Merge "Update sanitize property format"
diff --git a/libc/Android.bp b/libc/Android.bp
index b453d32..c5a513c 100644
--- a/libc/Android.bp
+++ b/libc/Android.bp
@@ -309,8 +309,6 @@
     defaults: ["libc_defaults"],
     srcs: [
         "upstream-netbsd/common/lib/libc/stdlib/random.c",
-        "upstream-netbsd/lib/libc/gen/ftw.c",
-        "upstream-netbsd/lib/libc/gen/nftw.c",
         "upstream-netbsd/lib/libc/gen/nice.c",
         "upstream-netbsd/lib/libc/gen/popen.c",
         "upstream-netbsd/lib/libc/gen/psignal.c",
@@ -1282,6 +1280,7 @@
         "bionic/fpclassify.cpp",
         "bionic/fsetxattr.cpp",
         "bionic/ftruncate.cpp",
+        "bionic/ftw.cpp",
         "bionic/futimens.cpp",
         "bionic/getcwd.cpp",
         "bionic/getdomainname.cpp",
diff --git a/libc/Android.mk b/libc/Android.mk
index fa392d1..02682af 100644
--- a/libc/Android.mk
+++ b/libc/Android.mk
@@ -107,6 +107,7 @@
     bionic/fpclassify.cpp \
     bionic/fsetxattr.cpp \
     bionic/ftruncate.cpp \
+    bionic/ftw.cpp \
     bionic/futimens.cpp \
     bionic/getcwd.cpp \
     bionic/getdomainname.cpp \
@@ -288,8 +289,6 @@
 
 libc_upstream_netbsd_src_files := \
     upstream-netbsd/common/lib/libc/stdlib/random.c \
-    upstream-netbsd/lib/libc/gen/ftw.c \
-    upstream-netbsd/lib/libc/gen/nftw.c \
     upstream-netbsd/lib/libc/gen/nice.c \
     upstream-netbsd/lib/libc/gen/popen.c \
     upstream-netbsd/lib/libc/gen/psignal.c \
diff --git a/libc/bionic/ftw.cpp b/libc/bionic/ftw.cpp
new file mode 100644
index 0000000..2123619
--- /dev/null
+++ b/libc/bionic/ftw.cpp
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2003, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+#include <errno.h>
+#include <fts.h>
+#include <ftw.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+static int do_nftw(const char *path,
+                   int (*ftw_fn)(const char*, const struct stat*, int),
+                   int (*nftw_fn)(const char*, const struct stat*, int, FTW*),
+                   int nfds,
+                   int nftw_flags) {
+  // TODO: nfds is currently unused.
+  if (nfds < 1) {
+    errno = EINVAL;
+    return -1;
+  }
+
+  // Translate to fts_open options.
+  int fts_options = FTS_LOGICAL | FTS_COMFOLLOW | FTS_NOCHDIR;
+  if (nftw_fn) {
+    fts_options = FTS_COMFOLLOW | ((nftw_flags & FTW_PHYS) ? FTS_PHYSICAL : FTS_LOGICAL);
+    if (!(nftw_flags & FTW_CHDIR)) fts_options |= FTS_NOCHDIR;
+    if (nftw_flags & FTW_MOUNT) fts_options |= FTS_XDEV;
+  }
+  bool postorder = (nftw_flags & FTW_DEPTH) != 0;
+
+  // Call fts_open.
+  char* const paths[2] = { const_cast<char*>(path), nullptr };
+  FTS* fts = fts_open(paths, fts_options, nullptr);
+  if (fts == nullptr) {
+    return -1;
+  }
+
+  // Translate fts_read results into ftw/nftw callbacks.
+  int error = 0;
+  FTSENT* cur;
+  while (error == 0 && (cur = fts_read(fts)) != nullptr) {
+    int fn_flag;
+    switch (cur->fts_info) {
+      case FTS_D:
+        // In the postorder case, we'll translate FTS_DP to FTW_DP later.
+        // In the can't-access case, we'll translate FTS_DNR to FTW_DNR later.
+        if (postorder || access(cur->fts_path, R_OK) == -1) continue;
+        fn_flag = FTW_D;
+        break;
+      case FTS_DNR:
+        fn_flag = FTW_DNR;
+        break;
+      case FTS_DP:
+        if (!postorder) continue;
+        fn_flag = FTW_DP;
+        break;
+      case FTS_F:
+      case FTS_DEFAULT:
+        fn_flag = FTW_F;
+        break;
+      case FTS_NS:
+      case FTS_NSOK:
+        fn_flag = FTW_NS;
+        break;
+      case FTS_SL:
+        fn_flag = FTW_SL;
+        break;
+      case FTS_SLNONE:
+        fn_flag = (nftw_fn != nullptr) ? FTW_SLN : FTW_NS;
+        break;
+      case FTS_DC:
+        errno = ELOOP;
+        error = -1;
+        continue;
+      default:
+        error = -1;
+        continue;
+    }
+
+    // Call the appropriate function.
