Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / compiler-rt / 4616633bb9e20f66d83bfac70c9afce1922d1eec / . / lib / asan / asan_allocator.cc
blob: 70576ff7f676cab15770f6b91a9f2a2fcd999b5f [file] [log] [blame]
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]1//===-- asan_allocator.cc ---------------------------------------*- C++ -*-===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file is a part of AddressSanitizer, an address sanity checker.
11//
12// Implementation of ASan's memory allocator.
13// Evey piece of memory (AsanChunk) allocated by the allocator
14// has a left redzone of REDZONE bytes and
15// a right redzone such that the end of the chunk is aligned by REDZONE
16// (i.e. the right redzone is between 0 and REDZONE-1).
17// The left redzone is always poisoned.
18// The right redzone is poisoned on malloc, the body is poisoned on free.
19// Once freed, a chunk is moved to a quarantine (fifo list).
20// After quarantine, a chunk is returned to freelists.
21//
22// The left redzone contains ASan's internal data and the stack trace of
23// the malloc call.
24// Once freed, the body of the chunk contains the stack trace of the free call.
25//
26//===----------------------------------------------------------------------===//
27
28#include "asan_allocator.h"
29#include "asan_interceptors.h"
30#include "asan_interface.h"
31#include "asan_internal.h"
32#include "asan_lock.h"
33#include "asan_mapping.h"
34#include "asan_stats.h"
35#include "asan_thread.h"
36#include "asan_thread_registry.h"
37
38#include <sys/mman.h>
39#include <stdint.h>
40#include <string.h>
41#include <unistd.h>
42#include <algorithm>
43
44namespace __asan {
45
46#define REDZONE FLAG_redzone
47static const size_t kMinAllocSize = REDZONE * 2;
48static const size_t kMinMmapSize = 4UL << 20; // 4M
49static const uint64_t kMaxAvailableRam = 128ULL << 30; // 128G
50static const size_t kMaxThreadLocalQuarantine = 1 << 20; // 1M
51static const size_t kMaxSizeForThreadLocalFreeList = 1 << 17;
52
53// Size classes less than kMallocSizeClassStep are powers of two.
54// All other size classes are multiples of kMallocSizeClassStep.
55static const size_t kMallocSizeClassStepLog = 26;
56static const size_t kMallocSizeClassStep = 1UL << kMallocSizeClassStepLog;
57
58#if __WORDSIZE == 32
59static const size_t kMaxAllowedMallocSize = 3UL << 30; // 3G
60#else
61static const size_t kMaxAllowedMallocSize = 8UL << 30; // 8G
62#endif
63
64static void OutOfMemoryMessage(const char *mem_type, size_t size) {
65 AsanThread *t = asanThreadRegistry().GetCurrent();
66 CHECK(t);
67 Report("ERROR: AddressSanitizer failed to allocate "
68 "0x%lx (%lu) bytes (%s) in T%d\n",
69 size, size, mem_type, t->tid());
70}
71
72static inline bool IsAligned(uintptr_t a, uintptr_t alignment) {
73 return (a & (alignment - 1)) == 0;
74}
75
76static inline bool IsPowerOfTwo(size_t x) {
77 return (x & (x - 1)) == 0;
78}
79
80static inline size_t Log2(size_t x) {
81 CHECK(IsPowerOfTwo(x));
82 return __builtin_ctzl(x);
83}
84
85static inline size_t RoundUpTo(size_t size, size_t boundary) {
86 CHECK(IsPowerOfTwo(boundary));
87 return (size + boundary - 1) & ~(boundary - 1);
88}
89
90static inline size_t RoundUpToPowerOfTwo(size_t size) {
91 CHECK(size);
92 if (IsPowerOfTwo(size)) return size;
93 size_t up = __WORDSIZE - __builtin_clzl(size);
94 CHECK(size < (1ULL << up));
95 CHECK(size > (1ULL << (up - 1)));
96 return 1UL << up;
97}
98
99static inline size_t SizeClassToSize(uint8_t size_class) {
100 CHECK(size_class < kNumberOfSizeClasses);
101 if (size_class <= kMallocSizeClassStepLog) {
102 return 1UL << size_class;
103 } else {
104 return (size_class - kMallocSizeClassStepLog) * kMallocSizeClassStep;
105 }
106}
107
108static inline uint8_t SizeToSizeClass(size_t size) {
109 uint8_t res = 0;
110 if (size <= kMallocSizeClassStep) {
111 size_t rounded = RoundUpToPowerOfTwo(size);
112 res = Log2(rounded);
113 } else {
114 res = ((size + kMallocSizeClassStep - 1) / kMallocSizeClassStep)
115 + kMallocSizeClassStepLog;
116 }
117 CHECK(res < kNumberOfSizeClasses);
118 CHECK(size <= SizeClassToSize(res));
119 return res;
120}
121
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]122// Given REDZONE bytes, we need to mark first size bytes
123// as addressable and the rest REDZONE-size bytes as unaddressable.
