Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 14152b9f31cc13c4fbffcbdf8155f3c3ee0c33a7 / . / libc / bionic / malloc_debug_qemu.cpp
blob: 2f4949b121ecfde643ed8bbba6674c528b87c9cd [file] [log] [blame]
/*
* Copyright (C) 2009 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* Contains implementation of memory allocation routines instrumented for
* usage in the emulator to detect memory allocation violations, such as
* memory leaks, buffer overruns, etc.
* Code, implemented here is intended to run in the emulated environment only,
* and serves simply as hooks into memory allocation routines. Main job of this
* code is to notify the emulator about memory being allocated/deallocated,
* providing information about each allocation. The idea is that emulator will
* keep list of currently allocated blocks, and, knowing boundaries of each
* block it will be able to verify that ld/st access to these blocks don't step
* over boundaries set for the user. To enforce that, each memory block
* allocated by this code is guarded with "prefix" and "suffix" areas, so
* every time emulator detects access to any of these guarding areas, it can be
* considered as access violation.
*/
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <pthread.h>
#include <unistd.h>
#include <errno.h>
#include "malloc_debug_common.h"
#include "private/bionic_macros.h"
#include "private/libc_logging.h"
/* This file should be included into the build only when
* MALLOC_QEMU_INSTRUMENT macro is defined. */
#ifndef MALLOC_QEMU_INSTRUMENT
#error MALLOC_QEMU_INSTRUMENT is not defined.
#endif // !MALLOC_QEMU_INSTRUMENT
/* Controls access violation test performed to make sure that we catch AVs
* all the time they occur. See test_access_violation for more info. This macro
* is used for internal testing purposes and should always be set to zero for
* the production builds. */
#define TEST_ACCESS_VIOLATIONS 0
// =============================================================================
// Communication structures
// =============================================================================
/* Describes memory block allocated from the heap. This structure is passed
* along with TRACE_DEV_REG_MALLOC event. This descriptor is used to inform
* the emulator about new memory block being allocated from the heap. The entire
* structure is initialized by the guest system before event is fired up. It is
* important to remember that same structure (an exact copy, except for
* replacing pointers with target_ulong) is also declared in the emulator's
* sources (file memcheck/memcheck_common.h). So, every time a change is made to
* any of these two declaration, another one must be also updated accordingly.
*/
struct MallocDesc {
/* Pointer to the memory block actually allocated from the heap. Note that
* this is not the pointer that is returned to the malloc's caller. Pointer
* returned to the caller is calculated by adding value stored in this field
* to the value stored in prefix_size field of this structure.
*/
void* ptr;
/* Number of bytes requested by the malloc's caller. */
uint32_t requested_bytes;
/* Byte size of the prefix data. Actual pointer returned to the malloc's
* caller is calculated by adding value stored in this field to the value
* stored in in the ptr field of this structure.
*/
uint32_t prefix_size;
/* Byte size of the suffix data. */
uint32_t suffix_size;
/* Id of the process that initialized libc instance, in which allocation
* has occurred. This field is used by the emulator to report errors in
* the course of TRACE_DEV_REG_MALLOC event handling. In case of an error,
* emulator sets this field to zero (invalid value for a process ID).
*/
uint32_t libc_pid;
/* Id of the process in context of which allocation has occurred.
* Value in this field may differ from libc_pid value, if process that
* is doing allocation has been forked from the process that initialized
* libc instance.
*/
uint32_t allocator_pid;
/* Number of access violations detected on this allocation. */
uint32_t av_count;
};
/* Describes memory block info queried from emulator. This structure is passed
* along with TRACE_DEV_REG_QUERY_MALLOC event. When handling free and realloc
* calls, it is required that we have information about memory blocks that were
* actually allocated in previous calls to malloc, calloc, memalign, or realloc.
* Since we don't keep this information directly in the allocated block, but
* rather we keep it in the emulator, we need to query emulator for that
* information with TRACE_DEV_REG_QUERY_MALLOC query. The entire structure is
* initialized by the guest system before event is fired up. It is important to
* remember that same structure (an exact copy, except for replacing pointers
* with target_ulong) is also declared in the emulator's sources (file
* memcheck/memecheck_common.h). So, every time a change is made to any of these
* two declaration, another one must be also updated accordingly.
*/
struct MallocDescQuery {
/* Pointer, for which information is queried. Note that this pointer doesn't
* have to be exact pointer returned to malloc's caller, but can point
* anywhere inside an allocated block, including guarding areas. Emulator
* will respond with information about allocated block that contains this
* pointer.
*/
const void* ptr;
/* Id of the process that initialized libc instance, in which this query
* is called. This field is used by the emulator to report errors in
* the course of TRACE_DEV_REG_QUERY_MALLOC event handling. In case of an
* error, emulator sets this field to zero (invalid value for a process ID).
*/
uint32_t libc_pid;
/* Process ID in context of which query is made. */
uint32_t query_pid;
/* Code of the allocation routine, in context of which query has been made:
* 1 - free
* 2 - realloc
*/
uint32_t routine;
/* Address of memory allocation descriptor for the queried pointer.
