malloc_debug_check.cpp revision 03eebcb6e8762e668a0d3af6bb303cccb88c5b81
1/* 2 * Copyright (C) 2012 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <arpa/inet.h> 30#include <dlfcn.h> 31#include <errno.h> 32#include <errno.h> 33#include <fcntl.h> 34#include <pthread.h> 35#include <stdarg.h> 36#include <stdbool.h> 37#include <stddef.h> 38#include <stdio.h> 39#include <stdlib.h> 40#include <string.h> 41#include <sys/param.h> 42#include <sys/socket.h> 43#include <sys/system_properties.h> 44#include <sys/types.h> 45#include <time.h> 46#include <unistd.h> 47#include <unwind.h> 48 49#include "debug_mapinfo.h" 50#include "debug_stacktrace.h" 51#include "malloc_debug_common.h" 52#include "private/bionic_macros.h" 53#include "private/libc_logging.h" 54#include "private/ScopedPthreadMutexLocker.h" 55 56#define MAX_BACKTRACE_DEPTH 16 57#define ALLOCATION_TAG 0x1ee7d00d 58#define BACKLOG_TAG 0xbabecafe 59#define FREE_POISON 0xa5 60#define FRONT_GUARD 0xaa 61#define FRONT_GUARD_LEN (1<<5) 62#define REAR_GUARD 0xbb 63#define REAR_GUARD_LEN (1<<5) 64 65static void log_message(const char* format, ...) { 66 va_list args; 67 va_start(args, format); 68 __libc_format_log_va_list(ANDROID_LOG_ERROR, "libc", format, args); 69 va_end(args); 70} 71 72struct hdr_t { 73 uint32_t tag; 74 void* base; // Always points to the memory allocated using malloc. 75 // For memory allocated in chk_memalign, this value will 76 // not be the same as the location of the start of this 77 // structure. 78 hdr_t* prev; 79 hdr_t* next; 80 uintptr_t bt[MAX_BACKTRACE_DEPTH]; 81 int bt_depth; 82 uintptr_t freed_bt[MAX_BACKTRACE_DEPTH]; 83 int freed_bt_depth; 84 size_t size; 85 uint8_t front_guard[FRONT_GUARD_LEN]; 86} __attribute__((packed, aligned(MALLOC_ALIGNMENT))); 87 88struct ftr_t { 89 uint8_t rear_guard[REAR_GUARD_LEN]; 90} __attribute__((packed)); 91 92static inline ftr_t* to_ftr(hdr_t* hdr) { 93 return reinterpret_cast<ftr_t*>(reinterpret_cast<char*>(hdr + 1) + hdr->size); 94} 95 96static inline void* user(hdr_t* hdr) { 97 return hdr + 1; 98} 99 100static inline hdr_t* meta(void* user) { 101 return reinterpret_cast<hdr_t*>(user) - 1; 102} 103 104static inline const hdr_t* const_meta(const void* user) { 105 return reinterpret_cast<const hdr_t*>(user) - 1; 106} 107 108// TODO: introduce a struct for this global state. 109// There are basically two lists here, the regular list and the backlog list. 110// We should be able to remove the duplication. 111static unsigned g_allocated_block_count; 112static hdr_t* tail; 113static hdr_t* head; 114static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; 115 116static unsigned backlog_num; 117static hdr_t* backlog_tail; 118static hdr_t* backlog_head; 119static pthread_mutex_t backlog_lock = PTHREAD_MUTEX_INITIALIZER; 120 121// This variable is set to the value of property libc.debug.malloc.backlog. 122// It determines the size of the backlog we use to detect multiple frees. 