Kostya Serebryany218a9b72011-11-30 18:50:23 +0000[diff] [blame]124static void PoisonHeapPartialRightRedzone(uintptr_t mem, size_t size) {
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]125 CHECK(size <= REDZONE);
126 CHECK(IsAligned(mem, REDZONE));
127 CHECK(IsPowerOfTwo(SHADOW_GRANULARITY));
128 CHECK(IsPowerOfTwo(REDZONE));
129 CHECK(REDZONE >= SHADOW_GRANULARITY);
Kostya Serebryany218a9b72011-11-30 18:50:23 +0000[diff] [blame]130 PoisonShadowPartialRightRedzone(mem, size, REDZONE,
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]131 kAsanHeapRightRedzoneMagic);
132}
133
134static uint8_t *MmapNewPagesAndPoisonShadow(size_t size) {
135 CHECK(IsAligned(size, kPageSize));
136 uint8_t *res = (uint8_t*)asan_mmap(0, size,
137 PROT_READ | PROT_WRITE,
138 MAP_PRIVATE | MAP_ANON, -1, 0);
139 if (res == (uint8_t*)-1) {
140 OutOfMemoryMessage(__FUNCTION__, size);
141 PRINT_CURRENT_STACK();
142 ASAN_DIE;
143 }
144 PoisonShadow((uintptr_t)res, size, kAsanHeapLeftRedzoneMagic);
145 if (FLAG_debug) {
146 Printf("ASAN_MMAP: [%p, %p)\n", res, res + size);
147 }
148 return res;
149}
150
151// Every chunk of memory allocated by this allocator can be in one of 3 states:
152// CHUNK_AVAILABLE: the chunk is in the free list and ready to be allocated.
153// CHUNK_ALLOCATED: the chunk is allocated and not yet freed.
154// CHUNK_QUARANTINE: the chunk was freed and put into quarantine zone.
155//
156// The pseudo state CHUNK_MEMALIGN is used to mark that the address is not
157// the beginning of a AsanChunk (in which case 'next' contains the address
158// of the AsanChunk).
159//
160// The magic numbers for the enum values are taken randomly.
161enum {
162 CHUNK_AVAILABLE = 0x573B,
163 CHUNK_ALLOCATED = 0x3204,
164 CHUNK_QUARANTINE = 0x1978,
165 CHUNK_MEMALIGN = 0xDC68,
166};
167
168struct ChunkBase {
169 uint16_t chunk_state;
170 uint8_t size_class;
171 uint32_t offset; // User-visible memory starts at this+offset (beg()).
172 int32_t alloc_tid;
173 int32_t free_tid;
174 size_t used_size; // Size requested by the user.
175 AsanChunk *next;
176
177 uintptr_t beg() { return (uintptr_t)this + offset; }
178 size_t Size() { return SizeClassToSize(size_class); }
179 uint8_t SizeClass() { return size_class; }
180};
181
182struct AsanChunk: public ChunkBase {
183 uint32_t *compressed_alloc_stack() {
184 CHECK(REDZONE >= sizeof(ChunkBase));
185 return (uint32_t*)((uintptr_t)this + sizeof(ChunkBase));
186 }
187 uint32_t *compressed_free_stack() {
188 CHECK(REDZONE >= sizeof(ChunkBase));
189 return (uint32_t*)((uintptr_t)this + REDZONE);
190 }
191
192 // The left redzone after the ChunkBase is given to the alloc stack trace.
193 size_t compressed_alloc_stack_size() {
194 return (REDZONE - sizeof(ChunkBase)) / sizeof(uint32_t);
195 }
196 size_t compressed_free_stack_size() {
197 return (REDZONE) / sizeof(uint32_t);
198 }
199
200 bool AddrIsInside(uintptr_t addr, size_t access_size, size_t *offset) {
201 if (addr >= beg() && (addr + access_size) <= (beg() + used_size)) {
202 *offset = addr - beg();
203 return true;
204 }
205 return false;
206 }
207
208 bool AddrIsAtLeft(uintptr_t addr, size_t access_size, size_t *offset) {
209 if (addr < beg()) {
210 *offset = beg() - addr;
211 return true;
212 }
213 return false;
214 }
215
216 bool AddrIsAtRight(uintptr_t addr, size_t access_size, size_t *offset) {
217 if (addr + access_size >= beg() + used_size) {
218 if (addr <= beg() + used_size)
219 *offset = 0;
220 else
221 *offset = addr - (beg() + used_size);
222 return true;
223 }
224 return false;
225 }
226
227 void DescribeAddress(uintptr_t addr, size_t access_size) {
228 size_t offset;
229 Printf("%p is located ", addr);
230 if (AddrIsInside(addr, access_size, &offset)) {
231 Printf("%ld bytes inside of", offset);
232 } else if (AddrIsAtLeft(addr, access_size, &offset)) {
233 Printf("%ld bytes to the left of", offset);
234 } else if (AddrIsAtRight(addr, access_size, &offset)) {
235 Printf("%ld bytes to the right of", offset);
236 } else {
237 Printf(" somewhere around (this is AddressSanitizer bug!)");
238 }
239 Printf(" %lu-byte region [%p,%p)\n",
240 used_size, beg(), beg() + used_size);
241 }
242};
243
244static AsanChunk *PtrToChunk(uintptr_t ptr) {
245 AsanChunk *m = (AsanChunk*)(ptr - REDZONE);
246 if (m->chunk_state == CHUNK_MEMALIGN) {
247 m = m->next;
248 }
249 return m;
250}
251
252
253void AsanChunkFifoList::PushList(AsanChunkFifoList *q) {
254 if (last_) {
255 CHECK(first_);
256 CHECK(!last_->next);
257 last_->next = q->first_;
258 last_ = q->last_;
259 } else {
260 CHECK(!first_);
261 last_ = q->last_;
262 first_ = q->first_;
263 }
264 size_ += q->size();
265 q->clear();
266}
267
268void AsanChunkFifoList::Push(AsanChunk *n) {
269 CHECK(n->next == NULL);
270 if (last_) {
271 CHECK(first_);
272 CHECK(!last_->next);
273 last_->next = n;
274 last_ = n;
275 } else {
276 CHECK(!first_);
277 last_ = first_ = n;
278 }
279 size_ += n->Size();
280}
281
282// Interesting performance observation: this function takes up to 15% of overal
283// allocator time. That's because *first_ has been evicted from cache long time
284// ago. Not sure if we can or want to do anything with this.