* Descriptor, addressed by this field is initialized by the emulator in
* response to the query.
*/
MallocDesc* desc;
};
/* Describes memory block that is being freed back to the heap. This structure
* is passed along with TRACE_DEV_REG_FREE_PTR event. The entire structure is
* initialized by the guest system before event is fired up. It is important to
* remember that same structure (an exact copy, except for replacing pointers
* with target_ulong) is also declared in the emulator's sources (file
* memcheck/memecheck_common.h). So, every time a change is made to any of these
* two declaration, another one must be also updated accordingly.
*/
struct MallocFree {
/* Pointer to be freed. */
void* ptr;
/* Id of the process that initialized libc instance, in which this free
* is called. This field is used by the emulator to report errors in
* the course of TRACE_DEV_REG_FREE_PTR event handling. In case of an
* error, emulator sets this field to zero (invalid value for a process ID).
*/
uint32_t libc_pid;
/* Process ID in context of which memory is being freed. */
uint32_t free_pid;
};
// =============================================================================
// Communication events
// =============================================================================
/* Notifies the emulator that libc has been initialized for a process.
* Event's value parameter is PID for the process in context of which libc has
* been initialized.
*/
#define TRACE_DEV_REG_LIBC_INIT 1536
/* Notifies the emulator about new memory block been allocated.
* Event's value parameter points to MallocDesc instance that contains
* allocated block information. Note that 'libc_pid' field of the descriptor
* is used by emulator to report failure in handling this event. In case
* of a failure emulator will zero that field before completing this event.
*/
#define TRACE_DEV_REG_MALLOC 1537
/* Notifies the emulator about memory block being freed.
* Event's value parameter points to MallocFree descriptor that contains
* information about block that's being freed. Note that 'libc_pid' field
* of the descriptor is used by emulator to report failure in handling this
* event. In case of a failure emulator will zero that field before completing
* this event.
*/
#define TRACE_DEV_REG_FREE_PTR 1538
/* Queries the emulator about allocated memory block information.
* Event's value parameter points to MallocDescQuery descriptor that contains
* query parameters. Note that 'libc_pid' field of the descriptor is used by
* emulator to report failure in handling this event. In case of a failure
* emulator will zero that field before completing this event.
*/
#define TRACE_DEV_REG_QUERY_MALLOC 1539
/* Queries the emulator to print a string to its stdout.
* Event's value parameter points to a zero-terminated string to be printed.
*/
#define TRACE_DEV_REG_PRINT_USER_STR 1540
static void notify_qemu_string(const char* str);
static void qemu_log(int prio, const char* fmt, ...);
static void dump_malloc_descriptor(char* str,
size_t str_buf_size,
const MallocDesc* desc);
// =============================================================================
// Macros
// =============================================================================
/* Defines default size of allocation prefix.
* Note that we make prefix area quite large in order to increase chances of
* catching buffer overflow. */
#define DEFAULT_PREFIX_SIZE (malloc_alignment * 4)
/* Defines default size of allocation suffix.
* Note that we make suffix area quite large in order to increase chances of
* catching buffer overflow. */
#define DEFAULT_SUFFIX_SIZE (malloc_alignment * 4)
/* Debug tracing has been enabled by the emulator. */
#define DEBUG_TRACING_ENABLED 0x00000001
/* Error tracing has been enabled by the emulator. */
#define ERROR_TRACING_ENABLED 0x00000002
/* Info tracing has been enabled by the emulator. */
#define INFO_TRACING_ENABLED 0x00000004
/* All tracing flags combined. */
#define ALL_TRACING_ENABLED (DEBUG_TRACING_ENABLED | \
ERROR_TRACING_ENABLED | \
INFO_TRACING_ENABLED)
/* Prints a string to the emulator's stdout.
* In early stages of system loading, logging messages to logcat
* is not available, because ADB API has not been
* hooked up yet. So, in order to see such messages we need to print them to
* the emulator's stdout.
* Parameters passed to this macro are the same as parameters for printf
* routine.
*/
#define TR(...) \
do { \
char tr_str[4096]; \
snprintf(tr_str, sizeof(tr_str), __VA_ARGS__); \
tr_str[sizeof(tr_str) - 1] = '\0'; \
notify_qemu_string(&tr_str[0]); \
} while (0)
// =============================================================================
// Logging macros. Note that we simultaneously log messages to ADB and emulator.
// =============================================================================
/*
* Helper macros for checking if particular trace level is enabled.
*/
#define debug_LOG_ENABLED ((tracing_flags & DEBUG_TRACING_ENABLED) != 0)
#define error_LOG_ENABLED ((tracing_flags & ERROR_TRACING_ENABLED) != 0)
#define info_LOG_ENABLED ((tracing_flags & INFO_TRACING_ENABLED) != 0)
#define tracing_enabled(type) (type##_LOG_ENABLED)
/*
* Logging helper macros.
