1 # Android changes for NDK developers
3 This document details important changes related to native code
4 loading in various Android releases.
6 Required tools: the NDK has an _arch_-linux-android-readelf binary
7 (e.g. arm-linux-androideabi-readelf or i686-linux-android-readelf)
8 for each architecture (under toolchains/), but you can use readelf for
9 any architecture, as we will be doing basic inspection only. On Linux
10 you need to have the “binutils” package installed for readelf,
11 and “pax-utils” for scanelf.
14 ## How we manage incompatible changes
16 Our general practice with dynamic linker behavior changes is that they
17 will be tied to an app's target API level:
19 * Below the affected API level we'll preserve the old behavior or issue
20 a warning, as appropriate.
22 * At the affected API level and above, we’ll refuse to load the library.
24 * Warnings about any behavior change that will affect a library if you
25 increase your target API level will appear in logcat when that library
26 is loaded, even if you're not yet targeting that API level.
28 * On a developer preview build, dynamic linker warnings will also show up
29 as toasts. Experience has shown that many developers don’t habitually
30 check logcat for warnings until their app stops functioning, so the
31 toasts help bring some visibility to the issues before it's too late.
34 ## Changes to library search order
36 We have made various fixes to library search order when resolving symbols.
38 With API 22, load order switched from depth-first to breadth-first to
41 Before API 23, the default search order was to try the main executable,
42 LD_PRELOAD libraries, the library itself, and its DT_NEEDED libraries
43 in that order. For API 23 and later, for any given library, the dynamic
44 linker divides other libraries into the global group and the local
45 group. The global group is shared by all libraries and contains the main
46 executable, LD_PRELOAD libraries, and any library with the DF_1_GLOBAL
47 flag set (by passing “-z global” to ld(1)). The local group is
48 the breadth-first transitive closure of the library and its DT_NEEDED
49 libraries. The M dynamic linker searches the global group followed by
50 the local group. This allows ASAN, for example, to ensure that it can
54 ## RTLD_LOCAL (Available in API level >= 23)
56 The dlopen(3) RTLD_LOCAL flag used to be ignored but is implemented
57 correctly in API 23 and later. Note that RTLD_LOCAL is the default,
58 so even calls to dlopen(3) that didn’t explicitly use RTLD_LOCAL will
59 be affected (unless they explicitly used RTLD_GLOBAL). With RTLD_LOCAL,
60 symbols will not be made available to libraries loaded by later calls
61 to dlopen(3) (as opposed to being referenced by DT_NEEDED entries).
64 ## GNU hashes (Availible in API level >= 23)
66 The GNU hash style available with --hash-style=gnu allows faster
67 symbol lookup and is now supported by the dynamic linker in API 23 and
68 above. (Use --hash-style=both if you want to build code that uses this
69 feature >= Android M but still works on older releases.)
72 ## Correct soname/path handling (Available in API level >= 23)
74 The dynamic linker now understands the difference
75 between a library’s soname and its path (public bug
76 https://code.google.com/p/android/issues/detail?id=6670). API level 23
77 is the first release where search by soname is implemented. Earlier
78 releases would assume that the basename of the library was the soname,
79 and used that to search for already-loaded libraries. For example,
80 `dlopen("/this/directory/does/not/exist/libc.so", RTLD_NOW)` would
81 find `/system/lib/libc.so` because it’s already loaded. This also meant
82 that it was impossible to have two libraries `"dir1/libx.so"` and
83 `"dir2/libx.so"` --- the dynamic linker couldn’t tell the difference
84 and would always use whichever was loaded first, even if you explicitly
85 tried to load both. This also applied to DT_NEEDED entries.
87 Some apps have bad DT_NEEDED entries (usually absolute paths on the build
88 machine’s file system) that used to work because we ignored everything
89 but the basename. These apps will fail to load on API level 23 and above.
92 ## Symbol versioning (Available in API level >= 23)
94 Symbol versioning allows libraries to provide better backwards
95 compatibility. For example, if a library author knowingly changes
96 the behavior of a function, they can provide two versions in the same
97 library so that old code gets the old version and new code gets the new
98 version. This is supported in API level 23 and above.
101 ## Opening shared libraries directly from an APK
103 In API level 23 and above, it’s possible to open a .so file directly from
104 your APK. Just use `System.loadLibrary("foo")` exactly as normal but set
105 `android:extractNativeLibs="false"` in your `AndroidManifest.xml`. In
106 older releases, the .so files were extracted from the APK file
107 at install time. This meant that they took up space in your APK and
108 again in your installation directory (and this was counted against you
109 and reported to the user as space taken up by your app). Any .so file
110 that you want to load directly from your APK must be page aligned
111 (on a 4096-byte boundary) in the zip file and stored uncompressed.
112 Current versions of the zipalign tool take care of alignment.
114 Note that in API level 23 and above dlopen(3) will open a library from
115 any zip file, not just your APK. Just give dlopen(3) a path of the form
116 "my_zip_file.zip!/libs/libstuff.so". As with APKs, the library must be
117 page-aligned and stored uncompressed for this to work.