285AsanChunk *AsanChunkFifoList::Pop() {
286 CHECK(first_);
287 AsanChunk *res = first_;
288 first_ = first_->next;
289 if (first_ == NULL)
290 last_ = NULL;
291 CHECK(size_ >= res->Size());
292 size_ -= res->Size();
293 if (last_) {
294 CHECK(!last_->next);
295 }
296 return res;
297}
298
299// All pages we ever allocated.
300struct PageGroup {
301 uintptr_t beg;
302 uintptr_t end;
303 size_t size_of_chunk;
304 uintptr_t last_chunk;
305 bool InRange(uintptr_t addr) {
306 return addr >= beg && addr < end;
307 }
308};
309
310class MallocInfo {
311 public:
312
313 explicit MallocInfo(LinkerInitialized x) : mu_(x) { }
314
315 AsanChunk *AllocateChunks(uint8_t size_class, size_t n_chunks) {
316 AsanChunk *m = NULL;
317 AsanChunk **fl = &free_lists_[size_class];
318 {
319 ScopedLock lock(&mu_);
320 for (size_t i = 0; i < n_chunks; i++) {
321 if (!(*fl)) {
322 *fl = GetNewChunks(size_class);
323 }
324 AsanChunk *t = *fl;
325 *fl = t->next;
326 t->next = m;
327 CHECK(t->chunk_state == CHUNK_AVAILABLE);
328 m = t;
329 }
330 }
331 return m;
332 }
333
334 void SwallowThreadLocalMallocStorage(AsanThreadLocalMallocStorage *x,
335 bool eat_free_lists) {
336 CHECK(FLAG_quarantine_size > 0);
337 ScopedLock lock(&mu_);
338 AsanChunkFifoList *q = &x->quarantine_;
339 if (q->size() > 0) {
340 quarantine_.PushList(q);
341 while (quarantine_.size() > FLAG_quarantine_size) {
342 QuarantinePop();
343 }
344 }
345 if (eat_free_lists) {
346 for (size_t size_class = 0; size_class < kNumberOfSizeClasses;
347 size_class++) {
348 AsanChunk *m = x->free_lists_[size_class];
349 while (m) {
350 AsanChunk *t = m->next;
351 m->next = free_lists_[size_class];
352 free_lists_[size_class] = m;
353 m = t;
354 }
355 x->free_lists_[size_class] = 0;
356 }
357 }
358 }
359
360 void BypassThreadLocalQuarantine(AsanChunk *chunk) {
361 ScopedLock lock(&mu_);
362 quarantine_.Push(chunk);
363 }
364
365 AsanChunk *FindMallocedOrFreed(uintptr_t addr, size_t access_size) {
366 ScopedLock lock(&mu_);
367 return FindChunkByAddr(addr);
368 }
369
370 // TODO(glider): AllocationSize() may become very slow if the size of
371 // page_groups_ grows. This can be fixed by increasing kMinMmapSize,
372 // but a better solution is to speed up the search somehow.
373 size_t AllocationSize(uintptr_t ptr) {
374 ScopedLock lock(&mu_);
375
376 // first, check if this is our memory
377 PageGroup *g = FindPageGroupUnlocked(ptr);
378 if (!g) return 0;
379 AsanChunk *m = PtrToChunk(ptr);
380 if (m->chunk_state == CHUNK_ALLOCATED) {
381 return m->used_size;
382 } else {
383 return 0;
384 }
385 }
386
387 void ForceLock() {
388 mu_.Lock();
389 }
390
391 void ForceUnlock() {
392 mu_.Unlock();
393 }
394
395 void PrintStatus() {
396 ScopedLock lock(&mu_);
397 size_t malloced = 0;
398
399 Printf(" MallocInfo: in quarantine: %ld malloced: %ld; ",
400 quarantine_.size() >> 20, malloced >> 20);
401 for (size_t j = 1; j < kNumberOfSizeClasses; j++) {
402 AsanChunk *i = free_lists_[j];
403 if (!i) continue;
404 size_t t = 0;
405 for (; i; i = i->next) {
406 t += i->Size();
407 }
408 Printf("%ld:%ld ", j, t >> 20);
409 }
410 Printf("\n");
411 }
412
413 PageGroup *FindPageGroup(uintptr_t addr) {
414 ScopedLock lock(&mu_);
415 return FindPageGroupUnlocked(addr);
416 }
417
418 private:
419 PageGroup *FindPageGroupUnlocked(uintptr_t addr) {
420 for (int i = 0; i < n_page_groups_; i++) {
421 PageGroup *g = page_groups_[i];
422 if (g->InRange(addr)) {
423 return g;
424 }
425 }
426 return NULL;
427 }
428
429 // We have an address between two chunks, and we want to report just one.
430 AsanChunk *ChooseChunk(uintptr_t addr,
431 AsanChunk *left_chunk, AsanChunk *right_chunk) {
432 // Prefer an allocated chunk or a chunk from quarantine.