+    if (nftw_fn != nullptr) {
+      FTW ftw;
+      ftw.base = cur->fts_pathlen - cur->fts_namelen;
+      ftw.level = cur->fts_level;
+      error = nftw_fn(cur->fts_path, cur->fts_statp, fn_flag, &ftw);
+    } else {
+      error = ftw_fn(cur->fts_path, cur->fts_statp, fn_flag);
+    }
+  }
+
+  int saved_errno = errno;
+  if (fts_close(fts) != 0 && error == 0) {
+    error = -1;
+  } else {
+    errno = saved_errno;
+  }
+  return error;
+}
+
+int ftw(const char* path, int (*ftw_fn)(const char*, const struct stat*, int), int nfds) {
+  return do_nftw(path, ftw_fn, nullptr, nfds, 0);
+}
+
+int nftw(const char* path, int (*nftw_fn)(const char*, const struct stat*, int, FTW*),
+         int nfds, int nftw_flags) {
+  return do_nftw(path, nullptr, nftw_fn, nfds, nftw_flags);
+}
diff --git a/libc/libc.arm.brillo.map b/libc/libc.arm.brillo.map
index 651fea4..541dbb2 100644
--- a/libc/libc.arm.brillo.map
+++ b/libc/libc.arm.brillo.map
@@ -1434,7 +1434,7 @@
     __swrite; # arm x86 mips
     __swsetup; # arm x86 mips
     __truncdfsf2; # arm
-    __udivdi3; # arm mips
+    __udivdi3; # arm x86 mips
     __udivsi3; # arm
     __unorddf2; # arm
     __unordsf2; # arm
diff --git a/libc/libc.arm.map b/libc/libc.arm.map
index 1c7a0ba..1784b95 100644
--- a/libc/libc.arm.map
+++ b/libc/libc.arm.map
@@ -1445,7 +1445,7 @@
     __swrite; # arm x86 mips
     __swsetup; # arm x86 mips
     __truncdfsf2; # arm
-    __udivdi3; # arm mips
+    __udivdi3; # arm x86 mips
     __udivsi3; # arm
     __unorddf2; # arm
     __unordsf2; # arm
diff --git a/libc/libc.map.txt b/libc/libc.map.txt
index ed20efc..f51c5d3 100644
--- a/libc/libc.map.txt
+++ b/libc/libc.map.txt
@@ -207,7 +207,6 @@
     __timer_getoverrun; # arm x86 mips
     __timer_gettime; # arm x86 mips
     __timer_settime; # arm x86 mips
-    __udivdi3; # x86
     __umask_chk;
     __vsnprintf_chk;
     __vsprintf_chk;
@@ -1471,7 +1470,7 @@
     __swrite; # arm x86 mips
     __swsetup; # arm x86 mips
     __truncdfsf2; # arm
-    __udivdi3; # arm mips
+    __udivdi3; # arm x86 mips
     __udivsi3; # arm
     __umoddi3; # x86 mips
     __unorddf2; # arm
diff --git a/libc/libc.mips.brillo.map b/libc/libc.mips.brillo.map
index d96de34..953fc29 100644
--- a/libc/libc.mips.brillo.map
+++ b/libc/libc.mips.brillo.map
@@ -1294,7 +1294,7 @@
     __swbuf; # arm x86 mips
     __swrite; # arm x86 mips
     __swsetup; # arm x86 mips
-    __udivdi3; # arm mips
+    __udivdi3; # arm x86 mips
     __umoddi3; # x86 mips
     _fwalk; # arm x86 mips
     android_getaddrinfofornet;
diff --git a/libc/libc.mips.map b/libc/libc.mips.map
index 5fe3a51..90db79d 100644
--- a/libc/libc.mips.map
+++ b/libc/libc.mips.map
@@ -1305,7 +1305,7 @@
     __swbuf; # arm x86 mips
     __swrite; # arm x86 mips
     __swsetup; # arm x86 mips
-    __udivdi3; # arm mips
+    __udivdi3; # arm x86 mips
     __umoddi3; # x86 mips
     __wait4; # arm x86 mips nobrillo
     _fwalk; # arm x86 mips
diff --git a/libc/libc.x86.brillo.map b/libc/libc.x86.brillo.map
index f167183..9f6cc52 100644
--- a/libc/libc.x86.brillo.map
+++ b/libc/libc.x86.brillo.map
@@ -203,7 +203,6 @@
     __timer_getoverrun; # arm x86 mips
     __timer_gettime; # arm x86 mips
     __timer_settime; # arm x86 mips
-    __udivdi3; # x86
     __umask_chk;
     __vsnprintf_chk;
     __vsprintf_chk;
@@ -1294,6 +1293,7 @@
     __swbuf; # arm x86 mips
     __swrite; # arm x86 mips
     __swsetup; # arm x86 mips
+    __udivdi3; # arm x86 mips
     __umoddi3; # x86 mips
     _fwalk; # arm x86 mips
     android_getaddrinfofornet;
diff --git a/libc/libc.x86.map b/libc/libc.x86.map
index d37d28a..4443731 100644
--- a/libc/libc.x86.map
+++ b/libc/libc.x86.map
@@ -203,7 +203,6 @@
     __timer_getoverrun; # arm x86 mips
     __timer_gettime; # arm x86 mips
     __timer_settime; # arm x86 mips
-    __udivdi3; # x86
     __umask_chk;
     __vsnprintf_chk;
     __vsprintf_chk;
@@ -1305,6 +1304,7 @@
