fortify: use __builtin_constant_p for more short-circuits
This also lets us retire our |__enable_if| version of |strlen|, which
should catch strictly fewer cases where we can fold the string's length
to a constant than |__builtin_constant_p| inside of |strlen|.
Bug: 131861088
Test: checkbuild on internal master. blueline bionic tests pass + it
boots.
Change-Id: I21b750a24f7d1825591a88d12a385be03a0a7ca3
diff --git a/libc/include/bits/fortify/poll.h b/libc/include/bits/fortify/poll.h
index 0d9b927..660dfca 100644
--- a/libc/include/bits/fortify/poll.h
+++ b/libc/include/bits/fortify/poll.h
@@ -37,6 +37,10 @@
#if defined(__BIONIC_FORTIFY)
#if __ANDROID_API__ >= __ANDROID_API_M__
+#define __bos_fd_count_trivially_safe(bos_val, fds, fd_count) \
+ __bos_dynamic_check_impl_and((bos_val), >=, (sizeof(*fds) * (fd_count)), \
+ (fd_count) <= __BIONIC_CAST(static_cast, nfds_t, -1) / sizeof(*fds))
+
__BIONIC_FORTIFY_INLINE
int poll(struct pollfd* const fds __pass_object_size, nfds_t fd_count, int timeout)
__overloadable
@@ -44,7 +48,7 @@
"in call to 'poll', fd_count is larger than the given buffer") {
size_t bos_fds = __bos(fds);
- if (bos_fds == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_fd_count_trivially_safe(bos_fds, fds, fd_count)) {
return __call_bypassing_fortify(poll)(fds, fd_count, timeout);
}
return __poll_chk(fds, fd_count, timeout, bos_fds);
@@ -57,7 +61,7 @@
"in call to 'ppoll', fd_count is larger than the given buffer") {
size_t bos_fds = __bos(fds);
- if (bos_fds == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_fd_count_trivially_safe(bos_fds, fds, fd_count)) {
return __call_bypassing_fortify(ppoll)(fds, fd_count, timeout, mask);
}
return __ppoll_chk(fds, fd_count, timeout, mask, bos_fds);
@@ -71,12 +75,14 @@
"in call to 'ppoll64', fd_count is larger than the given buffer") {
size_t bos_fds = __bos(fds);
- if (bos_fds == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_fd_count_trivially_safe(bos_fds, fds, fd_count)) {
return __call_bypassing_fortify(ppoll64)(fds, fd_count, timeout, mask);
}
return __ppoll64_chk(fds, fd_count, timeout, mask, bos_fds);
}
#endif
+#undef __bos_fd_count_trivially_safe
+
#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */
#endif /* defined(__BIONIC_FORTIFY) */
diff --git a/libc/include/bits/fortify/stdio.h b/libc/include/bits/fortify/stdio.h
index fc7d359..6e47daf 100644
--- a/libc/include/bits/fortify/stdio.h
+++ b/libc/include/bits/fortify/stdio.h
@@ -89,6 +89,10 @@
#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
#if __ANDROID_API__ >= __ANDROID_API_N__
+#define __bos_trivially_not_lt_mul(bos_val, size, count) \
+ __bos_dynamic_check_impl_and(bos_val, >=, (size) * (count), \
+ !__unsafe_check_mul_overflow(size, count))
+
__BIONIC_FORTIFY_INLINE
size_t fread(void* const __pass_object_size0 buf, size_t size, size_t count, FILE* stream)
__overloadable
@@ -98,7 +102,7 @@
"in call to 'fread', size * count is too large for the given buffer") {
size_t bos = __bos0(buf);
- if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_trivially_not_lt_mul(bos, size, count)) {
return __call_bypassing_fortify(fread)(buf, size, count, stream);
}
return __fread_chk(buf, size, count, stream, bos);
@@ -113,12 +117,13 @@
"in call to 'fwrite', size * count is too large for the given buffer") {
size_t bos = __bos0(buf);
- if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_trivially_not_lt_mul(bos, size, count)) {
return __call_bypassing_fortify(fwrite)(buf, size, count, stream);
}
return __fwrite_chk(buf, size, count, stream, bos);
}
+#undef __bos_trivially_not_lt_mul
#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */
#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
@@ -130,7 +135,7 @@
"in call to 'fgets', size is larger than the destination buffer") {
size_t bos = __bos(dest);
- if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_dynamic_check_impl_and(bos, >=, (size_t)size, size >= 0)) {
return __call_bypassing_fortify(fgets)(dest, size, stream);
}
diff --git a/libc/include/bits/fortify/string.h b/libc/include/bits/fortify/string.h
index 426076e..af93b91 100644
--- a/libc/include/bits/fortify/string.h
+++ b/libc/include/bits/fortify/string.h
@@ -123,7 +123,7 @@
void* memchr(const void* const s __pass_object_size, int c, size_t n) __overloadable {
size_t bos = __bos(s);
- if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_trivially_geq(bos, n)) {
return __builtin_memchr(s, c, n);
}
@@ -134,7 +134,7 @@
void* __memrchr_fortify(const void* const __pass_object_size s, int c, size_t n) __overloadable {
size_t bos = __bos(s);
- if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_trivially_geq(bos, n)) {
return __memrchr_real(s, c, n);
}
@@ -195,24 +195,11 @@
return __strlcat_chk(dst, src, size, bos);
}
-/*
- * If we can evaluate the size of s at compile-time, just call __builtin_strlen
- * on it directly. This makes it way easier for compilers to fold things like
- * strlen("Foo") into a constant, as users would expect. -1ULL is chosen simply
- * because it's large.
- */
-__BIONIC_FORTIFY_INLINE
-size_t strlen(const char* const s __pass_object_size)
- __overloadable __enable_if(__builtin_strlen(s) != -1ULL,
- "enabled if s is a known good string.") {
- return __builtin_strlen(s);
-}
-
__BIONIC_FORTIFY_INLINE
size_t strlen(const char* const s __pass_object_size0) __overloadable {
size_t bos = __bos0(s);
- if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ if (__bos_trivially_gt(bos, __builtin_strlen(s))) {
return __builtin_strlen(s);
}