*/
#define qemu_debug_log(format, ...) \
do { \
__libc_format_log(ANDROID_LOG_DEBUG, "memcheck", (format), ##__VA_ARGS__); \
if (tracing_flags & DEBUG_TRACING_ENABLED) { \
qemu_log(ANDROID_LOG_DEBUG, (format), ##__VA_ARGS__); \
} \
} while (0)
#define qemu_error_log(format, ...) \
do { \
__libc_format_log(ANDROID_LOG_ERROR, "memcheck", (format), ##__VA_ARGS__); \
if (tracing_flags & ERROR_TRACING_ENABLED) { \
qemu_log(ANDROID_LOG_ERROR, (format), ##__VA_ARGS__); \
} \
} while (0)
#define qemu_info_log(format, ...) \
do { \
__libc_format_log(ANDROID_LOG_INFO, "memcheck", (format), ##__VA_ARGS__); \
if (tracing_flags & INFO_TRACING_ENABLED) { \
qemu_log(ANDROID_LOG_INFO, (format), ##__VA_ARGS__); \
} \
} while (0)
/* Logs message dumping MallocDesc instance at the end of the message.
* Param:
* type - Message type: debug, error, or info
* desc - MallocDesc instance to dump.
* fmt + rest - Formats message preceding dumped descriptor.
*/
#define log_mdesc(type, desc, fmt, ...) \
do { \
if (tracing_enabled(type)) { \
char log_str[4096]; \
__libc_format_buffer(log_str, sizeof(log_str), fmt, ##__VA_ARGS__); \
log_str[sizeof(log_str) - 1] = '\0'; \
size_t str_len = strlen(log_str); \
dump_malloc_descriptor(log_str + str_len, \
sizeof(log_str) - str_len, \
(desc)); \
type##_log("%s", log_str); \
} \
} while (0)
// =============================================================================
// Static data
// =============================================================================
// The underlying malloc implementation to use to get memory.
static const MallocDebug* g_malloc_dispatch = NULL;
/* Emulator's magic page address.
* This page (mapped on /dev/qemu_trace device) is used to fire up events
* in the emulator. */
static volatile void* qtrace = NULL;
/* Cached PID of the process in context of which this libc instance
* has been initialized. */
static uint32_t malloc_pid = 0;
/* Memory allocation alignment that is used in the malloc implementation.
* This variable is updated by memcheck_initialize routine. */
static uint32_t malloc_alignment = 8;
/* Tracing flags. These flags control which types of logging messages are
* enabled by the emulator. See XXX_TRACING_ENABLED for the values of flags
* stored in this variable. This variable is updated by memcheck_initialize
* routine. */
static uint32_t tracing_flags = 0;
// =============================================================================
// Static routines
// =============================================================================
/* Gets pointer, returned to malloc caller for the given allocation decriptor.
* Param:
* desc - Allocation descriptor.
* Return:
* Pointer to the allocated memory returned to the malloc caller.
*/
static inline void* mallocdesc_user_ptr(const MallocDesc* desc) {
return static_cast<char*>(desc->ptr) + desc->prefix_size;
}
/* Gets size of memory block actually allocated from the heap for the given
* allocation decriptor.
* Param:
* desc - Allocation descriptor.
* Return:
* Size of memory block actually allocated from the heap.
*/
static inline uint32_t mallocdesc_alloc_size(const MallocDesc* desc) {
return desc->prefix_size + desc->requested_bytes + desc->suffix_size;
}
/* Gets pointer to the end of the allocated block for the given descriptor.
* Param:
* desc - Descriptor for the memory block, allocated in malloc handler.
* Return:
* Pointer to the end of (one byte past) the allocated block.
*/
static inline void* mallocdesc_alloc_end(const MallocDesc* desc) {
return static_cast<char*>(desc->ptr) + mallocdesc_alloc_size(desc);
}
/* Fires up an event in the emulator.
* Param:
* code - Event code (one of the TRACE_DEV_XXX).
* val - Event's value parameter.
*/
static inline void notify_qemu(uint32_t code, uintptr_t val) {
if (NULL != qtrace) {
*(volatile uintptr_t*)((uintptr_t)qtrace + ((code - 1024) << 2)) = val;
}
}
/* Prints a zero-terminated string to the emulator's stdout (fires up
* TRACE_DEV_REG_PRINT_USER_STR event in the emulator).
* Param:
* str - Zero-terminated string to print.
*/
static void notify_qemu_string(const char* str) {
if (str != NULL) {
notify_qemu(TRACE_DEV_REG_PRINT_USER_STR, reinterpret_cast<uintptr_t>(str));
}
}
/* Fires up TRACE_DEV_REG_LIBC_INIT event in the emulator.
* Param:
* pid - ID of the process that initialized libc.
*/
static void notify_qemu_libc_initialized(uint32_t pid) {
notify_qemu(TRACE_DEV_REG_LIBC_INIT, pid);
}
/* Fires up TRACE_DEV_REG_MALLOC event in the emulator.
