } else {
-          if (strlen(value) != 0 && strcasecmp(value, "0") != 0) {
-            async_safe_format_log(ANDROID_LOG_ERROR, "libc",
-                                  "debug.fdsan set to unknown value '%s', disabling", value);
-          }
-          android_fdsan_set_error_level(default_level);
-        }
-      },
-      nullptr);
+  constexpr auto default_level = ANDROID_FDSAN_ERROR_LEVEL_FATAL;
+  android_fdsan_set_error_level_from_property(default_level);
 }
 
 static FdTable& GetFdTable() {
@@ -355,6 +333,45 @@
   return atomic_exchange(&GetFdTable().error_level, new_level);
 }
 
+android_fdsan_error_level android_fdsan_set_error_level_from_property(
+    android_fdsan_error_level default_level) {
+  const prop_info* pi = __system_property_find(kFdsanPropertyName);
+  if (!pi) {
+    return android_fdsan_set_error_level(default_level);
+  }
+
+  struct callback_data {
+    android_fdsan_error_level default_value;
+    android_fdsan_error_level result;
+  };
+
+  callback_data data;
+  data.default_value = default_level;
+
+  __system_property_read_callback(
+      pi,
+      [](void* arg, const char*, const char* value, uint32_t) {
+        callback_data* data = static_cast<callback_data*>(arg);
+
+        if (strcasecmp(value, "1") == 0 || strcasecmp(value, "fatal") == 0) {
+          data->result = android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_FATAL);
+        } else if (strcasecmp(value, "warn") == 0) {
+          data->result = android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_WARN_ALWAYS);
+        } else if (strcasecmp(value, "warn_once") == 0) {
+          data->result = android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_WARN_ONCE);
+        } else {
+          if (strlen(value) != 0 && strcasecmp(value, "0") != 0) {
+            async_safe_format_log(ANDROID_LOG_ERROR, "libc",
+                                  "debug.fdsan set to unknown value '%s', disabling", value);
+          }
+          data->result = android_fdsan_set_error_level(data->default_value);
+        }
+      },
+      &data);
+
+  return data.result;
+}
+
 int close(int fd) {
   int rc = android_fdsan_close_with_tag(fd, 0);
   if (rc == -1 && errno == EINTR) {
diff --git a/libc/bionic/fortify.cpp b/libc/bionic/fortify.cpp
index cf37666..3b804b0 100644
--- a/libc/bionic/fortify.cpp
+++ b/libc/bionic/fortify.cpp
@@ -249,7 +249,7 @@
 // This is a variant of __stpncpy_chk, but it also checks to make
 // sure we don't read beyond the end of "src". The code for this is
 // based on the original version of stpncpy, but modified to check
-// how much we read from "src" at the end of the copy operation.
+// how much we read from "src" during the copy operation.
 char* __stpncpy_chk2(char* dst, const char* src, size_t n, size_t dst_len, size_t src_len) {
   __check_buffer_access("stpncpy", "write into", n, dst_len);
   if (n != 0) {
@@ -257,6 +257,11 @@
     const char* s = src;
 
     do {
+      size_t s_copy_len = static_cast<size_t>(s - src);
+      if (__predict_false(s_copy_len >= src_len)) {
+        __fortify_fatal("stpncpy: detected read past end of %zu-byte buffer", src_len);
+      }
+
       if ((*d++ = *s++) == 0) {
         // NUL pad the remaining n-1 bytes.
         while (--n != 0) {
@@ -265,11 +270,6 @@
         break;
       }
     } while (--n != 0);
-
-    size_t s_copy_len = static_cast<size_t>(s - src);
-    if (__predict_false(s_copy_len > src_len)) {
-      __fortify_fatal("stpncpy: detected read past end of %zu-byte buffer", src_len);
-    }
   }
 
   return dst;
@@ -360,7 +360,7 @@
 // This is a variant of __strncpy_chk, but it also checks to make
 // sure we don't read beyond the end of "src". The code for this is
 // based on the original version of strncpy, but modified to check
-// how much we read from "src" at the end of the copy operation.
+// how much we read from "src" during the copy operation.
 char* __strncpy_chk2(char* dst, const char* src, size_t n, size_t dst_len, size_t src_len) {
   __check_buffer_access("strncpy", "write into", n, dst_len);
   if (n != 0) {
@@ -368,6 +368,11 @@
     const char* s = src;
 
     do {
+      size_t s_copy_len = static_cast<size_t>(s - src);
+      if (__predict_false(s_copy_len >= src_len)) {
+        __fortify_fatal("strncpy: detected read past end of %zu-byte buffer", src_len);
+      }
+
       if ((*d++ = *s++) == 0) {
         // NUL pad the remaining n-1 bytes.
         while (--n != 0) {
@@ -376,11 +381,6 @@
         break;
       }
     } while (--n != 0);
-
-    size_t s_copy_len = static_cast<size_t>(s - src);
-    if (__predict_false(s_copy_len > src_len)) {
-      __fortify_fatal("strncpy: detected read past end of %zu-byte buffer", src_len);
-    }
   }
 
   return dst;
diff --git a/libc/bionic/libc_init_dynamic.cpp b/libc/bionic/libc_init_dynamic.cpp
index 4f3b4f7..d6d5552 100644
--- a/libc/bionic/libc_init_dynamic.cpp
+++ b/libc/bionic/libc_init_dynamic.cpp
@@ -69,6 +69,13 @@
 __LIBC_HIDDEN__ void* __libc_sysinfo = reinterpret_cast<void*>(__libc_int0x80);
 #endif
 
+extern "C" __attribute__((weak)) void __hwasan_library_loaded(ElfW(Addr) base,
+                                                              const ElfW(Phdr)* phdr,
+                                                              ElfW(Half) phnum);
+extern "C" __attribute__((weak)) void __hwasan_library_unloaded(ElfW(Addr) base,
+                                                                const ElfW(Phdr)* phdr,
+                                                                ElfW(Half) phnum);
+
 // We need a helper function for __libc_preinit because compiling with LTO may
 // inline functions requiring a stack protector check, but __stack_chk_guard is
 // not initialized at the start of __libc_preinit. __libc_preinit_impl will run
@@ -91,6 +98,14 @@
 
   // Hooks for various libraries to let them know that we're starting up.
   __libc_globals.mutate(__libc_init_malloc);
+
+#if __has_feature(hwaddress_sanitizer)
+  // Notify the HWASan runtime library whenever a library is loaded or unloaded
+  // so that it can update its shadow memory.
+  __libc_shared_globals()->load_hook = __hwasan_library_loaded;
+  __libc_shared_globals()->unload_hook = __hwasan_library_unloaded;
+#endif
+
   netdClientInit();
 }
 
diff --git a/libc/include/android/fdsan.h b/libc/include/android/fdsan.h
index 1169ed0..83b9318 100644
--- a/libc/include/android/fdsan.h
+++ b/libc/include/android/fdsan.h
@@ -197,4 +197,8 @@
  */
 enum android_fdsan_error_level android_fdsan_set_error_level(enum android_fdsan_error_level new_level) __INTRODUCED_IN(29) __attribute__((__weak__));
 
