Fix s390x_dirtyhelper_vec_op signature for non-s390x case.
[valgrind.git] / memcheck / mc_leakcheck.c
blob782244481f8222a587384f62894cdc379b77733c
2 /*--------------------------------------------------------------------*/
3 /*--- The leak checker. mc_leakcheck.c ---*/
4 /*--------------------------------------------------------------------*/
6 /*
7 This file is part of MemCheck, a heavyweight Valgrind tool for
8 detecting memory errors.
10 Copyright (C) 2000-2017 Julian Seward
11 jseward@acm.org
13 This program is free software; you can redistribute it and/or
14 modify it under the terms of the GNU General Public License as
15 published by the Free Software Foundation; either version 2 of the
16 License, or (at your option) any later version.
18 This program is distributed in the hope that it will be useful, but
19 WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 General Public License for more details.
23 You should have received a copy of the GNU General Public License
24 along with this program; if not, write to the Free Software
25 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
26 02111-1307, USA.
28 The GNU General Public License is contained in the file COPYING.
31 #include "pub_tool_basics.h"
32 #include "pub_tool_vki.h"
33 #include "pub_tool_aspacehl.h"
34 #include "pub_tool_aspacemgr.h"
35 #include "pub_tool_execontext.h"
36 #include "pub_tool_hashtable.h"
37 #include "pub_tool_libcbase.h"
38 #include "pub_tool_libcassert.h"
39 #include "pub_tool_libcprint.h"
40 #include "pub_tool_libcsignal.h"
41 #include "pub_tool_machine.h"
42 #include "pub_tool_mallocfree.h"
43 #include "pub_tool_options.h"
44 #include "pub_tool_oset.h"
45 #include "pub_tool_poolalloc.h"
46 #include "pub_tool_signals.h" // Needed for mc_include.h
47 #include "pub_tool_libcsetjmp.h" // setjmp facilities
48 #include "pub_tool_tooliface.h" // Needed for mc_include.h
49 #include "pub_tool_xarray.h"
50 #include "pub_tool_xtree.h"
52 #include "mc_include.h"
54 /*------------------------------------------------------------*/
55 /*--- An overview of leak checking. ---*/
56 /*------------------------------------------------------------*/
58 // Leak-checking is a directed-graph traversal problem. The graph has
59 // two kinds of nodes:
60 // - root-set nodes:
61 // - GP registers of all threads;
62 // - valid, aligned, pointer-sized data words in valid client memory,
63 // including stacks, but excluding words within client heap-allocated
64 // blocks (they are excluded so that later on we can differentiate
65 // between heap blocks that are indirectly leaked vs. directly leaked).
66 // - heap-allocated blocks. A block is a mempool chunk or a malloc chunk
67 // that doesn't contain a mempool chunk. Nb: the terms "blocks" and
68 // "chunks" are used interchangeably below.
70 // There are two kinds of edges:
71 // - start-pointers, i.e. pointers to the start of a block;
72 // - interior-pointers, i.e. pointers to the interior of a block.
74 // We use "pointers" rather than "edges" below.
76 // Root set nodes only point to blocks. Blocks only point to blocks;
77 // a block can point to itself.
79 // The aim is to traverse the graph and determine the status of each block.
81 // There are 9 distinct cases. See memcheck/docs/mc-manual.xml for details.
82 // Presenting all nine categories to the user is probably too much.
83 // Currently we do this:
84 // - definitely lost: case 3
85 // - indirectly lost: case 4, 9
86 // - possibly lost: cases 5..8
87 // - still reachable: cases 1, 2
88 //
89 // It's far from clear that this is the best possible categorisation; it's
90 // accreted over time without any central guiding principle.
92 /*------------------------------------------------------------*/
93 /*--- XXX: Thoughts for improvement. ---*/
94 /*------------------------------------------------------------*/
96 // From the user's point of view:
97 // - If they aren't using interior-pointers, they just have to fix the
98 // directly lost blocks, and the indirectly lost ones will be fixed as
99 // part of that. Any possibly lost blocks will just be due to random
100 // pointer garbage and can be ignored.
102 // - If they are using interior-pointers, the fact that they currently are not
103 // being told which ones might be directly lost vs. indirectly lost makes
104 // it hard to know where to begin.
106 // All this makes me wonder if new option is warranted:
107 // --follow-interior-pointers. By default it would be off, the leak checker
108 // wouldn't follow interior-pointers and there would only be 3 categories:
109 // R, DL, IL.
111 // If turned on, then it would show 7 categories (R, DL, IL, DR/DL, IR/IL,
112 // IR/IL/DL, IL/DL). That output is harder to understand but it's your own
113 // damn fault for using interior-pointers...
