| blob | 0b68ee3292820ad7b3e1b3655a01b433e82eaa4c |
1 /* $NetBSD$ */
3 /*
4 * Electric Fence - Red-Zone memory allocator.
5 * Bruce Perens, 1988, 1993
6 *
7 * This is a special version of malloc() and company for debugging software
8 * that is suspected of overrunning or underrunning the boundaries of a
9 * malloc buffer, or touching free memory.
10 *
11 * It arranges for each malloc buffer to be followed (or preceded)
12 * in the address space by an inaccessable virtual memory page,
13 * and for free memory to be inaccessable. If software touches the
14 * inaccessable page, it will get an immediate segmentation
15 * fault. It is then trivial to uncover the offending code using a debugger.
16 *
17 * An advantage of this product over most malloc debuggers is that this one
18 * detects reading out of bounds as well as writing, and this one stops on
19 * the exact instruction that causes the error, rather than waiting until the
20 * next boundary check.
21 *
22 * There is one product that debugs malloc buffer overruns
23 * better than Electric Fence: "Purify" from Purify Systems, and that's only
24 * a small part of what Purify does. I'm not affiliated with Purify, I just
25 * respect a job well done.
26 *
27 * This version of malloc() should not be linked into production software,
28 * since it tremendously increases the time and memory overhead of malloc().
29 * Each malloc buffer will consume a minimum of two virtual memory pages,
30 * this is 16 kilobytes on many systems. On some systems it will be necessary
31 * to increase the amount of swap space in order to debug large programs that
32 * perform lots of allocation, because of the per-buffer overhead.
33 */
35 #include <stdlib.h>
36 #include <unistd.h>
37 #include <memory.h>
38 #include <string.h>
40 #ifdef malloc
41 #undef malloc
42 #endif
44 #ifdef calloc
45 #undef calloc
46 #endif
51 /*
52 * MEMORY_CREATION_SIZE is the amount of memory to get from the operating
53 * system at one time. We'll break that memory down into smaller pieces for
54 * malloc buffers. One megabyte is probably a good value.
55 */
56 #define MEMORY_CREATION_SIZE 1024 * 1024
58 /*
59 * Enum Mode indicates the status of a malloc buffer.
60 */
66 INTERNAL_USE /* A buffer used internally by malloc(). */
67 };
70 /*
71 * Struct Slot contains all of the information about a malloc buffer except
72 * for the contents of its memory.
73 */
79 Mode mode;
80 };
83 /*
84 * EF_ALIGNMENT is a global variable used to control the default alignment
85 * of buffers returned by malloc(), calloc(), and realloc(). It is all-caps
86 * so that its name matches the name of the environment variable that is used
87 * to set it. This gives the programmer one less name to remember.
88 * If the value is -1, it will be set from the environment or sizeof(int)
89 * at run time.
90 */
93 /*
94 * EF_PROTECT_FREE is a global variable used to control the disposition of
95 * memory that is released using free(). It is all-caps so that its name
96 * matches the name of the environment variable that is used to set it.
97 * If its value is greater non-zero, memory released by free is made
98 * inaccessable and never allocated again. Any software that touches free
99 * memory will then get a segmentation fault. If its value is zero, freed
100 * memory will be available for reallocation, but will still be inaccessable
101 * until it is reallocated.
102 * If the value is -1, it will be set from the environment or to 0 at run-time.
103 */
106 /*
107 * EF_PROTECT_BELOW is used to modify the behavior of the allocator. When
108 * its value is non-zero, the allocator will place an inaccessable page
109 * immediately _before_ the malloc buffer in the address space, instead
110 * of _after_ it. Use this to detect malloc buffer under-runs, rather than
111 * over-runs. It won't detect both at the same time, so you should test your
112 * software twice, once with this value clear, and once with it set.
113 * If the value is -1, it will be set from the environment or to zero at
114 * run-time
115 */
118 /*
119 * EF_ALLOW_MALLOC_0 is set if Electric Fence is to allow malloc(0). I
120 * trap malloc(0) by default because it is a common source of bugs.
121 */
124 /*
125 * allocationList points to the array of slot structures used to manage the
126 * malloc arena.
127 */
130 /*
131 * allocationListSize is the size of the allocation list. This will always
132 * be a multiple of the page size.
133 */
136 /*
137 * slotCount is the number of Slot structures in allocationList.