+/*
+ * Set the error level to the global setting if available, or a default value.
+ */
+enum android_fdsan_error_level android_fdsan_set_error_level_from_property(enum android_fdsan_error_level default_level) __INTRODUCED_IN(30) __attribute__((__weak__));
 __END_DECLS
diff --git a/libc/include/bits/timespec.h b/libc/include/bits/timespec.h
index 0497cfe..daad03f 100644
--- a/libc/include/bits/timespec.h
+++ b/libc/include/bits/timespec.h
@@ -46,7 +46,7 @@
 struct timespec {
   /** Number of seconds. */
   time_t tv_sec;
-  /** Number of nanoseconds. Must be less than 1,000,000. */
+  /** Number of nanoseconds. Must be less than 1,000,000,000. */
   long tv_nsec;
 };
 #endif
diff --git a/libc/include/sys/cdefs.h b/libc/include/sys/cdefs.h
index dceb116..689b650 100644
--- a/libc/include/sys/cdefs.h
+++ b/libc/include/sys/cdefs.h
@@ -361,3 +361,6 @@
 
 #include <android/versioning.h>
 #include <android/api-level.h>
+#if __has_include(<android/ndk-version.h>)
+#include <android/ndk-version.h>
+#endif
diff --git a/libc/include/sys/mman.h b/libc/include/sys/mman.h
index 89d6d07..3b83229 100644
--- a/libc/include/sys/mman.h
+++ b/libc/include/sys/mman.h
@@ -26,34 +26,27 @@
  * SUCH DAMAGE.
  */
 
-#ifndef _SYS_MMAN_H_
-#define _SYS_MMAN_H_
+#pragma once
 
 #include <sys/cdefs.h>
 #include <sys/types.h>
+#include <linux/memfd.h>
 #include <linux/mman.h>
 
 __BEGIN_DECLS
 
-#ifndef MAP_ANON
-#define MAP_ANON  MAP_ANONYMOUS
-#endif
+/** Alternative spelling of the `MAP_ANONYMOUS` flag for mmap(). */
+#define MAP_ANON MAP_ANONYMOUS
 
+/** Return value for mmap(). */
 #define MAP_FAILED __BIONIC_CAST(reinterpret_cast, void*, -1)
 
-#define MREMAP_MAYMOVE  1
-#define MREMAP_FIXED    2
-
-/*
- * See https://android.googlesource.com/platform/bionic/+/master/docs/32-bit-abi.md
+/**
+ * [mmap(2)](http://man7.org/linux/man-pages/man2/mmap.2.html)
+ * creates a memory mapping for the given range.
  *
- * mmap64 wasn't really around until L, but we added an inline for it since it
- * allows a lot more code to compile with _FILE_OFFSET_BITS=64.
- *
- * GCC removes the static inline unless it is explicitly used. We can get around
- * this with __attribute__((used)), but that needlessly adds a definition of
- * mmap64 to every translation unit that includes this header. Instead, just
- * preserve the old behavior for GCC and emit a useful diagnostic.
+ * Returns the address of the mapping on success,
+ * and returns `MAP_FAILED` and sets `errno` on failure.
  */
 #if defined(__USE_FILE_OFFSET64)
 void* mmap(void* __addr, size_t __size, int __prot, int __flags, int __fd, off_t __offset) __RENAME(mmap64);
@@ -62,25 +55,126 @@
 #endif
 
 #if __ANDROID_API__ >= __ANDROID_API_L__
+/**
+ * mmap64() is a variant of mmap() that takes a 64-bit offset even on LP32.
+ *
+ * See https://android.googlesource.com/platform/bionic/+/master/docs/32-bit-abi.md
+ *
+ * mmap64 wasn't really around until L, but we added an inline for it since it
+ * allows a lot more code to compile with _FILE_OFFSET_BITS=64.
+ */
 void* mmap64(void* __addr, size_t __size, int __prot, int __flags, int __fd, off64_t __offset) __INTRODUCED_IN(21);
 #endif
 
+/**
+ * [munmap(2)](http://man7.org/linux/man-pages/man2/munmap.2.html)
+ * deletes a memory mapping for the given range.
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int munmap(void* __addr, size_t __size);
+
+/**
+ * [msync(2)](http://man7.org/linux/man-pages/man2/msync.2.html)
+ * flushes changes to a memory-mapped file to disk.
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int msync(void* __addr, size_t __size, int __flags);
+
+/**
+ * [mprotect(2)](http://man7.org/linux/man-pages/man2/mprotect.2.html)
+ * sets the protection on a memory region.
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int mprotect(void* __addr, size_t __size, int __prot);
+
+/** Flag for mremap(). */
+#define MREMAP_MAYMOVE  1
+
+/** Flag for mremap(). */
+#define MREMAP_FIXED    2
+
+/**
+ * [mremap(2)](http://man7.org/linux/man-pages/man2/mremap.2.html)
+ * expands or shrinks an existing memory mapping.
+ *
+ * Returns the address of the mapping on success,
+ * and returns `MAP_FAILED` and sets `errno` on failure.
+ */
 void* mremap(void* __old_addr, size_t __old_size, size_t __new_size, int __flags, ...);
 
+/**
+ * [mlockall(2)](http://man7.org/linux/man-pages/man2/mlockall.2.html)
+ * locks pages (preventing swapping).
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int mlockall(int __flags) __INTRODUCED_IN(17);
+
+/**
+ * [munlockall(2)](http://man7.org/linux/man-pages/man2/munlockall.2.html)
+ * unlocks pages (allowing swapping).
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int munlockall(void) __INTRODUCED_IN(17);
 
+/**
+ * [mlock(2)](http://man7.org/linux/man-pages/man2/mlock.2.html)
+ * locks pages (preventing swapping).
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int mlock(const void* __addr, size_t __size);
+
+/**
+ * [mlock2(2)](http://man7.org/linux/man-pages/man2/mlock.2.html)
+ * locks pages (preventing swapping), with optional flags.
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
+int mlock2(const void* __addr, size_t __size, int __flags) __INTRODUCED_IN(30);
+
+/**
+ * [munlock(2)](http://man7.org/linux/man-pages/man2/munlock.2.html)
+ * unlocks pages (allowing swapping).
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int munlock(const void* __addr, size_t __size);
 