115 // ----
117 // Also, why are two blank lines printed between each loss record?
118 // [bug 197930]
120 // ----
122 // Also, --show-reachable is a bad name because it also turns on the showing
123 // of indirectly leaked blocks(!) It would be better named --show-all or
124 // --show-all-heap-blocks, because that's the end result.
125 // We now have the option --show-leak-kinds=... which allows to specify =all.
127 // ----
129 // Also, the VALGRIND_LEAK_CHECK and VALGRIND_QUICK_LEAK_CHECK aren't great
130 // names. VALGRIND_FULL_LEAK_CHECK and VALGRIND_SUMMARY_LEAK_CHECK would be
131 // better.
133 // ----
135 // Also, VALGRIND_COUNT_LEAKS and VALGRIND_COUNT_LEAK_BLOCKS aren't great as
136 // they combine direct leaks and indirect leaks into one. New, more precise
137 // ones (they'll need new names) would be good. If more categories are
138 // used, as per the --follow-interior-pointers option, they should be
139 // updated accordingly. And they should use a struct to return the values.
141 // ----
143 // Also, for this case:
145 // (4) p4 BBB ---> AAA
147 // BBB is definitely directly lost. AAA is definitely indirectly lost.
148 // Here's the relevant loss records printed for a full check (each block is
149 // 16 bytes):
151 // ==20397== 16 bytes in 1 blocks are indirectly lost in loss record 9 of 15
152 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
153 // ==20397== by 0x400521: mk (leak-cases.c:49)
154 // ==20397== by 0x400578: main (leak-cases.c:72)
156 // ==20397== 32 (16 direct, 16 indirect) bytes in 1 blocks are definitely
157 // lost in loss record 14 of 15
158 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
159 // ==20397== by 0x400521: mk (leak-cases.c:49)
160 // ==20397== by 0x400580: main (leak-cases.c:72)
162 // The first one is fine -- it describes AAA.
164 // The second one is for BBB. It's correct in that 16 bytes in 1 block are
165 // directly lost. It's also correct that 16 are indirectly lost as a result,
166 // but it means that AAA is being counted twice in the loss records. (It's
167 // not, thankfully, counted twice in the summary counts). Argh.
169 // This would be less confusing for the second one:
171 // ==20397== 16 bytes in 1 blocks are definitely lost in loss record 14
172 // of 15 (and 16 bytes in 1 block are indirectly lost as a result; they
173 // are mentioned elsewhere (if --show-reachable=yes or indirect is given
174 // in --show-leak-kinds=... !))
175 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
176 // ==20397== by 0x400521: mk (leak-cases.c:49)
177 // ==20397== by 0x400580: main (leak-cases.c:72)
179 // But ideally we'd present the loss record for the directly lost block and
180 // then the resultant indirectly lost blocks and make it clear the
181 // dependence. Double argh.
183 /*------------------------------------------------------------*/
184 /*--- The actual algorithm. ---*/
185 /*------------------------------------------------------------*/
187 // - Find all the blocks (a.k.a. chunks) to check. Mempool chunks require
188 // some special treatment because they can be within malloc'd blocks.
189 // - Scan every word in the root set (GP registers and valid
190 // non-heap memory words).
191 // - First, we skip if it doesn't point to valid memory.
192 // - Then, we see if it points to the start or interior of a block. If
193 // so, we push the block onto the mark stack and mark it as having been
194 // reached.
195 // - Then, we process the mark stack, repeating the scanning for each block;
196 // this can push more blocks onto the mark stack. We repeat until the
197 // mark stack is empty. Each block is marked as definitely or possibly
198 // reachable, depending on whether interior-pointers were required to
199 // reach it.
200 // - At this point we know for every block if it's reachable or not.
201 // - We then push each unreached block onto the mark stack, using the block
202 // number as the "clique" number.
203 // - We process the mark stack again, this time grouping blocks into cliques
204 // in order to facilitate the directly/indirectly lost categorisation.
205 // - We group blocks by their ExeContexts and categorisation, and print them
206 // if --leak-check=full. We also print summary numbers.
208 // A note on "cliques":
209 // - A directly lost block is one with no pointers to it. An indirectly
210 // lost block is one that is pointed to by a directly or indirectly lost
211 // block.
212 // - Each directly lost block has zero or more indirectly lost blocks
213 // hanging off it. All these blocks together form a "clique". The
214 // directly lost block is called the "clique leader". The clique number
215 // is the number (in lc_chunks[]) of the clique leader.
216 // - Actually, a directly lost block may be pointed to if it's part of a
217 // cycle. In that case, there may be more than one choice for the clique
218 // leader, and the choice is arbitrary. Eg. if you have A-->B and B-->A
219 // either A or B could be the clique leader.