     __swbuf; # arm x86 mips
     __swrite; # arm x86 mips
     __swsetup; # arm x86 mips
+    __udivdi3; # arm x86 mips
     __umoddi3; # x86 mips
     __wait4; # arm x86 mips nobrillo
     _fwalk; # arm x86 mips
diff --git a/libc/malloc_debug/Config.cpp b/libc/malloc_debug/Config.cpp
index ded618c..cc60086 100644
--- a/libc/malloc_debug/Config.cpp
+++ b/libc/malloc_debug/Config.cpp
@@ -273,7 +273,7 @@
   fill_free_value = DEFAULT_FILL_FREE_VALUE;
   front_guard_value = DEFAULT_FRONT_GUARD_VALUE;
   rear_guard_value = DEFAULT_REAR_GUARD_VALUE;
-  backtrace_signal = SIGRTMIN + 10;
+  backtrace_signal = SIGRTMAX - 19;
   free_track_backtrace_num_frames = 16;
 
   // Parse the options are of the format:
diff --git a/libc/malloc_debug/FreeTrackData.cpp b/libc/malloc_debug/FreeTrackData.cpp
index 682f93d..8e6502e 100644
--- a/libc/malloc_debug/FreeTrackData.cpp
+++ b/libc/malloc_debug/FreeTrackData.cpp
@@ -48,7 +48,7 @@
   uint8_t fill_free_value = debug_->config().fill_free_value;
   for (size_t i = 0; i < header->usable_size; i++) {
     if (pointer[i] != fill_free_value) {
-      error_log("  pointer[%zu] = 0x%02x (expected 0x%02x)", i, pointer[i], fill_free_value);
+      error_log("  allocation[%zu] = 0x%02x (expected 0x%02x)", i, pointer[i], fill_free_value);
     }
   }
   auto back_iter = backtraces_.find(header);
diff --git a/libc/malloc_debug/GuardData.cpp b/libc/malloc_debug/GuardData.cpp
index 48961b6..e207b86 100644
--- a/libc/malloc_debug/GuardData.cpp
+++ b/libc/malloc_debug/GuardData.cpp
@@ -57,7 +57,7 @@
   const uint8_t* real = reinterpret_cast<const uint8_t*>(data);
   for (size_t i = 0; i < cmp_mem_.size(); i++, pointer_idx++) {
     if (real[i] != expected[i]) {
-      error_log("  pointer[%d] = 0x%02x (expected 0x%02x)", pointer_idx, real[i], expected[i]);
+      error_log("  allocation[%d] = 0x%02x (expected 0x%02x)", pointer_idx, real[i], expected[i]);
     }
   }
 
diff --git a/libc/malloc_debug/README.md b/libc/malloc_debug/README.md
new file mode 100644
index 0000000..3fc2305
--- /dev/null
+++ b/libc/malloc_debug/README.md
@@ -0,0 +1,330 @@
+Malloc Debug
+============
+
+Malloc debug is a method of debugging native memory problems. It can help
+detect memory corruption, memory leaks, and use after free issues.
+
+Currently, malloc debug requires root to enable. When it is enabled, it works
+by adding a shim layer that replaces the normal allocation calls. The replaced
+calls are:
+
+<pre>
+malloc
+free
+calloc
+realloc
+posix_memalign
+memalign
+malloc_usable_size
+</pre>
+
+On 32 bit systems, these two deprecated functions are also replaced:
+
+<pre>
+pvalloc
+valloc
+</pre>
+
+Any errors detected by the library are reported in the log.
+
+Controlling Malloc Debug Behavior
+---------------------------------
+Malloc debug is controlled by individual options. Each option can be enabled
+individually, or in a group of other options. Every single option can be
+combined with every other option.
+
+Option Descriptions
+-------------------
+### front\_guard[=SIZE\_BYTES]
+Enables a small buffer placed before the allocated data. This is an attempt
+to find memory corruption occuring to a region before the original allocation.
+On first allocation, this front guard is written with a specific pattern (0xaa).
+When the allocation is freed, the guard is checked to verify it has not been
+modified. If any part of the front guard is modified, an error will be reported
+in the log indicating what bytes changed.
+
+If the backtrace option is also enabled, then any error message will include
+the backtrace of the allocation site.
+
+If SIZE\_BYTES is present, it indicates the number of bytes in the guard.
+The default is 32 bytes, the max bytes is 16384. SIZE\_BYTES will be
+padded so that it is a multiple of 8 bytes on 32 bit systems and 16 bytes
+on 64 bit systems to make sure that the allocation returned is aligned
+properly.