* Param:
* desc - Pointer to MallocDesc instance containing allocated block
* information.
* Return:
* Zero on success, or -1 on failure. Note that on failure libc_pid field of
* the desc parameter passed to this routine has been zeroed out by the
* emulator.
*/
static inline int notify_qemu_malloc(volatile MallocDesc* desc) {
desc->libc_pid = malloc_pid;
desc->allocator_pid = getpid();
desc->av_count = 0;
notify_qemu(TRACE_DEV_REG_MALLOC, reinterpret_cast<uintptr_t>(desc));
/* Emulator reports failure by zeroing libc_pid field of the
* descriptor. */
return desc->libc_pid != 0 ? 0 : -1;
}
/* Fires up TRACE_DEV_REG_FREE_PTR event in the emulator.
* Param:
* ptr - Pointer to the memory block that's being freed.
* Return:
* Zero on success, or -1 on failure.
*/
static inline int notify_qemu_free(void* ptr_to_free) {
volatile MallocFree free_desc;
free_desc.ptr = ptr_to_free;
free_desc.libc_pid = malloc_pid;
free_desc.free_pid = getpid();
notify_qemu(TRACE_DEV_REG_FREE_PTR, reinterpret_cast<uintptr_t>(&free_desc));
/* Emulator reports failure by zeroing libc_pid field of the
* descriptor. */
return free_desc.libc_pid != 0 ? 0 : -1;
}
/* Fires up TRACE_DEV_REG_QUERY_MALLOC event in the emulator.
* Param:
* ptr - Pointer to request allocation information for.
* desc - Pointer to MallocDesc instance that will receive allocation
* information.
* routine - Code of the allocation routine, in context of which query is made:
* 1 - free
* 2 - realloc
* Return:
* Zero on success, or -1 on failure.
*/
static inline int query_qemu_malloc_info(const void* ptr, MallocDesc* desc, uint32_t routine) {
volatile MallocDescQuery query;
query.ptr = ptr;
query.libc_pid = malloc_pid;
query.query_pid = getpid();
query.routine = routine;
query.desc = desc;
notify_qemu(TRACE_DEV_REG_QUERY_MALLOC, reinterpret_cast<uintptr_t>(&query));
/* Emulator reports failure by zeroing libc_pid field of the
* descriptor. */
return query.libc_pid != 0 ? 0 : -1;
}
/* Logs a message to emulator's stdout.
* Param:
* prio - Message priority (debug, info, or error)
* fmt + rest - Message format and parameters.
*/
static void qemu_log(int prio, const char* fmt, ...) {
va_list ap;
char buf[4096];
const char* prefix;
/* Choose message prefix depending on the priority value. */
switch (prio) {
case ANDROID_LOG_ERROR:
if (!tracing_enabled(error)) {
return;
}
prefix = "E";
break;
case ANDROID_LOG_INFO:
if (!tracing_enabled(info)) {
return;
}
prefix = "I";
break;
case ANDROID_LOG_DEBUG:
default:
if (!tracing_enabled(debug)) {
return;
}
prefix = "D";
break;
}
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
buf[sizeof(buf) - 1] = '\0';
TR("%s/memcheck: %s\n", prefix, buf);
}
/* Dumps content of memory allocation descriptor to a string.
* Param:
* str - String to dump descriptor to.
* str_buf_size - Size of string's buffer.
* desc - Descriptor to dump.
*/
static void dump_malloc_descriptor(char* str, size_t str_buf_size, const MallocDesc* desc) {
if (str_buf_size) {
snprintf(str, str_buf_size,
"MDesc: %p: %p <-> %p [%u + %u + %u] by pid=%03u in libc_pid=%03u",
mallocdesc_user_ptr(desc), desc->ptr,
mallocdesc_alloc_end(desc), desc->prefix_size,
desc->requested_bytes, desc->suffix_size, desc->allocator_pid,
desc->libc_pid);
str[str_buf_size - 1] = '\0';
}
}
#if TEST_ACCESS_VIOLATIONS
/* Causes an access violation on allocation descriptor, and verifies that
* violation has been detected by memory checker in the emulator.
