Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / compiler-rt / 2d8b3bdb112ebb8ed3f15ee41d4cebcd683b41b0 / . / lib / asan / asan_allocator.cc
blob: 0cd490576166c4b1085ac9d17c26dd94d5673589 [file] [log] [blame]
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]1//===-- asan_allocator.cc ---------------------------------------*- C++ -*-===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file is a part of AddressSanitizer, an address sanity checker.
11//
12// Implementation of ASan's memory allocator.
13// Evey piece of memory (AsanChunk) allocated by the allocator
14// has a left redzone of REDZONE bytes and
15// a right redzone such that the end of the chunk is aligned by REDZONE
16// (i.e. the right redzone is between 0 and REDZONE-1).
17// The left redzone is always poisoned.
18// The right redzone is poisoned on malloc, the body is poisoned on free.
19// Once freed, a chunk is moved to a quarantine (fifo list).
20// After quarantine, a chunk is returned to freelists.
21//
22// The left redzone contains ASan's internal data and the stack trace of
23// the malloc call.
24// Once freed, the body of the chunk contains the stack trace of the free call.
25//
26//===----------------------------------------------------------------------===//
27
28#include "asan_allocator.h"
29#include "asan_interceptors.h"
30#include "asan_interface.h"
31#include "asan_internal.h"
32#include "asan_lock.h"
33#include "asan_mapping.h"
34#include "asan_stats.h"
35#include "asan_thread.h"
36#include "asan_thread_registry.h"
37
38#include <sys/mman.h>
39#include <stdint.h>
40#include <string.h>
41#include <unistd.h>
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]42
43namespace __asan {
44
45#define REDZONE FLAG_redzone
46static const size_t kMinAllocSize = REDZONE * 2;
47static const size_t kMinMmapSize = 4UL << 20; // 4M
48static const uint64_t kMaxAvailableRam = 128ULL << 30; // 128G
49static const size_t kMaxThreadLocalQuarantine = 1 << 20; // 1M
50static const size_t kMaxSizeForThreadLocalFreeList = 1 << 17;
51
52// Size classes less than kMallocSizeClassStep are powers of two.
53// All other size classes are multiples of kMallocSizeClassStep.
54static const size_t kMallocSizeClassStepLog = 26;
55static const size_t kMallocSizeClassStep = 1UL << kMallocSizeClassStepLog;
56
57#if __WORDSIZE == 32
58static const size_t kMaxAllowedMallocSize = 3UL << 30; // 3G
59#else
60static const size_t kMaxAllowedMallocSize = 8UL << 30; // 8G
61#endif
62
63static void OutOfMemoryMessage(const char *mem_type, size_t size) {
64 AsanThread *t = asanThreadRegistry().GetCurrent();
65 CHECK(t);
66 Report("ERROR: AddressSanitizer failed to allocate "
67 "0x%lx (%lu) bytes (%s) in T%d\n",
68 size, size, mem_type, t->tid());
69}
70
71static inline bool IsAligned(uintptr_t a, uintptr_t alignment) {
72 return (a & (alignment - 1)) == 0;
73}
74
75static inline bool IsPowerOfTwo(size_t x) {
76 return (x & (x - 1)) == 0;
77}
78
79static inline size_t Log2(size_t x) {
80 CHECK(IsPowerOfTwo(x));
81 return __builtin_ctzl(x);
82}
83
84static inline size_t RoundUpTo(size_t size, size_t boundary) {
85 CHECK(IsPowerOfTwo(boundary));
86 return (size + boundary - 1) & ~(boundary - 1);
87}
88
89static inline size_t RoundUpToPowerOfTwo(size_t size) {
90 CHECK(size);
91 if (IsPowerOfTwo(size)) return size;
92 size_t up = __WORDSIZE - __builtin_clzl(size);
93 CHECK(size < (1ULL << up));
94 CHECK(size > (1ULL << (up - 1)));
95 return 1UL << up;
96}
97
98static inline size_t SizeClassToSize(uint8_t size_class) {
99 CHECK(size_class < kNumberOfSizeClasses);
100 if (size_class <= kMallocSizeClassStepLog) {
101 return 1UL << size_class;
102 } else {
103 return (size_class - kMallocSizeClassStepLog) * kMallocSizeClassStep;
104 }
105}
106
107static inline uint8_t SizeToSizeClass(size_t size) {
108 uint8_t res = 0;
109 if (size <= kMallocSizeClassStep) {
110 size_t rounded = RoundUpToPowerOfTwo(size);
111 res = Log2(rounded);
112 } else {
113 res = ((size + kMallocSizeClassStep - 1) / kMallocSizeClassStep)
114 + kMallocSizeClassStepLog;
115 }
116 CHECK(res < kNumberOfSizeClasses);
117 CHECK(size <= SizeClassToSize(res));
118 return res;
119}
120
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]121// Given REDZONE bytes, we need to mark first size bytes
122// as addressable and the rest REDZONE-size bytes as unaddressable.