123static unsigned g_malloc_debug_backlog = 100; 124 125__LIBC_HIDDEN__ HashTable* g_hash_table; 126 127static inline void init_front_guard(hdr_t* hdr) { 128 memset(hdr->front_guard, FRONT_GUARD, FRONT_GUARD_LEN); 129} 130 131static inline bool is_front_guard_valid(hdr_t* hdr) { 132 for (size_t i = 0; i < FRONT_GUARD_LEN; i++) { 133 if (hdr->front_guard[i] != FRONT_GUARD) { 134 return false; 135 } 136 } 137 return true; 138} 139 140static inline void init_rear_guard(hdr_t* hdr) { 141 ftr_t* ftr = to_ftr(hdr); 142 memset(ftr->rear_guard, REAR_GUARD, REAR_GUARD_LEN); 143} 144 145static inline bool is_rear_guard_valid(hdr_t* hdr) { 146 unsigned i; 147 int valid = 1; 148 int first_mismatch = -1; 149 ftr_t* ftr = to_ftr(hdr); 150 for (i = 0; i < REAR_GUARD_LEN; i++) { 151 if (ftr->rear_guard[i] != REAR_GUARD) { 152 if (first_mismatch < 0) 153 first_mismatch = i; 154 valid = 0; 155 } else if (first_mismatch >= 0) { 156 log_message("+++ REAR GUARD MISMATCH [%d, %d)\n", first_mismatch, i); 157 first_mismatch = -1; 158 } 159 } 160 161 if (first_mismatch >= 0) 162 log_message("+++ REAR GUARD MISMATCH [%d, %d)\n", first_mismatch, i); 163 return valid; 164} 165 166static inline void add_locked(hdr_t* hdr, hdr_t** tail, hdr_t** head) { 167 hdr->prev = NULL; 168 hdr->next = *head; 169 if (*head) 170 (*head)->prev = hdr; 171 else 172 *tail = hdr; 173 *head = hdr; 174} 175 176static inline int del_locked(hdr_t* hdr, hdr_t** tail, hdr_t** head) { 177 if (hdr->prev) { 178 hdr->prev->next = hdr->next; 179 } else { 180 *head = hdr->next; 181 } 182 if (hdr->next) { 183 hdr->next->prev = hdr->prev; 184 } else { 185 *tail = hdr->prev; 186 } 187 return 0; 188} 189 190static inline void add(hdr_t* hdr, size_t size) { 191 ScopedPthreadMutexLocker locker(&lock); 192 hdr->tag = ALLOCATION_TAG; 193 hdr->size = size; 194 init_front_guard(hdr); 195 init_rear_guard(hdr); 196 ++g_allocated_block_count; 197 add_locked(hdr, &tail, &head); 198} 199 200static inline int del(hdr_t* hdr) { 201 if (hdr->tag != ALLOCATION_TAG) { 202 return -1; 203 } 204 205 ScopedPthreadMutexLocker locker(&lock); 206 del_locked(hdr, &tail, &head); 207 --g_allocated_block_count; 208 return 0; 209} 210 211static inline void poison(hdr_t* hdr) { 212 memset(user(hdr), FREE_POISON, hdr->size); 213} 214 215static bool was_used_after_free(hdr_t* hdr) { 216 const uint8_t* data = reinterpret_cast<const uint8_t*>(user(hdr)); 217 for (size_t i = 0; i < hdr->size; i++) { 218 if (data[i] != FREE_POISON) { 219 return true; 220 } 221 } 222 return false; 223} 224 225/* returns 1 if valid, *safe == 1 if safe to dump stack */ 226static inline int check_guards(hdr_t* hdr, int* safe) { 227 *safe = 1; 228 if (!is_front_guard_valid(hdr)) { 229 if (hdr->front_guard[0] == FRONT_GUARD) { 230 log_message("+++ ALLOCATION %p SIZE %d HAS A CORRUPTED FRONT GUARD\n", 231 user(hdr), hdr->size); 232 } else { 233 log_message("+++ ALLOCATION %p HAS A CORRUPTED FRONT GUARD "\ 234 "(NOT DUMPING STACKTRACE)\n", user(hdr)); 235 /* Allocation header is probably corrupt, do not print stack trace */ 236 *safe = 0; 237 } 238 return 0; 239 } 240 241 if (!is_rear_guard_valid(hdr)) { 242 log_message("+++ ALLOCATION %p SIZE %d HAS A CORRUPTED REAR GUARD\n", 243 user(hdr), hdr->size); 244 return 0; 245 } 246 247 return 1; 248} 249 250/* returns 1 if valid, *safe == 1 if safe to dump stack */ 251static inline int check_allocation_locked(hdr_t* hdr, int* safe) { 252 int valid = 1; 253 *safe = 1; 254 255 if (hdr->tag != ALLOCATION_TAG && hdr->tag != BACKLOG_TAG) { 256 log_message("+++ ALLOCATION %p HAS INVALID TAG %08x (NOT DUMPING STACKTRACE)\n", 257 user(hdr), hdr->tag); 258 // Allocation header is probably corrupt, do not dequeue or dump stack 259 // trace. 