1/* 2 * Copyright 2017 Google Inc. 3 * 4 * Use of this source code is governed by a BSD-style license that can be 5 * found in the LICENSE file. 6 */ 7 8#ifndef SkMalloc_DEFINED 9#define SkMalloc_DEFINED 10 11#include <cstddef> 12#include <cstring> 13 14#include "SkTypes.h" 15 16/* 17 memory wrappers to be implemented by the porting layer (platform) 18*/ 19 20 21/** Free memory returned by sk_malloc(). It is safe to pass null. */ 22SK_API extern void sk_free(void*); 23 24/** 25 * Called internally if we run out of memory. The platform implementation must 26 * not return, but should either throw an exception or otherwise exit. 27 */ 28SK_API extern void sk_out_of_memory(void); 29 30enum { 31 /** 32 * If this bit is set, the returned buffer must be zero-initialized. If this bit is not set 33 * the buffer can be uninitialized. 34 */ 35 SK_MALLOC_ZERO_INITIALIZE = 1 << 0, 36 37 /** 38 * If this bit is set, the implementation must throw/crash/quit if the request cannot 39 * be fulfilled. If this bit is not set, then it should return nullptr on failure. 40 */ 41 SK_MALLOC_THROW = 1 << 1, 42}; 43/** 44 * Return a block of memory (at least 4-byte aligned) of at least the specified size. 45 * If the requested memory cannot be returned, either return nullptr or throw/exit, depending 46 * on the SK_MALLOC_THROW bit. If the allocation succeeds, the memory will be zero-initialized 47 * if the SK_MALLOC_ZERO_INITIALIZE bit was set. 48 * 49 * To free the memory, call sk_free() 50 */ 51SK_API extern void* sk_malloc_flags(size_t size, unsigned flags); 52 53/** Same as standard realloc(), but this one never returns null on failure. It will throw 54 * an exception if it fails. 55 */ 56SK_API extern void* sk_realloc_throw(void* buffer, size_t size); 57 58static inline void* sk_malloc_throw(size_t size) { 59 return sk_malloc_flags(size, SK_MALLOC_THROW); 60} 61 62static inline void* sk_calloc_throw(size_t size) { 63 return sk_malloc_flags(size, SK_MALLOC_THROW | SK_MALLOC_ZERO_INITIALIZE); 64} 65 66static inline void* sk_calloc_canfail(size_t size) { 67#if defined(IS_FUZZING_WITH_LIBFUZZER) 68 // The Libfuzzer environment is very susceptible to OOM, so to avoid those 69 // just pretend we can't allocate more than 200kb. 70 if (size > 200000) { 71 return nullptr; 72 } 73#endif 74 return sk_malloc_flags(size, SK_MALLOC_ZERO_INITIALIZE); 75} 76 77// Performs a safe multiply count * elemSize, checking for overflow 78SK_API extern void* sk_calloc_throw(size_t count, size_t elemSize); 79SK_API extern void* sk_malloc_throw(size_t count, size_t elemSize); 80SK_API extern void* sk_realloc_throw(void* buffer, size_t count, size_t elemSize); 81 82/** 83 * These variants return nullptr on failure 84 */ 85static inline void* sk_malloc_canfail(size_t size) { 86#if defined(IS_FUZZING_WITH_LIBFUZZER) 87 // The Libfuzzer environment is very susceptible to OOM, so to avoid those 88 // just pretend we can't allocate more than 200kb. 89 if (size > 200000) { 90 return nullptr; 91 } 92#endif 93 return sk_malloc_flags(size, 0); 94} 95SK_API extern void* sk_malloc_canfail(size_t count, size_t elemSize); 96 97// bzero is safer than memset, but we can't rely on it, so... sk_bzero() 98static inline void sk_bzero(void* buffer, size_t size) { 99 // Please c.f. sk_careful_memcpy. It's undefined behavior to call memset(null, 0, 0). 100 if (size) { 101 memset(buffer, 0, size); 102 } 103} 104 105/** 106 * sk_careful_memcpy() is just like memcpy(), but guards against undefined behavior. 107 * 108 * It is undefined behavior to call memcpy() with null dst or src, even if len is 0. 109 * If an optimizer is "smart" enough, it can exploit this to do unexpected things. 110 * memcpy(dst, src, 0); 111 * if (src) { 112 * printf("%x\n", *src); 113 * } 114 * In this code the compiler can assume src is not null and omit the if (src) {...} check, 115 * unconditionally running the printf, crashing the program if src really is null. 116 * Of the compilers we pay attention to only GCC performs this optimization in practice. 117 */ 118static inline void* sk_careful_memcpy(void* dst, const void* src, size_t len) { 119 // When we pass >0 len we had better already be passing valid pointers. 120 // So we just need to skip calling memcpy when len == 0. 121 if (len) { 122 memcpy(dst,src,len); 123 } 124 return dst; 125} 126 127#endif // SkMalloc_DEFINED 128