tequilaOS/platform_bionic
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_bionic/libc/malloc_debug/MapData.h

104 lines
3.1 KiB
C
Raw Normal View History

bionic: import heaptracker as chk_malloc This patch is a rewrite of libc.debug.malloc = 10 (chk_malloc). It provides the same features as the original (poison freed memory, detect heap overruns and underruns), except that it provides more debugging information whenever it detects a problem. In addition to the original features, the new chk_malloc() implementation detects multiple frees within a given range of the last N allocations, N being configurable via the system property libc.debug.malloc.backlog. Finally, this patch keeps track of all outstanding memory allocations. On program exit, we walk that list and report each outstanding allocation. (There is support (not enabled) for a scanner thread periodically walks over the list of outstanding allocations as well as the backlog of recently-freed allocations, checking for heap-usage errors.) Feature overview: 1) memory leaks 2) multiple frees 3) use after free 4) overrun Implementation: -- for each allocation, there is a: 1) stack trace at the time the allocation is made 2) if the memory is freed, there is also a stack trace at the point 3) a front and rear guard (fence) 4) the stack traces are kept together with the allocation -- the following lists and maintained 1) all outstanding memory allocations 3) a backlog of allocations what are freed; when you call free(), instead of actually freed, the allocation is moved to this backlog; 4) when the backlog of allocations gets full, the oldest entry gets evicted from it; at that point, the allocation is checked for overruns or use-after-free errors, and then actually freed. 5) when the program exits, the list of outstanding allocations and the backlog are inspected for errors, then freed; To use this, set the following system properties before running the process or processes you want to inspect: libc.malloc.debug.backlog # defaults to 100 libc.malloc.debug 10 When a problem is detected, you will see the following on logcat for a multiple free: E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 BYTES MULTIPLY FREED! E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 4009647c /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 FIRST FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096490 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 NOW BEING FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c6ac /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964a0 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a heap overrun and underrun: E/libc ( 7233): +++ REAR GUARD MISMATCH [10, 11) E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 HAS A CORRUPTED REAR GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 40096438 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096462 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 HAS A CORRUPTED FRONT GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 400964ba /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964e4 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a memory leak: E/libc ( 7233): +++ THERE ARE 1 LEAKED ALLOCATIONS E/libc ( 7233): +++ DELETING 4096 BYTES OF LEAKED MEMORY AT 0x404b95e8 (1 REMAINING) E/libc ( 7233): +++ ALLOCATION 0x404b95e8 SIZE 4096 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 0001bc94 /system/lib/libc.so E/libc ( 7233): #04 pc 0001edf6 /system/lib/libc.so E/libc ( 7233): #05 pc 0001b80a /system/lib/libc.so E/libc ( 7233): #06 pc 0001c086 /system/lib/libc.so E/libc ( 7233): #07 pc 40096402 /system/bin/malloctest E/libc ( 7233): #08 pc 00016f24 /system/lib/libc.so Change-Id: Ic440e9d05a01e2ea86b25e8998714e88bc2d16e0 Signed-off-by: Iliyan Malchev <malchev@google.com>
2012-05-29 23:22:42 +02:00
/*
* Copyright (C) 2012 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
Switch the rest of our internal headers to #pragma once. We've been using #pragma once for new internal files, but let's be more bold. Bug: N/A Test: builds Change-Id: I7e2ee2730043bd884f9571cdbd8b524043030c07
2018-02-13 23:26:29 +01:00
#pragma once
bionic: import heaptracker as chk_malloc This patch is a rewrite of libc.debug.malloc = 10 (chk_malloc). It provides the same features as the original (poison freed memory, detect heap overruns and underruns), except that it provides more debugging information whenever it detects a problem. In addition to the original features, the new chk_malloc() implementation detects multiple frees within a given range of the last N allocations, N being configurable via the system property libc.debug.malloc.backlog. Finally, this patch keeps track of all outstanding memory allocations. On program exit, we walk that list and report each outstanding allocation. (There is support (not enabled) for a scanner thread periodically walks over the list of outstanding allocations as well as the backlog of recently-freed