260 *safe = 0; 261 return 0; 262 } 263 264 if (hdr->tag == BACKLOG_TAG && was_used_after_free(hdr)) { 265 log_message("+++ ALLOCATION %p SIZE %d WAS USED AFTER BEING FREED\n", 266 user(hdr), hdr->size); 267 valid = 0; 268 /* check the guards to see if it's safe to dump a stack trace */ 269 check_guards(hdr, safe); 270 } else { 271 valid = check_guards(hdr, safe); 272 } 273 274 if (!valid && *safe) { 275 log_message("+++ ALLOCATION %p SIZE %d ALLOCATED HERE:\n", 276 user(hdr), hdr->size); 277 log_backtrace(hdr->bt, hdr->bt_depth); 278 if (hdr->tag == BACKLOG_TAG) { 279 log_message("+++ ALLOCATION %p SIZE %d FREED HERE:\n", 280 user(hdr), hdr->size); 281 log_backtrace(hdr->freed_bt, hdr->freed_bt_depth); 282 } 283 } 284 285 return valid; 286} 287 288static inline int del_and_check_locked(hdr_t* hdr, 289 hdr_t** tail, hdr_t** head, unsigned* cnt, 290 int* safe) { 291 int valid = check_allocation_locked(hdr, safe); 292 if (safe) { 293 (*cnt)--; 294 del_locked(hdr, tail, head); 295 } 296 return valid; 297} 298 299static inline void del_from_backlog_locked(hdr_t* hdr) { 300 int safe; 301 del_and_check_locked(hdr, 302 &backlog_tail, &backlog_head, &backlog_num, 303 &safe); 304 hdr->tag = 0; /* clear the tag */ 305} 306 307static inline void del_from_backlog(hdr_t* hdr) { 308 ScopedPthreadMutexLocker locker(&backlog_lock); 309 del_from_backlog_locked(hdr); 310} 311 312static inline int del_leak(hdr_t* hdr, int* safe) { 313 ScopedPthreadMutexLocker locker(&lock); 314 return del_and_check_locked(hdr, &tail, &head, &g_allocated_block_count, safe); 315} 316 317static inline void add_to_backlog(hdr_t* hdr) { 318 ScopedPthreadMutexLocker locker(&backlog_lock); 319 hdr->tag = BACKLOG_TAG; 320 backlog_num++; 321 add_locked(hdr, &backlog_tail, &backlog_head); 322 poison(hdr); 323 /* If we've exceeded the maximum backlog, clear it up */ 324 while (backlog_num > g_malloc_debug_backlog) { 325 hdr_t* gone = backlog_tail; 326 del_from_backlog_locked(gone); 327 Malloc(free)(gone->base); 328 } 329} 330 331extern "C" void* chk_malloc(size_t bytes) { 332// log_message("%s: %s\n", __FILE__, __FUNCTION__); 333 334 size_t size = sizeof(hdr_t) + bytes + sizeof(ftr_t); 335 if (size < bytes) { // Overflow 336 errno = ENOMEM; 337 return NULL; 338 } 339 hdr_t* hdr = static_cast<hdr_t*>(Malloc(malloc)(size)); 340 if (hdr) { 341 hdr->base = hdr; 342 hdr->bt_depth = get_backtrace(hdr->bt, MAX_BACKTRACE_DEPTH); 343 add(hdr, bytes); 344 return user(hdr); 345 } 346 return NULL; 347} 348 349extern "C" void* chk_memalign(size_t alignment, size_t bytes) { 350 if (alignment <= MALLOC_ALIGNMENT) { 351 return chk_malloc(bytes); 352 } 353 354 // Make the alignment a power of two. 355 if (!powerof2(alignment)) { 356 alignment = BIONIC_ROUND_UP_POWER_OF_2(alignment); 357 } 358 359 // here, alignment is at least MALLOC_ALIGNMENT<<1 bytes 360 // we will align by at least MALLOC_ALIGNMENT bytes 361 // and at most alignment-MALLOC_ALIGNMENT bytes 362 size_t size = (alignment-MALLOC_ALIGNMENT) + bytes; 363 if (size < bytes) { // Overflow. 364 return NULL; 365 } 366 367 void* base = Malloc(malloc)(sizeof(hdr_t) + size + sizeof(ftr_t)); 368 if (base != NULL) { 369 // Check that the actual pointer that will be returned is aligned 370 // properly. 371 uintptr_t ptr = reinterpret_cast<uintptr_t>(user(reinterpret_cast<hdr_t*>(base))); 372 if ((ptr % alignment) != 0) { 373 // Align the pointer. 