+/**
+ * [mincore(2)](http://man7.org/linux/man-pages/man2/mincore.2.html)
+ * tests whether pages are resident in memory.
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int mincore(void* __addr, size_t __size, unsigned char* __vector);
 
+/**
+ * [madvise(2)](http://man7.org/linux/man-pages/man2/madvise.2.html)
+ * gives the kernel advice about future usage patterns.
+ *
+ * Returns 0 on success, and returns -1 and sets `errno` on failure.
+ */
 int madvise(void* __addr, size_t __size, int __advice);
 
+#if defined(__USE_GNU)
+
+/**
+ * [memfd_create(2)](http://man7.org/linux/man-pages/man2/memfd_create.2.html)
+ * creates an anonymous file.
+ *
+ * Returns an fd on success, and returns -1 and sets `errno` on failure.
+ */
+int memfd_create(const char* __name, unsigned __flags) __INTRODUCED_IN(30);
+
+#endif
+
 #if __ANDROID_API__ >= __ANDROID_API_M__
+
 /*
  * Some third-party code uses the existence of POSIX_MADV_NORMAL to detect the
  * availability of posix_madvise. This is not correct, since having up-to-date
@@ -89,16 +183,30 @@
  *
  * https://github.com/android-ndk/ndk/issues/395
  */
+
+/** Flag for posix_madvise(). */
 #define POSIX_MADV_NORMAL     MADV_NORMAL
+/** Flag for posix_madvise(). */
 #define POSIX_MADV_RANDOM     MADV_RANDOM
+/** Flag for posix_madvise(). */
 #define POSIX_MADV_SEQUENTIAL MADV_SEQUENTIAL
+/** Flag for posix_madvise(). */
 #define POSIX_MADV_WILLNEED   MADV_WILLNEED
+/** Flag for posix_madvise(). */
 #define POSIX_MADV_DONTNEED   MADV_DONTNEED
+
 #endif
+
+/**
+ * [posix_madvise(3)](http://man7.org/linux/man-pages/man3/posix_madvise.3.html)
+ * gives the kernel advice about future usage patterns.
+ *
+ * Returns 0 on success, and returns a positive error number on failure.
+ *
+ * See also madvise() which has been available much longer.
+ */
 int posix_madvise(void* __addr, size_t __size, int __advice) __INTRODUCED_IN(23);
 
 __END_DECLS
 
 #include <android/legacy_sys_mman_inlines.h>
-
-#endif
diff --git a/libc/kernel/tools/update_all.py b/libc/kernel/tools/update_all.py
index 9d5b02d..cef24dd 100755
--- a/libc/kernel/tools/update_all.py
+++ b/libc/kernel/tools/update_all.py
@@ -110,7 +110,9 @@
         content += '  #define SYS_%s %s\n' % (syscall, nr_name)
         content += '#endif\n'
 
-    updater.editFile('%s/include/bits/glibc-syscalls.h' % libc_root, content)
+    syscall_file = os.path.join(libc_root, 'include/bits/glibc-syscalls.h')
+    updater.readFile(syscall_file)
+    updater.editFile(syscall_file, content)
 