allocations, checking for heap-usage errors.) Feature overview: 1) memory leaks 2) multiple frees 3) use after free 4) overrun Implementation: -- for each allocation, there is a: 1) stack trace at the time the allocation is made 2) if the memory is freed, there is also a stack trace at the point 3) a front and rear guard (fence) 4) the stack traces are kept together with the allocation -- the following lists and maintained 1) all outstanding memory allocations 3) a backlog of allocations what are freed; when you call free(), instead of actually freed, the allocation is moved to this backlog; 4) when the backlog of allocations gets full, the oldest entry gets evicted from it; at that point, the allocation is checked for overruns or use-after-free errors, and then actually freed. 5) when the program exits, the list of outstanding allocations and the backlog are inspected for errors, then freed; To use this, set the following system properties before running the process or processes you want to inspect: libc.malloc.debug.backlog # defaults to 100 libc.malloc.debug 10 When a problem is detected, you will see the following on logcat for a multiple free: E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 BYTES MULTIPLY FREED! E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 4009647c /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 FIRST FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096490 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 NOW BEING FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c6ac /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964a0 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a heap overrun and underrun: E/libc ( 7233): +++ REAR GUARD MISMATCH [10, 11) E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 HAS A CORRUPTED REAR GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 40096438 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096462 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 HAS A CORRUPTED FRONT GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 400964ba /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964e4 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a memory leak: E/libc ( 7233): +++ THERE ARE 1 LEAKED ALLOCATIONS E/libc ( 7233): +++ DELETING 4096 BYTES OF LEAKED MEMORY AT 0x404b95e8 (1 REMAINING) E/libc ( 7233): +++ ALLOCATION 0x404b95e8 SIZE 4096 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 0001bc94 /system/lib/libc.so E/libc ( 7233): #04 pc 0001edf6 /system/lib/libc.so E/libc ( 7233): #05 pc 0001b80a /system/lib/libc.so E/libc ( 7233): #06 pc 0001c086 /system/lib/libc.so E/libc ( 7233): #07 pc 40096402 /system/bin/malloctest E/libc ( 7233): #08 pc 00016f24 /system/lib/libc.so Change-Id: Ic440e9d05a01e2ea86b25e8998714e88bc2d16e0 Signed-off-by: Iliyan Malchev <malchev@google.com>
2012-05-29 23:22:42 +02:00
#include <sys/cdefs.h>
malloc_debug: reread /proc/pid/maps when entry is missing Reread /proc/pid/maps on demand in case a new library has been loaded. Change-Id: Iac8109b3e6a07bf02c38300b21eecabf4bcd54df
2016-02-08 23:29:03 +01:00
#include <mutex>
#include <set>
Refactor malloc debug. Changes - Refactor the code so that only guards require creating a special header for every pointer allocated. - Store only a single copy of every backtrace. This saves memory so that turning on the backtrace option doesn't result in 10X memory usage. - Added new option track_allocs that only verifies pointers are valid for free/malloc_usable_size/realloc. - Remove suffix from test names. - Add the TRACK_ALLOCS options to all guard options. - Add new option verify_pointers that is a lightweight way to verify pointers that are passed to allocation routines. - Do auto-formatting of the code. - Updated documentation for all of these changes. Bug: 74361929 Test: Ran unit tests. Test: Ran libmemunreachable unit tests. Test: Ran an app with backtrace enabled. Change-Id: I3246c48ae4f9811f64622d90d0a9b4d9d818702c
2018-03-07 22:38:48 +01:00
#include <string>
Malloc debug rewrite. The major components of the rewrite: - Completely remove the qemu shared library code. Nobody was using it and it appears to have broken at some point. - Adds the ability to enable/disable different options independently. - Adds a new option that can enable the backtrace on alloc/free when a process gets a specific signal. - Adds a new way to enable malloc debug. If a special property is set, and the process has an environment variable set, then debug malloc will be enabled. This allows something that might be a derivative of app_process to be started with an environment variable being enabled. - get_malloc_leak_info() used to return one element for each pointer that had the exact same backtrace. The new version returns information for every one of the pointers with same backtrace. It turns out ddms already automatically coalesces these, so the old method simply hid the fact that there where multiple pointers with the