*/
static void test_access_violation(const MallocDesc* desc) {
MallocDesc desc_chk;
char ch;
volatile char* prefix = (volatile char*)desc->ptr;
volatile char* suffix = (volatile char*)mallocdesc_user_ptr(desc) +
desc->requested_bytes;
/* We're causing AV by reading from the prefix and suffix areas of the
* allocated block. This should produce two access violations, so when we
* get allocation descriptor from QEMU, av_counter should be bigger than
* av_counter of the original descriptor by 2. */
ch = *prefix;
ch = *suffix;
if (!query_qemu_malloc_info(mallocdesc_user_ptr(desc), &desc_chk, 2) &&
desc_chk.av_count != (desc->av_count + 2)) {
log_mdesc(error, &desc_chk,
"<libc_pid=%03u, pid=%03u>: malloc: Access violation test failed:\n"
"Expected violations count %u is not equal to the actually reported %u",
malloc_pid, getpid(), desc->av_count + 2,
desc_chk.av_count);
}
}
#endif // TEST_ACCESS_VIOLATIONS
// =============================================================================
// API routines
// =============================================================================
extern "C" void* qemu_instrumented_calloc(size_t, size_t);
extern "C" void qemu_instrumented_free(void*);
extern "C" struct mallinfo qemu_instrumented_mallinfo();
extern "C" void* qemu_instrumented_malloc(size_t);
extern "C" size_t qemu_instrumented_malloc_usable_size(const void*);
extern "C" void* qemu_instrumented_memalign(size_t, size_t);
extern "C" int qemu_instrumented_posix_memalign(void**, size_t, size_t);
extern "C" void* qemu_instrumented_pvalloc(size_t);
extern "C" void* qemu_instrumented_realloc(void*, size_t);
extern "C" void* qemu_instrumented_valloc(size_t);
/* Initializes malloc debugging instrumentation for the emulator.
* This routine is called from malloc_init_impl routine implemented in
* bionic/libc/bionic/malloc_debug_common.c when malloc debugging gets
* initialized for a process. The way malloc debugging implementation is
* done, it is guaranteed that this routine will be called just once per
* process.
* Return:
* 0 on success, or -1 on failure.
*/
extern "C" bool malloc_debug_initialize(HashTable*, const MallocDebug* malloc_dispatch) {
g_malloc_dispatch = malloc_dispatch;
/* We will be using emulator's magic page to report memory allocation
* activities. In essence, what magic page does, it translates writes to
* the memory mapped spaces into writes to an I/O port that emulator
* "listens to" on the other end. Note that until we open and map that
* device, logging to emulator's stdout will not be available. */
int fd = open("/dev/qemu_trace", O_CLOEXEC | O_RDWR);
if (fd < 0) {
error_log("Unable to open /dev/qemu_trace");
return false;
} else {
qtrace = mmap(NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
close(fd);
if (qtrace == MAP_FAILED) {
qtrace = NULL;
error_log("Unable to mmap /dev/qemu_trace");
return false;
}
}
/* Cache pid of the process this library has been initialized for. */
malloc_pid = getpid();
return true;
}
/* Completes malloc debugging instrumentation for the emulator.
* Note that this routine is called after successful return from
* malloc_debug_initialize, which means that connection to the emulator via
* "magic page" has been established.
* Param:
* alignment - Alignment requirement set for memiry allocations.
* memcheck_param - Emulator's -memcheck option parameters. This string
* contains abbreviation for guest events that are enabled for tracing.
* Return:
* 0 on success, or -1 on failure.
*/
extern "C" int memcheck_initialize(int alignment, const char* memcheck_param) {
malloc_alignment = alignment;
/* Parse -memcheck parameter for the guest tracing flags. */
while (*memcheck_param != '\0') {
switch (*memcheck_param) {
case 'a':
// Enable all messages from the guest.
tracing_flags |= ALL_TRACING_ENABLED;
break;
case 'd':
// Enable debug messages from the guest.
tracing_flags |= DEBUG_TRACING_ENABLED;
break;
case 'e':
// Enable error messages from the guest.
tracing_flags |= ERROR_TRACING_ENABLED;
break;
case 'i':
// Enable info messages from the guest.
tracing_flags |= INFO_TRACING_ENABLED;
break;
default:
break;
}
if (tracing_flags == ALL_TRACING_ENABLED) {
break;
}
memcheck_param++;
}
notify_qemu_libc_initialized(malloc_pid);
qemu_debug_log("Instrumented for pid=%03u: malloc=%p, free=%p, calloc=%p, realloc=%p, memalign=%p",
malloc_pid, qemu_instrumented_malloc, qemu_instrumented_free,
qemu_instrumented_calloc, qemu_instrumented_realloc,
qemu_instrumented_memalign);
return 0;
}
/* This routine serves as entry point for 'malloc'.
* Primary responsibility of this routine is to allocate requested number of
* bytes (plus prefix, and suffix guards), and report allocation to the
* emulator.
*/
extern "C" void* qemu_instrumented_malloc(size_t bytes) {
MallocDesc desc;
/* Initialize block descriptor and allocate memory. Note that malloc
* returns a valid pointer on zero allocation. Lets mimic this behavior. */
desc.prefix_size = DEFAULT_PREFIX_SIZE;
desc.requested_bytes = bytes;
desc.suffix_size = DEFAULT_SUFFIX_SIZE;
size_t size = mallocdesc_alloc_size(&desc);
if (size < bytes) { // Overflow
qemu_error_log("<libc_pid=%03u, pid=%03u> malloc: malloc(%zu) overflow caused failure.",
malloc_pid, getpid(), bytes);
errno = ENOMEM;
return NULL;
}
desc.ptr = g_malloc_dispatch->malloc(size);
if (desc.ptr == NULL) {
qemu_error_log("<libc_pid=%03u, pid=%03u> malloc(%zu): malloc(%zu) failed.",
malloc_pid, getpid(), bytes, size);
return NULL;
}
// Fire up event in the emulator.