Kostya Serebryany218a9b72011-11-30 18:50:23 +0000[diff] [blame]123static void PoisonHeapPartialRightRedzone(uintptr_t mem, size_t size) {
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]124 CHECK(size <= REDZONE);
125 CHECK(IsAligned(mem, REDZONE));
126 CHECK(IsPowerOfTwo(SHADOW_GRANULARITY));
127 CHECK(IsPowerOfTwo(REDZONE));
128 CHECK(REDZONE >= SHADOW_GRANULARITY);
Kostya Serebryany218a9b72011-11-30 18:50:23 +0000[diff] [blame]129 PoisonShadowPartialRightRedzone(mem, size, REDZONE,
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]130 kAsanHeapRightRedzoneMagic);
131}
132
133static uint8_t *MmapNewPagesAndPoisonShadow(size_t size) {
134 CHECK(IsAligned(size, kPageSize));
135 uint8_t *res = (uint8_t*)asan_mmap(0, size,
136 PROT_READ | PROT_WRITE,
137 MAP_PRIVATE | MAP_ANON, -1, 0);
138 if (res == (uint8_t*)-1) {
139 OutOfMemoryMessage(__FUNCTION__, size);
140 PRINT_CURRENT_STACK();
141 ASAN_DIE;
142 }
143 PoisonShadow((uintptr_t)res, size, kAsanHeapLeftRedzoneMagic);
144 if (FLAG_debug) {
145 Printf("ASAN_MMAP: [%p, %p)\n", res, res + size);
146 }
147 return res;
148}
149
150// Every chunk of memory allocated by this allocator can be in one of 3 states:
151// CHUNK_AVAILABLE: the chunk is in the free list and ready to be allocated.
152// CHUNK_ALLOCATED: the chunk is allocated and not yet freed.
153// CHUNK_QUARANTINE: the chunk was freed and put into quarantine zone.
154//
155// The pseudo state CHUNK_MEMALIGN is used to mark that the address is not
156// the beginning of a AsanChunk (in which case 'next' contains the address
157// of the AsanChunk).
158//
159// The magic numbers for the enum values are taken randomly.
160enum {
161 CHUNK_AVAILABLE = 0x573B,
162 CHUNK_ALLOCATED = 0x3204,
163 CHUNK_QUARANTINE = 0x1978,
164 CHUNK_MEMALIGN = 0xDC68,
165};
166
167struct ChunkBase {
168 uint16_t chunk_state;
169 uint8_t size_class;
170 uint32_t offset; // User-visible memory starts at this+offset (beg()).
171 int32_t alloc_tid;
172 int32_t free_tid;
173 size_t used_size; // Size requested by the user.
174 AsanChunk *next;
175
176 uintptr_t beg() { return (uintptr_t)this + offset; }
177 size_t Size() { return SizeClassToSize(size_class); }
178 uint8_t SizeClass() { return size_class; }
179};
180
181struct AsanChunk: public ChunkBase {
182 uint32_t *compressed_alloc_stack() {
183 CHECK(REDZONE >= sizeof(ChunkBase));
184 return (uint32_t*)((uintptr_t)this + sizeof(ChunkBase));
185 }
186 uint32_t *compressed_free_stack() {
187 CHECK(REDZONE >= sizeof(ChunkBase));
188 return (uint32_t*)((uintptr_t)this + REDZONE);
189 }
190
191 // The left redzone after the ChunkBase is given to the alloc stack trace.
192 size_t compressed_alloc_stack_size() {
193 return (REDZONE - sizeof(ChunkBase)) / sizeof(uint32_t);
194 }
195 size_t compressed_free_stack_size() {
196 return (REDZONE) / sizeof(uint32_t);
197 }
198
199 bool AddrIsInside(uintptr_t addr, size_t access_size, size_t *offset) {
200 if (addr >= beg() && (addr + access_size) <= (beg() + used_size)) {
201 *offset = addr - beg();
202 return true;
203 }
204 return false;
205 }
206
207 bool AddrIsAtLeft(uintptr_t addr, size_t access_size, size_t *offset) {
208 if (addr < beg()) {
209 *offset = beg() - addr;
210 return true;
211 }
212 return false;
213 }
214
215 bool AddrIsAtRight(uintptr_t addr, size_t access_size, size_t *offset) {
216 if (addr + access_size >= beg() + used_size) {
217 if (addr <= beg() + used_size)
218 *offset = 0;
219 else
220 *offset = addr - (beg() + used_size);
221 return true;
222 }
223 return false;
224 }
225
226 void DescribeAddress(uintptr_t addr, size_t access_size) {
227 size_t offset;
228 Printf("%p is located ", addr);
229 if (AddrIsInside(addr, access_size, &offset)) {
230 Printf("%ld bytes inside of", offset);
231 } else if (AddrIsAtLeft(addr, access_size, &offset)) {
232 Printf("%ld bytes to the left of", offset);
233 } else if (AddrIsAtRight(addr, access_size, &offset)) {
234 Printf("%ld bytes to the right of", offset);
235 } else {
236 Printf(" somewhere around (this is AddressSanitizer bug!)");
237 }
238 Printf(" %lu-byte region [%p,%p)\n",
239 used_size, beg(), beg() + used_size);
240 }
241};
242
243static AsanChunk *PtrToChunk(uintptr_t ptr) {
244 AsanChunk *m = (AsanChunk*)(ptr - REDZONE);
245 if (m->chunk_state == CHUNK_MEMALIGN) {
246 m = m->next;
247 }
248 return m;
249}
250
251
252void AsanChunkFifoList::PushList(AsanChunkFifoList *q) {
253 if (last_) {
254 CHECK(first_);
255 CHECK(!last_->next);
256 last_->next = q->first_;
257 last_ = q->last_;
258 } else {
259 CHECK(!first_);
260 last_ = q->last_;
261 first_ = q->first_;
262 }
263 size_ += q->size();
264 q->clear();
265}
266
267void AsanChunkFifoList::Push(AsanChunk *n) {
268 CHECK(n->next == NULL);
269 if (last_) {
270 CHECK(first_);
271 CHECK(!last_->next);
272 last_->next = n;
273 last_ = n;
274 } else {
275 CHECK(!first_);
276 last_ = first_ = n;
277 }
278 size_ += n->Size();
279}
280
281// Interesting performance observation: this function takes up to 15% of overal
282// allocator time. That's because *first_ has been evicted from cache long time
283// ago. Not sure if we can or want to do anything with this.