220 // - Cliques cannot overlap, and will be truncated to avoid this. Eg. if we
221 // have A-->C and B-->C, the two cliques will be {A,C} and {B}, or {A} and
222 // {B,C} (again the choice is arbitrary). This is because we don't want
223 // to count a block as indirectly lost more than once.
225 // A note on 'is_prior_definite':
226 // - This is a boolean used in various places that indicates if the chain
227 // up to the prior node (prior to the one being considered) is definite.
228 // - In the clique == -1 case:
229 // - if True it means that the prior node is a root-set node, or that the
230 // prior node is a block which is reachable from the root-set via
231 // start-pointers.
232 // - if False it means that the prior node is a block that is only
233 // reachable from the root-set via a path including at least one
234 // interior-pointer.
235 // - In the clique != -1 case, currently it's always True because we treat
236 // start-pointers and interior-pointers the same for direct/indirect leak
237 // checking. If we added a PossibleIndirectLeak state then this would
238 // change.
241 // Define to debug the memory-leak-detector.
242 #define VG_DEBUG_FIND_CHUNK 0
243 #define VG_DEBUG_LEAKCHECK 0
244 #define VG_DEBUG_CLIQUE 0
247 /*------------------------------------------------------------*/
248 /*--- Getting the initial chunks, and searching them. ---*/
249 /*------------------------------------------------------------*/
251 // Compare the MC_Chunks by 'data' (i.e. the address of the block).
252 static Int compare_MC_Chunks(const void* n1, const void* n2)
254 const MC_Chunk* mc1 = *(const MC_Chunk *const *)n1;
255 const MC_Chunk* mc2 = *(const MC_Chunk *const *)n2;
256 if (mc1->data < mc2->data) return -1;
257 if (mc1->data > mc2->data) return 1;
258 return 0;
261 #if VG_DEBUG_FIND_CHUNK
262 // Used to sanity-check the fast binary-search mechanism.
263 static
264 Int find_chunk_for_OLD ( Addr ptr,
265 MC_Chunk** chunks,
266 Int n_chunks )
269 Int i;
270 Addr a_lo, a_hi;
271 PROF_EVENT(MCPE_FIND_CHUNK_FOR_OLD);
272 for (i = 0; i < n_chunks; i++) {
273 PROF_EVENT(MCPE_FIND_CHUNK_FOR_OLD_LOOP);
274 a_lo = chunks[i]->data;
275 a_hi = ((Addr)chunks[i]->data) + chunks[i]->szB;
276 if (a_lo == a_hi)
277 a_hi++; // Special case for szB 0. See find_chunk_for.
278 if (a_lo <= ptr && ptr < a_hi)
279 return i;
281 return -1;
283 #endif
285 // Find the i such that ptr points at or inside the block described by
286 // chunks[i]. Return -1 if none found. This assumes that chunks[]
287 // has been sorted on the 'data' field.
288 static
289 Int find_chunk_for ( Addr ptr,
290 MC_Chunk** chunks,
291 Int n_chunks )
293 Addr a_mid_lo, a_mid_hi;
294 Int lo, mid, hi, retVal;
295 // VG_(printf)("find chunk for %p = ", ptr);
296 retVal = -1;
297 lo = 0;
298 hi = n_chunks-1;
299 while (True) {
300 // Invariant: current unsearched space is from lo to hi, inclusive.
301 if (lo > hi) break; // not found
303 mid = (lo + hi) / 2;
304 a_mid_lo = chunks[mid]->data;
305 a_mid_hi = chunks[mid]->data + chunks[mid]->szB;
306 // Extent of block 'mid' is [a_mid_lo .. a_mid_hi).
307 // Special-case zero-sized blocks - treat them as if they had
308 // size 1. Not doing so causes them to not cover any address
309 // range at all and so will never be identified as the target of
310 // any pointer, which causes them to be incorrectly reported as
311 // definitely leaked.
312 if (chunks[mid]->szB == 0)
313 a_mid_hi++;
315 if (ptr < a_mid_lo) {
316 hi = mid-1;
317 continue;
319 if (ptr >= a_mid_hi) {
320 lo = mid+1;
321 continue;
323 tl_assert(ptr >= a_mid_lo && ptr < a_mid_hi);
324 retVal = mid;
325 break;
328 # if VG_DEBUG_FIND_CHUNK
329 tl_assert(retVal == find_chunk_for_OLD ( ptr, chunks, n_chunks ));
330 # endif
331 // VG_(printf)("%d\n", retVal);
332 return retVal;
336 static MC_Chunk**
337 find_active_chunks(Int* pn_chunks)
339 // Our goal is to construct a set of chunks that includes every
340 // mempool chunk, and every malloc region that *doesn't* contain a
341 // mempool chunk.