+
+This option adds a special header to all allocations that contains the guard
+and information about the original allocation.
+
+Example error:
+
+<pre>
+04-10 12:00:45.621  7412  7412 E malloc_debug: +++ ALLOCATION 0x12345678 SIZE 100 HAS A CORRUPTED FRONT GUARD
+04-10 12:00:45.622  7412  7412 E malloc_debug:   allocation[-32] = 0x00 (expected 0xaa)
+04-10 12:00:45.622  7412  7412 E malloc_debug:   allocation[-15] = 0x02 (expected 0xaa)
+</pre>
+
+### rear\_guard[=SIZE\_BYTES]
+Enables a small buffer placed after the allocated data. This is an attempt
+to find memory corruption occuring to a region after the original allocation.
+On first allocation, this rear guard is written with a specific pattern (0xbb).
+When the allocation is freed, the guard is checked to verify it has not been
+modified. If any part of the rear guard is modified, an error will be reported
+in the log indicating what bytes changed.
+
+If SIZE\_BYTES is present, it indicates the number of bytes in the guard.
+The default is 32 bytes, the max bytes is 16384.
+
+This option adds a special header to all allocations that contains
+information about the original allocation.
+
+Example error:
+
+<pre>
+04-10 12:00:45.621  7412  7412 E malloc_debug: +++ ALLOCATION 0x12345678 SIZE 100 HAS A CORRUPTED REAR GUARD
+04-10 12:00:45.622  7412  7412 E malloc_debug:   allocation[130] = 0xbf (expected 0xbb)
+04-10 12:00:45.622  7412  7412 E malloc_debug:   allocation[131] = 0x00 (expected 0xbb)
+</pre>
+
+### guard[=SIZE\_BYTES]
+Enables both a front guard and a rear guard on all allocations.
+
+If SIZE\_BYTES is present, it indicates the number of bytes in both guards.
+The default is 32 bytes, the max bytes is 16384.
+
+### backtrace[=MAX\_FRAMES]
+Enable capturing the backtrace of each allocation site.
+This option will slow down allocations by an order of magnitude. If the
+system runs too slowly with this option enabled, decreasing the maximum number
+of frames captured will speed the allocations up.
+
+Note that any backtrace frames that occur within the malloc backtrace library
+itself are not recorded.
+
+If MAX\_FRAMES is present, it indicates the maximum number of frames to
+capture in a backtrace. The default is 16 frames, the maximumum value
+this can be set to is 256.
+
+This option adds a special header to all allocations that contains the
+backtrace and information about the original allocation.
+
+### backtrace\_enable\_on\_signal[=MAX\_FRAMES]
+Enable capturing the backtrace of each allocation site. If the
+backtrace capture is toggled when the process receives the signal
+SIGRTMAX - 19 (which is 45 on most Android devices). When this
+option is used alone, backtrace capture starts out disabled until the signal
+is received. If both this option and the backtrace option are set, then
+backtrace capture is enabled until the signal is received.
+
+If MAX\_FRAMES is present, it indicates the maximum number of frames to
+capture in a backtrace. The default is 16 frames, the maximumum value
+this can be set to is 256.
+
+This option adds a special header to all allocations that contains the
+backtrace and information about the original allocation.
+
+### fill\_on\_alloc[=MAX\_FILLED\_BYTES]
+Any allocation routine, other than calloc, will result in the allocation being
+filled with the value 0xeb. When doing a realloc to a larger size, the bytes
+above the original usable size will be set to 0xeb.
+
+If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
+of bytes in the allocation. The default is to fill the entire allocation.
+
+### fill\_on\_free[=MAX\_FILLED\_BYTES]
+When an allocation is freed, fill it with 0xef.
+
+If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
+of bytes in the allocation. The default is to fill the entire allocation.
+
+### fill[=MAX\_FILLED\_BYTES]
+This enables both the fill\_on\_alloc option and the fill\_on\_free option.
+
+If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
+of bytes in the allocation. The default is to fill the entire allocation.
+
+### expand\_alloc[=EXPAND\_BYTES]
+Add an extra amount to allocate for every allocation.
+
+If XX is present, it is the number of bytes to expand the allocation by.
+The default is 16 bytes, the max bytes is 16384.
+
+### free\_track[=ALLOCATION\_COUNT]
+When a pointer is freed, do not free the memory right away, but add it to
+a list of freed allocations. In addition to being added to the list, the
+entire allocation is filled with the value 0xef, and the backtrace at
+the time of the free is recorded. The backtrace recording is completely
+separate from the backtrace option, and happens automatically if this
+option is enabled. By default, a maximum of 16 frames will be recorded,
+but this value can be changed using the free\_track\_backtrace\_num\_frames
+option. It can also be completely disabled by setting the option to zero.
+See the full description of this option below.
+
+When the list is full, an allocation is removed from the list and is
+checked to make sure that none of the contents have been modified since
+being placed on the list. When the program terminates, all of the allocations
+left on the list are verified.
