Merge "Update sanitize property format"
diff --git a/libc/Android.bp b/libc/Android.bp
index b453d32..c5a513c 100644
--- a/libc/Android.bp
+++ b/libc/Android.bp
@@ -309,8 +309,6 @@
defaults: ["libc_defaults"],
srcs: [
"upstream-netbsd/common/lib/libc/stdlib/random.c",
- "upstream-netbsd/lib/libc/gen/ftw.c",
- "upstream-netbsd/lib/libc/gen/nftw.c",
"upstream-netbsd/lib/libc/gen/nice.c",
"upstream-netbsd/lib/libc/gen/popen.c",
"upstream-netbsd/lib/libc/gen/psignal.c",
@@ -1282,6 +1280,7 @@
"bionic/fpclassify.cpp",
"bionic/fsetxattr.cpp",
"bionic/ftruncate.cpp",
+ "bionic/ftw.cpp",
"bionic/futimens.cpp",
"bionic/getcwd.cpp",
"bionic/getdomainname.cpp",
diff --git a/libc/Android.mk b/libc/Android.mk
index fa392d1..02682af 100644
--- a/libc/Android.mk
+++ b/libc/Android.mk
@@ -107,6 +107,7 @@
bionic/fpclassify.cpp \
bionic/fsetxattr.cpp \
bionic/ftruncate.cpp \
+ bionic/ftw.cpp \
bionic/futimens.cpp \
bionic/getcwd.cpp \
bionic/getdomainname.cpp \
@@ -288,8 +289,6 @@
libc_upstream_netbsd_src_files := \
upstream-netbsd/common/lib/libc/stdlib/random.c \
- upstream-netbsd/lib/libc/gen/ftw.c \
- upstream-netbsd/lib/libc/gen/nftw.c \
upstream-netbsd/lib/libc/gen/nice.c \
upstream-netbsd/lib/libc/gen/popen.c \
upstream-netbsd/lib/libc/gen/psignal.c \
diff --git a/libc/bionic/ftw.cpp b/libc/bionic/ftw.cpp
new file mode 100644
index 0000000..2123619
--- /dev/null
+++ b/libc/bionic/ftw.cpp
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2003, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+#include <errno.h>
+#include <fts.h>
+#include <ftw.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+static int do_nftw(const char *path,
+ int (*ftw_fn)(const char*, const struct stat*, int),
+ int (*nftw_fn)(const char*, const struct stat*, int, FTW*),
+ int nfds,
+ int nftw_flags) {
+ // TODO: nfds is currently unused.
+ if (nfds < 1) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ // Translate to fts_open options.
+ int fts_options = FTS_LOGICAL | FTS_COMFOLLOW | FTS_NOCHDIR;
+ if (nftw_fn) {
+ fts_options = FTS_COMFOLLOW | ((nftw_flags & FTW_PHYS) ? FTS_PHYSICAL : FTS_LOGICAL);
+ if (!(nftw_flags & FTW_CHDIR)) fts_options |= FTS_NOCHDIR;
+ if (nftw_flags & FTW_MOUNT) fts_options |= FTS_XDEV;
+ }
+ bool postorder = (nftw_flags & FTW_DEPTH) != 0;
+
+ // Call fts_open.
+ char* const paths[2] = { const_cast<char*>(path), nullptr };
+ FTS* fts = fts_open(paths, fts_options, nullptr);
+ if (fts == nullptr) {
+ return -1;
+ }
+
+ // Translate fts_read results into ftw/nftw callbacks.
+ int error = 0;
+ FTSENT* cur;
+ while (error == 0 && (cur = fts_read(fts)) != nullptr) {
+ int fn_flag;
+ switch (cur->fts_info) {
+ case FTS_D:
+ // In the postorder case, we'll translate FTS_DP to FTW_DP later.
+ // In the can't-access case, we'll translate FTS_DNR to FTW_DNR later.
+ if (postorder || access(cur->fts_path, R_OK) == -1) continue;
+ fn_flag = FTW_D;
+ break;
+ case FTS_DNR:
+ fn_flag = FTW_DNR;
+ break;
+ case FTS_DP:
+ if (!postorder) continue;
+ fn_flag = FTW_DP;
+ break;
+ case FTS_F:
+ case FTS_DEFAULT:
+ fn_flag = FTW_F;
+ break;
+ case FTS_NS:
+ case FTS_NSOK:
+ fn_flag = FTW_NS;
+ break;
+ case FTS_SL:
+ fn_flag = FTW_SL;
+ break;
+ case FTS_SLNONE:
+ fn_flag = (nftw_fn != nullptr) ? FTW_SLN : FTW_NS;
+ break;
+ case FTS_DC:
+ errno = ELOOP;
+ error = -1;
+ continue;
+ default:
+ error = -1;
+ continue;
+ }
+
+ // Call the appropriate function.