same amount of backtrace. - Moved all of the malloc debug specific code into the library. Nothing related to the malloc debug data structures remains in libc. - Removed the calls to the debug malloc cleanup routine. Instead, I added an atexit call with the debug malloc cleanup routine. This gets around most problems related to the timing of doing the cleanup. The new properties and environment variables: libc.debug.malloc.options Set by option name (such as "backtrace"). Setting this to a bad value will cause a usage statement to be printed to the log. libc.debug.malloc.program Same as before. If this is set, then only the program named will be launched with malloc debug enabled. This is not a complete match, but if any part of the property is in the program name, malloc debug is enabled. libc.debug.malloc.env_enabled If set, then malloc debug is only enabled if the running process has the environment variable LIBC_DEBUG_MALLOC_ENABLE set. Bug: 19145921 Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
2015-11-17 02:30:32 +01:00
Move bionic_macros.h from private to platform. Test: treehugger Change-Id: Ie473914f4c8924c7240b3ac22093a9daf42fc948
2019-12-20 01:35:51 +01:00
#include <platform/bionic/macros.h>
Malloc debug rewrite. The major components of the rewrite: - Completely remove the qemu shared library code. Nobody was using it and it appears to have broken at some point. - Adds the ability to enable/disable different options independently. - Adds a new option that can enable the backtrace on alloc/free when a process gets a specific signal. - Adds a new way to enable malloc debug. If a special property is set, and the process has an environment variable set, then debug malloc will be enabled. This allows something that might be a derivative of app_process to be started with an environment variable being enabled. - get_malloc_leak_info() used to return one element for each pointer that had the exact same backtrace. The new version returns information for every one of the pointers with same backtrace. It turns out ddms already automatically coalesces these, so the old method simply hid the fact that there where multiple pointers with the same amount of backtrace. - Moved all of the malloc debug specific code into the library. Nothing related to the malloc debug data structures remains in libc. - Removed the calls to the debug malloc cleanup routine. Instead, I added an atexit call with the debug malloc cleanup routine. This gets around most problems related to the timing of doing the cleanup. The new properties and environment variables: libc.debug.malloc.options Set by option name (such as "backtrace"). Setting this to a bad value will cause a usage statement to be printed to the log. libc.debug.malloc.program Same as before. If this is set, then only the program named will be launched with malloc debug enabled. This is not a complete match, but if any part of the property is in the program name, malloc debug is enabled. libc.debug.malloc.env_enabled If set, then malloc debug is only enabled if the running process has the environment variable LIBC_DEBUG_MALLOC_ENABLE set. Bug: 19145921 Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
2015-11-17 02:30:32 +01:00
Read maps data before using and do safe reads. Rather than only updating the maps when a pc can't be found, always update the maps before using them. This avoids issues where the maps change and it could cause a crash reading from a map that has been modified. This assumes that executed code never gets unloaded, or that the code is unloaded so infrequently that it doesn't matter. This happens because the pcs for the backtraces are gathered as the program runs and those pcs are symbolized and made into relative pcs at a later time. Also, add safe reading of the elf data when necessary to avoid any crashes if maps are changing while this is running. Since the MapEntry objects can be deleted, copy the values for the current map in the backtrace code to detect when in our own code instead of keeping a pointer. Bug: 340988785 Test: malloc_debug unit/system tests pass. Test: libmemunreachable tests pass. Change-Id: Ica2ba50a5bcf9e19c7e4033e29a5a67a1847d1a6
2024-05-16 23:15:15 +02:00
class MapEntry {
public:
MapEntry() = default;
MapEntry(uintptr_t start, uintptr_t end, uintptr_t offset, const char* name, size_t name_len,
int flags)
: start_(start), end_(end), offset_(offset), name_(name, name_len), flags_(flags) {}
explicit MapEntry(uintptr_t pc) : start_(pc), end_(pc) {}
void Init();
uintptr_t GetLoadBias();
void SetInvalid() {
valid_ = false;
init_ = true;
load_bias_read_ = true;
}
bool valid() { return valid_; }
uintptr_t start() const { return start_; }
uintptr_t end() const { return end_; }
uintptr_t offset() const { return offset_; }
uintptr_t elf_start_offset() const { return elf_start_offset_; }
void set_elf_start_offset(uintptr_t elf_start_offset) { elf_start_offset_ = elf_start_offset; }
const std::string& name() const { return name_; }