 
 try:
diff --git a/libc/kernel/uapi/asm-x86/asm/vmx.h b/libc/kernel/uapi/asm-x86/asm/vmx.h
index 0f7ede3..83365f8 100644
--- a/libc/kernel/uapi/asm-x86/asm/vmx.h
+++ b/libc/kernel/uapi/asm-x86/asm/vmx.h
@@ -78,6 +78,5 @@
 #define VMX_EXIT_REASONS { EXIT_REASON_EXCEPTION_NMI, "EXCEPTION_NMI" }, { EXIT_REASON_EXTERNAL_INTERRUPT, "EXTERNAL_INTERRUPT" }, { EXIT_REASON_TRIPLE_FAULT, "TRIPLE_FAULT" }, { EXIT_REASON_PENDING_INTERRUPT, "PENDING_INTERRUPT" }, { EXIT_REASON_NMI_WINDOW, "NMI_WINDOW" }, { EXIT_REASON_TASK_SWITCH, "TASK_SWITCH" }, { EXIT_REASON_CPUID, "CPUID" }, { EXIT_REASON_HLT, "HLT" }, { EXIT_REASON_INVD, "INVD" }, { EXIT_REASON_INVLPG, "INVLPG" }, { EXIT_REASON_RDPMC, "RDPMC" }, { EXIT_REASON_RDTSC, "RDTSC" }, { EXIT_REASON_VMCALL, "VMCALL" }, { EXIT_REASON_VMCLEAR, "VMCLEAR" }, { EXIT_REASON_VMLAUNCH, "VMLAUNCH" }, { EXIT_REASON_VMPTRLD, "VMPTRLD" }, { EXIT_REASON_VMPTRST, "VMPTRST" }, { EXIT_REASON_VMREAD, "VMREAD" }, { EXIT_REASON_VMRESUME, "VMRESUME" }, { EXIT_REASON_VMWRITE, "VMWRITE" }, { EXIT_REASON_VMOFF, "VMOFF" }, { EXIT_REASON_VMON, "VMON" }, { EXIT_REASON_CR_ACCESS, "CR_ACCESS" }, { EXIT_REASON_DR_ACCESS, "DR_ACCESS" }, { EXIT_REASON_IO_INSTRUCTION, "IO_INSTRUCTION" }, { EXIT_REASON_MSR_READ, "MSR_READ" }, { EXIT_REASON_MSR_WRITE, "MSR_WRITE" }, { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, { EXIT_REASON_MSR_LOAD_FAIL, "MSR_LOAD_FAIL" }, { EXIT_REASON_MWAIT_INSTRUCTION, "MWAIT_INSTRUCTION" }, { EXIT_REASON_MONITOR_TRAP_FLAG, "MONITOR_TRAP_FLAG" }, { EXIT_REASON_MONITOR_INSTRUCTION, "MONITOR_INSTRUCTION" }, { EXIT_REASON_PAUSE_INSTRUCTION, "PAUSE_INSTRUCTION" }, { EXIT_REASON_MCE_DURING_VMENTRY, "MCE_DURING_VMENTRY" }, { EXIT_REASON_TPR_BELOW_THRESHOLD, "TPR_BELOW_THRESHOLD" }, { EXIT_REASON_APIC_ACCESS, "APIC_ACCESS" }, { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, { EXIT_REASON_GDTR_IDTR, "GDTR_IDTR" }, { EXIT_REASON_LDTR_TR, "LDTR_TR" }, { EXIT_REASON_EPT_VIOLATION, "EPT_VIOLATION" }, { EXIT_REASON_EPT_MISCONFIG, "EPT_MISCONFIG" }, { EXIT_REASON_INVEPT, "INVEPT" }, { EXIT_REASON_RDTSCP, "RDTSCP" }, { EXIT_REASON_PREEMPTION_TIMER, "PREEMPTION_TIMER" }, { EXIT_REASON_INVVPID, "INVVPID" }, { EXIT_REASON_WBINVD, "WBINVD" }, { EXIT_REASON_XSETBV, "XSETBV" }, { EXIT_REASON_APIC_WRITE, "APIC_WRITE" }, { EXIT_REASON_RDRAND, "RDRAND" }, { EXIT_REASON_INVPCID, "INVPCID" }, { EXIT_REASON_VMFUNC, "VMFUNC" }, { EXIT_REASON_ENCLS, "ENCLS" }, { EXIT_REASON_RDSEED, "RDSEED" }, { EXIT_REASON_PML_FULL, "PML_FULL" }, { EXIT_REASON_XSAVES, "XSAVES" }, { EXIT_REASON_XRSTORS, "XRSTORS" }
 #define VMX_ABORT_SAVE_GUEST_MSR_FAIL 1
 #define VMX_ABORT_LOAD_HOST_PDPTE_FAIL 2
-#define VMX_ABORT_VMCS_CORRUPTED 3
 #define VMX_ABORT_LOAD_HOST_MSR_FAIL 4
 #endif
diff --git a/libc/kernel/uapi/linux/bpf.h b/libc/kernel/uapi/linux/bpf.h
index 11df994..3f09421 100644
--- a/libc/kernel/uapi/linux/bpf.h
+++ b/libc/kernel/uapi/linux/bpf.h
@@ -548,6 +548,7 @@
   char name[BPF_OBJ_NAME_LEN];
   __u32 ifindex;
   __u32 gpl_compatible : 1;
+  __u32 : 31;
   __u64 netns_dev;
   __u64 netns_ino;
   __u32 nr_jited_ksyms;
diff --git a/libc/kernel/uapi/linux/nilfs2_ondisk.h b/libc/kernel/uapi/linux/nilfs2_ondisk.h
index e9995a1..a05e7b7 100644
--- a/libc/kernel/uapi/linux/nilfs2_ondisk.h
+++ b/libc/kernel/uapi/linux/nilfs2_ondisk.h
@@ -20,6 +20,7 @@
 #define _LINUX_NILFS2_ONDISK_H
 #include <linux/types.h>
 #include <linux/magic.h>
+#include <asm/byteorder.h>
 #define NILFS_INODE_BMAP_SIZE 7
 struct nilfs_inode {
   __le64 i_blocks;
@@ -248,11 +249,11 @@
   NILFS_CHECKPOINT_MINOR,
 };
 #define NILFS_CHECKPOINT_FNS(flag,name) static inline void nilfs_checkpoint_set_ ##name(struct nilfs_checkpoint * cp) \
-{ cp->cp_flags = cpu_to_le32(le32_to_cpu(cp->cp_flags) | (1UL << NILFS_CHECKPOINT_ ##flag)); \
+{ cp->cp_flags = __cpu_to_le32(__le32_to_cpu(cp->cp_flags) | (1UL << NILFS_CHECKPOINT_ ##flag)); \
 } static inline void nilfs_checkpoint_clear_ ##name(struct nilfs_checkpoint * cp) \
-{ cp->cp_flags = cpu_to_le32(le32_to_cpu(cp->cp_flags) & ~(1UL << NILFS_CHECKPOINT_ ##flag)); \
+{ cp->cp_flags = __cpu_to_le32(__le32_to_cpu(cp->cp_flags) & ~(1UL << NILFS_CHECKPOINT_ ##flag)); \
 } static inline int nilfs_checkpoint_ ##name(const struct nilfs_checkpoint * cp) \
-{ return ! ! (le32_to_cpu(cp->cp_flags) & (1UL << NILFS_CHECKPOINT_ ##flag)); \
+{ return ! ! (__le32_to_cpu(cp->cp_flags) & (1UL << NILFS_CHECKPOINT_ ##flag)); \
 }
 struct nilfs_cpfile_header {
   __le64 ch_ncheckpoints;
@@ -272,11 +273,11 @@
   NILFS_SEGMENT_USAGE_ERROR,
 };
 #define NILFS_SEGMENT_USAGE_FNS(flag,name) static inline void nilfs_segment_usage_set_ ##name(struct nilfs_segment_usage * su) \
-{ su->su_flags = cpu_to_le32(le32_to_cpu(su->su_flags) | (1UL << NILFS_SEGMENT_USAGE_ ##flag)); \
+{ su->su_flags = __cpu_to_le32(__le32_to_cpu(su->su_flags) | (1UL << NILFS_SEGMENT_USAGE_ ##flag)); \
 } static inline void nilfs_segment_usage_clear_ ##name(struct nilfs_segment_usage * su) \
-{ su->su_flags = cpu_to_le32(le32_to_cpu(su->su_flags) & ~(1UL << NILFS_SEGMENT_USAGE_ ##flag)); \
+{ su->su_flags = __cpu_to_le32(__le32_to_cpu(su->su_flags) & ~(1UL << NILFS_SEGMENT_USAGE_ ##flag)); \
 } static inline int nilfs_segment_usage_ ##name(const struct nilfs_segment_usage * su) \
-{ return ! ! (le32_to_cpu(su->su_flags) & (1UL << NILFS_SEGMENT_USAGE_ ##flag)); \
+{ return ! ! (__le32_to_cpu(su->su_flags) & (1UL << NILFS_SEGMENT_USAGE_ ##flag)); \
 }
 struct nilfs_sufile_header {
   __le64 sh_ncleansegs;
diff --git a/libc/kernel/uapi/linux/version.h b/libc/kernel/uapi/linux/version.h
index 815f53d..94bf4ba 100644
--- a/libc/kernel/uapi/linux/version.h
+++ b/libc/kernel/uapi/linux/version.h
@@ -16,5 +16,5 @@
  ***
  ****************************************************************************
  ****************************************************************************/
-#define LINUX_VERSION_CODE 328192
+#define LINUX_VERSION_CODE 328198
 #define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
diff --git a/libc/kernel/uapi/linux/videodev2.h b/libc/kernel/uapi/linux/videodev2.h
index e6df45c..f77c6bd 100644
--- a/libc/kernel/uapi/linux/videodev2.h
+++ b/libc/kernel/uapi/linux/videodev2.h
@@ -210,7 +210,7 @@
 #define V4L2_PIX_FMT_RGBX444 v4l2_fourcc('R', 'X', '1', '2')
 #define V4L2_PIX_FMT_ABGR444 v4l2_fourcc('A', 'B', '1', '2')
 #define V4L2_PIX_FMT_XBGR444 v4l2_fourcc('X', 'B', '1', '2')
-#define V4L2_PIX_FMT_BGRA444 v4l2_fourcc('B', 'A', '1', '2')
+#define V4L2_PIX_FMT_BGRA444 v4l2_fourcc('G', 'A', '1', '2')
 #define V4L2_PIX_FMT_BGRX444 v4l2_fourcc('B', 'X', '1', '2')
 #define V4L2_PIX_FMT_RGB555 v4l2_fourcc('R', 'G', 'B', 'O')
 #define V4L2_PIX_FMT_ARGB555 v4l2_fourcc('A', 'R', '1', '5')
diff --git a/libc/libc.map.txt b/libc/libc.map.txt
index c3b9e2c..9b39bb8 100644
--- a/libc/libc.map.txt
+++ b/libc/libc.map.txt
@@ -1493,6 +1493,8 @@
     cnd_signal;
     cnd_timedwait;
     cnd_wait;
+    memfd_create;
+    mlock2;
     mtx_destroy;
     mtx_init;
     mtx_lock;
diff --git a/libc/malloc_debug/Android.bp b/libc/malloc_debug/Android.bp
index d6b8531..2bff260 100644
--- a/libc/malloc_debug/Android.bp
+++ b/libc/malloc_debug/Android.bp
@@ -27,6 +27,12 @@
     },
     native_coverage: false,
 