342 MC_Mempool *mp;
343 MC_Chunk **mallocs, **chunks, *mc;
344 UInt n_mallocs, n_chunks, m, s;
345 Bool *malloc_chunk_holds_a_pool_chunk;
347 // First we collect all the malloc chunks into an array and sort it.
348 // We do this because we want to query the chunks by interior
349 // pointers, requiring binary search.
350 mallocs = (MC_Chunk**) VG_(HT_to_array)( MC_(malloc_list), &n_mallocs );
351 if (n_mallocs == 0) {
352 tl_assert(mallocs == NULL);
353 *pn_chunks = 0;
354 return NULL;
356 VG_(ssort)(mallocs, n_mallocs, sizeof(VgHashNode*), compare_MC_Chunks);
358 // Then we build an array containing a Bool for each malloc chunk,
359 // indicating whether it contains any mempools.
360 malloc_chunk_holds_a_pool_chunk = VG_(calloc)( "mc.fas.1",
361 n_mallocs, sizeof(Bool) );
362 n_chunks = n_mallocs;
364 // Then we loop over the mempool tables. For each chunk in each
365 // pool, we set the entry in the Bool array corresponding to the
366 // malloc chunk containing the mempool chunk.
367 VG_(HT_ResetIter)(MC_(mempool_list));
368 while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) {
369 VG_(HT_ResetIter)(mp->chunks);
370 while ( (mc = VG_(HT_Next)(mp->chunks)) ) {
372 // We'll need to record this chunk.
373 n_chunks++;
375 // Possibly invalidate the malloc holding the beginning of this chunk.
376 m = find_chunk_for(mc->data, mallocs, n_mallocs);
377 if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) {
378 tl_assert(n_chunks > 0);
379 n_chunks--;
380 malloc_chunk_holds_a_pool_chunk[m] = True;
383 // Possibly invalidate the malloc holding the end of this chunk.
384 if (mc->szB > 1) {
385 m = find_chunk_for(mc->data + (mc->szB - 1), mallocs, n_mallocs);
386 if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) {
387 tl_assert(n_chunks > 0);
388 n_chunks--;
389 malloc_chunk_holds_a_pool_chunk[m] = True;
394 tl_assert(n_chunks > 0);
396 // Create final chunk array.
397 chunks = VG_(malloc)("mc.fas.2", sizeof(VgHashNode*) * (n_chunks));
398 s = 0;
400 // Copy the mempool chunks and the non-marked malloc chunks into a
401 // combined array of chunks.
402 VG_(HT_ResetIter)(MC_(mempool_list));
403 while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) {
404 VG_(HT_ResetIter)(mp->chunks);
405 while ( (mc = VG_(HT_Next)(mp->chunks)) ) {
406 tl_assert(s < n_chunks);
407 chunks[s++] = mc;
410 for (m = 0; m < n_mallocs; ++m) {
411 if (!malloc_chunk_holds_a_pool_chunk[m]) {
412 tl_assert(s < n_chunks);
413 chunks[s++] = mallocs[m];
416 tl_assert(s == n_chunks);
418 // Free temporaries.
419 VG_(free)(mallocs);
420 VG_(free)(malloc_chunk_holds_a_pool_chunk);
422 *pn_chunks = n_chunks;
424 return chunks;
427 /*------------------------------------------------------------*/
428 /*--- The leak detector proper. ---*/
429 /*------------------------------------------------------------*/
431 // Holds extra info about each block during leak checking.
432 typedef
433 struct {
434 UInt state:2; // Reachedness.
435 UInt pending:1; // Scan pending.
436 UInt heuristic: (sizeof(UInt)*8)-3;
437 // Heuristic with which this block was considered reachable.
438 // LchNone if state != Reachable or no heuristic needed to
439 // consider it reachable.
441 union {
442 SizeT indirect_szB;
443 // If Unreached, how many bytes are unreachable from here.
444 SizeT clique;
445 // if IndirectLeak, clique leader to which it belongs.
446 } IorC;
448 LC_Extra;
450 // An array holding pointers to every chunk we're checking. Sorted by address.
451 // lc_chunks is initialised during leak search. It is kept after leak search
452 // to support printing the list of blocks belonging to a loss record.
453 // lc_chunk array can only be used validly till the next "free" operation
454 // (as a free operation potentially destroys one or more chunks).
455 // To detect lc_chunk is valid, we store the nr of frees operations done
456 // when lc_chunk was build : lc_chunks (and lc_extras) stays valid as
457 // long as no free operations has been done since lc_chunks building.
458 static MC_Chunk** lc_chunks;
459 // How many chunks we're dealing with.