+
+If ALLOCATION\_COUNT is present, it indicates the total number of allocations
+in the list. The default is to record 100 freed allocations, the max
+allocations to record is 16384.
+
+This option adds a special header to all allocations that contains
+information about the original allocation.
+
+Example error:
+
+<pre>
+04-15 12:00:31.304  7412  7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE
+04-15 12:00:31.305  7412  7412 E malloc_debug:   allocation[20] = 0xaf (expected 0xef)
+04-15 12:00:31.305  7412  7412 E malloc_debug:   allocation[99] = 0x12 (expected 0xef)
+04-15 12:00:31.305  7412  7412 E malloc_debug: Backtrace at time of free:
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #00  pc 00029310  /system/lib/libc.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #01  pc 00021438  /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #02  pc 000a9e38  /system/lib/libc++.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #03  pc 000a28a8  /system/lib/libc++.so
+</pre>
+
+In addition, there is another type of error message that can occur if
+an allocation has a special header applied, and the header is corrupted
+before the verification occurs. This is the error message that will be found
+in the log:
+
+<pre>
++++ ALLOCATION 0x12345678 HAS CORRUPTED HEADER TAG 0x1cc7dc00 AFTER FREE
+</pre>
+
+### free\_track\_backtrace\_num\_frames[=MAX\_FRAMES]
+This option only has meaning if free\_track is set. It indicates how many
+backtrace frames to capture when an allocation is freed.
+
+If MAX\_FRAMES is present, it indicates the number of frames to capture.
+If the value is set to zero, then no backtrace will be captured when the
+allocation is freed. The default is to record 16 frames, the max number of
+frames to to record is 256.
+
+### leak\_track
+Track all live allocations. When the program terminates, all of the live
+allocations will be dumped to the log. If the backtrace option was enabled,
+then the log will include the backtrace of the leaked allocations. This
+option is not useful when enabled globally because a lot of programs do not
+free everything before the program terminates.
+
+This option adds a special header to all allocations that contains
+information about the original allocation.
+
+Example leak error found in the log:
+
+<pre>
+04-15 12:35:33.304  7412  7412 E malloc_debug: +++ APP leaked block of size 100 at 0x2be3b0b0 (leak 1 of 2)
+04-15 12:35:33.304  7412  7412 E malloc_debug: Backtrace at time of allocation:
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #00  pc 00029310  /system/lib/libc.so
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #01  pc 00021438  /system/lib/libc.so (newlocale+160)
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #02  pc 000a9e38  /system/lib/libc++.so
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #03  pc 000a28a8  /system/lib/libc++.so
+04-15 12:35:33.305  7412  7412 E malloc_debug: +++ APP leaked block of size 24 at 0x7be32380 (leak 2 of 2)
+04-15 12:35:33.305  7412  7412 E malloc_debug: Backtrace at time of allocation:
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #00  pc 00029310  /system/lib/libc.so
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #01  pc 00021438  /system/lib/libc.so (newlocale+160)
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #02  pc 000a9e38  /system/lib/libc++.so
+04-15 12:35:33.305  7412  7412 E malloc_debug:           #03  pc 000a28a8  /system/lib/libc++.so
+</pre>
+
+Additional Errors
+-----------------
+There are a few other error messages that might appear in the log.
+
+### Use After Free
+<pre>
+04-15 12:00:31.304  7412  7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE (free)
+04-15 12:00:31.305  7412  7412 E malloc_debug: Backtrace of original free:
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #00  pc 00029310  /system/lib/libc.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #01  pc 00021438  /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #02  pc 000a9e38  /system/lib/libc++.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #03  pc 000a28a8  /system/lib/libc++.so
+04-15 12:00:31.305  7412  7412 E malloc_debug: Backtrace at time of failure:
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #00  pc 00029310  /system/lib/libc.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #01  pc 00021438  /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #02  pc 000a9e38  /system/lib/libc++.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #03  pc 000a28a8  /system/lib/libc++.so
+</pre>
+
+This indicates that code is attempting to free an already freed pointer. The
+name in parenthesis indicates that the application called the function
+<i>free</i> with the bad pointer.
+
+For example, this message:
+
+<pre>
+04-15 12:00:31.304  7412  7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE (realloc)
+</pre>
+
+Would indicate that the application called the <i>realloc</i> function
+with an already freed pointer.
+
+### Invalid Tag
+<pre>
+04-15 12:00:31.304  7412  7412 E malloc_debug: +++ ALLOCATION 0x12345678 HAS INVALID TAG 1ee7d000 (malloc_usable_size)
+04-15 12:00:31.305  7412  7412 E malloc_debug: Backtrace at time of failure:
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #00  pc 00029310  /system/lib/libc.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #01  pc 00021438  /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #02  pc 000a9e38  /system/lib/libc++.so
+04-15 12:00:31.305  7412  7412 E malloc_debug:           #03  pc 000a28a8  /system/lib/libc++.so
+</pre>
+
+This indicates that a function (malloc\_usable\_size) was called with
+a pointer that is either not allocated memory, or that the memory of
+the pointer has been corrupted.