int flags() const { return flags_; }
private:
uintptr_t start_;
uintptr_t end_;
uintptr_t offset_;
uintptr_t load_bias_ = 0;
uintptr_t elf_start_offset_ = 0;
std::string name_;
int flags_;
bool init_ = false;
bool valid_ = false;
bool load_bias_read_ = false;
Clean up warnings in the malloc_debug_* files. Also clean up cpplint.py-detected lint. Change-Id: Ia18e89c4c6878764f8d7ed34b8247e7a8d8fe88b
2012-08-28 23:15:04 +02:00
};
bionic: import heaptracker as chk_malloc This patch is a rewrite of libc.debug.malloc = 10 (chk_malloc). It provides the same features as the original (poison freed memory, detect heap overruns and underruns), except that it provides more debugging information whenever it detects a problem. In addition to the original features, the new chk_malloc() implementation detects multiple frees within a given range of the last N allocations, N being configurable via the system property libc.debug.malloc.backlog. Finally, this patch keeps track of all outstanding memory allocations. On program exit, we walk that list and report each outstanding allocation. (There is support (not enabled) for a scanner thread periodically walks over the list of outstanding allocations as well as the backlog of recently-freed allocations, checking for heap-usage errors.) Feature overview: 1) memory leaks 2) multiple frees 3) use after free 4) overrun Implementation: -- for each allocation, there is a: 1) stack trace at the time the allocation is made 2) if the memory is freed, there is also a stack trace at the point 3) a front and rear guard (fence) 4) the stack traces are kept together with the allocation -- the following lists and maintained 1) all outstanding memory allocations 3) a backlog of allocations what are freed; when you call free(), instead of actually freed, the allocation is moved to this backlog; 4) when the backlog of allocations gets full, the oldest entry gets evicted from it; at that point, the allocation is checked for overruns or use-after-free errors, and then actually freed. 5) when the program exits, the list of outstanding allocations and the backlog are inspected for errors, then freed; To use this, set the following system properties before running the process or processes you want to inspect: libc.malloc.debug.backlog # defaults to 100 libc.malloc.debug 10 When a problem is detected, you will see the following on logcat for a multiple free: E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 BYTES MULTIPLY FREED! E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 4009647c /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 FIRST FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096490 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 NOW BEING FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c6ac /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964a0 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a heap overrun and underrun: E/libc ( 7233): +++ REAR GUARD MISMATCH [10, 11) E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 HAS A CORRUPTED REAR GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 40096438 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096462 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 HAS A CORRUPTED FRONT GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 400964ba /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964e4 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a memory leak: E/libc ( 7233): +++ THERE ARE 1 LEAKED ALLOCATIONS E/libc ( 7233): +++ DELETING 4096 BYTES OF LEAKED MEMORY AT 0x404b95e8 (1 REMAINING) E/libc ( 7233): +++ ALLOCATION 0x404b95e8 SIZE 4096 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 0001bc94 /system/lib/libc.so E/libc ( 7233): #04 pc 0001edf6 /system/lib/libc.so E/libc ( 7233): #05 pc 0001b80a /system/lib/libc.so E/libc ( 7233): #06 pc 0001c086 /system/lib/libc.so E/libc ( 7233): #07 pc 40096402 /system/bin/malloctest E/libc ( 7233): #08 pc 00016f24 /system/lib/libc.so Change-Id: Ic440e9d05a01e2ea86b25e8998714e88bc2d16e0 Signed-off-by: Iliyan Malchev <malchev@google.com>
2012-05-29 23:22:42 +02:00
malloc_debug: reread /proc/pid/maps when entry is missing Reread /proc/pid/maps on demand in case a new library has been loaded. Change-Id: Iac8109b3e6a07bf02c38300b21eecabf4bcd54df
2016-02-08 23:29:03 +01:00
// Ordering comparator that returns equivalence for overlapping entries
struct compare_entries {
Read maps data before using and do safe reads. Rather than only updating the maps when a pc can't be found, always update the maps before using them. This avoids issues where the maps change and it could cause a crash reading from a map that has been modified. This assumes that executed code never gets unloaded, or that the code is unloaded so infrequently that it doesn't matter. This happens because the pcs for the backtraces are gathered as the program runs and those pcs are symbolized and made into relative pcs at a later time. Also, add safe reading of the elf data when necessary to avoid any crashes if maps are changing while this is running. Since the MapEntry objects can be deleted, copy the values for the current map in the backtrace code to detect when in our own code instead of keeping a pointer. Bug: 340988785 Test: malloc_debug unit/system tests pass. Test: libmemunreachable tests pass. Change-Id: Ica2ba50a5bcf9e19c7e4033e29a5a67a1847d1a6