284AsanChunk *AsanChunkFifoList::Pop() {
285 CHECK(first_);
286 AsanChunk *res = first_;
287 first_ = first_->next;
288 if (first_ == NULL)
289 last_ = NULL;
290 CHECK(size_ >= res->Size());
291 size_ -= res->Size();
292 if (last_) {
293 CHECK(!last_->next);
294 }
295 return res;
296}
297
298// All pages we ever allocated.
299struct PageGroup {
300 uintptr_t beg;
301 uintptr_t end;
302 size_t size_of_chunk;
303 uintptr_t last_chunk;
304 bool InRange(uintptr_t addr) {
305 return addr >= beg && addr < end;
306 }
307};
308
309class MallocInfo {
310 public:
311
312 explicit MallocInfo(LinkerInitialized x) : mu_(x) { }
313
314 AsanChunk *AllocateChunks(uint8_t size_class, size_t n_chunks) {
315 AsanChunk *m = NULL;
316 AsanChunk **fl = &free_lists_[size_class];
317 {
318 ScopedLock lock(&mu_);
319 for (size_t i = 0; i < n_chunks; i++) {
320 if (!(*fl)) {
321 *fl = GetNewChunks(size_class);
322 }
323 AsanChunk *t = *fl;
324 *fl = t->next;
325 t->next = m;
326 CHECK(t->chunk_state == CHUNK_AVAILABLE);
327 m = t;
328 }
329 }
330 return m;
331 }
332
333 void SwallowThreadLocalMallocStorage(AsanThreadLocalMallocStorage *x,
334 bool eat_free_lists) {
335 CHECK(FLAG_quarantine_size > 0);
336 ScopedLock lock(&mu_);
337 AsanChunkFifoList *q = &x->quarantine_;
338 if (q->size() > 0) {
339 quarantine_.PushList(q);
340 while (quarantine_.size() > FLAG_quarantine_size) {
341 QuarantinePop();
342 }
343 }
344 if (eat_free_lists) {
345 for (size_t size_class = 0; size_class < kNumberOfSizeClasses;
346 size_class++) {
347 AsanChunk *m = x->free_lists_[size_class];
348 while (m) {
349 AsanChunk *t = m->next;
350 m->next = free_lists_[size_class];
351 free_lists_[size_class] = m;
352 m = t;
353 }
354 x->free_lists_[size_class] = 0;
355 }
356 }
357 }
358
359 void BypassThreadLocalQuarantine(AsanChunk *chunk) {
360 ScopedLock lock(&mu_);
361 quarantine_.Push(chunk);
362 }
363
364 AsanChunk *FindMallocedOrFreed(uintptr_t addr, size_t access_size) {
365 ScopedLock lock(&mu_);
366 return FindChunkByAddr(addr);
367 }
368
369 // TODO(glider): AllocationSize() may become very slow if the size of
370 // page_groups_ grows. This can be fixed by increasing kMinMmapSize,
371 // but a better solution is to speed up the search somehow.
372 size_t AllocationSize(uintptr_t ptr) {
373 ScopedLock lock(&mu_);
374
375 // first, check if this is our memory
376 PageGroup *g = FindPageGroupUnlocked(ptr);
377 if (!g) return 0;
378 AsanChunk *m = PtrToChunk(ptr);
379 if (m->chunk_state == CHUNK_ALLOCATED) {
380 return m->used_size;
381 } else {
382 return 0;
383 }
384 }
385
386 void ForceLock() {
387 mu_.Lock();
388 }
389
390 void ForceUnlock() {
391 mu_.Unlock();
392 }
393
394 void PrintStatus() {
395 ScopedLock lock(&mu_);
396 size_t malloced = 0;
397
398 Printf(" MallocInfo: in quarantine: %ld malloced: %ld; ",
399 quarantine_.size() >> 20, malloced >> 20);
400 for (size_t j = 1; j < kNumberOfSizeClasses; j++) {
401 AsanChunk *i = free_lists_[j];
402 if (!i) continue;
403 size_t t = 0;
404 for (; i; i = i->next) {
405 t += i->Size();
406 }
407 Printf("%ld:%ld ", j, t >> 20);
408 }
409 Printf("\n");
410 }
411
412 PageGroup *FindPageGroup(uintptr_t addr) {
413 ScopedLock lock(&mu_);
414 return FindPageGroupUnlocked(addr);
415 }
416
417 private:
418 PageGroup *FindPageGroupUnlocked(uintptr_t addr) {
419 for (int i = 0; i < n_page_groups_; i++) {
420 PageGroup *g = page_groups_[i];
421 if (g->InRange(addr)) {
422 return g;
423 }
424 }
425 return NULL;
426 }
427
428 // We have an address between two chunks, and we want to report just one.
429 AsanChunk *ChooseChunk(uintptr_t addr,
430 AsanChunk *left_chunk, AsanChunk *right_chunk) {
431 // Prefer an allocated chunk or a chunk from quarantine.