+ if (nftw_fn != nullptr) {
+ FTW ftw;
+ ftw.base = cur->fts_pathlen - cur->fts_namelen;
+ ftw.level = cur->fts_level;
+ error = nftw_fn(cur->fts_path, cur->fts_statp, fn_flag, &ftw);
+ } else {
+ error = ftw_fn(cur->fts_path, cur->fts_statp, fn_flag);
+ }
+ }
+
+ int saved_errno = errno;
+ if (fts_close(fts) != 0 && error == 0) {
+ error = -1;
+ } else {
+ errno = saved_errno;
+ }
+ return error;
+}
+
+int ftw(const char* path, int (*ftw_fn)(const char*, const struct stat*, int), int nfds) {
+ return do_nftw(path, ftw_fn, nullptr, nfds, 0);
+}
+
+int nftw(const char* path, int (*nftw_fn)(const char*, const struct stat*, int, FTW*),
+ int nfds, int nftw_flags) {
+ return do_nftw(path, nullptr, nftw_fn, nfds, nftw_flags);
+}
diff --git a/libc/libc.arm.brillo.map b/libc/libc.arm.brillo.map
index 651fea4..541dbb2 100644
--- a/libc/libc.arm.brillo.map
+++ b/libc/libc.arm.brillo.map
@@ -1434,7 +1434,7 @@
__swrite; # arm x86 mips
__swsetup; # arm x86 mips
__truncdfsf2; # arm
- __udivdi3; # arm mips
+ __udivdi3; # arm x86 mips
__udivsi3; # arm
__unorddf2; # arm
__unordsf2; # arm
diff --git a/libc/libc.arm.map b/libc/libc.arm.map
index 1c7a0ba..1784b95 100644
--- a/libc/libc.arm.map
+++ b/libc/libc.arm.map
@@ -1445,7 +1445,7 @@
__swrite; # arm x86 mips
__swsetup; # arm x86 mips
__truncdfsf2; # arm
- __udivdi3; # arm mips
+ __udivdi3; # arm x86 mips
__udivsi3; # arm
__unorddf2; # arm
__unordsf2; # arm
diff --git a/libc/libc.map.txt b/libc/libc.map.txt
index ed20efc..f51c5d3 100644
--- a/libc/libc.map.txt
+++ b/libc/libc.map.txt
@@ -207,7 +207,6 @@
__timer_getoverrun; # arm x86 mips
__timer_gettime; # arm x86 mips
__timer_settime; # arm x86 mips
- __udivdi3; # x86
__umask_chk;
__vsnprintf_chk;
__vsprintf_chk;
@@ -1471,7 +1470,7 @@
__swrite; # arm x86 mips
__swsetup; # arm x86 mips
__truncdfsf2; # arm
- __udivdi3; # arm mips
+ __udivdi3; # arm x86 mips
__udivsi3; # arm
__umoddi3; # x86 mips
__unorddf2; # arm
diff --git a/libc/libc.mips.brillo.map b/libc/libc.mips.brillo.map
index d96de34..953fc29 100644
--- a/libc/libc.mips.brillo.map
+++ b/libc/libc.mips.brillo.map
@@ -1294,7 +1294,7 @@
__swbuf; # arm x86 mips
__swrite; # arm x86 mips
__swsetup; # arm x86 mips
- __udivdi3; # arm mips
+ __udivdi3; # arm x86 mips
__umoddi3; # x86 mips
_fwalk; # arm x86 mips
android_getaddrinfofornet;
diff --git a/libc/libc.mips.map b/libc/libc.mips.map
index 5fe3a51..90db79d 100644
--- a/libc/libc.mips.map
+++ b/libc/libc.mips.map
@@ -1305,7 +1305,7 @@
__swbuf; # arm x86 mips
__swrite; # arm x86 mips
__swsetup; # arm x86 mips
- __udivdi3; # arm mips
+ __udivdi3; # arm x86 mips
__umoddi3; # x86 mips
__wait4; # arm x86 mips nobrillo
_fwalk; # arm x86 mips
diff --git a/libc/libc.x86.brillo.map b/libc/libc.x86.brillo.map
index f167183..9f6cc52 100644
--- a/libc/libc.x86.brillo.map
+++ b/libc/libc.x86.brillo.map
@@ -203,7 +203,6 @@
__timer_getoverrun; # arm x86 mips
__timer_gettime; # arm x86 mips
__timer_settime; # arm x86 mips
- __udivdi3; # x86
__umask_chk;
__vsnprintf_chk;
__vsprintf_chk;
@@ -1294,6 +1293,7 @@
__swbuf; # arm x86 mips
__swrite; # arm x86 mips
__swsetup; # arm x86 mips
+ __udivdi3; # arm x86 mips
__umoddi3; # x86 mips
_fwalk; # arm x86 mips
android_getaddrinfofornet;
diff --git a/libc/libc.x86.map b/libc/libc.x86.map
index d37d28a..4443731 100644
--- a/libc/libc.x86.map