2024-05-16 23:15:15 +02:00
bool operator()(const MapEntry* a, const MapEntry* b) const { return a->end() <= b->start(); }
malloc_debug: reread /proc/pid/maps when entry is missing Reread /proc/pid/maps on demand in case a new library has been loaded. Change-Id: Iac8109b3e6a07bf02c38300b21eecabf4bcd54df
2016-02-08 23:29:03 +01:00
};
Malloc debug rewrite. The major components of the rewrite: - Completely remove the qemu shared library code. Nobody was using it and it appears to have broken at some point. - Adds the ability to enable/disable different options independently. - Adds a new option that can enable the backtrace on alloc/free when a process gets a specific signal. - Adds a new way to enable malloc debug. If a special property is set, and the process has an environment variable set, then debug malloc will be enabled. This allows something that might be a derivative of app_process to be started with an environment variable being enabled. - get_malloc_leak_info() used to return one element for each pointer that had the exact same backtrace. The new version returns information for every one of the pointers with same backtrace. It turns out ddms already automatically coalesces these, so the old method simply hid the fact that there where multiple pointers with the same amount of backtrace. - Moved all of the malloc debug specific code into the library. Nothing related to the malloc debug data structures remains in libc. - Removed the calls to the debug malloc cleanup routine. Instead, I added an atexit call with the debug malloc cleanup routine. This gets around most problems related to the timing of doing the cleanup. The new properties and environment variables: libc.debug.malloc.options Set by option name (such as "backtrace"). Setting this to a bad value will cause a usage statement to be printed to the log. libc.debug.malloc.program Same as before. If this is set, then only the program named will be launched with malloc debug enabled. This is not a complete match, but if any part of the property is in the program name, malloc debug is enabled. libc.debug.malloc.env_enabled If set, then malloc debug is only enabled if the running process has the environment variable LIBC_DEBUG_MALLOC_ENABLE set. Bug: 19145921 Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
2015-11-17 02:30:32 +01:00
class MapData {
public:
malloc_debug: reread /proc/pid/maps when entry is missing Reread /proc/pid/maps on demand in case a new library has been loaded. Change-Id: Iac8109b3e6a07bf02c38300b21eecabf4bcd54df
2016-02-08 23:29:03 +01:00
MapData() = default;
Malloc debug rewrite. The major components of the rewrite: - Completely remove the qemu shared library code. Nobody was using it and it appears to have broken at some point. - Adds the ability to enable/disable different options independently. - Adds a new option that can enable the backtrace on alloc/free when a process gets a specific signal. - Adds a new way to enable malloc debug. If a special property is set, and the process has an environment variable set, then debug malloc will be enabled. This allows something that might be a derivative of app_process to be started with an environment variable being enabled. - get_malloc_leak_info() used to return one element for each pointer that had the exact same backtrace. The new version returns information for every one of the pointers with same backtrace. It turns out ddms already automatically coalesces these, so the old method simply hid the fact that there where multiple pointers with the same amount of backtrace. - Moved all of the malloc debug specific code into the library. Nothing related to the malloc debug data structures remains in libc. - Removed the calls to the debug malloc cleanup routine. Instead, I added an atexit call with the debug malloc cleanup routine. This gets around most problems related to the timing of doing the cleanup. The new properties and environment variables: libc.debug.malloc.options Set by option name (such as "backtrace"). Setting this to a bad value will cause a usage statement to be printed to the log. libc.debug.malloc.program Same as before. If this is set, then only the program named will be launched with malloc debug enabled. This is not a complete match, but if any part of the property is in the program name, malloc debug is enabled. libc.debug.malloc.env_enabled If set, then malloc debug is only enabled if the running process has the environment variable LIBC_DEBUG_MALLOC_ENABLE set. Bug: 19145921 Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