432 if (left_chunk->chunk_state == CHUNK_AVAILABLE &&
433 right_chunk->chunk_state != CHUNK_AVAILABLE)
434 return right_chunk;
435 if (right_chunk->chunk_state == CHUNK_AVAILABLE &&
436 left_chunk->chunk_state != CHUNK_AVAILABLE)
437 return left_chunk;
438 // Choose based on offset.
Daniel Dunbar514cebb2011-12-02 01:36:38 +0000[diff] [blame]439 size_t l_offset = 0, r_offset = 0;
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]440 CHECK(left_chunk->AddrIsAtRight(addr, 1, &l_offset));
441 CHECK(right_chunk->AddrIsAtLeft(addr, 1, &r_offset));
442 if (l_offset < r_offset)
443 return left_chunk;
444 return right_chunk;
445 }
446
447 AsanChunk *FindChunkByAddr(uintptr_t addr) {
448 PageGroup *g = FindPageGroupUnlocked(addr);
449 if (!g) return 0;
450 CHECK(g->size_of_chunk);
451 uintptr_t offset_from_beg = addr - g->beg;
452 uintptr_t this_chunk_addr = g->beg +
453 (offset_from_beg / g->size_of_chunk) * g->size_of_chunk;
454 CHECK(g->InRange(this_chunk_addr));
455 AsanChunk *m = (AsanChunk*)this_chunk_addr;
456 CHECK(m->chunk_state == CHUNK_ALLOCATED ||
457 m->chunk_state == CHUNK_AVAILABLE ||
458 m->chunk_state == CHUNK_QUARANTINE);
Daniel Dunbar514cebb2011-12-02 01:36:38 +0000[diff] [blame]459 size_t offset = 0;
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]460 if (m->AddrIsInside(addr, 1, &offset))
461 return m;
462
463 if (m->AddrIsAtRight(addr, 1, &offset)) {
464 if (this_chunk_addr == g->last_chunk) // rightmost chunk
465 return m;
466 uintptr_t right_chunk_addr = this_chunk_addr + g->size_of_chunk;
467 CHECK(g->InRange(right_chunk_addr));
468 return ChooseChunk(addr, m, (AsanChunk*)right_chunk_addr);
469 } else {
470 CHECK(m->AddrIsAtLeft(addr, 1, &offset));
471 if (this_chunk_addr == g->beg) // leftmost chunk
472 return m;
473 uintptr_t left_chunk_addr = this_chunk_addr - g->size_of_chunk;
474 CHECK(g->InRange(left_chunk_addr));
475 return ChooseChunk(addr, (AsanChunk*)left_chunk_addr, m);
476 }
477 }
478
479 void QuarantinePop() {
480 CHECK(quarantine_.size() > 0);
481 AsanChunk *m = quarantine_.Pop();
482 CHECK(m);
483 // if (F_v >= 2) Printf("MallocInfo::pop %p\n", m);
484
485 CHECK(m->chunk_state == CHUNK_QUARANTINE);
486 m->chunk_state = CHUNK_AVAILABLE;
487 CHECK(m->alloc_tid >= 0);
488 CHECK(m->free_tid >= 0);
489
490 size_t size_class = m->SizeClass();
491 m->next = free_lists_[size_class];
492 free_lists_[size_class] = m;
493
494 if (FLAG_stats) {
495 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
496 thread_stats.real_frees++;
497 thread_stats.really_freed += m->used_size;
498 thread_stats.really_freed_redzones += m->Size() - m->used_size;
499 thread_stats.really_freed_by_size[m->SizeClass()]++;
500 }
501 }
502
503 // Get a list of newly allocated chunks.
504 AsanChunk *GetNewChunks(uint8_t size_class) {
505 size_t size = SizeClassToSize(size_class);
506 CHECK(IsPowerOfTwo(kMinMmapSize));
507 CHECK(size < kMinMmapSize || (size % kMinMmapSize) == 0);
Kostya Serebryany2d8b3bd2011-12-02 18:42:04 +0000[diff] [blame^]508 size_t mmap_size = Max(size, kMinMmapSize);
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]509 size_t n_chunks = mmap_size / size;
510 CHECK(n_chunks * size == mmap_size);
511 if (size < kPageSize) {
512 // Size is small, just poison the last chunk.
513 n_chunks--;
514 } else {
515 // Size is large, allocate an extra page at right and poison it.
516 mmap_size += kPageSize;
517 }
518 CHECK(n_chunks > 0);
519 uint8_t *mem = MmapNewPagesAndPoisonShadow(mmap_size);
520 if (FLAG_stats) {
521 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
522 thread_stats.mmaps++;
523 thread_stats.mmaped += mmap_size;
524 thread_stats.mmaped_by_size[size_class] += n_chunks;
525 }
526 AsanChunk *res = NULL;
527 for (size_t i = 0; i < n_chunks; i++) {
528 AsanChunk *m = (AsanChunk*)(mem + i * size);
529 m->chunk_state = CHUNK_AVAILABLE;
530 m->size_class = size_class;
531 m->next = res;
532 res = m;
533 }
534 PageGroup *pg = (PageGroup*)(mem + n_chunks * size);
535 // This memory is already poisoned, no need to poison it again.