+
+As with the other error message, the function in parenthesis is the
+function that was called with the bad pointer.
+
+Examples
+========
+Enable backtrace tracking of all allocation for all processes:
+
+<pre>
+  adb shell stop
+  adb shell setprop libc.debug.malloc.options backtrace
+  adb shell start
+</pre>
+
+Enable backtrace tracking for a specific process (ls):
+
+<pre>
+  adb shell setprop libc.debug.malloc.options backtrace
+  adb shell setprop libc.debug.malloc.program ls
+  adb shell ls
+</pre>
+
+Enable backtrace tracking for the zygote and zygote based processes:
+
+<pre>
+  adb shell stop
+  adb shell setprop libc.debug.malloc.program app_process
+  adb shell setprop libc.debug.malloc.options backtrace
+  adb shell start
+</pre>
+
+Enable multiple options (backtrace and guards):
+
+<pre>
+  adb shell stop
+  adb shell setprop libc.debug.malloc.options "\"backtrace guards\""
+  adb shell start
+</pre>
+
+Enable malloc debug when multiple processes have the same name. This method
+can be used to enable malloc debug for only a very specific process if
+multiple processes have the same name.
+
+Note: The double quotes in the adb shell command are necessary. Otherwise,
+the setprop command will fail since the backtrace guards options will look
+like two arguments instead of one.
+
+<pre>
+  adb shell
+  # setprop libc.debug.malloc.env_enabled
+  # setprop libc.debug.malloc.options backtrace
+  # export LIBC_DEBUG_MALLOC_ENABLE 1
+  # ls
+</pre>
diff --git a/libc/malloc_debug/README_api.md b/libc/malloc_debug/README_api.md
new file mode 100644
index 0000000..cd04c32
--- /dev/null
+++ b/libc/malloc_debug/README_api.md
@@ -0,0 +1,64 @@
+Native Memory Tracking using libc Callbacks
+-------------------------------------------
+Malloc debug can be used to get information on all of the live allocations
+in a process. The libc library in Android exports two calls that can be
+used to gather this data from a process. This tracking can be enabled using
+either the backtrace option or the backtrace\_enabled\_on\_signal option.
+
+The function to gather the data:
+
+<pre>
+<b>
+extern "C" void get_malloc_leak_info(uint8_t** info, size_t* overall_size, size_t* info_size, size_t* total_memory, size_t* backtrace_size);
+</b>
+</pre>
+
+<i>info</i> is set to a buffer allocated by the call that contains all of
+the allocation information.
+<i>overall\_size</i> is set to the total size of the buffer returned. If this
+<i>info\_size</i>
+value is zero, then there are no allocation being tracked.
+<i>total\_memory</i> is set to the sum of all allocation sizes that are live at
+the point of the function call. This does not include the memory allocated
+by the malloc debug library itself.
+<i>backtrace\_size</i> is set to the maximum number of backtrace entries
+that are present for each allocation.
+
+In order to free the buffer allocated by the function, call:
+
+<pre>
+<b>
+extern "C" void free_malloc_leak_info(uint8_t* info);
+</b>
+</pre>
+
+### Format of info Buffer
+<pre>
+size_t size_of_original_allocation
+size_t num_backtrace_frames
+uintptr_t pc1
+uintptr_t pc2
+uintptr_t pc3
+.
+.
+.
+</pre>
+
+The number of <i>uintptr\_t</i> values is determined by the value
+<i>backtrace\_size</i> as returned by the original call to
+<i>get\_malloc\_leak\_info</i>. This value is not variable, it is the same
+for all the returned data. The value
+<i>num\_backtrace\_frames</i> contains the real number of frames found. The
+extra frames are set to zero. Each <i>uintptr\_t</i> is a pc of the callstack.
+The calls from within the malloc debug library are automatically removed.
+
+For 32 bit systems, <i>size\_t</i> and <i>uintptr\_t</i> are both 4 byte values.
+
+For 64 bit systems, <i>size\_t</i> and <i>uintptr\_t</i> are both 8 byte values.
+
+The total number of these structures returned in <i>info</i> is
+<i>overall\_size</i> divided by <i>info\_size</i>.
+
+Note, the size value in each allocation data structure will have bit 31 set
+if this allocation was created by the Zygote process. This helps to distinguish
+between native allocations created by the application.