374 ptr += ((-ptr) % alignment); 375 } 376 377 hdr_t* hdr = meta(reinterpret_cast<void*>(ptr)); 378 hdr->base = base; 379 hdr->bt_depth = get_backtrace(hdr->bt, MAX_BACKTRACE_DEPTH); 380 add(hdr, bytes); 381 return user(hdr); 382 } 383 return base; 384} 385 386extern "C" void chk_free(void* ptr) { 387// log_message("%s: %s\n", __FILE__, __FUNCTION__); 388 389 if (!ptr) /* ignore free(NULL) */ 390 return; 391 392 hdr_t* hdr = meta(ptr); 393 394 if (del(hdr) < 0) { 395 uintptr_t bt[MAX_BACKTRACE_DEPTH]; 396 int depth = get_backtrace(bt, MAX_BACKTRACE_DEPTH); 397 if (hdr->tag == BACKLOG_TAG) { 398 log_message("+++ ALLOCATION %p SIZE %d BYTES MULTIPLY FREED!\n", 399 user(hdr), hdr->size); 400 log_message("+++ ALLOCATION %p SIZE %d ALLOCATED HERE:\n", 401 user(hdr), hdr->size); 402 log_backtrace(hdr->bt, hdr->bt_depth); 403 /* hdr->freed_bt_depth should be nonzero here */ 404 log_message("+++ ALLOCATION %p SIZE %d FIRST FREED HERE:\n", 405 user(hdr), hdr->size); 406 log_backtrace(hdr->freed_bt, hdr->freed_bt_depth); 407 log_message("+++ ALLOCATION %p SIZE %d NOW BEING FREED HERE:\n", 408 user(hdr), hdr->size); 409 log_backtrace(bt, depth); 410 } else { 411 log_message("+++ ALLOCATION %p IS CORRUPTED OR NOT ALLOCATED VIA TRACKER!\n", 412 user(hdr)); 413 log_backtrace(bt, depth); 414 } 415 } else { 416 hdr->freed_bt_depth = get_backtrace(hdr->freed_bt, MAX_BACKTRACE_DEPTH); 417 add_to_backlog(hdr); 418 } 419} 420 421extern "C" void* chk_realloc(void* ptr, size_t bytes) { 422// log_message("%s: %s\n", __FILE__, __FUNCTION__); 423 424 if (!ptr) { 425 return chk_malloc(bytes); 426 } 427 428#ifdef REALLOC_ZERO_BYTES_FREE 429 if (!bytes) { 430 chk_free(ptr); 431 return NULL; 432 } 433#endif 434 435 hdr_t* hdr = meta(ptr); 436 437 if (del(hdr) < 0) { 438 uintptr_t bt[MAX_BACKTRACE_DEPTH]; 439 int depth = get_backtrace(bt, MAX_BACKTRACE_DEPTH); 440 if (hdr->tag == BACKLOG_TAG) { 441 log_message("+++ REALLOCATION %p SIZE %d OF FREED MEMORY!\n", 442 user(hdr), bytes, hdr->size); 443 log_message("+++ ALLOCATION %p SIZE %d ALLOCATED HERE:\n", 444 user(hdr), hdr->size); 445 log_backtrace(hdr->bt, hdr->bt_depth); 446 /* hdr->freed_bt_depth should be nonzero here */ 447 log_message("+++ ALLOCATION %p SIZE %d FIRST FREED HERE:\n", 448 user(hdr), hdr->size); 449 log_backtrace(hdr->freed_bt, hdr->freed_bt_depth); 450 log_message("+++ ALLOCATION %p SIZE %d NOW BEING REALLOCATED HERE:\n", 451 user(hdr), hdr->size); 452 log_backtrace(bt, depth); 453 454 /* We take the memory out of the backlog and fall through so the 455 * reallocation below succeeds. Since we didn't really free it, we 456 * can default to this behavior. 457 */ 458 del_from_backlog(hdr); 459 } else { 460 log_message("+++ REALLOCATION %p SIZE %d IS CORRUPTED OR NOT ALLOCATED VIA TRACKER!\n", 461 user(hdr), bytes); 462 log_backtrace(bt, depth); 463 // just get a whole new allocation and leak the old one 464 return Malloc(realloc)(0, bytes); 465 // return realloc(user(hdr), bytes); // assuming it was allocated externally 466 } 467 } 468 469 size_t size = sizeof(hdr_t) + bytes + sizeof(ftr_t); 470 if (size < bytes) { // Overflow 471 errno = ENOMEM; 472 return NULL; 473 } 474 if (hdr->base != hdr) { 475 // An allocation from memalign, so create another allocation and 476 // copy the data out. 477 void* newMem = Malloc(malloc)(size); 478 if (newMem == NULL) { 479 return NULL; 480 } 481 memcpy(newMem, hdr, sizeof(hdr_t) + hdr->size); 482 Malloc(free)(hdr->base); 483 hdr = static_cast<hdr_t*>(newMem); 484 } else { 485 hdr = static_cast<hdr_t*>(Malloc(realloc)(hdr, size)); 486 } 487 if (hdr) { 488 hdr->base = hdr; 489 hdr->bt_depth = get_backtrace(hdr->bt, MAX_BACKTRACE_DEPTH); 490 add(hdr, bytes); 491 return user(hdr); 492 } 493 return NULL; 494} 495 496extern "C" void* chk_calloc(size_t nmemb, size_t bytes) { 497// log_message("%s: %s\n", __FILE__, __FUNCTION__); 498 size_t total_bytes = nmemb * bytes; 499 size_t size = sizeof(hdr_t) + total_bytes + sizeof(ftr_t); 500 if (size < total_bytes || (nmemb && SIZE_MAX / nmemb < bytes)) { // Overflow 501 errno = ENOMEM; 502 return NULL; 503 } 504 hdr_t* hdr = static_cast<hdr_t*>(Malloc(calloc)(1, size)); 505 if (hdr) { 506 hdr->base = hdr; 507 hdr->bt_depth = get_backtrace(hdr->bt, MAX_BACKTRACE_DEPTH); 508 add(hdr, total_bytes); 509 return user(hdr); 510 } 511 return NULL; 512} 513 514extern "C" size_t chk_malloc_usable_size(const void* ptr) { 515 // malloc_usable_size returns 0 for NULL and unknown blocks. 516 if (ptr == NULL) 517 return 0; 518 519 const hdr_t* hdr = const_meta(ptr); 520 521 // The sentinel tail is written just after the request block bytes 522 // so there is no extra room we can report here. 523 return hdr->size; 524} 525 526extern "C" struct mallinfo chk_mallinfo() { 527 return Malloc(mallinfo)(); 528} 529 530extern "C" int chk_posix_memalign(void** memptr, size_t alignment, size_t size) { 531 if (!powerof2(alignment)) { 532 return EINVAL; 533 } 534 int saved_errno = errno; 535 *memptr = chk_memalign(alignment, size); 536 errno = saved_errno; 537 return (*memptr != NULL) ? 0 : ENOMEM; 538} 539 540extern "C" void* chk_pvalloc(size_t bytes) { 541 size_t pagesize = sysconf(_SC_PAGESIZE); 542 size_t size = BIONIC_ALIGN(bytes, pagesize); 543 if (size < bytes) { // Overflow 544 return NULL; 545 } 546 return chk_memalign(pagesize, size); 547} 548 549extern "C" void* chk_valloc(size_t size) { 550 return chk_memalign(sysconf(_SC_PAGESIZE), size); 551} 552 553static void ReportMemoryLeaks() { 554 // Use /proc/self/exe link to obtain the program name for logging 555 // purposes. If it's not available, we set it to "<unknown>". 556 char exe[PATH_MAX]; 557 int count; 558 if ((count = readlink("/proc/self/exe", exe, sizeof(exe) - 1)) == -1) { 559 strlcpy(exe, "<unknown>", sizeof(exe)); 560 } else { 561 exe[count] = '\0'; 562 } 563 564 if (g_allocated_block_count == 0) { 565 log_message("+++ %s did not leak", exe); 566 return; 567 } 568 569 size_t index = 1; 570 const size_t total = g_allocated_block_count; 571 while (head != NULL) { 572 int safe; 573 hdr_t* block = head; 574 log_message("+++ %s leaked block of size %d at %p (leak %d of %d)", 575 exe, block->size, user(block), index++, total); 576 if (del_leak(block, &safe)) { 577 /* safe == 1, because the allocation is valid */ 578 log_backtrace(block->bt, block->bt_depth); 579 } 580 } 581 582 while (backlog_head != NULL) { 583 del_from_backlog(backlog_tail); 584 } 585} 586 587extern "C" bool malloc_debug_initialize(HashTable* hash_table) { 588 g_hash_table = hash_table; 589 590 char debug_backlog[PROP_VALUE_MAX]; 591 if (__system_property_get("libc.debug.malloc.backlog", debug_backlog)) { 592 g_malloc_debug_backlog = atoi(debug_backlog); 593 info_log("%s: setting backlog length to %d\n", getprogname(), g_malloc_debug_backlog); 594 } 595 596 backtrace_startup(); 597 return true; 598} 599 600extern "C" void malloc_debug_finalize(int malloc_debug_level) { 601 // We only track leaks at level 10. 602 if (malloc_debug_level == 10) { 603 ReportMemoryLeaks(); 604 } 605 backtrace_shutdown(); 606} 607