536 pg->beg = (uintptr_t)mem;
537 pg->end = pg->beg + mmap_size;
538 pg->size_of_chunk = size;
539 pg->last_chunk = (uintptr_t)(mem + size * (n_chunks - 1));
540 int page_group_idx = AtomicInc(&n_page_groups_) - 1;
541 CHECK(page_group_idx < (int)ASAN_ARRAY_SIZE(page_groups_));
542 page_groups_[page_group_idx] = pg;
543 return res;
544 }
545
546 AsanChunk *free_lists_[kNumberOfSizeClasses];
547 AsanChunkFifoList quarantine_;
548 AsanLock mu_;
549
550 PageGroup *page_groups_[kMaxAvailableRam / kMinMmapSize];
551 int n_page_groups_; // atomic
552};
553
554static MallocInfo malloc_info(LINKER_INITIALIZED);
555
556void AsanThreadLocalMallocStorage::CommitBack() {
557 malloc_info.SwallowThreadLocalMallocStorage(this, true);
558}
559
560static void Describe(uintptr_t addr, size_t access_size) {
561 AsanChunk *m = malloc_info.FindMallocedOrFreed(addr, access_size);
562 if (!m) return;
563 m->DescribeAddress(addr, access_size);
564 CHECK(m->alloc_tid >= 0);
565 AsanThreadSummary *alloc_thread =
566 asanThreadRegistry().FindByTid(m->alloc_tid);
567 AsanStackTrace alloc_stack;
568 AsanStackTrace::UncompressStack(&alloc_stack, m->compressed_alloc_stack(),
569 m->compressed_alloc_stack_size());
570 AsanThread *t = asanThreadRegistry().GetCurrent();
571 CHECK(t);
572 if (m->free_tid >= 0) {
573 AsanThreadSummary *free_thread =
574 asanThreadRegistry().FindByTid(m->free_tid);
575 Printf("freed by thread T%d here:\n", free_thread->tid());
576 AsanStackTrace free_stack;
577 AsanStackTrace::UncompressStack(&free_stack, m->compressed_free_stack(),
578 m->compressed_free_stack_size());
579 free_stack.PrintStack();
580 Printf("previously allocated by thread T%d here:\n",
581 alloc_thread->tid());
582
583 alloc_stack.PrintStack();
584 t->summary()->Announce();
585 free_thread->Announce();
586 alloc_thread->Announce();
587 } else {
588 Printf("allocated by thread T%d here:\n", alloc_thread->tid());
589 alloc_stack.PrintStack();
590 t->summary()->Announce();
591 alloc_thread->Announce();
592 }
593}
594
595static uint8_t *Allocate(size_t alignment, size_t size, AsanStackTrace *stack) {
596 __asan_init();
597 CHECK(stack);
598 if (size == 0) {
599 size = 1; // TODO(kcc): do something smarter
600 }
601 CHECK(IsPowerOfTwo(alignment));
602 size_t rounded_size = RoundUpTo(size, REDZONE);
603 size_t needed_size = rounded_size + REDZONE;
604 if (alignment > REDZONE) {
605 needed_size += alignment;
606 }
607 CHECK(IsAligned(needed_size, REDZONE));
608 if (size > kMaxAllowedMallocSize || needed_size > kMaxAllowedMallocSize) {
609 Report("WARNING: AddressSanitizer failed to allocate %p bytes\n", size);
610 return 0;
611 }
612
613 uint8_t size_class = SizeToSizeClass(needed_size);
614 size_t size_to_allocate = SizeClassToSize(size_class);
615 CHECK(size_to_allocate >= kMinAllocSize);
616 CHECK(size_to_allocate >= needed_size);
617 CHECK(IsAligned(size_to_allocate, REDZONE));
618
619 if (FLAG_v >= 2) {
620 Printf("Allocate align: %ld size: %ld class: %d real: %ld\n",
621 alignment, size, size_class, size_to_allocate);
622 }
623
624 AsanThread *t = asanThreadRegistry().GetCurrent();
625 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
626 if (FLAG_stats) {
627 thread_stats.mallocs++;
628 thread_stats.malloced += size;
629 thread_stats.malloced_redzones += size_to_allocate - size;
630 thread_stats.malloced_by_size[size_class]++;
631 }
632
633 AsanChunk *m = NULL;
634 if (!t || size_to_allocate >= kMaxSizeForThreadLocalFreeList) {
635 // get directly from global storage.
636 m = malloc_info.AllocateChunks(size_class, 1);
637 if (FLAG_stats) {
638 thread_stats.malloc_large++;
639 }
640 } else {
641 // get from the thread-local storage.