460 static Int lc_n_chunks;
461 static SizeT lc_chunks_n_frees_marker;
462 // This has the same number of entries as lc_chunks, and each entry
463 // in lc_chunks corresponds with the entry here (ie. lc_chunks[i] and
464 // lc_extras[i] describe the same block).
465 static LC_Extra* lc_extras;
467 // chunks will be converted and merged in loss record, maintained in lr_table
468 // lr_table elements are kept from one leak_search to another to implement
469 // the "print new/changed leaks" client request
470 static OSet* lr_table;
471 // Array of sorted loss record (produced during last leak search).
472 static LossRecord** lr_array;
474 // Value of the heuristics parameter used in the current (or last) leak check.
475 static UInt detect_memory_leaks_last_heuristics;
477 // DeltaMode used the last time we called detect_memory_leaks.
478 // The recorded leak errors are output using a logic based on this delta_mode.
479 // The below avoids replicating the delta_mode in each LossRecord.
480 LeakCheckDeltaMode MC_(detect_memory_leaks_last_delta_mode);
482 // Each leak search run increments the below generation counter.
483 // A used suppression during a leak search will contain this
484 // generation number.
485 UInt MC_(leak_search_gen);
487 // Records chunks that are currently being processed. Each element in the
488 // stack is an index into lc_chunks and lc_extras. Its size is
489 // 'lc_n_chunks' because in the worst case that's how many chunks could be
490 // pushed onto it (actually I think the maximum is lc_n_chunks-1 but let's
491 // be conservative).
492 static Int* lc_markstack;
493 // The index of the top element of the stack; -1 if the stack is empty, 0 if
494 // the stack has one element, 1 if it has two, etc.
495 static Int lc_markstack_top;
497 // Keeps track of how many bytes of memory we've scanned, for printing.
498 // (Nb: We don't keep track of how many register bytes we've scanned.)
499 static SizeT lc_scanned_szB;
500 // Keeps track of how many bytes we have not scanned due to read errors that
501 // caused a signal such as SIGSEGV.
502 static SizeT lc_sig_skipped_szB;
505 SizeT MC_(bytes_leaked) = 0;
506 SizeT MC_(bytes_indirect) = 0;
507 SizeT MC_(bytes_dubious) = 0;
508 SizeT MC_(bytes_reachable) = 0;
509 SizeT MC_(bytes_suppressed) = 0;
511 SizeT MC_(blocks_leaked) = 0;
512 SizeT MC_(blocks_indirect) = 0;
513 SizeT MC_(blocks_dubious) = 0;
514 SizeT MC_(blocks_reachable) = 0;
515 SizeT MC_(blocks_suppressed) = 0;
517 // Subset of MC_(bytes_reachable) and MC_(blocks_reachable) which
518 // are considered reachable due to the corresponding heuristic.
519 static SizeT MC_(bytes_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS]
520 = {0,0,0,0};
521 static SizeT MC_(blocks_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS]
522 = {0,0,0,0};
524 // Determines if a pointer is to a chunk. Returns the chunk number et al
525 // via call-by-reference.
526 static Bool
527 lc_is_a_chunk_ptr(Addr ptr, Int* pch_no, MC_Chunk** pch, LC_Extra** pex)
529 Int ch_no;
530 MC_Chunk* ch;
531 LC_Extra* ex;
533 // Quick filter. Note: implemented with am, not with get_vabits2
534 // as ptr might be random data pointing anywhere. On 64 bit
535 // platforms, getting va bits for random data can be quite costly
536 // due to the secondary map.
537 if (!VG_(am_is_valid_for_client)(ptr, 1, VKI_PROT_READ)) {
538 return False;
539 } else {
540 ch_no = find_chunk_for(ptr, lc_chunks, lc_n_chunks);
541 tl_assert(ch_no >= -1 && ch_no < lc_n_chunks);
543 if (ch_no == -1) {
544 return False;
545 } else {
546 // Ok, we've found a pointer to a chunk. Get the MC_Chunk and its
547 // LC_Extra.
548 ch = lc_chunks[ch_no];
549 ex = &(lc_extras[ch_no]);
551 tl_assert(ptr >= ch->data);
552 tl_assert(ptr < ch->data + ch->szB + (ch->szB==0 ? 1 : 0));
554 if (VG_DEBUG_LEAKCHECK)
555 VG_(printf)("ptr=%#lx -> block %d\n", ptr, ch_no);
557 *pch_no = ch_no;
558 *pch = ch;
559 *pex = ex;
561 return True;
566 // Push a chunk (well, just its index) onto the mark stack.