120 ## Private API (Enforced for API level >= 24)
122 Native libraries must use only public API, and must not link against
123 non-NDK platform libraries. Starting with API 24 this rule is enforced and
124 applications are no longer able to load non-NDK platform libraries. The
125 rule is enforced by the dynamic linker, so non-public libraries
126 are not accessible regardless of the way code tries to load them:
127 System.loadLibrary, DT_NEEDED entries, and direct calls to dlopen(3)
128 will all work exactly the same.
130 Users should have a consistent app experience across updates,
131 and developers shouldn't have to make emergency app updates to
132 handle platform changes. For that reason, we recommend against using
133 private C/C++ symbols. Private symbols aren't tested as part of the
134 Compatibility Test Suite (CTS) that all Android devices must pass. They
135 may not exist, or they may behave differently. This makes apps that use
136 them more likely to fail on specific devices, or on future releases ---
137 as many developers found when Android 6.0 Marshmallow switched from
138 OpenSSL to BoringSSL.
140 In order to reduce the user impact of this transition, we've identified
141 a set of libraries that see significant use from Google Play's
142 most-installed apps, and that are feasible for us to support in the
143 short term (including libandroid_runtime.so, libcutils.so, libcrypto.so,
144 and libssl.so). In order to give you more time to transition, we will
145 temporarily support these libraries; so if you see a warning that means
146 your code will not work in a future release -- please fix it now!
149 $ readelf --dynamic libBroken.so | grep NEEDED
150 0x00000001 (NEEDED) Shared library: [libnativehelper.so]
151 0x00000001 (NEEDED) Shared library: [libutils.so]
152 0x00000001 (NEEDED) Shared library: [libstagefright_foundation.so]
153 0x00000001 (NEEDED) Shared library: [libmedia_jni.so]
154 0x00000001 (NEEDED) Shared library: [liblog.so]
155 0x00000001 (NEEDED) Shared library: [libdl.so]
156 0x00000001 (NEEDED) Shared library: [libz.so]
157 0x00000001 (NEEDED) Shared library: [libstdc++.so]
158 0x00000001 (NEEDED) Shared library: [libm.so]
159 0x00000001 (NEEDED) Shared library: [libc.so]
162 *Potential problems*: starting from API 24 the dynamic linker will not
163 load private libraries, preventing the application from loading.
165 *Resolution*: rewrite your native code to rely only on public API. As a
166 short term workaround, platform libraries without complex dependencies
167 (libcutils.so) can be copied to the project. As a long term solution
168 the relevant code must be copied to the project tree. SSL/Media/JNI
169 internal/binder APIs should not be accessed from the native code. When
170 necessary, native code should call appropriate public Java API methods.
172 A complete list of public libraries is available within the NDK, under
173 platforms/android-API/usr/lib.
175 Note: SSL/crypto is a special case, applications must NOT use platform
176 libcrypto and libssl libraries directly, even on older platforms. All
177 applications should use GMS Security Provider to ensure they are protected
178 from known vulnerabilities.
181 ## Missing Section Headers (Enforced for API level >= 24)
183 Each ELF file has additional information contained in the section
184 headers. These headers must be present now, because the dynamic linker
185 uses them for sanity checking. Some developers strip them in an
186 attempt to obfuscate the binary and prevent reverse engineering. (This
187 doesn't really help because it is possible to reconstruct the stripped
188 information using widely-available tools.)
191 $ readelf --header libBroken.so | grep 'section headers'
192 Start of section headers: 0 (bytes into file)
193 Size of section headers: 0 (bytes)
194 Number of section headers: 0
197 *Resolution*: remove the extra steps from your build that strip section
200 ## Text Relocations (Enforced for API level >= 23)
202 Starting with API 23, shared objects must not contain text
203 relocations. That is, the code must be loaded as is and must not be
204 modified. Such an approach reduces load time and improves security.
206 The usual reason for text relocations is non-position independent
207 hand-written assembler. This is not common. Use the scanelf tool as
208 described in our documentation for further diagnostics:
211 $ scanelf -qT libTextRel.so
212 libTextRel.so: (memory/data?) [0x15E0E2] in (optimized out: previous simd_broken_op1) [0x15E0E0]
213 libTextRel.so: (memory/data?) [0x15E3B2] in (optimized out: previous simd_broken_op2) [0x15E3B0]
217 If you have no scanelf tool available, it is possible to do a basic
218 check with readelf instead, look for either a TEXTREL entry or the
219 TEXTREL flag. Either alone is sufficient. (The value corresponding to the
220 TEXTREL entry is irrelevant and typically 0 --- simply the presence of
221 the TEXTREL entry declares that the .so contains text relocations). This
222 example has both indicators present:
225 $ readelf --dynamic libTextRel.so | grep TEXTREL
226 0x00000016 (TEXTREL) 0x0
227 0x0000001e (FLAGS) SYMBOLIC TEXTREL BIND_NOW
230 Note: it is technically possible to have a shared object with the TEXTREL
231 entry/flag but without any actual text relocations. This doesn't happen
232 with the NDK, but if you're generating ELF files yourself make sure
233 you're not generating ELF files that claim to have text relocations,
234 because the Android dynamic linker trusts the entry/flag.