642 AsanChunk **fl = &t->malloc_storage().free_lists_[size_class];
643 if (!*fl) {
644 size_t n_new_chunks = kMaxSizeForThreadLocalFreeList / size_to_allocate;
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]645 *fl = malloc_info.AllocateChunks(size_class, n_new_chunks);
646 if (FLAG_stats) {
647 thread_stats.malloc_small_slow++;
648 }
649 }
650 m = *fl;
651 *fl = (*fl)->next;
652 }
653 CHECK(m);
654 CHECK(m->chunk_state == CHUNK_AVAILABLE);
655 m->chunk_state = CHUNK_ALLOCATED;
656 m->next = NULL;
657 CHECK(m->Size() == size_to_allocate);
658 uintptr_t addr = (uintptr_t)m + REDZONE;
659 CHECK(addr == (uintptr_t)m->compressed_free_stack());
660
661 if (alignment > REDZONE && (addr & (alignment - 1))) {
662 addr = RoundUpTo(addr, alignment);
663 CHECK((addr & (alignment - 1)) == 0);
664 AsanChunk *p = (AsanChunk*)(addr - REDZONE);
665 p->chunk_state = CHUNK_MEMALIGN;
666 p->next = m;
667 }
668 CHECK(m == PtrToChunk(addr));
669 m->used_size = size;
670 m->offset = addr - (uintptr_t)m;
671 CHECK(m->beg() == addr);
672 m->alloc_tid = t ? t->tid() : 0;
673 m->free_tid = AsanThread::kInvalidTid;
674 AsanStackTrace::CompressStack(stack, m->compressed_alloc_stack(),
675 m->compressed_alloc_stack_size());
676 PoisonShadow(addr, rounded_size, 0);
677 if (size < rounded_size) {
Kostya Serebryany218a9b72011-11-30 18:50:23 +0000[diff] [blame]678 PoisonHeapPartialRightRedzone(addr + rounded_size - REDZONE,
679 size & (REDZONE - 1));
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]680 }
681 if (size <= FLAG_max_malloc_fill_size) {
682 real_memset((void*)addr, 0, rounded_size);
683 }
684 return (uint8_t*)addr;
685}
686
687static void Deallocate(uint8_t *ptr, AsanStackTrace *stack) {
688 if (!ptr) return;
689 CHECK(stack);
690
691 if (FLAG_debug) {
692 CHECK(malloc_info.FindPageGroup((uintptr_t)ptr));
693 }
694
695 // Printf("Deallocate %p\n", ptr);
696 AsanChunk *m = PtrToChunk((uintptr_t)ptr);
697 if (m->chunk_state == CHUNK_QUARANTINE) {
698 Printf("attempting double-free on %p:\n", ptr);
699 stack->PrintStack();
700 m->DescribeAddress((uintptr_t)ptr, 1);
701 ShowStatsAndAbort();
702 } else if (m->chunk_state != CHUNK_ALLOCATED) {
703 Printf("attempting free on address which was not malloc()-ed: %p\n", ptr);
704 stack->PrintStack();
705 ShowStatsAndAbort();
706 }
707 CHECK(m->chunk_state == CHUNK_ALLOCATED);
708 CHECK(m->free_tid == AsanThread::kInvalidTid);
709 CHECK(m->alloc_tid >= 0);
710 AsanThread *t = asanThreadRegistry().GetCurrent();
711 m->free_tid = t ? t->tid() : 0;
712 AsanStackTrace::CompressStack(stack, m->compressed_free_stack(),
713 m->compressed_free_stack_size());
714 size_t rounded_size = RoundUpTo(m->used_size, REDZONE);
715 PoisonShadow((uintptr_t)ptr, rounded_size, kAsanHeapFreeMagic);
716
717 if (FLAG_stats) {
718 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
719 thread_stats.frees++;
720 thread_stats.freed += m->used_size;
721 thread_stats.freed_by_size[m->SizeClass()]++;
722 }
723
724 m->chunk_state = CHUNK_QUARANTINE;
725 if (t) {
726 AsanThreadLocalMallocStorage *ms = &t->malloc_storage();
727 CHECK(!m->next);
728 ms->quarantine_.Push(m);
729
730 if (ms->quarantine_.size() > kMaxThreadLocalQuarantine) {
731 malloc_info.SwallowThreadLocalMallocStorage(ms, false);
732 }
733 } else {
734 CHECK(!m->next);
735 malloc_info.BypassThreadLocalQuarantine(m);
736 }
737}
738
739static uint8_t *Reallocate(uint8_t *old_ptr, size_t new_size,
740 AsanStackTrace *stack) {
741 CHECK(old_ptr && new_size);
742 if (FLAG_stats) {
743 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
744 thread_stats.reallocs++;
745 thread_stats.realloced += new_size;
746 }
747 AsanChunk *m = PtrToChunk((uintptr_t)old_ptr);
748 CHECK(m->chunk_state == CHUNK_ALLOCATED);
749 size_t old_size = m->used_size;
Kostya Serebryany2d8b3bd2011-12-02 18:42:04 +0000[diff] [blame^]750 size_t memcpy_size = Min(new_size, old_size);
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]751 uint8_t *new_ptr = Allocate(0, new_size, stack);
752 if (new_ptr) {
753 real_memcpy(new_ptr, old_ptr, memcpy_size);
754 Deallocate(old_ptr, stack);
755 }
756 return new_ptr;
757}
758
759} // namespace __asan
760
761// Malloc hooks declaration.
762// ASAN_NEW_HOOK(ptr, size) is called immediately after
763// allocation of "size" bytes, which returned "ptr".
764// ASAN_DELETE_HOOK(ptr) is called immediately before
765// deallocation of "ptr".
766// If ASAN_NEW_HOOK or ASAN_DELETE_HOOK is defined, user
767// program must provide implementation of this hook.
768// If macro is undefined, the hook is no-op.