433 if (left_chunk->chunk_state == CHUNK_AVAILABLE &&
434 right_chunk->chunk_state != CHUNK_AVAILABLE)
435 return right_chunk;
436 if (right_chunk->chunk_state == CHUNK_AVAILABLE &&
437 left_chunk->chunk_state != CHUNK_AVAILABLE)
438 return left_chunk;
439 // Choose based on offset.
440 uintptr_t l_offset = 0, r_offset = 0;
441 CHECK(left_chunk->AddrIsAtRight(addr, 1, &l_offset));
442 CHECK(right_chunk->AddrIsAtLeft(addr, 1, &r_offset));
443 if (l_offset < r_offset)
444 return left_chunk;
445 return right_chunk;
446 }
447
448 AsanChunk *FindChunkByAddr(uintptr_t addr) {
449 PageGroup *g = FindPageGroupUnlocked(addr);
450 if (!g) return 0;
451 CHECK(g->size_of_chunk);
452 uintptr_t offset_from_beg = addr - g->beg;
453 uintptr_t this_chunk_addr = g->beg +
454 (offset_from_beg / g->size_of_chunk) * g->size_of_chunk;
455 CHECK(g->InRange(this_chunk_addr));
456 AsanChunk *m = (AsanChunk*)this_chunk_addr;
457 CHECK(m->chunk_state == CHUNK_ALLOCATED ||
458 m->chunk_state == CHUNK_AVAILABLE ||
459 m->chunk_state == CHUNK_QUARANTINE);
460 uintptr_t offset = 0;
461 if (m->AddrIsInside(addr, 1, &offset))
462 return m;
463
464 if (m->AddrIsAtRight(addr, 1, &offset)) {
465 if (this_chunk_addr == g->last_chunk) // rightmost chunk
466 return m;
467 uintptr_t right_chunk_addr = this_chunk_addr + g->size_of_chunk;
468 CHECK(g->InRange(right_chunk_addr));
469 return ChooseChunk(addr, m, (AsanChunk*)right_chunk_addr);
470 } else {
471 CHECK(m->AddrIsAtLeft(addr, 1, &offset));
472 if (this_chunk_addr == g->beg) // leftmost chunk
473 return m;
474 uintptr_t left_chunk_addr = this_chunk_addr - g->size_of_chunk;
475 CHECK(g->InRange(left_chunk_addr));
476 return ChooseChunk(addr, (AsanChunk*)left_chunk_addr, m);
477 }
478 }
479
480 void QuarantinePop() {
481 CHECK(quarantine_.size() > 0);
482 AsanChunk *m = quarantine_.Pop();
483 CHECK(m);
484 // if (F_v >= 2) Printf("MallocInfo::pop %p\n", m);
485
486 CHECK(m->chunk_state == CHUNK_QUARANTINE);
487 m->chunk_state = CHUNK_AVAILABLE;
488 CHECK(m->alloc_tid >= 0);
489 CHECK(m->free_tid >= 0);
490
491 size_t size_class = m->SizeClass();
492 m->next = free_lists_[size_class];
493 free_lists_[size_class] = m;
494
495 if (FLAG_stats) {
496 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
497 thread_stats.real_frees++;
498 thread_stats.really_freed += m->used_size;
499 thread_stats.really_freed_redzones += m->Size() - m->used_size;
500 thread_stats.really_freed_by_size[m->SizeClass()]++;
501 }
502 }
503
504 // Get a list of newly allocated chunks.
505 AsanChunk *GetNewChunks(uint8_t size_class) {
506 size_t size = SizeClassToSize(size_class);
507 CHECK(IsPowerOfTwo(kMinMmapSize));
508 CHECK(size < kMinMmapSize || (size % kMinMmapSize) == 0);
509 size_t mmap_size = std::max(size, kMinMmapSize);
510 size_t n_chunks = mmap_size / size;
511 CHECK(n_chunks * size == mmap_size);
512 if (size < kPageSize) {
513 // Size is small, just poison the last chunk.
514 n_chunks--;
515 } else {
516 // Size is large, allocate an extra page at right and poison it.
517 mmap_size += kPageSize;
518 }
519 CHECK(n_chunks > 0);
520 uint8_t *mem = MmapNewPagesAndPoisonShadow(mmap_size);
521 if (FLAG_stats) {
522 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
523 thread_stats.mmaps++;
524 thread_stats.mmaped += mmap_size;
525 thread_stats.mmaped_by_size[size_class] += n_chunks;
526 }
527 AsanChunk *res = NULL;
528 for (size_t i = 0; i < n_chunks; i++) {
529 AsanChunk *m = (AsanChunk*)(mem + i * size);
530 m->chunk_state = CHUNK_AVAILABLE;
531 m->size_class = size_class;
532 m->next = res;
533 res = m;
534 }
535 PageGroup *pg = (PageGroup*)(mem + n_chunks * size);
536 // This memory is already poisoned, no need to poison it again.