diff --git a/libc/upstream-netbsd/lib/libc/gen/ftw.c b/libc/upstream-netbsd/lib/libc/gen/ftw.c
deleted file mode 100644
index a7f6bbd..0000000
--- a/libc/upstream-netbsd/lib/libc/gen/ftw.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* $NetBSD: ftw.c,v 1.1 2005/12/30 23:07:32 agc Exp $ */
-
-/*	From OpenBSD: ftw.c,v 1.2 2003/07/21 21:15:32 millert Exp 	*/
-
-/*
- * Copyright (c) 2003 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-#include <sys/cdefs.h>
-
-#ifndef lint
-__RCSID("$NetBSD: ftw.c,v 1.1 2005/12/30 23:07:32 agc Exp $");
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <fts.h>
-#include <ftw.h>
-#include <limits.h>
-
-int
-ftw(const char *path, int (*fn)(const char *, const struct stat *, int),
-    int nfds)
-{
-	/* LINTED */
-	char * const paths[2] = { __UNCONST(path), NULL };
-	FTSENT *cur;
-	FTS *ftsp;
-	int fnflag, error, sverrno;
-
-	/* XXX - nfds is currently unused */
-	if (nfds < 1 || nfds > OPEN_MAX) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	ftsp = fts_open(paths, FTS_COMFOLLOW | FTS_NOCHDIR, NULL);
-	if (ftsp == NULL)
-		return (-1);
-	error = 0;
-	while ((cur = fts_read(ftsp)) != NULL) {
-		switch (cur->fts_info) {
-		case FTS_D:
-			fnflag = FTW_D;
-			break;
-		case FTS_DNR:
-			fnflag = FTW_DNR;
-			break;
-		case FTS_DP:
-			/* we only visit in preorder */
-			continue;
-		case FTS_F:
-		case FTS_DEFAULT:
-			fnflag = FTW_F;
-			break;
-		case FTS_NS:
-		case FTS_NSOK:
-		case FTS_SLNONE:
-			fnflag = FTW_NS;
-			break;
-		case FTS_SL:
-			fnflag = FTW_SL;
-			break;
-		case FTS_DC:
-			errno = ELOOP;
-			/* FALLTHROUGH */
-		default:
-			error = -1;
-			goto done;
-		}
-		error = fn(cur->fts_path, cur->fts_statp, fnflag);
-		if (error != 0)
-			break;
-	}
-done:
-	sverrno = errno;
-	if (fts_close(ftsp) != 0 && error == 0)
-		error = -1;
-	else
-		errno = sverrno;
-	return (error);
-}
diff --git a/libc/upstream-netbsd/lib/libc/gen/nftw.c b/libc/upstream-netbsd/lib/libc/gen/nftw.c
deleted file mode 100644
index 0e51342..0000000
--- a/libc/upstream-netbsd/lib/libc/gen/nftw.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $NetBSD */
-
-/*	From OpenBSD: nftw.c,v 1.2 2003/07/21 21:15:32 millert Exp 	*/
-
-/*
- * Copyright (c) 2003 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-#include <sys/cdefs.h>
-
-#ifndef lint
-__RCSID("$NetBSD: nftw.c,v 1.1 2005/12/30 23:07:32 agc Exp $");
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <fts.h>
-#include <ftw.h>
-#include <limits.h>
-
-int
-nftw(const char *path, int (*fn)(const char *, const struct stat *, int,
-     struct FTW *), int nfds, int ftwflags)
-{
-	/* LINTED */
-	char * const paths[2] = { __UNCONST(path), NULL };
-	struct FTW f;
-	FTSENT *cur;
-	FTS *ftsp;
-	int ftsflags, fnflag, error, postorder, sverrno;
-
-	/* XXX - nfds is currently unused */
-	if (nfds < 1 || nfds > OPEN_MAX) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	ftsflags = FTS_COMFOLLOW;
-	if (!(ftwflags & FTW_CHDIR))
-		ftsflags |= FTS_NOCHDIR;
-	if (ftwflags & FTW_MOUNT)
-		ftsflags |= FTS_XDEV;
-	if (ftwflags & FTW_PHYS)
-		ftsflags |= FTS_PHYSICAL;
-	postorder = (ftwflags & FTW_DEPTH) != 0;
-	ftsp = fts_open(paths, ftsflags, NULL);
-	if (ftsp == NULL)
-		return (-1);
-	error = 0;
-	while ((cur = fts_read(ftsp)) != NULL) {
-		switch (cur->fts_info) {
-		case FTS_D:
-			if (postorder)
-				continue;
-			fnflag = FTW_D;
-			break;
-		case FTS_DNR:
-			fnflag = FTW_DNR;
-			break;
-		case FTS_DP:
-			if (!postorder)
-				continue;
-			fnflag = FTW_DP;
-			break;
-		case FTS_F:
-		case FTS_DEFAULT:
-			fnflag = FTW_F;
-			break;
-		case FTS_NS:
-		case FTS_NSOK:
-			fnflag = FTW_NS;
-			break;
-		case FTS_SL:
-			fnflag = FTW_SL;
-			break;
-		case FTS_SLNONE:
-			fnflag = FTW_SLN;
-			break;
-		case FTS_DC:
-			errno = ELOOP;
-			/* FALLTHROUGH */
-		default:
-			error = -1;
-			goto done;
-		}
-		f.base = cur->fts_pathlen - cur->fts_namelen;
-		f.level = cur->fts_level;
-		error = fn(cur->fts_path, cur->fts_statp, fnflag, &f);
-		if (error != 0)
-			break;
-	}
-done:
-	sverrno = errno;
-	(void) fts_close(ftsp);
-	errno = sverrno;
-	return (error);
-}
diff --git a/tests/ftw_test.cpp b/tests/ftw_test.cpp
index b7e5bd5..ea494ba 100644
--- a/tests/ftw_test.cpp
+++ b/tests/ftw_test.cpp
@@ -16,6 +16,7 @@
 
 #include <ftw.h>
 
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/stat.h>
@@ -24,6 +25,7 @@
 
 #include "TemporaryFile.h"
 
+#include <android-base/stringprintf.h>
 #include <gtest/gtest.h>
 
 static void MakeTree(const char* root) {
@@ -39,7 +41,7 @@
   snprintf(path, sizeof(path), "%s/dangler", root);
   ASSERT_EQ(0, symlink("/does-not-exist", path));
   snprintf(path, sizeof(path), "%s/symlink", root);
-  ASSERT_EQ(0, symlink("sub2", path));
+  ASSERT_EQ(0, symlink("dir/sub", path));
 
   int fd;
   snprintf(path, sizeof(path), "%s/regular", root);
@@ -51,8 +53,21 @@
   ASSERT_TRUE(fpath != NULL);
   ASSERT_TRUE(sb != NULL);
 
+  // Was it a case where the struct stat we're given is meaningless?