+    target: {
+        android: {
+            static_libs: ["libc++demangle"],
+        },
+    },
+
     // -Wno-error=format-zero-length needed for gcc to compile.
     cflags: [
         "-Wall",
diff --git a/libc/private/WriteProtected.h b/libc/private/WriteProtected.h
index d240e14..26c239c 100644
--- a/libc/private/WriteProtected.h
+++ b/libc/private/WriteProtected.h
@@ -47,11 +47,11 @@
   WriteProtectedContents<T> contents;
 
   int set_protection(int prot) {
-    auto addr = reinterpret_cast<uintptr_t>(&contents);
+    auto addr = &contents;
 #if __has_feature(hwaddress_sanitizer)
     // The mprotect system call does not currently untag pointers, so do it
     // ourselves.
-    addr &= (1ULL << 56) - 1;
+    addr = untag_address(addr);
 #endif
     return mprotect(reinterpret_cast<void*>(addr), PAGE_SIZE, prot);
   }
diff --git a/libc/private/bionic_globals.h b/libc/private/bionic_globals.h
index d73079e..ef735ba 100644
--- a/libc/private/bionic_globals.h
+++ b/libc/private/bionic_globals.h
@@ -88,6 +88,10 @@
   TlsModules tls_modules;
   BionicAllocator tls_allocator;
 
+  // Values passed from the HWASan runtime (via libc.so) to the loader.
+  void (*load_hook)(ElfW(Addr) base, const ElfW(Phdr)* phdr, ElfW(Half) phnum) = nullptr;
+  void (*unload_hook)(ElfW(Addr) base, const ElfW(Phdr)* phdr, ElfW(Half) phnum) = nullptr;
+
   // Values passed from the linker to libc.so.
   const char* init_progname = nullptr;
   char** init_environ = nullptr;
diff --git a/libc/private/bionic_macros.h b/libc/private/bionic_macros.h
index 4800e3a..13934e5 100644
--- a/libc/private/bionic_macros.h
+++ b/libc/private/bionic_macros.h
@@ -87,3 +87,12 @@
 #else
 #define __BIONIC_FALLTHROUGH
 #endif
+
+template <typename T>
+static inline T* untag_address(T* p) {
+#if defined(__aarch64__)
+  return reinterpret_cast<T*>(reinterpret_cast<uintptr_t>(p) & ((1ULL << 56) - 1));
+#else
+  return p;
+#endif
+}
diff --git a/libdl/libdl_cfi.cpp b/libdl/libdl_cfi.cpp
index 1446143..3b68fc7 100644
--- a/libdl/libdl_cfi.cpp
+++ b/libdl/libdl_cfi.cpp
@@ -44,11 +44,8 @@
 }
 
 static uint16_t shadow_load(void* p) {
-  uintptr_t addr = reinterpret_cast<uintptr_t>(p);
-#ifdef __aarch64__
   // Untag the pointer to move it into the address space covered by the shadow.
-  addr &= (1ULL << 56) - 1;
-#endif
+  uintptr_t addr = reinterpret_cast<uintptr_t>(untag_address(p));
   uintptr_t ofs = CFIShadow::MemToShadowOffset(addr);
   if (ofs > CFIShadow::kShadowSize) return CFIShadow::kInvalidShadow;
   return *reinterpret_cast<uint16_t*>(shadow_base_storage.v + ofs);
diff --git a/linker/Android.bp b/linker/Android.bp
index 5e7a921..e2cdd14 100644
--- a/linker/Android.bp
+++ b/linker/Android.bp
@@ -177,11 +177,6 @@
         "-Wextra",
         "-Wunused",
         "-Werror",
-
-        // Define _USING_LIBCXX so <stdatomic.h> defers to the <atomic> header. When a Soong module
-        // uses the platform libc++, Soong automatically passes this macro, but the dynamic linker
-        // links against libc++ manually.
-        "-D_USING_LIBCXX",
     ],
 