+++ b/libc/libc.x86.map
@@ -203,7 +203,6 @@
__timer_getoverrun; # arm x86 mips
__timer_gettime; # arm x86 mips
__timer_settime; # arm x86 mips
- __udivdi3; # x86
__umask_chk;
__vsnprintf_chk;
__vsprintf_chk;
@@ -1305,6 +1304,7 @@
__swbuf; # arm x86 mips
__swrite; # arm x86 mips
__swsetup; # arm x86 mips
+ __udivdi3; # arm x86 mips
__umoddi3; # x86 mips
__wait4; # arm x86 mips nobrillo
_fwalk; # arm x86 mips
diff --git a/libc/malloc_debug/Config.cpp b/libc/malloc_debug/Config.cpp
index ded618c..cc60086 100644
--- a/libc/malloc_debug/Config.cpp
+++ b/libc/malloc_debug/Config.cpp
@@ -273,7 +273,7 @@
fill_free_value = DEFAULT_FILL_FREE_VALUE;
front_guard_value = DEFAULT_FRONT_GUARD_VALUE;
rear_guard_value = DEFAULT_REAR_GUARD_VALUE;
- backtrace_signal = SIGRTMIN + 10;
+ backtrace_signal = SIGRTMAX - 19;
free_track_backtrace_num_frames = 16;
// Parse the options are of the format:
diff --git a/libc/malloc_debug/FreeTrackData.cpp b/libc/malloc_debug/FreeTrackData.cpp
index 682f93d..8e6502e 100644
--- a/libc/malloc_debug/FreeTrackData.cpp
+++ b/libc/malloc_debug/FreeTrackData.cpp
@@ -48,7 +48,7 @@
uint8_t fill_free_value = debug_->config().fill_free_value;
for (size_t i = 0; i < header->usable_size; i++) {
if (pointer[i] != fill_free_value) {
- error_log(" pointer[%zu] = 0x%02x (expected 0x%02x)", i, pointer[i], fill_free_value);
+ error_log(" allocation[%zu] = 0x%02x (expected 0x%02x)", i, pointer[i], fill_free_value);
}
}
auto back_iter = backtraces_.find(header);
diff --git a/libc/malloc_debug/GuardData.cpp b/libc/malloc_debug/GuardData.cpp
index 48961b6..e207b86 100644
--- a/libc/malloc_debug/GuardData.cpp
+++ b/libc/malloc_debug/GuardData.cpp
@@ -57,7 +57,7 @@
const uint8_t* real = reinterpret_cast<const uint8_t*>(data);
for (size_t i = 0; i < cmp_mem_.size(); i++, pointer_idx++) {
if (real[i] != expected[i]) {
- error_log(" pointer[%d] = 0x%02x (expected 0x%02x)", pointer_idx, real[i], expected[i]);
+ error_log(" allocation[%d] = 0x%02x (expected 0x%02x)", pointer_idx, real[i], expected[i]);
}
}
diff --git a/libc/malloc_debug/README.md b/libc/malloc_debug/README.md
new file mode 100644
index 0000000..3fc2305
--- /dev/null
+++ b/libc/malloc_debug/README.md
@@ -0,0 +1,330 @@
+Malloc Debug
+============
+
+Malloc debug is a method of debugging native memory problems. It can help
+detect memory corruption, memory leaks, and use after free issues.
+
+Currently, malloc debug requires root to enable. When it is enabled, it works
+by adding a shim layer that replaces the normal allocation calls. The replaced
+calls are:
+
+<pre>
+malloc
+free
+calloc
+realloc
+posix_memalign
+memalign
+malloc_usable_size
+</pre>
+
+On 32 bit systems, these two deprecated functions are also replaced:
+
+<pre>
+pvalloc
+valloc
+</pre>
+
+Any errors detected by the library are reported in the log.
+
+Controlling Malloc Debug Behavior
+---------------------------------
+Malloc debug is controlled by individual options. Each option can be enabled
+individually, or in a group of other options. Every single option can be
+combined with every other option.
+
+Option Descriptions
+-------------------
+### front\_guard[=SIZE\_BYTES]
+Enables a small buffer placed before the allocated data. This is an attempt
+to find memory corruption occuring to a region before the original allocation.