769#ifdef ASAN_NEW_HOOK
770extern "C" void ASAN_NEW_HOOK(void *ptr, size_t size);
771#else
772static inline void ASAN_NEW_HOOK(void *ptr, size_t size) { }
773#endif
774
775#ifdef ASAN_DELETE_HOOK
776extern "C" void ASAN_DELETE_HOOK(void *ptr);
777#else
778static inline void ASAN_DELETE_HOOK(void *ptr) { }
779#endif
780
781namespace __asan {
782
783void *asan_memalign(size_t alignment, size_t size, AsanStackTrace *stack) {
784 void *ptr = (void*)Allocate(alignment, size, stack);
785 ASAN_NEW_HOOK(ptr, size);
786 return ptr;
787}
788
789void asan_free(void *ptr, AsanStackTrace *stack) {
790 ASAN_DELETE_HOOK(ptr);
791 Deallocate((uint8_t*)ptr, stack);
792}
793
794void *asan_malloc(size_t size, AsanStackTrace *stack) {
795 void *ptr = (void*)Allocate(0, size, stack);
796 ASAN_NEW_HOOK(ptr, size);
797 return ptr;
798}
799
800void *asan_calloc(size_t nmemb, size_t size, AsanStackTrace *stack) {
801 void *ptr = (void*)Allocate(0, nmemb * size, stack);
802 if (ptr)
803 real_memset(ptr, 0, nmemb * size);
804 ASAN_NEW_HOOK(ptr, nmemb * size);
805 return ptr;
806}
807
808void *asan_realloc(void *p, size_t size, AsanStackTrace *stack) {
809 if (p == NULL) {
810 void *ptr = (void*)Allocate(0, size, stack);
811 ASAN_NEW_HOOK(ptr, size);
812 return ptr;
813 } else if (size == 0) {
814 ASAN_DELETE_HOOK(p);
815 Deallocate((uint8_t*)p, stack);
816 return NULL;
817 }
818 return Reallocate((uint8_t*)p, size, stack);
819}
820
821void *asan_valloc(size_t size, AsanStackTrace *stack) {
822 void *ptr = (void*)Allocate(kPageSize, size, stack);
823 ASAN_NEW_HOOK(ptr, size);
824 return ptr;
825}
826
827void *asan_pvalloc(size_t size, AsanStackTrace *stack) {
828 size = RoundUpTo(size, kPageSize);
829 if (size == 0) {
830 // pvalloc(0) should allocate one page.
831 size = kPageSize;
832 }
833 void *ptr = (void*)Allocate(kPageSize, size, stack);
834 ASAN_NEW_HOOK(ptr, size);
835 return ptr;
836}
837
838int asan_posix_memalign(void **memptr, size_t alignment, size_t size,
839 AsanStackTrace *stack) {
840 void *ptr = Allocate(alignment, size, stack);
841 CHECK(IsAligned((uintptr_t)ptr, alignment));
842 ASAN_NEW_HOOK(ptr, size);
843 *memptr = ptr;
844 return 0;
845}
846
847size_t __asan_mz_size(const void *ptr) {
848 return malloc_info.AllocationSize((uintptr_t)ptr);
849}
850
851void DescribeHeapAddress(uintptr_t addr, uintptr_t access_size) {
852 Describe(addr, access_size);
853}
854
855void __asan_mz_force_lock() {
856 malloc_info.ForceLock();
857}
858
859void __asan_mz_force_unlock() {
860 malloc_info.ForceUnlock();
861}
862
863// ---------------------- Fake stack-------------------- {{{1
864FakeStack::FakeStack() {
865 CHECK(real_memset);
866 real_memset(this, 0, sizeof(*this));
867}
868
869bool FakeStack::AddrIsInSizeClass(uintptr_t addr, size_t size_class) {
870 uintptr_t mem = allocated_size_classes_[size_class];
871 uintptr_t size = ClassMmapSize(size_class);
872 bool res = mem && addr >= mem && addr < mem + size;
873 return res;
874}
875
876uintptr_t FakeStack::AddrIsInFakeStack(uintptr_t addr) {
877 if (!alive_) return 0;
878 for (size_t i = 0; i < kNumberOfSizeClasses; i++) {
879 if (AddrIsInSizeClass(addr, i)) return allocated_size_classes_[i];
880 }
881 return 0;
882}
883
884// We may want to compute this during compilation.
885inline size_t FakeStack::ComputeSizeClass(size_t alloc_size) {
886 size_t rounded_size = RoundUpToPowerOfTwo(alloc_size);
887 size_t log = Log2(rounded_size);
888 CHECK(alloc_size <= (1UL << log));
889 if (!(alloc_size > (1UL << (log-1)))) {
890 Printf("alloc_size %ld log %ld\n", alloc_size, log);
891 }
892 CHECK(alloc_size > (1UL << (log-1)));
893 size_t res = log < kMinStackFrameSizeLog ? 0 : log - kMinStackFrameSizeLog;
894 CHECK(res < kNumberOfSizeClasses);
895 CHECK(ClassSize(res) >= rounded_size);
896 return res;
897}
898
899void FakeFrameFifo::FifoPush(FakeFrame *node) {
900 CHECK(node);
901 node->next = 0;
902 if (first_ == 0 && last_ == 0) {
903 first_ = last_ = node;
904 } else {
905 CHECK(first_);
906 CHECK(last_);
907 last_->next = node;
908 last_ = node;
909 }
910}
911
912FakeFrame *FakeFrameFifo::FifoPop() {
913 CHECK(first_ && last_ && "Exhausted fake stack");
914 FakeFrame *res = 0;
915 if (first_ == last_) {
916 res = first_;
917 first_ = last_ = 0;
918 } else {
919 res = first_;
920 first_ = first_->next;
921 }
922 return res;
923}
924
925void FakeStack::Init(size_t stack_size) {
926 stack_size_ = stack_size;
927 alive_ = true;
928}