567 static void lc_push(Int ch_no, MC_Chunk* ch)
569 if (!lc_extras[ch_no].pending) {
570 if (0) {
571 VG_(printf)("pushing %#lx-%#lx\n", ch->data, ch->data + ch->szB);
573 lc_markstack_top++;
574 tl_assert(lc_markstack_top < lc_n_chunks);
575 lc_markstack[lc_markstack_top] = ch_no;
576 tl_assert(!lc_extras[ch_no].pending);
577 lc_extras[ch_no].pending = True;
581 // Return the index of the chunk on the top of the mark stack, or -1 if
582 // there isn't one.
583 static Bool lc_pop(Int* ret)
585 if (-1 == lc_markstack_top) {
586 return False;
587 } else {
588 tl_assert(0 <= lc_markstack_top && lc_markstack_top < lc_n_chunks);
589 *ret = lc_markstack[lc_markstack_top];
590 lc_markstack_top--;
591 tl_assert(lc_extras[*ret].pending);
592 lc_extras[*ret].pending = False;
593 return True;
597 static const HChar* pp_heuristic(LeakCheckHeuristic h)
599 switch(h) {
600 case LchNone: return "none";
601 case LchStdString: return "stdstring";
602 case LchLength64: return "length64";
603 case LchNewArray: return "newarray";
604 case LchMultipleInheritance: return "multipleinheritance";
605 default: return "???invalid heuristic???";
609 // True if ptr looks like the address of a vtable, i.e. if ptr
610 // points to an array of pointers to functions.
611 // It is assumed the only caller of this function is heuristic_reachedness
612 // which must check that ptr is aligned and above page 0.
613 // Checking that ptr is above page 0 is an optimisation : it is assumed
614 // that no vtable is located in the page 0. So, all small integer values
615 // encountered during the scan will not incur the cost of calling this
616 // function.
617 static Bool aligned_ptr_above_page0_is_vtable_addr(Addr ptr)
619 // ??? If performance problem:
620 // ??? maybe implement a cache (array indexed by ptr % primenr)
621 // ??? of "I am a vtable ptr" ???
623 // ??? Maybe the debug info could (efficiently?) be used to detect vtables ?
625 // We consider ptr as a vtable ptr if it points to a table
626 // where we find only NULL pointers or pointers pointing at an
627 // executable region. We must find at least 2 non NULL pointers
628 // before considering ptr as a vtable pointer.
629 // We scan a maximum of VTABLE_MAX_CHECK words for these 2 non NULL
630 // pointers.
631 #define VTABLE_MAX_CHECK 20
633 NSegment const *seg;
634 UInt nr_fn_ptrs = 0;
635 Addr scan;
636 Addr scan_max;
638 // First verify ptr points inside a client mapped file section.
639 // ??? is a vtable always in a file mapped readable section ?
640 seg = VG_(am_find_nsegment) (ptr);
641 if (seg == NULL
642 || seg->kind != SkFileC
643 || !seg->hasR)
644 return False;
646 // Check potential function pointers, up to a maximum of VTABLE_MAX_CHECK.
647 scan_max = ptr + VTABLE_MAX_CHECK*sizeof(Addr);
648 // If ptr is near the end of seg, avoid scan_max exceeding the end of seg:
649 if (scan_max > seg->end - sizeof(Addr))
650 scan_max = seg->end - sizeof(Addr);
651 for (scan = ptr; scan <= scan_max; scan+=sizeof(Addr)) {
652 Addr pot_fn = *((Addr *)scan);
653 if (pot_fn == 0)
654 continue; // NULL fn pointer. Seems it can happen in vtable.
655 seg = VG_(am_find_nsegment) (pot_fn);
656 #if defined(VGA_ppc64be)
657 // ppc64BE uses a thunk table (function descriptors), so we have one
658 // more level of indirection to follow.
659 if (seg == NULL
660 || seg->kind != SkFileC
661 || !seg->hasR
662 || !seg->hasW)
663 return False; // ptr to nowhere, or not a ptr to thunks.
664 pot_fn = *((Addr *)pot_fn);
665 if (pot_fn == 0)
666 continue; // NULL fn pointer. Seems it can happen in vtable.
667 seg = VG_(am_find_nsegment) (pot_fn);
668 #endif
669 if (seg == NULL
670 || seg->kind != SkFileC
671 || !seg->hasT)
672 return False; // ptr to nowhere, or not a fn ptr.
