generic-library/bionic
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Prevent a crash in the memory leak checker (which happened in chk_free())

Browse Source 
Simplify the code a little, removing un-necessary mutex locks/unlocks.
Provide slightly better diagnostic message in case of corruption.
Use snprintf/strlcat instead of sprintf/strcat
This commit is contained in:
David 'Digit' Turner 2009-07-08 14:22:41 +02:00
parent 6ee8f1b044
commit c4eee3765b
3 changed files with 88 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libc/bionic/logd_write.c
View File

@ -126,8 +126,8 @@ static int __android_log_write(int prio, const char *tag, const char *msg)
} }
static int __android_log_vprint(int prio, const char *tag, const char *fmt, int __libc_android_log_vprint(int prio, const char *tag, const char *fmt,
va_list ap) va_list ap)
{ {
char buf[LOG_BUF_SIZE]; char buf[LOG_BUF_SIZE];

140
libc/bionic/malloc_leak.c
View File

@ -515,8 +515,8 @@ static void dump_stack_trace()
tmp[0] = 0; // Need to initialize tmp[0] for the first strcat tmp[0] = 0; // Need to initialize tmp[0] for the first strcat
for (i=0 ; i<c; i++) { for (i=0 ; i<c; i++) {
sprintf(buf, "%2d: %08x\n", i, addrs[i]); snprintf(buf, sizeof buf, "%2d: %08x\n", i, addrs[i]);
strcat(tmp, buf); strlcat(tmp, buf, sizeof tmp);
} }
__libc_android_log_print(ANDROID_LOG_ERROR, "libc", "call stack:\n%s", tmp); __libc_android_log_print(ANDROID_LOG_ERROR, "libc", "call stack:\n%s", tmp);
} }
@ -526,69 +526,90 @@ static int is_valid_malloc_pointer(void* addr)
return 1; return 1;
} }
static void assert_log_message(const char* format, ...)
{
va_list args;
pthread_mutex_lock(&gAllocationsMutex);
gMallocDispatch = &gMallocEngineTable[INDEX_NORMAL];
va_start(args, format);
__libc_android_log_vprint(ANDROID_LOG_ERROR, "libc",
format, args);
va_end(args);
dump_stack_trace();
if (gTrapOnError) {
__builtin_trap();
}
gMallocDispatch = &gMallocEngineTable[INDEX_MALLOC_CHECK];
pthread_mutex_unlock(&gAllocationsMutex);
}
static void assert_valid_malloc_pointer(void* mem) static void assert_valid_malloc_pointer(void* mem)
{ {
if (mem && !is_valid_malloc_pointer(mem)) { if (mem && !is_valid_malloc_pointer(mem)) {
pthread_mutex_lock(&gAllocationsMutex); assert_log_message(
gMallocDispatch = &gMallocEngineTable[INDEX_NORMAL]; "*** MALLOC CHECK: buffer %p, is not a valid "
__libc_android_log_print(ANDROID_LOG_ERROR, "libc", "malloc pointer (are you mixing up new/delete "
"*** MALLOC CHECK: buffer %p, is not a valid " "and malloc/free?)", mem);
"malloc pointer (are you mixing up new/delete "
"and malloc/free?)", mem);
dump_stack_trace();
if (gTrapOnError) {
__builtin_trap();
}
gMallocDispatch = &gMallocEngineTable[INDEX_MALLOC_CHECK];
pthread_mutex_unlock(&gAllocationsMutex);
} }
} }
static void chk_out_of_bounds_check__locked(void* buffer, size_t size) /* Check that a given address corresponds to a guarded block,
* and returns its original allocation size in '*allocated'.
* 'func' is the capitalized name of the caller function.
* Returns 0 on success, or -1 on failure.
* NOTE: Does not return if gTrapOnError is set.
*/
static int chk_mem_check(void* mem,
size_t* allocated,
const char* func)
{ {
int i; char* buffer;
char* buf = (char*)buffer - CHK_SENTINEL_HEAD_SIZE; size_t offset, bytes;
int i;
char* buf;
/* first check the bytes in the sentinel header */
buf = (char*)mem - CHK_SENTINEL_HEAD_SIZE;
for (i=0 ; i<CHK_SENTINEL_HEAD_SIZE ; i++) { for (i=0 ; i<CHK_SENTINEL_HEAD_SIZE ; i++) {
if (buf[i] != CHK_SENTINEL_VALUE) { if (buf[i] != CHK_SENTINEL_VALUE) {
gMallocDispatch = &gMallocEngineTable[INDEX_NORMAL]; assert_log_message(
__libc_android_log_print(ANDROID_LOG_ERROR, "libc", "*** %s CHECK: buffer %p "
"*** MALLOC CHECK: buffer %p, size=%lu, " "corrupted %d bytes before allocation",
"corrupted %d bytes before allocation", func, mem, CHK_SENTINEL_HEAD_SIZE-i);
buffer, size, CHK_SENTINEL_HEAD_SIZE-i); return -1;
dump_stack_trace();
if (gTrapOnError) {
__builtin_trap();
}
gMallocDispatch = &gMallocEngineTable[INDEX_MALLOC_CHECK];
} }
} }
buf = (char*)buffer + size;
/* then the ones in the sentinel trailer */
buffer = (char*)mem - CHK_SENTINEL_HEAD_SIZE;
offset = dlmalloc_usable_size(buffer) - sizeof(size_t);
bytes = *(size_t *)(buffer + offset);
buf = (char*)mem + bytes;
for (i=CHK_SENTINEL_TAIL_SIZE-1 ; i>=0 ; i--) { for (i=CHK_SENTINEL_TAIL_SIZE-1 ; i>=0 ; i--) {
if (buf[i] != CHK_SENTINEL_VALUE) { if (buf[i] != CHK_SENTINEL_VALUE) {
gMallocDispatch = &gMallocEngineTable[INDEX_NORMAL]; assert_log_message(
__libc_android_log_print(ANDROID_LOG_ERROR, "libc", "*** %s CHECK: buffer %p, size=%lu, "
"*** MALLOC CHECK: buffer %p, size=%lu, " "corrupted %d bytes after allocation",
"corrupted %d bytes after allocation", func, buffer, bytes, i+1);
buffer, size, i+1); return -1;
dump_stack_trace();
if (gTrapOnError) {
__builtin_trap();
}
gMallocDispatch = &gMallocEngineTable[INDEX_MALLOC_CHECK];
} }
} }
*allocated = bytes;
return 0;
} }
void* chk_malloc(size_t bytes) void* chk_malloc(size_t bytes)
{ {
char* buffer = (char*)dlmalloc(bytes + CHK_OVERHEAD_SIZE); char* buffer = (char*)dlmalloc(bytes + CHK_OVERHEAD_SIZE);
if (buffer) { if (buffer) {
pthread_mutex_lock(&gAllocationsMutex); memset(buffer, CHK_SENTINEL_VALUE, bytes + CHK_OVERHEAD_SIZE);
memset(buffer, CHK_SENTINEL_VALUE, bytes + CHK_OVERHEAD_SIZE); size_t offset = dlmalloc_usable_size(buffer) - sizeof(size_t);
size_t offset = dlmalloc_usable_size(buffer) - sizeof(size_t); *(size_t *)(buffer + offset) = bytes;
*(size_t *)(buffer + offset) = bytes; buffer += CHK_SENTINEL_HEAD_SIZE;
buffer += CHK_SENTINEL_HEAD_SIZE;
pthread_mutex_unlock(&gAllocationsMutex);
} }
return buffer; return buffer;
} }
@ -597,14 +618,14 @@ void chk_free(void* mem)
{ {
assert_valid_malloc_pointer(mem); assert_valid_malloc_pointer(mem);
if (mem) { if (mem) {
pthread_mutex_lock(&gAllocationsMutex); size_t size;
char* buffer = (char*)mem - CHK_SENTINEL_HEAD_SIZE; char* buffer;
size_t offset = dlmalloc_usable_size(buffer) - sizeof(size_t);
size_t bytes = *(size_t *)(buffer + offset); if (chk_mem_check(mem, &size, "FREE") == 0) {
chk_out_of_bounds_check__locked(mem, bytes); buffer = (char*)mem - CHK_SENTINEL_HEAD_SIZE;
pthread_mutex_unlock(&gAllocationsMutex); memset(buffer, CHK_FILL_FREE, size + CHK_OVERHEAD_SIZE);
memset(buffer, CHK_FILL_FREE, bytes); dlfree(buffer);
dlfree(buffer); }
} }
} }
@ -628,19 +649,20 @@ void* chk_calloc(size_t n_elements, size_t elem_size)
void* chk_realloc(void* mem, size_t bytes) void* chk_realloc(void* mem, size_t bytes)
{ {
char* buffer;
int ret;
size_t old_bytes = 0;
assert_valid_malloc_pointer(mem); assert_valid_malloc_pointer(mem);
if (mem != NULL && chk_mem_check(mem, &old_bytes, "REALLOC") < 0)
return NULL;
char* new_buffer = chk_malloc(bytes); char* new_buffer = chk_malloc(bytes);
if (mem == NULL) { if (mem == NULL) {
return new_buffer; return new_buffer;
} }
pthread_mutex_lock(&gAllocationsMutex);
char* buffer = (char*)mem - CHK_SENTINEL_HEAD_SIZE;
size_t offset = dlmalloc_usable_size(buffer) - sizeof(size_t);
size_t old_bytes = *(size_t *)(buffer + offset);
chk_out_of_bounds_check__locked(mem, old_bytes);
pthread_mutex_unlock(&gAllocationsMutex);
if (new_buffer) { if (new_buffer) {
size_t size = (bytes < old_bytes)?(bytes):(old_bytes); size_t size = (bytes < old_bytes)?(bytes):(old_bytes);
memcpy(new_buffer, mem, size); memcpy(new_buffer, mem, size);

3
libc/private/logd.h
View File

@ -28,6 +28,8 @@
#ifndef _ANDROID_BIONIC_LOGD_H #ifndef _ANDROID_BIONIC_LOGD_H
#define _ANDROID_BIONIC_LOGD_H #define _ANDROID_BIONIC_LOGD_H
#include <stdarg.h>
enum { enum {
ANDROID_LOG_UNKNOWN = 0, ANDROID_LOG_UNKNOWN = 0,
ANDROID_LOG_DEFAULT, /* only for SetMinPriority() */ ANDROID_LOG_DEFAULT, /* only for SetMinPriority() */
@ -43,5 +45,6 @@ enum {
}; };
int __libc_android_log_print(int prio, const char *tag, const char *fmt, ...); int __libc_android_log_print(int prio, const char *tag, const char *fmt, ...);
int __libc_android_log_vprint(int prio, const char *tag, const char *fmt, va_list ap);
#endif /* _ANDROID_BIONIC_LOGD_H */ #endif /* _ANDROID_BIONIC_LOGD_H */