+On first allocation, this front guard is written with a specific pattern (0xaa).
+When the allocation is freed, the guard is checked to verify it has not been
+modified. If any part of the front guard is modified, an error will be reported
+in the log indicating what bytes changed.
+
+If the backtrace option is also enabled, then any error message will include
+the backtrace of the allocation site.
+
+If SIZE\_BYTES is present, it indicates the number of bytes in the guard.
+The default is 32 bytes, the max bytes is 16384. SIZE\_BYTES will be
+padded so that it is a multiple of 8 bytes on 32 bit systems and 16 bytes
+on 64 bit systems to make sure that the allocation returned is aligned
+properly.
+
+This option adds a special header to all allocations that contains the guard
+and information about the original allocation.
+
+Example error:
+
+<pre>
+04-10 12:00:45.621 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 SIZE 100 HAS A CORRUPTED FRONT GUARD
+04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[-32] = 0x00 (expected 0xaa)
+04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[-15] = 0x02 (expected 0xaa)
+</pre>
+
+### rear\_guard[=SIZE\_BYTES]
+Enables a small buffer placed after the allocated data. This is an attempt
+to find memory corruption occuring to a region after the original allocation.
+On first allocation, this rear guard is written with a specific pattern (0xbb).
+When the allocation is freed, the guard is checked to verify it has not been
+modified. If any part of the rear guard is modified, an error will be reported
+in the log indicating what bytes changed.
+
+If SIZE\_BYTES is present, it indicates the number of bytes in the guard.
+The default is 32 bytes, the max bytes is 16384.
+
+This option adds a special header to all allocations that contains
+information about the original allocation.
+
+Example error:
+
+<pre>
+04-10 12:00:45.621 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 SIZE 100 HAS A CORRUPTED REAR GUARD
+04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[130] = 0xbf (expected 0xbb)
+04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[131] = 0x00 (expected 0xbb)
+</pre>
+
+### guard[=SIZE\_BYTES]
+Enables both a front guard and a rear guard on all allocations.
+
+If SIZE\_BYTES is present, it indicates the number of bytes in both guards.
+The default is 32 bytes, the max bytes is 16384.
+
+### backtrace[=MAX\_FRAMES]
+Enable capturing the backtrace of each allocation site.
+This option will slow down allocations by an order of magnitude. If the
+system runs too slowly with this option enabled, decreasing the maximum number
+of frames captured will speed the allocations up.
+
+Note that any backtrace frames that occur within the malloc backtrace library
+itself are not recorded.
+
+If MAX\_FRAMES is present, it indicates the maximum number of frames to
+capture in a backtrace. The default is 16 frames, the maximumum value
+this can be set to is 256.
+
+This option adds a special header to all allocations that contains the
+backtrace and information about the original allocation.
+
+### backtrace\_enable\_on\_signal[=MAX\_FRAMES]
+Enable capturing the backtrace of each allocation site. If the
+backtrace capture is toggled when the process receives the signal
+SIGRTMAX - 19 (which is 45 on most Android devices). When this
+option is used alone, backtrace capture starts out disabled until the signal
+is received. If both this option and the backtrace option are set, then
+backtrace capture is enabled until the signal is received.
+
+If MAX\_FRAMES is present, it indicates the maximum number of frames to
+capture in a backtrace. The default is 16 frames, the maximumum value
+this can be set to is 256.
+
+This option adds a special header to all allocations that contains the
+backtrace and information about the original allocation.
+
+### fill\_on\_alloc[=MAX\_FILLED\_BYTES]
+Any allocation routine, other than calloc, will result in the allocation being
+filled with the value 0xeb. When doing a realloc to a larger size, the bytes
+above the original usable size will be set to 0xeb.
+
+If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
+of bytes in the allocation. The default is to fill the entire allocation.
+
+### fill\_on\_free[=MAX\_FILLED\_BYTES]
+When an allocation is freed, fill it with 0xef.
+
+If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
+of bytes in the allocation. The default is to fill the entire allocation.
+
+### fill[=MAX\_FILLED\_BYTES]
+This enables both the fill\_on\_alloc option and the fill\_on\_free option.
+
+If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
+of bytes in the allocation. The default is to fill the entire allocation.
+
+### expand\_alloc[=EXPAND\_BYTES]
+Add an extra amount to allocate for every allocation.
+
+If XX is present, it is the number of bytes to expand the allocation by.
+The default is 16 bytes, the max bytes is 16384.