138 */
141 /*
142 * unUsedSlots is the number of Slot structures that are currently available
143 * to represent new malloc buffers. When this number gets too low, we will
144 * create new slots.
145 */
148 /*
149 * slotsPerPage is the number of slot structures that fit in a virtual
150 * memory page.
151 */
154 /*
155 * internalUse is set when allocating and freeing the allocatior-internal
156 * data structures.
157 */
160 /*
161 * noAllocationListProtection is set to tell malloc() and free() not to
162 * manipulate the protection of the allocation list. This is only set in
163 * realloc(), which does it to save on slow system calls, and in
164 * allocateMoreSlots(), which does it because it changes the allocation list.
165 */
168 /*
169 * bytesPerPage is set at run-time to the number of bytes per virtual-memory
170 * page, as returned by Page_Size().
171 */
174 /*
175 * internalError is called for those "shouldn't happen" errors in the
176 * allocator.
177 */
178 static void
180 {
182 }
184 /*
185 * initialize sets up the memory allocation arena and the run-time
186 * configuration information.
187 */
188 static void
190 {
198 /*
199 * Import the user's environment specification of the default
200 * alignment for malloc(). We want that alignment to be under
201 * user control, since smaller alignment lets us catch more bugs,
202 * however some software will break if malloc() returns a buffer
203 * that is not word-aligned.
204 *
205 * I would like
206 * alignment to be zero so that we could catch all one-byte
207 * overruns, however if malloc() is asked to allocate an odd-size
208 * buffer and returns an address that is not word-aligned, or whose
209 * size is not a multiple of the word size, software breaks.
210 * This was the case with the Sun string-handling routines,
211 * which can do word fetches up to three bytes beyond the end of a
212 * string. I handle this problem in part by providing
213 * byte-reference-only versions of the string library functions, but
214 * there are other functions that break, too. Some in X Windows, one
215 * in Sam Leffler's TIFF library, and doubtless many others.
216 */
220 else
222 }
224 /*
225 * See if the user wants to protect the address space below a buffer,
226 * rather than that above a buffer.
227 */
231 else
233 }
235 /*
236 * See if the user wants to protect memory that has been freed until
237 * the program exits, rather than until it is re-allocated.
238 */
242 else
244 }
246 /*
247 * See if the user wants to allow malloc(0).
248 */
252 else
254 }
256 /*
257 * Get the run-time configuration of the virtual memory page size.
258 */
261 /*
262 * Figure out how many Slot structures to allocate at one time.
263 */
273 /*
274 * Allocate memory, and break it up into two malloc buffers. The
275 * first buffer will be used for Slot structures, the second will
276 * be marked free.
277 */
290 }
292 /*
293 * Deny access to the free page, so that we will detect any software
294 * that treads upon free memory.
295 */
298 /*
299 * Account for the two slot structures that we've used.
300 */
302 }
304 /*
305 * allocateMoreSlots is called when there are only enough slot structures
306 * left to support the allocation of a single malloc buffer.
307 */
308 static void
310 {
330 /*
331 * Keep access to the allocation list open at this point, because
332 * I am returning to memalign(), which needs that access.
333 */
336 }
338 /*
339 * This is the memory allocator. When asked to allocate a buffer, allocate
340 * it in such a way that the end of the buffer is followed by an inaccessable
341 * memory page. If software overruns that buffer, it will touch the bad page
342 * and get an immediate segmentation fault. It's then easy to zero in on the
343 * offending code with a debugger.
344 *
345 * There are a few complications. If the user asks for an odd-sized buffer,
346 * we would have to have that buffer start on an odd address if the byte after
347 * the end of the buffer was to be on the inaccessable page. Unfortunately,
348 * there is lots of software that asks for odd-sized buffers and then
349 * requires that the returned address be word-aligned, or the size of the
350 * buffer be a multiple of the word size. An example are the string-processing
351 * functions on Sun systems, which do word references to the string memory
352 * and may refer to memory up to three bytes beyond the end of the string.
353 * For this reason, I take the alignment requests to memalign() and valloc()
354 * seriously, and
355 *
356 * Electric Fence wastes lots of memory. I do a best-fit allocator here
357 * so that it won't waste even more. It's slow, but thrashing because your
358 * working set is too big for a system's RAM is even slower.
359 */
362 {
377 /*
378 * If EF_PROTECT_BELOW is set, all addresses returned by malloc()
379 * and company will be page-aligned.
380 */
384 }
386 /*
387 * The internal size of the buffer is rounded up to the next page-size
388 * boudary, and then we add another page's worth of memory for the
389 * dead page.