2015-11-17 02:30:32 +01:00
~MapData();
const MapEntry* find(uintptr_t pc, uintptr_t* rel_pc = nullptr);
Read maps data before using and do safe reads. Rather than only updating the maps when a pc can't be found, always update the maps before using them. This avoids issues where the maps change and it could cause a crash reading from a map that has been modified. This assumes that executed code never gets unloaded, or that the code is unloaded so infrequently that it doesn't matter. This happens because the pcs for the backtraces are gathered as the program runs and those pcs are symbolized and made into relative pcs at a later time. Also, add safe reading of the elf data when necessary to avoid any crashes if maps are changing while this is running. Since the MapEntry objects can be deleted, copy the values for the current map in the backtrace code to detect when in our own code instead of keeping a pointer. Bug: 340988785 Test: malloc_debug unit/system tests pass. Test: libmemunreachable tests pass. Change-Id: Ica2ba50a5bcf9e19c7e4033e29a5a67a1847d1a6
2024-05-16 23:15:15 +02:00
size_t NumMaps() { return entries_.size(); }
Malloc debug rewrite. The major components of the rewrite: - Completely remove the qemu shared library code. Nobody was using it and it appears to have broken at some point. - Adds the ability to enable/disable different options independently. - Adds a new option that can enable the backtrace on alloc/free when a process gets a specific signal. - Adds a new way to enable malloc debug. If a special property is set, and the process has an environment variable set, then debug malloc will be enabled. This allows something that might be a derivative of app_process to be started with an environment variable being enabled. - get_malloc_leak_info() used to return one element for each pointer that had the exact same backtrace. The new version returns information for every one of the pointers with same backtrace. It turns out ddms already automatically coalesces these, so the old method simply hid the fact that there where multiple pointers with the same amount of backtrace. - Moved all of the malloc debug specific code into the library. Nothing related to the malloc debug data structures remains in libc. - Removed the calls to the debug malloc cleanup routine. Instead, I added an atexit call with the debug malloc cleanup routine. This gets around most problems related to the timing of doing the cleanup. The new properties and environment variables: libc.debug.malloc.options Set by option name (such as "backtrace"). Setting this to a bad value will cause a usage statement to be printed to the log. libc.debug.malloc.program Same as before. If this is set, then only the program named will be launched with malloc debug enabled. This is not a complete match, but if any part of the property is in the program name, malloc debug is enabled. libc.debug.malloc.env_enabled If set, then malloc debug is only enabled if the running process has the environment variable LIBC_DEBUG_MALLOC_ENABLE set. Bug: 19145921 Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
2015-11-17 02:30:32 +01:00
Read maps data before using and do safe reads. Rather than only updating the maps when a pc can't be found, always update the maps before using them. This avoids issues where the maps change and it could cause a crash reading from a map that has been modified. This assumes that executed code never gets unloaded, or that the code is unloaded so infrequently that it doesn't matter. This happens because the pcs for the backtraces are gathered as the program runs and those pcs are symbolized and made into relative pcs at a later time. Also, add safe reading of the elf data when necessary to avoid any crashes if maps are changing while this is running. Since the MapEntry objects can be deleted, copy the values for the current map in the backtrace code to detect when in our own code instead of keeping a pointer. Bug: 340988785 Test: malloc_debug unit/system tests pass. Test: libmemunreachable tests pass. Change-Id: Ica2ba50a5bcf9e19c7e4033e29a5a67a1847d1a6
2024-05-16 23:15:15 +02:00
void ReadMaps();
private:
malloc_debug: reread /proc/pid/maps when entry is missing Reread /proc/pid/maps on demand in case a new library has been loaded. Change-Id: Iac8109b3e6a07bf02c38300b21eecabf4bcd54df
2016-02-08 23:29:03 +01:00
std::mutex m_;
std::set<MapEntry*, compare_entries> entries_;