+
+### free\_track[=ALLOCATION\_COUNT]
+When a pointer is freed, do not free the memory right away, but add it to
+a list of freed allocations. In addition to being added to the list, the
+entire allocation is filled with the value 0xef, and the backtrace at
+the time of the free is recorded. The backtrace recording is completely
+separate from the backtrace option, and happens automatically if this
+option is enabled. By default, a maximum of 16 frames will be recorded,
+but this value can be changed using the free\_track\_backtrace\_num\_frames
+option. It can also be completely disabled by setting the option to zero.
+See the full description of this option below.
+
+When the list is full, an allocation is removed from the list and is
+checked to make sure that none of the contents have been modified since
+being placed on the list. When the program terminates, all of the allocations
+left on the list are verified.
+
+If ALLOCATION\_COUNT is present, it indicates the total number of allocations
+in the list. The default is to record 100 freed allocations, the max
+allocations to record is 16384.
+
+This option adds a special header to all allocations that contains
+information about the original allocation.
+
+Example error:
+
+<pre>
+04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE
+04-15 12:00:31.305 7412 7412 E malloc_debug: allocation[20] = 0xaf (expected 0xef)
+04-15 12:00:31.305 7412 7412 E malloc_debug: allocation[99] = 0x12 (expected 0xef)
+04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace at time of free:
+04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
+</pre>
+
+In addition, there is another type of error message that can occur if
+an allocation has a special header applied, and the header is corrupted
+before the verification occurs. This is the error message that will be found
+in the log:
+
+<pre>
++++ ALLOCATION 0x12345678 HAS CORRUPTED HEADER TAG 0x1cc7dc00 AFTER FREE
+</pre>
+
+### free\_track\_backtrace\_num\_frames[=MAX\_FRAMES]
+This option only has meaning if free\_track is set. It indicates how many
+backtrace frames to capture when an allocation is freed.
+
+If MAX\_FRAMES is present, it indicates the number of frames to capture.
+If the value is set to zero, then no backtrace will be captured when the
+allocation is freed. The default is to record 16 frames, the max number of
+frames to to record is 256.
+
+### leak\_track
+Track all live allocations. When the program terminates, all of the live
+allocations will be dumped to the log. If the backtrace option was enabled,
+then the log will include the backtrace of the leaked allocations. This
+option is not useful when enabled globally because a lot of programs do not
+free everything before the program terminates.
+
+This option adds a special header to all allocations that contains
+information about the original allocation.
+
+Example leak error found in the log:
+
+<pre>
+04-15 12:35:33.304 7412 7412 E malloc_debug: +++ APP leaked block of size 100 at 0x2be3b0b0 (leak 1 of 2)
+04-15 12:35:33.304 7412 7412 E malloc_debug: Backtrace at time of allocation:
+04-15 12:35:33.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
+04-15 12:35:33.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
+04-15 12:35:33.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
+04-15 12:35:33.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
+04-15 12:35:33.305 7412 7412 E malloc_debug: +++ APP leaked block of size 24 at 0x7be32380 (leak 2 of 2)
+04-15 12:35:33.305 7412 7412 E malloc_debug: Backtrace at time of allocation:
+04-15 12:35:33.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
+04-15 12:35:33.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
+04-15 12:35:33.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
+04-15 12:35:33.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
+</pre>
+
+Additional Errors
+-----------------
+There are a few other error messages that might appear in the log.
+
+### Use After Free
+<pre>
+04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE (free)
+04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace of original free:
+04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace at time of failure:
+04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
+</pre>
+
+This indicates that code is attempting to free an already freed pointer. The
+name in parenthesis indicates that the application called the function
+<i>free</i> with the bad pointer.
+
+For example, this message:
+
+<pre>
+04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE (realloc)
+</pre>
+
+Would indicate that the application called the <i>realloc</i> function
+with an already freed pointer.
+
+### Invalid Tag
+<pre>
+04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 HAS INVALID TAG 1ee7d000 (malloc_usable_size)
+04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace at time of failure:
+04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
+04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
+04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
+</pre>
+
+This indicates that a function (malloc\_usable\_size) was called with
+a pointer that is either not allocated memory, or that the memory of
+the pointer has been corrupted.
+
+As with the other error message, the function in parenthesis is the
+function that was called with the bad pointer.
+
+Examples
+========
+Enable backtrace tracking of all allocation for all processes:
+
+<pre>
+ adb shell stop
+ adb shell setprop libc.debug.malloc.options backtrace
+ adb shell start
+</pre>
+
+Enable backtrace tracking for a specific process (ls):
+
+<pre>
+ adb shell setprop libc.debug.malloc.options backtrace
+ adb shell setprop libc.debug.malloc.program ls
+ adb shell ls
+</pre>
+
+Enable backtrace tracking for the zygote and zygote based processes:
+
+<pre>
+ adb shell stop
+ adb shell setprop libc.debug.malloc.program app_process
+ adb shell setprop libc.debug.malloc.options backtrace
+ adb shell start
+</pre>
+
+Enable multiple options (backtrace and guards):
+
+<pre>
+ adb shell stop
+ adb shell setprop libc.debug.malloc.options "\"backtrace guards\""
+ adb shell start
+</pre>
+
+Enable malloc debug when multiple processes have the same name. This method
+can be used to enable malloc debug for only a very specific process if
+multiple processes have the same name.