390 */
395 /*
396 * These will hold the addresses of two empty Slot structures, that
397 * can be used to hold information for any memory I create, and any
398 * memory that I mark free.
399 */
403 /*
404 * The internal memory used by the allocator is currently
405 * inaccessable, so that errant programs won't scrawl on the
406 * allocator's arena. I'll un-protect it here so that I can make
407 * a new allocation. I'll re-protect it before I return.
408 */
412 /*
413 * If I'm running out of empty slots, create some more before
414 * I don't have enough slots left to make an allocation.
415 */
418 }
420 /*
421 * Iterate through all of the slot structures. Attempt to find a slot
422 * containing free memory of the exact right size. Accept a slot with
423 * more memory than we want, if the exact right size is not available.
424 * Find two slot structures that are not in use. We will need one if
425 * we split a buffer into free and allocated parts, and the second if
426 * we have to create new memory and mark it as free.
427 *
428 */
439 }
440 }
449 }
450 slot++;
451 }
456 /*
457 * I get here if I haven't been able to find a free buffer
458 * with all of the memory I need. I'll have to create more
459 * memory. I'll mark it all as free, and then split it into
460 * free and allocated portions later.
461 */
473 /* Use up one of the empty slots to make the full slot. */
479 unUsedSlots--;
480 }
482 /*
483 * If I'm allocating memory for the allocator's own data structures,
484 * mark it INTERNAL_USE so that no errant software will be able to
485 * free it.
486 */
489 else
492 /*
493 * If the buffer I've found is larger than I need, split it into
494 * an allocated buffer with the exact amount of memory I need, and
495 * a free buffer containing the surplus memory.
496 */
504 unUsedSlots--;
505 }
508 /*
509 * Arrange the buffer so that it is followed by an inaccessable
510 * memory page. A buffer overrun that touches that page will
511 * cause a segmentation fault.
512 */
515 /* Set up the "live" page. */
518 fullSlot->internalAddress
523 /* Set up the "dead" page. */
526 else
529 /* Figure out what address to give the user. */
531 }
533 /*
534 * Arrange the buffer so that it is preceded by an inaccessable
535 * memory page. A buffer underrun that touches that page will
536 * cause a segmentation fault.
537 */
540 /* Set up the "dead" page. */
543 else
548 /* Set up the "live" page. */
551 }
556 /*
557 * Make the pool's internal memory inaccessable, so that the program
558 * being debugged can't stomp on it.
559 */
564 }
566 /*
567 * Find the slot structure for a user address.
568 */
571 {
578 slot++;
579 }
582 }
584 /*
585 * Find the slot structure for an internal address.
586 */
589 {
596 slot++;
597 }
599 }
601 /*
602 * Given the internal address of a buffer, find the buffer immediately
603 * before that buffer in the address space. This is used by free() to
604 * coalesce two free buffers into one.
605 */
608 {
616 slot++;
617 }
619 }
623 {
647 "free(%a): freeing free memory."
649 }
650 }
654 else
663 /* Coalesce previous slot with this one. */
672 unUsedSlots++;
673 }
676 /* Coalesce next slot with this one. */
681 unUsedSlots++;
682 }
687 /*
688 * Free memory is _always_ set to deny access. When EF_PROTECT_FREE
689 * is true, free memory is never reallocated, so it remains access
690 * denied for the life of the process. When EF_PROTECT_FREE is false,
691 * the memory may be re-allocated, at which time access to it will be
692 * allowed again.
693 *
694 * Some operating systems allow munmap() with single-page resolution,
695 * and allow you to un-map portions of a region, rather than the
696 * entire region that was mapped with mmap(). On those operating
697 * systems, we can release protected free pages with Page_Delete(),
698 * in the hope that the swap space attached to those pages will be
699 * released as well.
700 */
703 else
708 }
712 {
726 "realloc(%a, %d): address not from malloc()."
727 ,oldBuffer
743 /* Internal memory was re-protected in free() */
744 }
747 }
751 {
756 }
760 {
766 }
768 /*
769 * This will catch more bugs if you remove the page alignment, but it
770 * will break some software.
771 */
774 {
776 }
778 #ifdef __hpux
779 /*
780 * HP-UX 8/9.01 strcat reads a word past source when doing unaligned copies!
781 * Work around it here. The bug report has been filed with HP.
782 */
784 {
787 }
788 #endif