if (notify_qemu_malloc(&desc)) {
log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: malloc: notify_malloc failed for ",
malloc_pid, getpid());
g_malloc_dispatch->free(desc.ptr);
errno = ENOMEM;
return NULL;
} else {
#if TEST_ACCESS_VIOLATIONS
test_access_violation(&desc);
#endif // TEST_ACCESS_VIOLATIONS
log_mdesc(info, &desc, "+++ <libc_pid=%03u, pid=%03u> malloc(%zu) -> ",
malloc_pid, getpid(), bytes);
return mallocdesc_user_ptr(&desc);
}
}
/* This routine serves as entry point for 'malloc'.
* Primary responsibility of this routine is to free requested memory, and
* report free block to the emulator.
*/
extern "C" void qemu_instrumented_free(void* mem) {
MallocDesc desc;
if (mem == NULL) {
// Just let go NULL free
g_malloc_dispatch->free(mem);
return;
}
// Query emulator for the freeing block information.
if (query_qemu_malloc_info(mem, &desc, 1)) {
error_log("<libc_pid=%03u, pid=%03u>: free(%p) query_info failed.",
malloc_pid, getpid(), mem);
return;
}
#if TEST_ACCESS_VIOLATIONS
test_access_violation(&desc);
#endif // TEST_ACCESS_VIOLATIONS
/* Make sure that pointer that's being freed matches what we expect
* for this memory block. Note that this violation should be already
* caught in the emulator. */
if (mem != mallocdesc_user_ptr(&desc)) {
log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: free(%p) is invalid for ",
malloc_pid, getpid(), mem);
return;
}
// Fire up event in the emulator and free block that was actually allocated.
if (notify_qemu_free(mem)) {
log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: free(%p) notify_free failed for ",
malloc_pid, getpid(), mem);
} else {
log_mdesc(info, &desc, "--- <libc_pid=%03u, pid=%03u> free(%p) -> ",
malloc_pid, getpid(), mem);
g_malloc_dispatch->free(desc.ptr);
}
}
/* This routine serves as entry point for 'calloc'.
* This routine behaves similarly to qemu_instrumented_malloc.
*/
extern "C" void* qemu_instrumented_calloc(size_t n_elements, size_t elem_size) {
if (n_elements == 0 || elem_size == 0) {
// Just let go zero bytes allocation.
qemu_info_log("::: <libc_pid=%03u, pid=%03u>: Zero calloc redir to malloc",
malloc_pid, getpid());
return qemu_instrumented_malloc(0);
}
// Fail on overflow - just to be safe even though this code runs only
// within the debugging C library, not the production one.
if (n_elements && SIZE_MAX / n_elements < elem_size) {
qemu_error_log("<libc_pid=%03u, pid=%03u> calloc: calloc(%zu, %zu) overflow caused failure.",
malloc_pid, getpid(), n_elements, elem_size);
errno = ENOMEM;
return NULL;
}
MallocDesc desc;
/* Calculating prefix size. The trick here is to make sure that
* first element (returned to the caller) is properly aligned. */
if (DEFAULT_PREFIX_SIZE >= elem_size) {
/* If default alignment is bigger than element size, we will
* set our prefix size to the default alignment size. */
desc.prefix_size = DEFAULT_PREFIX_SIZE;
/* For the suffix we will use whatever bytes remain from the prefix
* allocation size, aligned to the size of an element, plus the usual
* default suffix size. */
desc.suffix_size = (DEFAULT_PREFIX_SIZE % elem_size) +
DEFAULT_SUFFIX_SIZE;
} else {
/* Make sure that prefix, and suffix sizes is at least elem_size,
* and first element returned to the caller is properly aligned. */
desc.prefix_size = elem_size + DEFAULT_PREFIX_SIZE - 1;
desc.prefix_size &= ~(malloc_alignment - 1);
desc.suffix_size = DEFAULT_SUFFIX_SIZE;
}
desc.requested_bytes = n_elements * elem_size;
size_t total_size = desc.requested_bytes + desc.prefix_size + desc.suffix_size;
if (total_size < desc.requested_bytes) { // Overflow
qemu_error_log("<libc_pid=%03u, pid=%03u> calloc: calloc(%zu, %zu) overflow caused failure.",
malloc_pid, getpid(), n_elements, elem_size);
errno = ENOMEM;
return NULL;
}
size_t total_elements = total_size / elem_size;
total_size %= elem_size;
if (total_size != 0) {
// Add extra to the suffix area.