+
+Note: The double quotes in the adb shell command are necessary. Otherwise,
+the setprop command will fail since the backtrace guards options will look
+like two arguments instead of one.
+
+<pre>
+ adb shell
+ # setprop libc.debug.malloc.env_enabled
+ # setprop libc.debug.malloc.options backtrace
+ # export LIBC_DEBUG_MALLOC_ENABLE 1
+ # ls
+</pre>
diff --git a/libc/malloc_debug/README_api.md b/libc/malloc_debug/README_api.md
new file mode 100644
index 0000000..cd04c32
--- /dev/null
+++ b/libc/malloc_debug/README_api.md
@@ -0,0 +1,64 @@
+Native Memory Tracking using libc Callbacks
+-------------------------------------------
+Malloc debug can be used to get information on all of the live allocations
+in a process. The libc library in Android exports two calls that can be
+used to gather this data from a process. This tracking can be enabled using
+either the backtrace option or the backtrace\_enabled\_on\_signal option.
+
+The function to gather the data:
+
+<pre>
+<b>
+extern "C" void get_malloc_leak_info(uint8_t** info, size_t* overall_size, size_t* info_size, size_t* total_memory, size_t* backtrace_size);
+</b>
+</pre>
+
+<i>info</i> is set to a buffer allocated by the call that contains all of
+the allocation information.
+<i>overall\_size</i> is set to the total size of the buffer returned. If this
+<i>info\_size</i>
+value is zero, then there are no allocation being tracked.
+<i>total\_memory</i> is set to the sum of all allocation sizes that are live at
+the point of the function call. This does not include the memory allocated
+by the malloc debug library itself.
+<i>backtrace\_size</i> is set to the maximum number of backtrace entries
+that are present for each allocation.
+
+In order to free the buffer allocated by the function, call:
+
+<pre>
+<b>
+extern "C" void free_malloc_leak_info(uint8_t* info);
+</b>
+</pre>
+
+### Format of info Buffer
+<pre>
+size_t size_of_original_allocation
+size_t num_backtrace_frames
+uintptr_t pc1
+uintptr_t pc2
+uintptr_t pc3
+.
+.
+.
+</pre>
+
+The number of <i>uintptr\_t</i> values is determined by the value
+<i>backtrace\_size</i> as returned by the original call to
+<i>get\_malloc\_leak\_info</i>. This value is not variable, it is the same
+for all the returned data. The value
+<i>num\_backtrace\_frames</i> contains the real number of frames found. The
+extra frames are set to zero. Each <i>uintptr\_t</i> is a pc of the callstack.
+The calls from within the malloc debug library are automatically removed.
+
+For 32 bit systems, <i>size\_t</i> and <i>uintptr\_t</i> are both 4 byte values.
+
+For 64 bit systems, <i>size\_t</i> and <i>uintptr\_t</i> are both 8 byte values.
+
+The total number of these structures returned in <i>info</i> is
+<i>overall\_size</i> divided by <i>info\_size</i>.
+
+Note, the size value in each allocation data structure will have bit 31 set
+if this allocation was created by the Zygote process. This helps to distinguish
+between native allocations created by the application.