     // TODO: split out the asflags.
@@ -300,7 +295,10 @@
 
     target: {
         android: {
-            static_libs: ["libdebuggerd_handler_fallback"],
+            static_libs: [
+                "libc++demangle",
+                "libdebuggerd_handler_fallback",
+            ],
         },
     },
     compile_multilib: "both",
diff --git a/linker/ld.config.format.md b/linker/ld.config.format.md
index faf5cc8..f9fbcde 100644
--- a/linker/ld.config.format.md
+++ b/linker/ld.config.format.md
@@ -25,7 +25,7 @@
 ## Example
 
 ```
-# The following line maps section to a dir. Binraies ran from this location will use namespaces
+# The following line maps section to a dir. Binaries ran from this location will use namespaces
 # configuration specified in [example_section] below
 dir.example_section=/system/bin/example
 
@@ -38,7 +38,7 @@
 # default value is false
 enable.target.sdk.version = true
 
-# This property can be used to declare additional namespaces.Note that there is always the default
+# This property can be used to declare additional namespaces. Note that there is always the default
 # namespace. The default namespace is the namespace for the main executable. This list is
 # comma-separated.
 additional.namespaces = ns1
@@ -65,7 +65,7 @@
 # This declares linked namespaces - comma separated list.
 namespace.default.links = ns1
 
-# For every link define list of shared libraries. This is list of the libraries accessilbe from
+# For every link define list of shared libraries. This is list of the libraries accessible from
 # default namespace but loaded in the linked namespace.
 namespace.default.link.ns1.shared_libs = libexternal.so:libother.so
 
diff --git a/linker/linker.cpp b/linker/linker.cpp
index df7dd40..d581dd8 100644
--- a/linker/linker.cpp
+++ b/linker/linker.cpp
@@ -76,6 +76,7 @@
 
 static std::unordered_map<void*, size_t> g_dso_handle_counters;
 
+static bool g_anonymous_namespace_set = false;
 static android_namespace_t* g_anonymous_namespace = &g_default_namespace;
 static std::unordered_map<std::string, android_namespace_t*> g_exported_namespaces;
 
@@ -90,6 +91,8 @@
 static const char* const kLdConfigFilePath = "/system/etc/ld.config.txt";
 static const char* const kLdConfigVndkLiteFilePath = "/system/etc/ld.config.vndk_lite.txt";
 
+static const char* const kLdGeneratedConfigFilePath = "/dev/linkerconfig/ld.config.txt";
+
 #if defined(__LP64__)
 static const char* const kSystemLibDir        = "/system/lib64";
 static const char* const kOdmLibDir           = "/odm/lib64";
@@ -270,8 +273,6 @@
 
 static std::vector<std::string> g_ld_preload_names;
 
-static bool g_anonymous_namespace_initialized;
-
 #if STATS
 struct linker_stats_t {
   int count[kRelocMax];
@@ -951,7 +952,9 @@
 }
 
 soinfo* find_containing_library(const void* p) {
-  ElfW(Addr) address = reinterpret_cast<ElfW(Addr)>(p);
+  // Addresses within a library may be tagged if they point to globals. Untag
+  // them so that the bounds check succeeds.
+  ElfW(Addr) address = reinterpret_cast<ElfW(Addr)>(untag_address(p));
   for (soinfo* si = solist_get_head(); si != nullptr; si = si->next) {
     if (address < si->base || address - si->base >= si->size) {
       continue;
@@ -1901,6 +1904,9 @@
           // flag is set.
           link_extinfo = extinfo;
         }
+        if (__libc_shared_globals()->load_hook) {
+          __libc_shared_globals()->load_hook(si->load_bias, si->phdr, si->phnum);
+        }
         if (!si->link_image(global_group, local_group, link_extinfo, &relro_fd_offset) ||
             !get_cfi_shadow()->AfterLoad(si, solist_get_head())) {
           return false;
@@ -2039,6 +2045,9 @@
            si);
     notify_gdb_of_unload(si);
     unregister_soinfo_tls(si);
+    if (__libc_shared_globals()->unload_hook) {
+      __libc_shared_globals()->unload_hook(si->load_bias, si->phdr, si->phnum);
+    }
     get_cfi_shadow()->BeforeUnload(si);
     soinfo_free(si);
   }
@@ -2471,14 +2480,29 @@
   return 0;
 }
 
-bool init_anonymous_namespace(const char* shared_lib_sonames, const char* library_search_path) {
-  if (g_anonymous_namespace_initialized) {
-    DL_ERR("anonymous namespace has already been initialized.");
-    return false;
+// Make ns as the anonymous namespace that is a namespace used when
+// we fail to determine the caller address (e.g., call from mono-jited code)
+// Since there can be multiple anonymous namespace in a process, subsequent
+// call to this function causes an error.
+static bool set_anonymous_namespace(android_namespace_t* ns) {
+  if (!g_anonymous_namespace_set && ns != nullptr) {
+    CHECK(ns->is_also_used_as_anonymous());
+    g_anonymous_namespace = ns;
+    g_anonymous_namespace_set = true;
+    return true;
   }
+  return false;
+}
 
+// TODO(b/130388701) remove this. Currently, this is used only for testing
+// where we don't have classloader namespace.
+bool init_anonymous_namespace(const char* shared_lib_sonames, const char* library_search_path) {
   ProtectedDataGuard guard;
 
+  // Test-only feature: we need to change the anonymous namespace multiple times
+  // while the test is running.
+  g_anonymous_namespace_set = false;
+
   // create anonymous namespace
   // When the caller is nullptr - create_namespace will take global group
   // from the anonymous namespace, which is fine because anonymous namespace
@@ -2488,21 +2512,18 @@
                        "(anonymous)",
                        nullptr,
                        library_search_path,
-                       ANDROID_NAMESPACE_TYPE_ISOLATED,
+                       ANDROID_NAMESPACE_TYPE_ISOLATED |
+                       ANDROID_NAMESPACE_TYPE_ALSO_USED_AS_ANONYMOUS,
                        nullptr,
                        &g_default_namespace);
 
-  if (anon_ns == nullptr) {
-    return false;
-  }
+  CHECK(anon_ns != nullptr);
 
   if (!link_namespaces(anon_ns, &g_default_namespace, shared_lib_sonames)) {
+    // TODO: delete anon_ns
     return false;
   }
 