total_elements++;
desc.suffix_size += (elem_size - total_size);
}
desc.ptr = g_malloc_dispatch->calloc(total_elements, elem_size);
if (desc.ptr == NULL) {
error_log("<libc_pid=%03u, pid=%03u> calloc: calloc(%zu(%zu), %zu) (prx=%u, sfx=%u) failed.",
malloc_pid, getpid(), n_elements, total_elements, elem_size,
desc.prefix_size, desc.suffix_size);
return NULL;
}
if (notify_qemu_malloc(&desc)) {
log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: calloc(%zu(%zu), %zu): notify_malloc failed for ",
malloc_pid, getpid(), n_elements, total_elements, elem_size);
g_malloc_dispatch->free(desc.ptr);
errno = ENOMEM;
return NULL;
} else {
#if TEST_ACCESS_VIOLATIONS
test_access_violation(&desc);
#endif // TEST_ACCESS_VIOLATIONS
log_mdesc(info, &desc, "### <libc_pid=%03u, pid=%03u> calloc(%zu(%zu), %zu) -> ",
malloc_pid, getpid(), n_elements, total_elements, elem_size);
return mallocdesc_user_ptr(&desc);
}
}
/* This routine serves as entry point for 'realloc'.
* This routine behaves similarly to qemu_instrumented_free +
* qemu_instrumented_malloc. Note that this modifies behavior of "shrinking" an
* allocation, but overall it doesn't seem to matter, as caller of realloc
* should not expect that pointer returned after shrinking will remain the same.
*/
extern "C" void* qemu_instrumented_realloc(void* mem, size_t bytes) {
if (mem == NULL) {
// Nothing to realloc. just do regular malloc.
qemu_info_log("::: <libc_pid=%03u, pid=%03u>: realloc(%p, %zu) redir to malloc",
malloc_pid, getpid(), mem, bytes);
return qemu_instrumented_malloc(bytes);
}
if (bytes == 0) {
// This is a "free" condition.
qemu_info_log("::: <libc_pid=%03u, pid=%03u>: realloc(%p, %zu) redir to free and malloc",
malloc_pid, getpid(), mem, bytes);
qemu_instrumented_free(mem);
// This is what realloc does for a "free" realloc.
return NULL;
}
// Query emulator for the reallocating block information.
MallocDesc cur_desc;
if (query_qemu_malloc_info(mem, &cur_desc, 2)) {
// Note that this violation should be already caught in the emulator.
error_log("<libc_pid=%03u, pid=%03u>: realloc(%p, %zu) query_info failed.",
malloc_pid, getpid(), mem, bytes);
errno = ENOMEM;
return NULL;
}
#if TEST_ACCESS_VIOLATIONS
test_access_violation(&cur_desc);
#endif // TEST_ACCESS_VIOLATIONS
/* Make sure that reallocating pointer value is what we would expect
* for this memory block. Note that this violation should be already caught
* in the emulator.*/
if (mem != mallocdesc_user_ptr(&cur_desc)) {
log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu) is invalid for ",
malloc_pid, getpid(), mem, bytes);
errno = ENOMEM;
return NULL;
}
/* TODO: We're a bit inefficient here, always allocating new block from
* the heap. If this realloc shrinks current buffer, we can just do the
* shrinking "in place", adjusting suffix_size in the allocation descriptor
* for this block that is stored in the emulator. */
// Initialize descriptor for the new block.
MallocDesc new_desc;
new_desc.prefix_size = DEFAULT_PREFIX_SIZE;
new_desc.requested_bytes = bytes;
new_desc.suffix_size = DEFAULT_SUFFIX_SIZE;
size_t new_size = mallocdesc_alloc_size(&new_desc);
if (new_size < bytes) { // Overflow
qemu_error_log("<libc_pid=%03u, pid=%03u>: realloc(%p, %zu): malloc(%zu) failed due to overflow",
malloc_pid, getpid(), mem, bytes, new_size);
errno = ENOMEM;
return NULL;
}
new_desc.ptr = g_malloc_dispatch->malloc(new_size);
if (new_desc.ptr == NULL) {
log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu): malloc(%zu) failed on ",
malloc_pid, getpid(), mem, bytes, new_size);
return NULL;
}
void* new_mem = mallocdesc_user_ptr(&new_desc);
// Copy user data from old block to the new one.
size_t to_copy = bytes < cur_desc.requested_bytes ? bytes : cur_desc.requested_bytes;
if (to_copy != 0) {
memcpy(new_mem, mallocdesc_user_ptr(&cur_desc), to_copy);
}
// Register new block with emulator.
if (notify_qemu_malloc(&new_desc)) {
log_mdesc(error, &new_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu) notify_malloc failed -> ",
malloc_pid, getpid(), mem, bytes);
log_mdesc(error, &cur_desc, " <- ");
g_malloc_dispatch->free(new_desc.ptr);
errno = ENOMEM;
return NULL;
}
#if TEST_ACCESS_VIOLATIONS
test_access_violation(&new_desc);
#endif // TEST_ACCESS_VIOLATIONS
// Free old block.
if (notify_qemu_free(mem)) {
log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu): notify_free failed for ",
malloc_pid, getpid(), mem, bytes);
/* Since we registered new decriptor with the emulator, we need
* to unregister it before freeing newly allocated block. */
notify_qemu_free(mallocdesc_user_ptr(&new_desc));
g_malloc_dispatch->free(new_desc.ptr);
errno = ENOMEM;
return NULL;
}
g_malloc_dispatch->free(cur_desc.ptr);
log_mdesc(info, &new_desc, "=== <libc_pid=%03u, pid=%03u>: realloc(%p, %zu) -> ",
malloc_pid, getpid(), mem, bytes);
log_mdesc(info, &cur_desc, " <- ");
return new_mem;
}
/* This routine serves as entry point for 'memalign'.
* This routine behaves similarly to qemu_instrumented_malloc.
*/
extern "C" void* qemu_instrumented_memalign(size_t alignment, size_t bytes) {
MallocDesc desc;
if (bytes == 0) {
// Just let go zero bytes allocation.
qemu_info_log("::: <libc_pid=%03u, pid=%03u>: memalign(%zx, %zu) redir to malloc",
malloc_pid, getpid(), alignment, bytes);
return qemu_instrumented_malloc(0);
}
// Prefix size for aligned allocation must be equal to the alignment used
// for allocation in order to ensure proper alignment of the returned
// pointer. in case that alignment requirement is greater than prefix
// size.
if (alignment < DEFAULT_PREFIX_SIZE) {
alignment = DEFAULT_PREFIX_SIZE;
} else if (!powerof2(alignment)) {
alignment = BIONIC_ROUND_UP_POWER_OF_2(alignment);
}
desc.prefix_size = alignment;
desc.requested_bytes = bytes;
desc.suffix_size = DEFAULT_SUFFIX_SIZE;
size_t size = mallocdesc_alloc_size(&desc);
if (size < bytes) { // Overflow
qemu_error_log("<libc_pid=%03u, pid=%03u> memalign(%zx, %zu): malloc(%zu) failed due to overflow.",
malloc_pid, getpid(), alignment, bytes, size);
return NULL;
}
desc.ptr = g_malloc_dispatch->memalign(desc.prefix_size, size);
if (desc.ptr == NULL) {
error_log("<libc_pid=%03u, pid=%03u> memalign(%zx, %zu): malloc(%zu) failed.",
malloc_pid, getpid(), alignment, bytes, size);
return NULL;
}
if (notify_qemu_malloc(&desc)) {
log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: memalign(%zx, %zu): notify_malloc failed for ",
malloc_pid, getpid(), alignment, bytes);
g_malloc_dispatch->free(desc.ptr);
return NULL;
}
#if TEST_ACCESS_VIOLATIONS
test_access_violation(&desc);
#endif // TEST_ACCESS_VIOLATIONS
log_mdesc(info, &desc, "@@@ <libc_pid=%03u, pid=%03u> memalign(%zx, %zu) -> ",
malloc_pid, getpid(), alignment, bytes);
return mallocdesc_user_ptr(&desc);
}
extern "C" size_t qemu_instrumented_malloc_usable_size(const void* mem) {
MallocDesc cur_desc;
// Query emulator for the reallocating block information.
if (query_qemu_malloc_info(mem, &cur_desc, 2)) {
// Note that this violation should be already caught in the emulator.
error_log("<libc_pid=%03u, pid=%03u>: malloc_usable_size(%p) query_info failed.",
malloc_pid, getpid(), mem);
return 0;
}
/* Make sure that reallocating pointer value is what we would expect
* for this memory block. Note that this violation should be already caught
* in the emulator.*/
if (mem != mallocdesc_user_ptr(&cur_desc)) {
log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: malloc_usable_size(%p) is invalid for ",
malloc_pid, getpid(), mem);
return 0;
}
/* during instrumentation, we can't really report anything more than requested_bytes */
return cur_desc.requested_bytes;
}
extern "C" struct mallinfo qemu_instrumented_mallinfo() {
return g_malloc_dispatch->mallinfo();
}
extern "C" int qemu_instrumented_posix_memalign(void** memptr, size_t alignment, size_t size) {
if ((alignment & (alignment - 1)) != 0) {
qemu_error_log("<libc_pid=%03u, pid=%03u> posix_memalign(%p, %zu, %zu): invalid alignment.",
malloc_pid, getpid(), memptr, alignment, size);
return EINVAL;
}
int saved_errno = errno;
*memptr = qemu_instrumented_memalign(alignment, size);
errno = saved_errno;
return (*memptr != NULL) ? 0 : ENOMEM;
}
extern "C" void* qemu_instrumented_pvalloc(size_t bytes) {
size_t pagesize = getpagesize();
size_t size = BIONIC_ALIGN(bytes, pagesize);
if (size < bytes) { // Overflow
qemu_error_log("<libc_pid=%03u, pid=%03u> pvalloc(%zu): overflow (%zu).",
malloc_pid, getpid(), bytes, size);
return NULL;
}
return qemu_instrumented_memalign(pagesize, size);
}
extern "C" void* qemu_instrumented_valloc(size_t size) {
return qemu_instrumented_memalign(getpagesize(), size);
}