673 nr_fn_ptrs++;
674 if (nr_fn_ptrs == 2)
675 return True;
678 return False;
681 // true if a is properly aligned and points to 64bits of valid memory
682 static Bool is_valid_aligned_ULong ( Addr a )
684 if (sizeof(Word) == 8)
685 return MC_(is_valid_aligned_word)(a);
687 return MC_(is_valid_aligned_word)(a)
688 && MC_(is_valid_aligned_word)(a + 4);
691 /* The below leak_search_fault_catcher is used to catch memory access
692 errors happening during leak_search. During the scan, we check
693 with aspacemgr and/or VA bits that each page or dereferenced location is
694 readable and belongs to the client. However, we still protect
695 against SIGSEGV and SIGBUS e.g. in case aspacemgr is desynchronised
696 with the real page mappings. Such a desynchronisation could happen
697 due to an aspacemgr bug. Note that if the application is using
698 mprotect(NONE), then a page can be unreadable but have addressable
699 and defined VA bits (see mc_main.c function mc_new_mem_mprotect).
700 Currently, 2 functions are dereferencing client memory during leak search:
701 heuristic_reachedness and lc_scan_memory.
702 Each such function has its own fault catcher, that will call
703 leak_search_fault_catcher with the proper 'who' and jmpbuf parameters. */
704 static volatile Addr bad_scanned_addr;
705 static
706 void leak_search_fault_catcher ( Int sigNo, Addr addr,
707 const HChar *who, VG_MINIMAL_JMP_BUF(jmpbuf) )
709 vki_sigset_t sigmask;
711 if (0)
712 VG_(printf)("OUCH! sig=%d addr=%#lx who=%s\n", sigNo, addr, who);
714 /* Signal handler runs with the signal masked.
715 Unmask the handled signal before longjmp-ing or return-ing.
716 Note that during leak search, we expect only SIGSEGV or SIGBUS
717 and we do not expect another occurrence until we longjmp-ed!return-ed
718 to resume the leak search. So, it is safe to unmask the signal
719 here. */
720 /* First get current mask (by passing NULL as first arg) */
721 VG_(sigprocmask)(VKI_SIG_SETMASK, NULL, &sigmask);
722 /* Then set a new sigmask, with this signal removed from the mask. */
723 VG_(sigdelset)(&sigmask, sigNo);
724 VG_(sigprocmask)(VKI_SIG_SETMASK, &sigmask, NULL);
726 if (sigNo == VKI_SIGSEGV || sigNo == VKI_SIGBUS) {
727 bad_scanned_addr = addr;
728 VG_MINIMAL_LONGJMP(jmpbuf);
729 } else {
730 /* ??? During leak search, we are not supposed to receive any
731 other sync signal that these 2.
732 In theory, we should not call VG_(umsg) in a signal handler,
733 but better (try to) report this unexpected behaviour. */
734 VG_(umsg)("leak_search_fault_catcher:"
735 " unexpected signal %d, catcher %s ???\n",
736 sigNo, who);
740 // jmpbuf and fault_catcher used during heuristic_reachedness
741 static VG_MINIMAL_JMP_BUF(heuristic_reachedness_jmpbuf);
742 static
743 void heuristic_reachedness_fault_catcher ( Int sigNo, Addr addr )
745 leak_search_fault_catcher (sigNo, addr,
746 "heuristic_reachedness_fault_catcher",
747 heuristic_reachedness_jmpbuf);
750 // If ch is heuristically reachable via an heuristic member of heur_set,
751 // returns this heuristic.
752 // If ch cannot be considered reachable using one of these heuristics,
753 // return LchNone.
754 // This should only be called when ptr is an interior ptr to ch.
755 // The StdString/NewArray/MultipleInheritance heuristics are directly
756 // inspired from DrMemory:
757 // see http://www.burningcutlery.com/derek/docs/drmem-CGO11.pdf [section VI,C]
758 // and bug 280271.
759 static LeakCheckHeuristic heuristic_reachedness (Addr ptr,
760 MC_Chunk *ch, LC_Extra *ex,
761 UInt heur_set)
764 fault_catcher_t prev_catcher;
766 prev_catcher = VG_(set_fault_catcher)(heuristic_reachedness_fault_catcher);
768 // See leak_search_fault_catcher
769 if (VG_MINIMAL_SETJMP(heuristic_reachedness_jmpbuf) != 0) {
770 VG_(set_fault_catcher) (prev_catcher);
771 return LchNone;
774 if (HiS(LchStdString, heur_set)) {
775 // Detects inner pointers to Std::String for layout being
776 // length capacity refcount char_array[] \0
777 // where ptr points to the beginning of the char_array.
778 // Note: we check definedness for length and capacity but
779 // not for refcount, as refcount size might be smaller than
780 // a SizeT, giving a uninitialised hole in the first 3 SizeT.