-  g_anonymous_namespace = anon_ns;
-  g_anonymous_namespace_initialized = true;
-
   return true;
 }
 
@@ -2542,6 +2563,7 @@
   ns->set_name(name);
   ns->set_isolated((type & ANDROID_NAMESPACE_TYPE_ISOLATED) != 0);
   ns->set_greylist_enabled((type & ANDROID_NAMESPACE_TYPE_GREYLIST_ENABLED) != 0);
+  ns->set_also_used_as_anonymous((type & ANDROID_NAMESPACE_TYPE_ALSO_USED_AS_ANONYMOUS) != 0);
 
   if ((type & ANDROID_NAMESPACE_TYPE_SHARED) != 0) {
     // append parent namespace paths.
@@ -2573,6 +2595,16 @@
   ns->set_default_library_paths(std::move(default_library_paths));
   ns->set_permitted_paths(std::move(permitted_paths));
 
+  if (ns->is_also_used_as_anonymous() && !set_anonymous_namespace(ns)) {
+    DL_ERR("failed to set namespace: [name=\"%s\", ld_library_path=\"%s\", default_library_paths=\"%s\""
+           " permitted_paths=\"%s\"] as the anonymous namespace",
+           ns->get_name(),
+           android::base::Join(ns->get_ld_library_paths(), ':').c_str(),
+           android::base::Join(ns->get_default_library_paths(), ':').c_str(),
+           android::base::Join(ns->get_permitted_paths(), ':').c_str());
+    return nullptr;
+  }
+
   return ns;
 }
 
@@ -4142,6 +4174,13 @@
   }
 #endif
 
+  // Use generated linker config if flag is set
+  // TODO(b/138920271) Do not check property once it is confirmed as stable
+  if (android::base::GetBoolProperty("sys.linker.use_generated_config", false) &&
+      file_exists(kLdGeneratedConfigFilePath)) {
+    return kLdGeneratedConfigFilePath;
+  }
+
   std::string path = get_ld_config_file_apex_path(executable_path);
   if (!path.empty()) {
     if (file_exists(path.c_str())) {
diff --git a/linker/linker.h b/linker/linker.h
index 782da1c..89390b3 100644
--- a/linker/linker.h
+++ b/linker/linker.h
@@ -165,6 +165,13 @@
    */
   ANDROID_NAMESPACE_TYPE_GREYLIST_ENABLED = 0x08000000,
 
+  /* This flag instructs linker to use this namespace as the anonymous
+   * namespace. There can be only one anonymous namespace in a process. If there
+   * already an anonymous namespace in the process, using this flag when
+   * creating a new namespace causes an error
+   */
+  ANDROID_NAMESPACE_TYPE_ALSO_USED_AS_ANONYMOUS = 0x10000000,
+
   ANDROID_NAMESPACE_TYPE_SHARED_ISOLATED = ANDROID_NAMESPACE_TYPE_SHARED |
                                            ANDROID_NAMESPACE_TYPE_ISOLATED,
 };
diff --git a/linker/linker_main.cpp b/linker/linker_main.cpp
index 11d3d29..fd1592d 100644
--- a/linker/linker_main.cpp
+++ b/linker/linker_main.cpp
@@ -63,6 +63,8 @@
 static void get_elf_base_from_phdr(const ElfW(Phdr)* phdr_table, size_t phdr_count,
                                    ElfW(Addr)* base, ElfW(Addr)* load_bias);
 
+static void set_bss_vma_name(soinfo* si);
+
 // These should be preserved static to avoid emitting
 // RELATIVE relocations for the part of the code running
 // before linker links itself.
@@ -366,6 +368,8 @@
   si->set_main_executable();
   init_link_map_head(*si);
 
+  set_bss_vma_name(si);
+
   // Use the executable's PT_INTERP string as the solinker filename in the
   // dynamic linker's module list. gdb reads both PT_INTERP and the module list,
   // and if the paths for the linker are different, gdb will report that the
@@ -570,6 +574,31 @@
   async_safe_fatal("Could not find a PHDR: broken executable?");
 }
 
+/*
+ * Set anonymous VMA name for .bss section.  For DSOs loaded by the linker, this
+ * is done by ElfReader.  This function is here for DSOs loaded by the kernel,
+ * namely the linker itself and the main executable.
+ */
+static void set_bss_vma_name(soinfo* si) {
+  for (size_t i = 0; i < si->phnum; ++i) {
+    auto phdr = &si->phdr[i];
+
+    if (phdr->p_type != PT_LOAD) {
+      continue;
+    }
+
+    ElfW(Addr) seg_start = phdr->p_vaddr + si->load_bias;
+    ElfW(Addr) seg_page_end = PAGE_END(seg_start + phdr->p_memsz);
+    ElfW(Addr) seg_file_end = PAGE_END(seg_start + phdr->p_filesz);
+
+    if (seg_page_end > seg_file_end) {
+      prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME,
+            reinterpret_cast<void*>(seg_file_end), seg_page_end - seg_file_end,
+            ".bss");
+    }
+  }
+}
+
 // Detect an attempt to run the linker on itself. e.g.:
 //   /system/bin/linker64 /system/bin/linker64
 // Use priority-1 to run this constructor before other constructors.
@@ -660,6 +689,9 @@
   // couldn't make system calls on x86 at that point, but we can now...
   if (!tmp_linker_so.protect_relro()) __linker_cannot_link(args.argv[0]);
 
+  // And we can set VMA name for the bss section now
+  set_bss_vma_name(&tmp_linker_so);
+
   // Initialize the linker's static libc's globals
   __libc_init_globals();
 
diff --git a/linker/linker_namespaces.h b/linker/linker_namespaces.h
index 215ad05..9561bb4 100644
--- a/linker/linker_namespaces.h
+++ b/linker/linker_namespaces.h
@@ -72,7 +72,10 @@
 
 struct android_namespace_t {
  public:
-  android_namespace_t() : is_isolated_(false), is_greylist_enabled_(false) {}
+  android_namespace_t() :
+    is_isolated_(false),
+    is_greylist_enabled_(false),
+    is_also_used_as_anonymous_(false) {}
 
   const char* get_name() const { return name_.c_str(); }
   void set_name(const char* name) { name_ = name; }
@@ -83,6 +86,9 @@
   bool is_greylist_enabled() const { return is_greylist_enabled_; }
   void set_greylist_enabled(bool enabled) { is_greylist_enabled_ = enabled; }
 
+  bool is_also_used_as_anonymous() const { return is_also_used_as_anonymous_; }
+  void set_also_used_as_anonymous(bool yes) { is_also_used_as_anonymous_ = yes; }
+
   const std::vector<std::string>& get_ld_library_paths() const {
     return ld_library_paths_;
   }
@@ -164,6 +170,7 @@
   std::string name_;
   bool is_isolated_;
   bool is_greylist_enabled_;
+  bool is_also_used_as_anonymous_;
   std::vector<std::string> ld_library_paths_;
   std::vector<std::string> default_library_paths_;
   std::vector<std::string> permitted_paths_;
diff --git a/linker/linker_sdk_versions.cpp b/linker/linker_sdk_versions.cpp
