fortify: Migrate trivial cases to dynamic check macros
|__builtin_constant_p| has become more flexible in clang. In particular,
it's no longer forcibly lowered before inlining, so we can actually use
it on function parameters (or |__bos(param)|).
This CL tweaks things so that trivially safe calls to FORTIFY'ed
functions compile into direct calls to those functions, rather than to
their _chk counterparts. This will be the most impactful with things
like |memset|, |memcpy|, etc., since clang has way more flexibility
about how to lower those than it does with |__memset_chk|,
|__memcpy_chk|, ...
As noted in the comments, the spelling of the new macros is meant to
match closely with the spelling of our |__bos_static| macros used in
|diagnose_if|.
This isn't a full cleanup of all of the cases in which we can do this.
Just a start on the super simple cases.
Bug: 131861088
Test: m checkbuild; blueline boots.
Change-Id: I696f42ce4a65231e0c4a78a4c5133a6be1cb7708
diff --git a/libc/include/bits/fortify/string.h b/libc/include/bits/fortify/string.h
index 80eb43e..426076e 100644
--- a/libc/include/bits/fortify/string.h
+++ b/libc/include/bits/fortify/string.h
@@ -46,7 +46,11 @@
__overloadable
__clang_error_if(__bos_unevaluated_lt(__bos0(dst), copy_amount),
"'memcpy' called with size bigger than buffer") {
- return __builtin___memcpy_chk(dst, src, copy_amount, __bos0(dst));
+ size_t bos_dst = __bos0(dst);
+ if (__bos_trivially_not_lt(bos_dst, copy_amount)) {
+ return __builtin_memcpy(dst, src, copy_amount);
+ }
+ return __builtin___memcpy_chk(dst, src, copy_amount, bos_dst);
}
__BIONIC_FORTIFY_INLINE
@@ -54,7 +58,11 @@
__overloadable
__clang_error_if(__bos_unevaluated_lt(__bos0(dst), len),
"'memmove' called with size bigger than buffer") {
- return __builtin___memmove_chk(dst, src, len, __bos0(dst));
+ size_t bos_dst = __bos0(dst);
+ if (__bos_trivially_not_lt(bos_dst, len)) {
+ return __builtin_memmove(dst, src, len);
+ }
+ return __builtin___memmove_chk(dst, src, len, bos_dst);
}
#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
@@ -64,7 +72,11 @@
__overloadable
__clang_error_if(__bos_unevaluated_leq(__bos(dst), __builtin_strlen(src)),
"'stpcpy' called with string bigger than buffer") {
- return __builtin___stpcpy_chk(dst, src, __bos(dst));
+ size_t bos_dst = __bos(dst);
+ if (__bos_trivially_not_leq(bos_dst, __builtin_strlen(src))) {
+ return __builtin_stpcpy(dst, src);
+ }
+ return __builtin___stpcpy_chk(dst, src, bos_dst);
}
#endif /* __ANDROID_API__ >= __ANDROID_API_L__ */
@@ -74,7 +86,11 @@
__overloadable
__clang_error_if(__bos_unevaluated_leq(__bos(dst), __builtin_strlen(src)),
"'strcpy' called with string bigger than buffer") {
- return __builtin___strcpy_chk(dst, src, __bos(dst));
+ size_t bos_dst = __bos(dst);
+ if (__bos_trivially_not_leq(bos_dst, __builtin_strlen(src))) {
+ return __builtin_strcpy(dst, src);
+ }
+ return __builtin___strcpy_chk(dst, src, bos_dst);
}
__BIONIC_FORTIFY_INLINE
@@ -94,7 +110,11 @@
"'memset' called with size bigger than buffer")
/* If you're a user who wants this warning to go away: use `(&memset)(foo, bar, baz)`. */
__clang_warning_if(c && !n, "'memset' will set 0 bytes; maybe the arguments got flipped?") {
- return __builtin___memset_chk(s, c, n, __bos0(s));
+ size_t bos = __bos0(s);
+ if (__bos_trivially_not_lt(bos, n)) {
+ return __builtin_memset(s, c, n);
+ }
+ return __builtin___memset_chk(s, c, n, bos);
}
#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */