e1dd3c287b
This patch is a rewrite of libc.debug.malloc = 10 (chk_malloc). It provides the same features as the original (poison freed memory, detect heap overruns and underruns), except that it provides more debugging information whenever it detects a problem. In addition to the original features, the new chk_malloc() implementation detects multiple frees within a given range of the last N allocations, N being configurable via the system property libc.debug.malloc.backlog. Finally, this patch keeps track of all outstanding memory allocations. On program exit, we walk that list and report each outstanding allocation. (There is support (not enabled) for a scanner thread periodically walks over the list of outstanding allocations as well as the backlog of recently-freed allocations, checking for heap-usage errors.) Feature overview: 1) memory leaks 2) multiple frees 3) use after free 4) overrun Implementation: -- for each allocation, there is a: 1) stack trace at the time the allocation is made 2) if the memory is freed, there is also a stack trace at the point 3) a front and rear guard (fence) 4) the stack traces are kept together with the allocation -- the following lists and maintained 1) all outstanding memory allocations 3) a backlog of allocations what are freed; when you call free(), instead of actually freed, the allocation is moved to this backlog; 4) when the backlog of allocations gets full, the oldest entry gets evicted from it; at that point, the allocation is checked for overruns or use-after-free errors, and then actually freed. 5) when the program exits, the list of outstanding allocations and the backlog are inspected for errors, then freed; To use this, set the following system properties before running the process or processes you want to inspect: libc.malloc.debug.backlog # defaults to 100 libc.malloc.debug 10 When a problem is detected, you will see the following on logcat for a multiple free: E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 BYTES MULTIPLY FREED! E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 4009647c /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 FIRST FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096490 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 NOW BEING FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c6ac /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964a0 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a heap overrun and underrun: E/libc ( 7233): +++ REAR GUARD MISMATCH [10, 11) E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 HAS A CORRUPTED REAR GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 40096438 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 40096462 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 HAS A CORRUPTED FRONT GUARD E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 400964ba /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so E/libc ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 FREED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c7d2 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d94 /system/lib/libc.so E/libc ( 7233): #03 pc 400964e4 /system/bin/malloctest E/libc ( 7233): #04 pc 00016f24 /system/lib/libc.so The following for a memory leak: E/libc ( 7233): +++ THERE ARE 1 LEAKED ALLOCATIONS E/libc ( 7233): +++ DELETING 4096 BYTES OF LEAKED MEMORY AT 0x404b95e8 (1 REMAINING) E/libc ( 7233): +++ ALLOCATION 0x404b95e8 SIZE 4096 ALLOCATED HERE: E/libc ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** E/libc ( 7233): #00 pc 0000c35a /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #01 pc 0000c658 /system/lib/libc_malloc_debug_leak.so E/libc ( 7233): #02 pc 00016d80 /system/lib/libc.so E/libc ( 7233): #03 pc 0001bc94 /system/lib/libc.so E/libc ( 7233): #04 pc 0001edf6 /system/lib/libc.so E/libc ( 7233): #05 pc 0001b80a /system/lib/libc.so E/libc ( 7233): #06 pc 0001c086 /system/lib/libc.so E/libc ( 7233): #07 pc 40096402 /system/bin/malloctest E/libc ( 7233): #08 pc 00016f24 /system/lib/libc.so Change-Id: Ic440e9d05a01e2ea86b25e8998714e88bc2d16e0 Signed-off-by: Iliyan Malchev <malchev@google.com>
76 lines
2.6 KiB
C
76 lines
2.6 KiB
C
/*
|
|
* Copyright (C) 2012 The Android Open Source Project
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* * Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* * Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
|
|
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
|
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
|
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
#include <unwind.h>
|
|
#include <sys/types.h>
|
|
|
|
// =============================================================================
|
|
// stack trace functions
|
|
// =============================================================================
|
|
|
|
typedef struct
|
|
{
|
|
size_t count;
|
|
intptr_t* addrs;
|
|
} stack_crawl_state_t;
|
|
|
|
|
|
/* depends how the system includes define this */
|
|
#ifdef HAVE_UNWIND_CONTEXT_STRUCT
|
|
typedef struct _Unwind_Context __unwind_context;
|
|
#else
|
|
typedef _Unwind_Context __unwind_context;
|
|
#endif
|
|
|
|
static _Unwind_Reason_Code trace_function(__unwind_context *context, void *arg)
|
|
{
|
|
stack_crawl_state_t* state = (stack_crawl_state_t*)arg;
|
|
if (state->count) {
|
|
intptr_t ip = (intptr_t)_Unwind_GetIP(context);
|
|
if (ip) {
|
|
state->addrs[0] = ip;
|
|
state->addrs++;
|
|
state->count--;
|
|
return _URC_NO_REASON;
|
|
}
|
|
}
|
|
/*
|
|
* If we run out of space to record the address or 0 has been seen, stop
|
|
* unwinding the stack.
|
|
*/
|
|
return _URC_END_OF_STACK;
|
|
}
|
|
|
|
__LIBC_HIDDEN__
|
|
int get_backtrace(intptr_t* addrs, size_t max_entries)
|
|
{
|
|
stack_crawl_state_t state;
|
|
state.count = max_entries;
|
|
state.addrs = (intptr_t*)addrs;
|
|
_Unwind_Backtrace(trace_function, (void*)&state);
|
|
return max_entries - state.count;
|
|
}
|