diff --git a/libc/upstream-netbsd/lib/libc/gen/ftw.c b/libc/upstream-netbsd/lib/libc/gen/ftw.c
deleted file mode 100644
index a7f6bbd..0000000
--- a/libc/upstream-netbsd/lib/libc/gen/ftw.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* $NetBSD: ftw.c,v 1.1 2005/12/30 23:07:32 agc Exp $ */
-
-/* From OpenBSD: ftw.c,v 1.2 2003/07/21 21:15:32 millert Exp */
-
-/*
- * Copyright (c) 2003 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-#include <sys/cdefs.h>
-
-#ifndef lint
-__RCSID("$NetBSD: ftw.c,v 1.1 2005/12/30 23:07:32 agc Exp $");
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <fts.h>
-#include <ftw.h>
-#include <limits.h>
-
-int
-ftw(const char *path, int (*fn)(const char *, const struct stat *, int),
- int nfds)
-{
- /* LINTED */
- char * const paths[2] = { __UNCONST(path), NULL };
- FTSENT *cur;
- FTS *ftsp;
- int fnflag, error, sverrno;
-
- /* XXX - nfds is currently unused */
- if (nfds < 1 || nfds > OPEN_MAX) {
- errno = EINVAL;
- return (-1);
- }
-
- ftsp = fts_open(paths, FTS_COMFOLLOW | FTS_NOCHDIR, NULL);
- if (ftsp == NULL)
- return (-1);
- error = 0;
- while ((cur = fts_read(ftsp)) != NULL) {
- switch (cur->fts_info) {
- case FTS_D:
- fnflag = FTW_D;
- break;
- case FTS_DNR:
- fnflag = FTW_DNR;
- break;
- case FTS_DP:
- /* we only visit in preorder */
- continue;
- case FTS_F:
- case FTS_DEFAULT:
- fnflag = FTW_F;
- break;
- case FTS_NS:
- case FTS_NSOK:
- case FTS_SLNONE:
- fnflag = FTW_NS;
- break;
- case FTS_SL:
- fnflag = FTW_SL;
- break;
- case FTS_DC:
- errno = ELOOP;
- /* FALLTHROUGH */
- default:
- error = -1;
- goto done;
- }
- error = fn(cur->fts_path, cur->fts_statp, fnflag);
- if (error != 0)
- break;
- }
-done:
- sverrno = errno;
- if (fts_close(ftsp) != 0 && error == 0)
- error = -1;
- else
- errno = sverrno;
- return (error);
-}
diff --git a/libc/upstream-netbsd/lib/libc/gen/nftw.c b/libc/upstream-netbsd/lib/libc/gen/nftw.c
deleted file mode 100644
index 0e51342..0000000
--- a/libc/upstream-netbsd/lib/libc/gen/nftw.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $NetBSD */
-
-/* From OpenBSD: nftw.c,v 1.2 2003/07/21 21:15:32 millert Exp */
-
-/*
- * Copyright (c) 2003 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-#include <sys/cdefs.h>
-
-#ifndef lint
-__RCSID("$NetBSD: nftw.c,v 1.1 2005/12/30 23:07:32 agc Exp $");
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <fts.h>
-#include <ftw.h>
-#include <limits.h>
-
-int
-nftw(const char *path, int (*fn)(const char *, const struct stat *, int,
- struct FTW *), int nfds, int ftwflags)
-{
- /* LINTED */
- char * const paths[2] = { __UNCONST(path), NULL };
- struct FTW f;
- FTSENT *cur;
- FTS *ftsp;
- int ftsflags, fnflag, error, postorder, sverrno;
-
- /* XXX - nfds is currently unused */
- if (nfds < 1 || nfds > OPEN_MAX) {
- errno = EINVAL;
- return (-1);
- }
-
- ftsflags = FTS_COMFOLLOW;
- if (!(ftwflags & FTW_CHDIR))
- ftsflags |= FTS_NOCHDIR;
- if (ftwflags & FTW_MOUNT)
- ftsflags |= FTS_XDEV;
- if (ftwflags & FTW_PHYS)
- ftsflags |= FTS_PHYSICAL;
- postorder = (ftwflags & FTW_DEPTH) != 0;
- ftsp = fts_open(paths, ftsflags, NULL);
- if (ftsp == NULL)
- return (-1);
- error = 0;
- while ((cur = fts_read(ftsp)) != NULL) {
- switch (cur->fts_info) {
- case FTS_D:
- if (postorder)
- continue;
- fnflag = FTW_D;
- break;
- case FTS_DNR:
- fnflag = FTW_DNR;
- break;
- case FTS_DP:
- if (!postorder)
- continue;
- fnflag = FTW_DP;
- break;
- case FTS_F:
- case FTS_DEFAULT:
- fnflag = FTW_F;
- break;
- case FTS_NS:
- case FTS_NSOK:
- fnflag = FTW_NS;
- break;
- case FTS_SL:
- fnflag = FTW_SL;
- break;
- case FTS_SLNONE:
- fnflag = FTW_SLN;
- break;
- case FTS_DC:
- errno = ELOOP;
- /* FALLTHROUGH */
- default:
- error = -1;
- goto done;
- }
- f.base = cur->fts_pathlen - cur->fts_namelen;
- f.level = cur->fts_level;
- error = fn(cur->fts_path, cur->fts_statp, fnflag, &f);
- if (error != 0)
- break;
- }
-done:
- sverrno = errno;
- (void) fts_close(ftsp);
- errno = sverrno;
- return (error);
-}
diff --git a/tests/ftw_test.cpp b/tests/ftw_test.cpp
index b7e5bd5..ea494ba 100644
--- a/tests/ftw_test.cpp
+++ b/tests/ftw_test.cpp
@@ -16,6 +16,7 @@
#include <ftw.h>
+#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
@@ -24,6 +25,7 @@
#include "TemporaryFile.h"
+#include <android-base/stringprintf.h>
#include <gtest/gtest.h>
static void MakeTree(const char* root) {
@@ -39,7 +41,7 @@
snprintf(path, sizeof(path), "%s/dangler", root);
ASSERT_EQ(0, symlink("/does-not-exist", path));
snprintf(path, sizeof(path), "%s/symlink", root);
- ASSERT_EQ(0, symlink("sub2", path));
+ ASSERT_EQ(0, symlink("dir/sub", path));
int fd;
snprintf(path, sizeof(path), "%s/regular", root);
@@ -51,8 +53,21 @@
ASSERT_TRUE(fpath != NULL);
ASSERT_TRUE(sb != NULL);
+ // Was it a case where the struct stat we're given is meaningless?