236 *Potential problems*: Relocations enforce code pages being writable, and
237 wastefully increase the number of dirty pages in memory. The dynamic
238 linker has issued warnings about text relocations since Android K
239 (API 19), but on API 23 and above it refuses to load code with text
242 *Resolution*: rewrite assembler to be position independent to ensure
243 no text relocations are necessary. The
244 [Gentoo Textrels guide](https://wiki.gentoo.org/wiki/Hardened/Textrels_Guide)
245 has instructions for fixing text relocations, and more detailed
246 [scanelf documentation](https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities).
249 ## Invalid DT_NEEDED Entries (Enforced for API level >= 23)
251 While library dependencies (DT_NEEDED entries in the ELF headers) can be
252 absolute paths, that doesn't make sense on Android because you have
253 no control over where your library will be installed by the system. A
254 DT_NEEDED entry should be the same as the needed library's SONAME,
255 leaving the business of finding the library at runtime to the dynamic
258 Before API 23, Android's dynamic linker ignored the full path, and
259 used only the basename (the part after the last ‘/') when looking
260 up the required libraries. Since API 23 the runtime linker will honor
261 the DT_NEEDED exactly and so it won't be able to load the library if
262 it is not present in that exact location on the device.
264 Even worse, some build systems have bugs that cause them to insert
265 DT_NEEDED entries that point to a file on the build host, something that
266 cannot be found on the device.
269 $ readelf --dynamic libSample.so | grep NEEDED
270 0x00000001 (NEEDED) Shared library: [libm.so]
271 0x00000001 (NEEDED) Shared library: [libc.so]
272 0x00000001 (NEEDED) Shared library: [libdl.so]
273 0x00000001 (NEEDED) Shared library:
274 [C:\Users\build\Android\ci\jni\libBroken.so]
277 *Potential problems*: before API 23 the DT_NEEDED entry's basename was
278 used, but starting from API 23 the Android runtime will try to load the
279 library using the path specified, and that path won't exist on the
280 device. There are broken third-party toolchains/build systems that use
281 a path on a build host instead of the SONAME.
283 *Resolution*: make sure all required libraries are referenced by SONAME
284 only. It is better to let the runtime linker to find and load those
285 libraries as the location may change from device to device.
288 ## Missing SONAME (Enforced for API level >= 23)
290 Each ELF shared object (“native library”) must have a SONAME (Shared
291 Object Name) attribute. The NDK toolchain adds this attribute by default,
292 so its absence indicates either a misconfigured alternative toolchain
293 or a misconfiguration in your build system. A missing SONAME may lead
294 to runtime issues such as the wrong library being loaded: the filename
295 is used instead when this attribute is missing.
298 $ readelf --dynamic libWithSoName.so | grep SONAME
299 0x0000000e (SONAME) Library soname: [libWithSoName.so]
302 *Potential problems*: namespace conflicts may lead to the wrong library
303 being loaded at runtime, which leads to crashes when required symbols
304 are not found, or you try to use an ABI-incompatible library that isn't
305 the library you were expecting.
307 *Resolution*: the current NDK generates the correct SONAME by
308 default. Ensure you're using the current NDK and that you haven't
309 configured your build system to generate incorrect SONAME entries (using
310 the -soname linker option).
313 ## Writable and Executable Segments (Enforced for API level >= 26)
315 Each segment in an ELF file has associated flags that tell the
316 dynamic linker what permissions to give the corresponding page in
317 memory. For security, data shouldn't be executable and code shouldn't be
318 writable. This means that the W (for Writable) and E (for Executable)
319 flags should be mutually exclusive. This wasn't historically enforced,
323 $ readelf --program-headers -W libBadFlags.so | grep WE
324 LOAD 0x000000 0x00000000 0x00000000 0x4c01d 0x4c01d RWE 0x1000
327 *Resolution*: we're aware of one middleware product that introduces these
328 into your app. The middleware vendor is aware of the problem and has a fix
331 ## Invalid ELF header/section headers (Enforced for API level >= 26)
333 In API level 26 and above the dynamic linker checks more values in
334 the ELF header and section headers and fails if they are invalid.
338 dlopen failed: "/data/data/com.example.bad/lib.so" has unsupported e_shentsize: 0x0 (expected 0x28)
341 *Resolution*: don't use tools that produce invalid/malformed
342 ELF files. Note that using them puts application under high risk of
343 being incompatible with future versions of Android.
345 ## Enable logging of dlopen/dlsym and library loading errors for apps (Available in Android O)
347 Starting with Android O it is possible to enable logging of all dlsym/dlopen calls
348 for debuggable apps. Here is short instruction on how to do that:
350 adb shell setprop debug.ld.app.com.example.myapp dlsym,dlopen,dlerror
354 Any subset of (dlsym,dlopen,dlerror) can be used.
356 On userdebug and eng builds it is possible to enable tracing for the whole system
357 by using debug.ld.all system property instead of app-specific one:
359 adb shell setprop debug.ld.all dlerror,dlopen
362 enables logging of all errors and dlopen calls