Malloc debug rewrite. The major components of the rewrite: - Completely remove the qemu shared library code. Nobody was using it and it appears to have broken at some point. - Adds the ability to enable/disable different options independently. - Adds a new option that can enable the backtrace on alloc/free when a process gets a specific signal. - Adds a new way to enable malloc debug. If a special property is set, and the process has an environment variable set, then debug malloc will be enabled. This allows something that might be a derivative of app_process to be started with an environment variable being enabled. - get_malloc_leak_info() used to return one element for each pointer that had the exact same backtrace. The new version returns information for every one of the pointers with same backtrace. It turns out ddms already automatically coalesces these, so the old method simply hid the fact that there where multiple pointers with the same amount of backtrace. - Moved all of the malloc debug specific code into the library. Nothing related to the malloc debug data structures remains in libc. - Removed the calls to the debug malloc cleanup routine. Instead, I added an atexit call with the debug malloc cleanup routine. This gets around most problems related to the timing of doing the cleanup. The new properties and environment variables: libc.debug.malloc.options Set by option name (such as "backtrace"). Setting this to a bad value will cause a usage statement to be printed to the log. libc.debug.malloc.program Same as before. If this is set, then only the program named will be launched with malloc debug enabled. This is not a complete match, but if any part of the property is in the program name, malloc debug is enabled. libc.debug.malloc.env_enabled If set, then malloc debug is only enabled if the running process has the environment variable LIBC_DEBUG_MALLOC_ENABLE set. Bug: 19145921 Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
2015-11-17 02:30:32 +01:00
Read maps data before using and do safe reads. Rather than only updating the maps when a pc can't be found, always update the maps before using them. This avoids issues where the maps change and it could cause a crash reading from a map that has been modified. This assumes that executed code never gets unloaded, or that the code is unloaded so infrequently that it doesn't matter. This happens because the pcs for the backtraces are gathered as the program runs and those pcs are symbolized and made into relative pcs at a later time. Also, add safe reading of the elf data when necessary to avoid any crashes if maps are changing while this is running. Since the MapEntry objects can be deleted, copy the values for the current map in the backtrace code to detect when in our own code instead of keeping a pointer. Bug: 340988785 Test: malloc_debug unit/system tests pass. Test: libmemunreachable tests pass. Change-Id: Ica2ba50a5bcf9e19c7e4033e29a5a67a1847d1a6
2024-05-16 23:15:15 +02:00
void ClearEntries();
Clean up bionic_macros.h a bit. Use <android-base/macros.h> instead where possible, and move the bionic macros out of the way of the libbase ones. Yes, there are folks who manage to end up with both included at once (thanks OpenGL!), and cleaning that up doesn't seem nearly as practical as just making this change. Bug: N/A Test: builds Change-Id: I23fc544f39d5addf81dc61471771a5438778895b
2018-10-25 20:00:00 +02:00
BIONIC_DISALLOW_COPY_AND_ASSIGN(MapData);
Malloc debug rewrite. The major components of the rewrite: - Completely remove the qemu shared library code. Nobody was using it and it appears to have broken at some point. - Adds the ability to enable/disable different options independently. - Adds a new option that can enable the backtrace on alloc/free when a process gets a specific signal. - Adds a new way to enable malloc debug. If a special property is set, and the process has an environment variable set, then debug malloc will be enabled. This allows something that might be a derivative of app_process to be started with an environment variable being enabled. - get_malloc_leak_info() used to return one element for each pointer that had the exact same backtrace. The new version returns information for every one of the pointers with same backtrace. It turns out ddms already automatically coalesces these, so the old method simply hid the fact that there where multiple pointers with the same amount of backtrace. - Moved all of the malloc debug specific code into the library. Nothing related to the malloc debug data structures remains in libc. - Removed the calls to the debug malloc cleanup routine. Instead, I added an atexit call with the debug malloc cleanup routine. This gets around most problems related to the timing of doing the cleanup. The new properties and environment variables: libc.debug.malloc.options Set by option name (such as "backtrace"). Setting this to a bad value will cause a usage statement to be printed to the log. libc.debug.malloc.program Same as before. If this is set, then only the program named will be launched with malloc debug enabled. This is not a complete match, but if any part of the property is in the program name, malloc debug is enabled. libc.debug.malloc.env_enabled If set, then malloc debug is only enabled if the running process has the environment variable LIBC_DEBUG_MALLOC_ENABLE set. Bug: 19145921 Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
2015-11-17 02:30:32 +01:00
};
Reference in a new issue Copy permalink