537 pg->beg = (uintptr_t)mem;
538 pg->end = pg->beg + mmap_size;
539 pg->size_of_chunk = size;
540 pg->last_chunk = (uintptr_t)(mem + size * (n_chunks - 1));
541 int page_group_idx = AtomicInc(&n_page_groups_) - 1;
542 CHECK(page_group_idx < (int)ASAN_ARRAY_SIZE(page_groups_));
543 page_groups_[page_group_idx] = pg;
544 return res;
545 }
546
547 AsanChunk *free_lists_[kNumberOfSizeClasses];
548 AsanChunkFifoList quarantine_;
549 AsanLock mu_;
550
551 PageGroup *page_groups_[kMaxAvailableRam / kMinMmapSize];
552 int n_page_groups_; // atomic
553};
554
555static MallocInfo malloc_info(LINKER_INITIALIZED);
556
557void AsanThreadLocalMallocStorage::CommitBack() {
558 malloc_info.SwallowThreadLocalMallocStorage(this, true);
559}
560
561static void Describe(uintptr_t addr, size_t access_size) {
562 AsanChunk *m = malloc_info.FindMallocedOrFreed(addr, access_size);
563 if (!m) return;
564 m->DescribeAddress(addr, access_size);
565 CHECK(m->alloc_tid >= 0);
566 AsanThreadSummary *alloc_thread =
567 asanThreadRegistry().FindByTid(m->alloc_tid);
568 AsanStackTrace alloc_stack;
569 AsanStackTrace::UncompressStack(&alloc_stack, m->compressed_alloc_stack(),
570 m->compressed_alloc_stack_size());
571 AsanThread *t = asanThreadRegistry().GetCurrent();
572 CHECK(t);
573 if (m->free_tid >= 0) {
574 AsanThreadSummary *free_thread =
575 asanThreadRegistry().FindByTid(m->free_tid);
576 Printf("freed by thread T%d here:\n", free_thread->tid());
577 AsanStackTrace free_stack;
578 AsanStackTrace::UncompressStack(&free_stack, m->compressed_free_stack(),
579 m->compressed_free_stack_size());
580 free_stack.PrintStack();
581 Printf("previously allocated by thread T%d here:\n",
582 alloc_thread->tid());
583
584 alloc_stack.PrintStack();
585 t->summary()->Announce();
586 free_thread->Announce();
587 alloc_thread->Announce();
588 } else {
589 Printf("allocated by thread T%d here:\n", alloc_thread->tid());
590 alloc_stack.PrintStack();
591 t->summary()->Announce();
592 alloc_thread->Announce();
593 }
594}
595
596static uint8_t *Allocate(size_t alignment, size_t size, AsanStackTrace *stack) {
597 __asan_init();
598 CHECK(stack);
599 if (size == 0) {
600 size = 1; // TODO(kcc): do something smarter
601 }
602 CHECK(IsPowerOfTwo(alignment));
603 size_t rounded_size = RoundUpTo(size, REDZONE);
604 size_t needed_size = rounded_size + REDZONE;
605 if (alignment > REDZONE) {
606 needed_size += alignment;
607 }
608 CHECK(IsAligned(needed_size, REDZONE));
609 if (size > kMaxAllowedMallocSize || needed_size > kMaxAllowedMallocSize) {
610 Report("WARNING: AddressSanitizer failed to allocate %p bytes\n", size);
611 return 0;
612 }
613
614 uint8_t size_class = SizeToSizeClass(needed_size);
615 size_t size_to_allocate = SizeClassToSize(size_class);
616 CHECK(size_to_allocate >= kMinAllocSize);
617 CHECK(size_to_allocate >= needed_size);
618 CHECK(IsAligned(size_to_allocate, REDZONE));
619
620 if (FLAG_v >= 2) {
621 Printf("Allocate align: %ld size: %ld class: %d real: %ld\n",
622 alignment, size, size_class, size_to_allocate);
623 }
624
625 AsanThread *t = asanThreadRegistry().GetCurrent();
626 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
627 if (FLAG_stats) {
628 thread_stats.mallocs++;
629 thread_stats.malloced += size;
630 thread_stats.malloced_redzones += size_to_allocate - size;
631 thread_stats.malloced_by_size[size_class]++;
632 }
633
634 AsanChunk *m = NULL;
635 if (!t || size_to_allocate >= kMaxSizeForThreadLocalFreeList) {
636 // get directly from global storage.
637 m = malloc_info.AllocateChunks(size_class, 1);
638 if (FLAG_stats) {
639 thread_stats.malloc_large++;
640 }
641 } else {
642 // get from the thread-local storage.
643 AsanChunk **fl = &t->malloc_storage().free_lists_[size_class];
644 if (!*fl) {
645 size_t n_new_chunks = kMaxSizeForThreadLocalFreeList / size_to_allocate;
646 // n_new_chunks = std::min((size_t)32, n_new_chunks);
647 *fl = malloc_info.AllocateChunks(size_class, n_new_chunks);
648 if (FLAG_stats) {
649 thread_stats.malloc_small_slow++;
650 }
651 }
652 m = *fl;
653 *fl = (*fl)->next;
654 }
655 CHECK(m);
656 CHECK(m->chunk_state == CHUNK_AVAILABLE);
657 m->chunk_state = CHUNK_ALLOCATED;
658 m->next = NULL;
659 CHECK(m->Size() == size_to_allocate);
660 uintptr_t addr = (uintptr_t)m + REDZONE;
661 CHECK(addr == (uintptr_t)m->compressed_free_stack());
662
663 if (alignment > REDZONE && (addr & (alignment - 1))) {
664 addr = RoundUpTo(addr, alignment);
665 CHECK((addr & (alignment - 1)) == 0);
666 AsanChunk *p = (AsanChunk*)(addr - REDZONE);
667 p->chunk_state = CHUNK_MEMALIGN;
668 p->next = m;
669 }
670 CHECK(m == PtrToChunk(addr));
671 m->used_size = size;
672 m->offset = addr - (uintptr_t)m;
673 CHECK(m->beg() == addr);
674 m->alloc_tid = t ? t->tid() : 0;
675 m->free_tid = AsanThread::kInvalidTid;
676 AsanStackTrace::CompressStack(stack, m->compressed_alloc_stack(),
677 m->compressed_alloc_stack_size());
678 PoisonShadow(addr, rounded_size, 0);
679 if (size < rounded_size) {
Kostya Serebryany218a9b72011-11-30 18:50:23 +0000[diff] [blame]680 PoisonHeapPartialRightRedzone(addr + rounded_size - REDZONE,
681 size & (REDZONE - 1));
Kostya Serebryany1e172b42011-11-30 01:07:02 +0000[diff] [blame]682 }
683 if (size <= FLAG_max_malloc_fill_size) {
684 real_memset((void*)addr, 0, rounded_size);
685 }
686 return (uint8_t*)addr;
687}
688
689static void Deallocate(uint8_t *ptr, AsanStackTrace *stack) {
690 if (!ptr) return;
691 CHECK(stack);
692
693 if (FLAG_debug) {
694 CHECK(malloc_info.FindPageGroup((uintptr_t)ptr));
695 }
696
697 // Printf("Deallocate %p\n", ptr);
698 AsanChunk *m = PtrToChunk((uintptr_t)ptr);
699 if (m->chunk_state == CHUNK_QUARANTINE) {
700 Printf("attempting double-free on %p:\n", ptr);
701 stack->PrintStack();
702 m->DescribeAddress((uintptr_t)ptr, 1);
703 ShowStatsAndAbort();
704 } else if (m->chunk_state != CHUNK_ALLOCATED) {
705 Printf("attempting free on address which was not malloc()-ed: %p\n", ptr);
706 stack->PrintStack();
707 ShowStatsAndAbort();
708 }
709 CHECK(m->chunk_state == CHUNK_ALLOCATED);
710 CHECK(m->free_tid == AsanThread::kInvalidTid);
711 CHECK(m->alloc_tid >= 0);
712 AsanThread *t = asanThreadRegistry().GetCurrent();
713 m->free_tid = t ? t->tid() : 0;
714 AsanStackTrace::CompressStack(stack, m->compressed_free_stack(),
715 m->compressed_free_stack_size());
716 size_t rounded_size = RoundUpTo(m->used_size, REDZONE);
717 PoisonShadow((uintptr_t)ptr, rounded_size, kAsanHeapFreeMagic);
718
719 if (FLAG_stats) {
720 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
721 thread_stats.frees++;
722 thread_stats.freed += m->used_size;
723 thread_stats.freed_by_size[m->SizeClass()]++;
724 }
725
726 m->chunk_state = CHUNK_QUARANTINE;
727 if (t) {
728 AsanThreadLocalMallocStorage *ms = &t->malloc_storage();
729 CHECK(!m->next);
730 ms->quarantine_.Push(m);
731
732 if (ms->quarantine_.size() > kMaxThreadLocalQuarantine) {
733 malloc_info.SwallowThreadLocalMallocStorage(ms, false);
734 }
735 } else {
736 CHECK(!m->next);
737 malloc_info.BypassThreadLocalQuarantine(m);
738 }
739}
740
741static uint8_t *Reallocate(uint8_t *old_ptr, size_t new_size,
742 AsanStackTrace *stack) {
743 CHECK(old_ptr && new_size);
744 if (FLAG_stats) {
745 AsanStats &thread_stats = asanThreadRegistry().GetCurrentThreadStats();
746 thread_stats.reallocs++;
747 thread_stats.realloced += new_size;
748 }
749 AsanChunk *m = PtrToChunk((uintptr_t)old_ptr);
750 CHECK(m->chunk_state == CHUNK_ALLOCATED);
751 size_t old_size = m->used_size;
752 size_t memcpy_size = std::min(new_size, old_size);
753 uint8_t *new_ptr = Allocate(0, new_size, stack);
754 if (new_ptr) {
755 real_memcpy(new_ptr, old_ptr, memcpy_size);
756 Deallocate(old_ptr, stack);
757 }
758 return new_ptr;
759}
760
761} // namespace __asan
762
763// Malloc hooks declaration.
764// ASAN_NEW_HOOK(ptr, size) is called immediately after
765// allocation of "size" bytes, which returned "ptr".
766// ASAN_DELETE_HOOK(ptr) is called immediately before
767// deallocation of "ptr".
768// If ASAN_NEW_HOOK or ASAN_DELETE_HOOK is defined, user
769// program must provide implementation of this hook.
770// If macro is undefined, the hook is no-op.