+ if (tflag == FTW_NS || tflag == FTW_SLN) {
+ // If so, double-check that we really can't stat.
+ struct stat sb;
+ EXPECT_EQ(-1, stat(fpath, &sb));
+ return;
+ }
+
+ // Otherwise check that the struct stat matches the type flag.
if (S_ISDIR(sb->st_mode)) {
- EXPECT_TRUE(tflag == FTW_D || tflag == FTW_DNR || tflag == FTW_DP) << fpath;
+ if (access(fpath, R_OK) == 0) {
+ EXPECT_TRUE(tflag == FTW_D || tflag == FTW_DP) << fpath << ' ' << tflag;
+ } else {
+ EXPECT_EQ(FTW_DNR, tflag) << fpath;
+ }
} else if (S_ISLNK(sb->st_mode)) {
EXPECT_EQ(FTW_SL, tflag) << fpath;
} else {
@@ -60,7 +75,7 @@
}
}
-void sanity_check_nftw(const char* fpath, const struct stat* sb, int tflag, struct FTW* ftwbuf) {
+void sanity_check_nftw(const char* fpath, const struct stat* sb, int tflag, FTW* ftwbuf) {
sanity_check_ftw(fpath, sb, tflag);
ASSERT_EQ('/', fpath[ftwbuf->base - 1]) << fpath;
}
@@ -75,12 +90,12 @@
return 0;
}
-int check_nftw(const char* fpath, const struct stat* sb, int tflag, struct FTW* ftwbuf) {
+int check_nftw(const char* fpath, const struct stat* sb, int tflag, FTW* ftwbuf) {
sanity_check_nftw(fpath, sb, tflag, ftwbuf);
return 0;
}
-int check_nftw64(const char* fpath, const struct stat64* sb, int tflag, struct FTW* ftwbuf) {
+int check_nftw64(const char* fpath, const struct stat64* sb, int tflag, FTW* ftwbuf) {
sanity_check_nftw(fpath, reinterpret_cast<const struct stat*>(sb), tflag, ftwbuf);
return 0;
}
@@ -108,3 +123,33 @@
MakeTree(root.dirname);
ASSERT_EQ(0, nftw64(root.dirname, check_nftw64, 128, 0));
}
+
+template <typename StatT>
+static int bug_28197840_ftw(const char* path, const StatT*, int flag) {
+ EXPECT_EQ(strstr(path, "unreadable") != nullptr ? FTW_DNR : FTW_D, flag) << path;
+ return 0;
+}
+
+template <typename StatT>
+static int bug_28197840_nftw(const char* path, const StatT* sb, int flag, FTW*) {
+ return bug_28197840_ftw(path, sb, flag);
+}
+
+TEST(ftw, bug_28197840) {
+ // Drop root for this test, because root can still read directories even if
+ // permissions would imply otherwise.
+ if (getuid() == 0) {
+ passwd* pwd = getpwnam("shell");
+ ASSERT_EQ(0, setuid(pwd->pw_uid));
+ }
+
+ TemporaryDir root;
+
+ std::string path = android::base::StringPrintf("%s/unreadable-directory", root.dirname);
+ ASSERT_EQ(0, mkdir(path.c_str(), 0000)) << path;
+
+ ASSERT_EQ(0, ftw(root.dirname, bug_28197840_ftw<struct stat>, 128));
+ ASSERT_EQ(0, ftw64(root.dirname, bug_28197840_ftw<struct stat64>, 128));
+ ASSERT_EQ(0, nftw(root.dirname, bug_28197840_nftw<struct stat>, 128, FTW_PHYS));
+ ASSERT_EQ(0, nftw64(root.dirname, bug_28197840_nftw<struct stat64>, 128, FTW_PHYS));
+}