+  if (tflag == FTW_NS || tflag == FTW_SLN) {
+    // If so, double-check that we really can't stat.
+    struct stat sb;
+    EXPECT_EQ(-1, stat(fpath, &sb));
+    return;
+  }
+
+  // Otherwise check that the struct stat matches the type flag.
   if (S_ISDIR(sb->st_mode)) {
-    EXPECT_TRUE(tflag == FTW_D || tflag == FTW_DNR || tflag == FTW_DP) << fpath;
+    if (access(fpath, R_OK) == 0) {
+      EXPECT_TRUE(tflag == FTW_D || tflag == FTW_DP) << fpath << ' ' << tflag;
+    } else {
+      EXPECT_EQ(FTW_DNR, tflag) << fpath;
+    }
   } else if (S_ISLNK(sb->st_mode)) {
     EXPECT_EQ(FTW_SL, tflag) << fpath;
   } else {
@@ -60,7 +75,7 @@
   }
 }
 
-void sanity_check_nftw(const char* fpath, const struct stat* sb, int tflag, struct FTW* ftwbuf) {
+void sanity_check_nftw(const char* fpath, const struct stat* sb, int tflag, FTW* ftwbuf) {
   sanity_check_ftw(fpath, sb, tflag);
   ASSERT_EQ('/', fpath[ftwbuf->base - 1]) << fpath;
 }
@@ -75,12 +90,12 @@
   return 0;
 }
 
-int check_nftw(const char* fpath, const struct stat* sb, int tflag, struct FTW* ftwbuf) {
+int check_nftw(const char* fpath, const struct stat* sb, int tflag, FTW* ftwbuf) {
   sanity_check_nftw(fpath, sb, tflag, ftwbuf);
   return 0;
 }
 
-int check_nftw64(const char* fpath, const struct stat64* sb, int tflag, struct FTW* ftwbuf) {
+int check_nftw64(const char* fpath, const struct stat64* sb, int tflag, FTW* ftwbuf) {
   sanity_check_nftw(fpath, reinterpret_cast<const struct stat*>(sb), tflag, ftwbuf);
   return 0;
 }
@@ -108,3 +123,33 @@
   MakeTree(root.dirname);
   ASSERT_EQ(0, nftw64(root.dirname, check_nftw64, 128, 0));
 }
+
+template <typename StatT>
+static int bug_28197840_ftw(const char* path, const StatT*, int flag) {
+  EXPECT_EQ(strstr(path, "unreadable") != nullptr ? FTW_DNR : FTW_D, flag) << path;
+  return 0;
+}
+
+template <typename StatT>
+static int bug_28197840_nftw(const char* path, const StatT* sb, int flag, FTW*) {
+  return bug_28197840_ftw(path, sb, flag);
+}
+
+TEST(ftw, bug_28197840) {
+  // Drop root for this test, because root can still read directories even if
+  // permissions would imply otherwise.
+  if (getuid() == 0) {
+    passwd* pwd = getpwnam("shell");
+    ASSERT_EQ(0, setuid(pwd->pw_uid));
+  }
+
+  TemporaryDir root;
+
+  std::string path = android::base::StringPrintf("%s/unreadable-directory", root.dirname);
+  ASSERT_EQ(0, mkdir(path.c_str(), 0000)) << path;
+
+  ASSERT_EQ(0, ftw(root.dirname, bug_28197840_ftw<struct stat>, 128));
+  ASSERT_EQ(0, ftw64(root.dirname, bug_28197840_ftw<struct stat64>, 128));
+  ASSERT_EQ(0, nftw(root.dirname, bug_28197840_nftw<struct stat>, 128, FTW_PHYS));
+  ASSERT_EQ(0, nftw64(root.dirname, bug_28197840_nftw<struct stat64>, 128, FTW_PHYS));
+}