771#ifdef ASAN_NEW_HOOK
772extern "C" void ASAN_NEW_HOOK(void *ptr, size_t size);
773#else
774static inline void ASAN_NEW_HOOK(void *ptr, size_t size) { }
775#endif
776
777#ifdef ASAN_DELETE_HOOK
778extern "C" void ASAN_DELETE_HOOK(void *ptr);
779#else
780static inline void ASAN_DELETE_HOOK(void *ptr) { }
781#endif
782
783namespace __asan {
784
785void *asan_memalign(size_t alignment, size_t size, AsanStackTrace *stack) {
786 void *ptr = (void*)Allocate(alignment, size, stack);
787 ASAN_NEW_HOOK(ptr, size);
788 return ptr;
789}
790
791void asan_free(void *ptr, AsanStackTrace *stack) {
792 ASAN_DELETE_HOOK(ptr);
793 Deallocate((uint8_t*)ptr, stack);
794}
795
796void *asan_malloc(size_t size, AsanStackTrace *stack) {
797 void *ptr = (void*)Allocate(0, size, stack);
798 ASAN_NEW_HOOK(ptr, size);
799 return ptr;
800}
801
802void *asan_calloc(size_t nmemb, size_t size, AsanStackTrace *stack) {
803 void *ptr = (void*)Allocate(0, nmemb * size, stack);
804 if (ptr)
805 real_memset(ptr, 0, nmemb * size);
806 ASAN_NEW_HOOK(ptr, nmemb * size);
807 return ptr;
808}
809
810void *asan_realloc(void *p, size_t size, AsanStackTrace *stack) {
811 if (p == NULL) {
812 void *ptr = (void*)Allocate(0, size, stack);
813 ASAN_NEW_HOOK(ptr, size);
814 return ptr;
815 } else if (size == 0) {
816 ASAN_DELETE_HOOK(p);
817 Deallocate((uint8_t*)p, stack);
818 return NULL;
819 }
820 return Reallocate((uint8_t*)p, size, stack);
821}
822
823void *asan_valloc(size_t size, AsanStackTrace *stack) {
824 void *ptr = (void*)Allocate(kPageSize, size, stack);
825 ASAN_NEW_HOOK(ptr, size);
826 return ptr;
827}
828
829void *asan_pvalloc(size_t size, AsanStackTrace *stack) {
830 size = RoundUpTo(size, kPageSize);
831 if (size == 0) {
832 // pvalloc(0) should allocate one page.
833 size = kPageSize;
834 }
835 void *ptr = (void*)Allocate(kPageSize, size, stack);
836 ASAN_NEW_HOOK(ptr, size);
837 return ptr;
838}
839
840int asan_posix_memalign(void **memptr, size_t alignment, size_t size,
841 AsanStackTrace *stack) {
842 void *ptr = Allocate(alignment, size, stack);
843 CHECK(IsAligned((uintptr_t)ptr, alignment));
844 ASAN_NEW_HOOK(ptr, size);
845 *memptr = ptr;
846 return 0;
847}
848
849size_t __asan_mz_size(const void *ptr) {
850 return malloc_info.AllocationSize((uintptr_t)ptr);
851}
852
853void DescribeHeapAddress(uintptr_t addr, uintptr_t access_size) {
854 Describe(addr, access_size);
855}
856
857void __asan_mz_force_lock() {
858 malloc_info.ForceLock();
859}
860
861void __asan_mz_force_unlock() {
862 malloc_info.ForceUnlock();
863}
864
865// ---------------------- Fake stack-------------------- {{{1
866FakeStack::FakeStack() {
867 CHECK(real_memset);
868 real_memset(this, 0, sizeof(*this));
869}
870
871bool FakeStack::AddrIsInSizeClass(uintptr_t addr, size_t size_class) {
872 uintptr_t mem = allocated_size_classes_[size_class];
873 uintptr_t size = ClassMmapSize(size_class);
874 bool res = mem && addr >= mem && addr < mem + size;
875 return res;
876}
877
878uintptr_t FakeStack::AddrIsInFakeStack(uintptr_t addr) {
879 if (!alive_) return 0;
880 for (size_t i = 0; i < kNumberOfSizeClasses; i++) {
881 if (AddrIsInSizeClass(addr, i)) return allocated_size_classes_[i];
882 }
883 return 0;
884}
885
886// We may want to compute this during compilation.
887inline size_t FakeStack::ComputeSizeClass(size_t alloc_size) {
888 size_t rounded_size = RoundUpToPowerOfTwo(alloc_size);
889 size_t log = Log2(rounded_size);
890 CHECK(alloc_size <= (1UL << log));
891 if (!(alloc_size > (1UL << (log-1)))) {
892 Printf("alloc_size %ld log %ld\n", alloc_size, log);
893 }
894 CHECK(alloc_size > (1UL << (log-1)));
895 size_t res = log < kMinStackFrameSizeLog ? 0 : log - kMinStackFrameSizeLog;
896 CHECK(res < kNumberOfSizeClasses);
897 CHECK(ClassSize(res) >= rounded_size);
898 return res;
899}
900
901void FakeFrameFifo::FifoPush(FakeFrame *node) {
902 CHECK(node);
903 node->next = 0;
904 if (first_ == 0 && last_ == 0) {
905 first_ = last_ = node;
906 } else {
907 CHECK(first_);
908 CHECK(last_);
909 last_->next = node;
910 last_ = node;
911 }
912}
913
914FakeFrame *FakeFrameFifo::FifoPop() {
915 CHECK(first_ && last_ && "Exhausted fake stack");
916 FakeFrame *res = 0;
917 if (first_ == last_) {
918 res = first_;
919 first_ = last_ = 0;
920 } else {
921 res = first_;
922 first_ = first_->next;
923 }
924 return res;
925}
926
927void FakeStack::Init(size_t stack_size) {