index b06f3e6..29c0f4a 100644
--- a/linker/linker_sdk_versions.cpp
+++ b/linker/linker_sdk_versions.cpp
@@ -26,10 +26,13 @@
  * SUCH DAMAGE.
  */
 
-#include "linker.h"
-#include <android/api-level.h>
 #include <atomic>
 
+#include <android/api-level.h>
+#include <android/fdsan.h>
+
+#include "linker.h"
+
 static std::atomic<int> g_target_sdk_version(__ANDROID_API__);
 
 void set_application_target_sdk_version(int target) {
@@ -38,6 +41,10 @@
     target = __ANDROID_API__;
   }
   g_target_sdk_version = target;
+
+  if (target < 30) {
+    android_fdsan_set_error_level_from_property(ANDROID_FDSAN_ERROR_LEVEL_WARN_ONCE);
+  }
 }
 
 int get_application_target_sdk_version() {
diff --git a/tests/dlext_test.cpp b/tests/dlext_test.cpp
index 67ebf37..e7274f7 100644
--- a/tests/dlext_test.cpp
+++ b/tests/dlext_test.cpp
@@ -29,9 +29,7 @@
 #include <android-base/file.h>
 #include <android-base/strings.h>
 
-#include <linux/memfd.h>
 #include <sys/mman.h>
-#include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/vfs.h>
 #include <sys/wait.h>
@@ -363,8 +361,10 @@
 
   uint32_t* taxicab_number = reinterpret_cast<uint32_t*>(dlsym(handle_, "dlopen_testlib_taxicab_number"));
   ASSERT_DL_NOTNULL(taxicab_number);
-  EXPECT_GE(reinterpret_cast<void*>(taxicab_number), start);
-  EXPECT_LT(reinterpret_cast<void*>(taxicab_number), reinterpret_cast<char*>(start) + kLibSize);
+  // Untag the pointer so that it can be compared with start, which will be untagged.
+  void* addr = reinterpret_cast<void*>(untag_address(taxicab_number));
+  EXPECT_GE(addr, start);
+  EXPECT_LT(addr, reinterpret_cast<char*>(start) + kLibSize);
   EXPECT_EQ(1729U, *taxicab_number);
 }
 
@@ -942,7 +942,7 @@
   const std::string lib_path = GetTestlibRoot() + "/libtest_simple.so";
 
   // create memfd
-  int memfd = syscall(__NR_memfd_create, "foobar", MFD_CLOEXEC);
+  int memfd = memfd_create("foobar", MFD_CLOEXEC);
   if (memfd == -1 && errno == ENOSYS) {
     return;
   }
diff --git a/tests/leak_test.cpp b/tests/leak_test.cpp
index 6005209..3cc1a0a 100644
--- a/tests/leak_test.cpp
+++ b/tests/leak_test.cpp
@@ -17,6 +17,7 @@
 #include <err.h>
 #include <inttypes.h>
 #include <pthread.h>
+#include <sched.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/mman.h>
@@ -30,26 +31,28 @@
 #include <vector>
 
 #include <android-base/macros.h>
+#include <android-base/threads.h>
 
 #include "utils.h"
 
 using namespace std::chrono_literals;
 
-static void WaitUntilAllExited(pid_t* pids, size_t pid_count) {
+static void WaitUntilAllThreadsExited(pid_t* tids, size_t tid_count) {
   // Wait until all children have exited.
   bool alive = true;
   while (alive) {
     alive = false;
-    for (size_t i = 0; i < pid_count; ++i) {
-      if (pids[i] != 0) {
-        if (kill(pids[i], 0) == 0) {
+    for (size_t i = 0; i < tid_count; ++i) {
+      if (tids[i] != 0) {
+        if (tgkill(getpid(), tids[i], 0) == 0) {
           alive = true;
         } else {
           EXPECT_EQ(errno, ESRCH);
-          pids[i] = 0;  // Skip in next loop.
+          tids[i] = 0;  // Skip in next loop.
         }
       }
     }
+    sched_yield();
   }
 }
 
@@ -155,7 +158,7 @@
     pthread_barrier_wait(&barrier);
     ASSERT_EQ(pthread_barrier_destroy(&barrier), 0);
 
-    WaitUntilAllExited(tids, arraysize(tids));
+    WaitUntilAllThreadsExited(tids, threads_count);
 
     // A native bridge implementation might need a warm up pass to reach a steady state.
     // http://b/37920774.
diff --git a/tests/libs/segment_gap_outer.lds b/tests/libs/segment_gap_outer.lds
index b4e5aaa..0f175af 100644
--- a/tests/libs/segment_gap_outer.lds
+++ b/tests/libs/segment_gap_outer.lds
@@ -21,6 +21,6 @@
   # Place end_of_gap at the end of the gap.
   . = 0x1000000;
   .bss.end_of_gap : {
-    *(.bss.end_of_gap);
+    *(.bss.*end_of_gap*);
   }
 }
diff --git a/tests/sys_mman_test.cpp b/tests/sys_mman_test.cpp
index 0b98198..e403ea5 100644
--- a/tests/sys_mman_test.cpp
+++ b/tests/sys_mman_test.cpp
@@ -230,7 +230,10 @@
 TEST(sys_mman, mremap_PTRDIFF_MAX) {
   void* map = mmap(nullptr, PAGE_SIZE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
   ASSERT_NE(MAP_FAILED, map);
+
   ASSERT_EQ(MAP_FAILED, mremap(map, PAGE_SIZE, kHuge, MREMAP_MAYMOVE));
+
+  ASSERT_EQ(0, munmap(map, PAGE_SIZE));
 }
 
 TEST(sys_mman, mmap_bug_27265969) {
@@ -239,3 +242,61 @@
   // Some kernels had bugs that would cause segfaults here...
   __builtin___clear_cache(base, base + (PAGE_SIZE * 2));
 }
+
+TEST(sys_mman, mlock) {
+  void* map = mmap(nullptr, PAGE_SIZE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  ASSERT_NE(MAP_FAILED, map);
+
+  // Not really anything we can assert about this.
+  mlock(map, PAGE_SIZE);
+
+  ASSERT_EQ(0, munmap(map, PAGE_SIZE));
+}
+
+TEST(sys_mman, mlock2) {
+#if defined(__GLIBC__)
+  GTEST_SKIP() << "needs glibc 2.27";
+#else
+  void* map = mmap(nullptr, PAGE_SIZE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  ASSERT_NE(MAP_FAILED, map);
+
+  // Not really anything we can assert about this.
+  mlock2(map, PAGE_SIZE, MLOCK_ONFAULT);
+
+  ASSERT_EQ(0, munmap(map, PAGE_SIZE));
+#endif
+}
+
+TEST(sys_mman, memfd_create) {
+#if defined(__GLIBC__)
+  GTEST_SKIP() << "needs glibc 2.27";
+#else
+  // Is the MFD_CLOEXEC flag obeyed?
+  errno = 0;
+  int fd = memfd_create("doesn't matter", 0);
+  if (fd == -1) {
+    ASSERT_EQ(ENOSYS, errno);
+    GTEST_SKIP() << "no memfd_create available";
+  }
+  int f = fcntl(fd, F_GETFD);
+  ASSERT_NE(-1, f);
+  ASSERT_FALSE(f & FD_CLOEXEC);
+  close(fd);
+
+  errno = 0;
+  fd = memfd_create("doesn't matter", MFD_CLOEXEC);
+  f = fcntl(fd, F_GETFD);
+  ASSERT_NE(-1, f);
+  ASSERT_TRUE(f & FD_CLOEXEC);
+
+  // Can we read and write?
+  std::string expected("hello, world!");
+  ASSERT_TRUE(android::base::WriteStringToFd(expected, fd));
+  ASSERT_EQ(0, lseek(fd, 0, SEEK_SET));
+  std::string actual;
+  ASSERT_TRUE(android::base::ReadFdToString(fd, &actual));
+  ASSERT_EQ(expected, actual);
+
+  close(fd);
+#endif
+}