929
930void FakeStack::Cleanup() {
931 alive_ = false;
932 for (size_t i = 0; i < kNumberOfSizeClasses; i++) {
933 uintptr_t mem = allocated_size_classes_[i];
934 if (mem) {
935 PoisonShadow(mem, ClassMmapSize(i), 0);
936 allocated_size_classes_[i] = 0;
937 int munmap_res = munmap((void*)mem, ClassMmapSize(i));
938 CHECK(munmap_res == 0);
939 }
940 }
941}
942
943size_t FakeStack::ClassMmapSize(size_t size_class) {
944 return RoundUpToPowerOfTwo(stack_size_);
945}
946
947void FakeStack::AllocateOneSizeClass(size_t size_class) {
948 CHECK(ClassMmapSize(size_class) >= kPageSize);
949 uintptr_t new_mem = (uintptr_t)asan_mmap(0, ClassMmapSize(size_class),
950 PROT_READ | PROT_WRITE,
951 MAP_PRIVATE | MAP_ANON, -1, 0);
952 CHECK(new_mem != (uintptr_t)-1);
953 // Printf("T%d new_mem[%ld]: %p-%p mmap %ld\n",
954 // asanThreadRegistry().GetCurrent()->tid(),
955 // size_class, new_mem, new_mem + ClassMmapSize(size_class),
956 // ClassMmapSize(size_class));
957 size_t i;
958 for (i = 0; i < ClassMmapSize(size_class);
959 i += ClassSize(size_class)) {
960 size_classes_[size_class].FifoPush((FakeFrame*)(new_mem + i));
961 }
962 CHECK(i == ClassMmapSize(size_class));
963 allocated_size_classes_[size_class] = new_mem;
964}
965
966uintptr_t FakeStack::AllocateStack(size_t size, size_t real_stack) {
967 CHECK(alive_);
968 CHECK(size <= kMaxStackMallocSize && size > 1);
969 size_t size_class = ComputeSizeClass(size);
970 if (!allocated_size_classes_[size_class]) {
971 AllocateOneSizeClass(size_class);
972 }
973 FakeFrame *fake_frame = size_classes_[size_class].FifoPop();
974 CHECK(fake_frame);
975 fake_frame->size_minus_one = size - 1;
976 fake_frame->real_stack = real_stack;
977 while (FakeFrame *top = call_stack_.top()) {
978 if (top->real_stack > real_stack) break;
979 call_stack_.LifoPop();
980 DeallocateFrame(top);
981 }
982 call_stack_.LifoPush(fake_frame);
983 uintptr_t ptr = (uintptr_t)fake_frame;
984 PoisonShadow(ptr, size, 0);
985 return ptr;
986}
987
988void FakeStack::DeallocateFrame(FakeFrame *fake_frame) {
989 CHECK(alive_);
990 size_t size = fake_frame->size_minus_one + 1;
991 size_t size_class = ComputeSizeClass(size);
992 CHECK(allocated_size_classes_[size_class]);
993 uintptr_t ptr = (uintptr_t)fake_frame;
994 CHECK(AddrIsInSizeClass(ptr, size_class));
995 CHECK(AddrIsInSizeClass(ptr + size - 1, size_class));
996 size_classes_[size_class].FifoPush(fake_frame);
997}
998
999void FakeStack::OnFree(size_t ptr, size_t size, size_t real_stack) {
1000 FakeFrame *fake_frame = (FakeFrame*)ptr;
1001 CHECK(fake_frame->magic = kRetiredStackFrameMagic);
1002 CHECK(fake_frame->descr != 0);
1003 CHECK(fake_frame->size_minus_one == size - 1);
1004 PoisonShadow(ptr, size, kAsanStackAfterReturnMagic);
1005}
1006
1007} // namespace __asan
1008
1009// ---------------------- Interface ---------------- {{{1
1010using namespace __asan; // NOLINT
1011
1012size_t __asan_stack_malloc(size_t size, size_t real_stack) {
1013 if (!FLAG_use_fake_stack) return real_stack;
1014 AsanThread *t = asanThreadRegistry().GetCurrent();
1015 if (!t) {
1016 // TSD is gone, use the real stack.
1017 return real_stack;
1018 }
1019 size_t ptr = t->fake_stack().AllocateStack(size, real_stack);
1020 // Printf("__asan_stack_malloc %p %ld %p\n", ptr, size, real_stack);
1021 return ptr;
1022}
1023
1024void __asan_stack_free(size_t ptr, size_t size, size_t real_stack) {
1025 if (!FLAG_use_fake_stack) return;
1026 if (ptr != real_stack) {
1027 FakeStack::OnFree(ptr, size, real_stack);
1028 }
1029}
1030
1031// ASan allocator doesn't reserve extra bytes, so normally we would
1032// just return "size".
1033size_t __asan_get_estimated_allocated_size(size_t size) {
1034 if (size == 0) return 1;
Kostya Serebryany2d8b3bd2011-12-02 18:42:04 +0000[diff] [blame^]1035 return Min(size, kMaxAllowedMallocSize);
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]1036}
1037
1038bool __asan_get_ownership(const void *p) {
1039 return (p == NULL) ||
1040 (malloc_info.AllocationSize((uintptr_t)p) > 0);
1041}
1042
1043size_t __asan_get_allocated_size(const void *p) {
1044 if (p == NULL) return 0;
1045 size_t allocated_size = malloc_info.AllocationSize((uintptr_t)p);
1046 // Die if p is not malloced or if it is already freed.
1047 if (allocated_size == 0) {
1048 Printf("__asan_get_allocated_size failed, ptr=%p is not owned\n", p);
1049 PRINT_CURRENT_STACK();
1050 ShowStatsAndAbort();
1051 }
1052 return allocated_size;
1053}