928 stack_size_ = stack_size;
929 alive_ = true;
930}
931
932void FakeStack::Cleanup() {
933 alive_ = false;
934 for (size_t i = 0; i < kNumberOfSizeClasses; i++) {
935 uintptr_t mem = allocated_size_classes_[i];
936 if (mem) {
937 PoisonShadow(mem, ClassMmapSize(i), 0);
938 allocated_size_classes_[i] = 0;
939 int munmap_res = munmap((void*)mem, ClassMmapSize(i));
940 CHECK(munmap_res == 0);
941 }
942 }
943}
944
945size_t FakeStack::ClassMmapSize(size_t size_class) {
946 return RoundUpToPowerOfTwo(stack_size_);
947}
948
949void FakeStack::AllocateOneSizeClass(size_t size_class) {
950 CHECK(ClassMmapSize(size_class) >= kPageSize);
951 uintptr_t new_mem = (uintptr_t)asan_mmap(0, ClassMmapSize(size_class),
952 PROT_READ | PROT_WRITE,
953 MAP_PRIVATE | MAP_ANON, -1, 0);
954 CHECK(new_mem != (uintptr_t)-1);
955 // Printf("T%d new_mem[%ld]: %p-%p mmap %ld\n",
956 // asanThreadRegistry().GetCurrent()->tid(),
957 // size_class, new_mem, new_mem + ClassMmapSize(size_class),
958 // ClassMmapSize(size_class));
959 size_t i;
960 for (i = 0; i < ClassMmapSize(size_class);
961 i += ClassSize(size_class)) {
962 size_classes_[size_class].FifoPush((FakeFrame*)(new_mem + i));
963 }
964 CHECK(i == ClassMmapSize(size_class));
965 allocated_size_classes_[size_class] = new_mem;
966}
967
968uintptr_t FakeStack::AllocateStack(size_t size, size_t real_stack) {
969 CHECK(alive_);
970 CHECK(size <= kMaxStackMallocSize && size > 1);
971 size_t size_class = ComputeSizeClass(size);
972 if (!allocated_size_classes_[size_class]) {
973 AllocateOneSizeClass(size_class);
974 }
975 FakeFrame *fake_frame = size_classes_[size_class].FifoPop();
976 CHECK(fake_frame);
977 fake_frame->size_minus_one = size - 1;
978 fake_frame->real_stack = real_stack;
979 while (FakeFrame *top = call_stack_.top()) {
980 if (top->real_stack > real_stack) break;
981 call_stack_.LifoPop();
982 DeallocateFrame(top);
983 }
984 call_stack_.LifoPush(fake_frame);
985 uintptr_t ptr = (uintptr_t)fake_frame;
986 PoisonShadow(ptr, size, 0);
987 return ptr;
988}
989
990void FakeStack::DeallocateFrame(FakeFrame *fake_frame) {
991 CHECK(alive_);
992 size_t size = fake_frame->size_minus_one + 1;
993 size_t size_class = ComputeSizeClass(size);
994 CHECK(allocated_size_classes_[size_class]);
995 uintptr_t ptr = (uintptr_t)fake_frame;
996 CHECK(AddrIsInSizeClass(ptr, size_class));
997 CHECK(AddrIsInSizeClass(ptr + size - 1, size_class));
998 size_classes_[size_class].FifoPush(fake_frame);
999}
1000
1001void FakeStack::OnFree(size_t ptr, size_t size, size_t real_stack) {
1002 FakeFrame *fake_frame = (FakeFrame*)ptr;
1003 CHECK(fake_frame->magic = kRetiredStackFrameMagic);
1004 CHECK(fake_frame->descr != 0);
1005 CHECK(fake_frame->size_minus_one == size - 1);
1006 PoisonShadow(ptr, size, kAsanStackAfterReturnMagic);
1007}
1008
1009} // namespace __asan
1010
1011// ---------------------- Interface ---------------- {{{1
1012using namespace __asan; // NOLINT
1013
1014size_t __asan_stack_malloc(size_t size, size_t real_stack) {
1015 if (!FLAG_use_fake_stack) return real_stack;
1016 AsanThread *t = asanThreadRegistry().GetCurrent();
1017 if (!t) {
1018 // TSD is gone, use the real stack.
1019 return real_stack;
1020 }
1021 size_t ptr = t->fake_stack().AllocateStack(size, real_stack);
1022 // Printf("__asan_stack_malloc %p %ld %p\n", ptr, size, real_stack);
1023 return ptr;
1024}
1025
1026void __asan_stack_free(size_t ptr, size_t size, size_t real_stack) {
1027 if (!FLAG_use_fake_stack) return;
1028 if (ptr != real_stack) {
1029 FakeStack::OnFree(ptr, size, real_stack);
1030 }
1031}
1032
1033// ASan allocator doesn't reserve extra bytes, so normally we would
1034// just return "size".
1035size_t __asan_get_estimated_allocated_size(size_t size) {
1036 if (size == 0) return 1;
1037 return std::min(size, kMaxAllowedMallocSize);
1038}
1039
1040bool __asan_get_ownership(const void *p) {
1041 return (p == NULL) ||
1042 (malloc_info.AllocationSize((uintptr_t)p) > 0);
1043}
1044
1045size_t __asan_get_allocated_size(const void *p) {
1046 if (p == NULL) return 0;
1047 size_t allocated_size = malloc_info.AllocationSize((uintptr_t)p);
1048 // Die if p is not malloced or if it is already freed.
1049 if (allocated_size == 0) {
1050 Printf("__asan_get_allocated_size failed, ptr=%p is not owned\n", p);
1051 PRINT_CURRENT_STACK();
1052 ShowStatsAndAbort();
1053 }
1054 return allocated_size;
1055}