781 if ( ptr == ch->data + 3 * sizeof(SizeT)
782 && MC_(is_valid_aligned_word)(ch->data + sizeof(SizeT))) {
783 const SizeT capacity = *((SizeT*)(ch->data + sizeof(SizeT)));
784 if (3 * sizeof(SizeT) + capacity + 1 == ch->szB
785 && MC_(is_valid_aligned_word)(ch->data)) {
786 const SizeT length = *((SizeT*)ch->data);
787 if (length <= capacity) {
788 // ??? could check there is no null byte from ptr to ptr+length-1
789 // ??? and that there is a null byte at ptr+length.
790 // ???
791 // ??? could check that ch->allockind is MC_AllocNew ???
792 // ??? probably not a good idea, as I guess stdstring
793 // ??? allocator can be done via custom allocator
794 // ??? or even a call to malloc ????
795 VG_(set_fault_catcher) (prev_catcher);
796 return LchStdString;
802 if (HiS(LchLength64, heur_set)) {
803 // Detects inner pointers that point at 64bit offset (8 bytes) into a
804 // block following the length of the remaining as 64bit number
805 // (=total block size - 8).
806 // This is used e.g. by sqlite for tracking the total size of allocated
807 // memory.
808 // Note that on 64bit platforms, a block matching LchLength64 will
809 // also be matched by LchNewArray.
810 if ( ptr == ch->data + sizeof(ULong)
811 && is_valid_aligned_ULong(ch->data)) {
812 const ULong size = *((ULong*)ch->data);
813 if (size > 0 && (ch->szB - sizeof(ULong)) == size) {
814 VG_(set_fault_catcher) (prev_catcher);
815 return LchLength64;
820 if (HiS(LchNewArray, heur_set)) {
821 // Detects inner pointers at second word of new[] array, following
822 // a plausible nr of elements.
823 // Such inner pointers are used for arrays of elements
824 // having a destructor, as the delete[] of the array must know
825 // how many elements to destroy.
827 // We have a strange/wrong case for 'ptr = new MyClass[0];' :
828 // For such a case, the returned ptr points just outside the
829 // allocated chunk. This chunk is then seen as a definite
830 // leak by Valgrind, as it is not considered an interior pointer.
831 // It is the c++ equivalent of bug 99923 (malloc(0) wrongly considered
832 // as definitely leaked). See the trick in find_chunk_for handling
833 // 0-sized block. This trick does not work for 'new MyClass[0]'
834 // because a chunk "word-sized" is allocated to store the (0) nr
835 // of elements.
836 if ( ptr == ch->data + sizeof(SizeT)
837 && MC_(is_valid_aligned_word)(ch->data)) {
838 const SizeT nr_elts = *((SizeT*)ch->data);
839 if (nr_elts > 0 && (ch->szB - sizeof(SizeT)) % nr_elts == 0) {
840 // ??? could check that ch->allockind is MC_AllocNewVec ???
841 VG_(set_fault_catcher) (prev_catcher);
842 return LchNewArray;
847 if (HiS(LchMultipleInheritance, heur_set)) {
848 // Detect inner pointer used for multiple inheritance.
849 // Assumption is that the vtable pointers are before the object.
850 if (VG_IS_WORD_ALIGNED(ptr)
851 && MC_(is_valid_aligned_word)(ptr)) {
852 Addr first_addr;
853 Addr inner_addr;
855 // Avoid the call to is_vtable_addr when the addr is not
856 // aligned or points in the page0, as it is unlikely
857 // a vtable is located in this page. This last optimisation
858 // avoids to call aligned_ptr_above_page0_is_vtable_addr
859 // for all small integers.
860 // Note: we could possibly also avoid calling this function
861 // for small negative integers, as no vtable should be located
862 // in the last page.
863 inner_addr = *((Addr*)ptr);
864 if (VG_IS_WORD_ALIGNED(inner_addr)
865 && inner_addr >= (Addr)VKI_PAGE_SIZE
866 && MC_(is_valid_aligned_word)(ch->data)) {
867 first_addr = *((Addr*)ch->data);
868 if (VG_IS_WORD_ALIGNED(first_addr)
869 && first_addr >= (Addr)VKI_PAGE_SIZE
870 && aligned_ptr_above_page0_is_vtable_addr(inner_addr)
871 && aligned_ptr_above_page0_is_vtable_addr(first_addr)) {
872 // ??? could check that ch->allockind is MC_AllocNew ???
873 VG_(set_fault_catcher) (prev_catcher);
874 return LchMultipleInheritance;
880 VG_(set_fault_catcher) (prev_catcher);
881 return LchNone;
885 // If 'ptr' is pointing to a heap-allocated block which hasn't been seen
886 // before, push it onto the mark stack.
887 static void
888 lc_push_without_clique_if_a_chunk_ptr(Addr ptr, Bool is_prior_definite)
890 Int ch_no;
891 MC_Chunk* ch;
892 LC_Extra* ex;
893 Reachedness ch_via_ptr; // Is ch reachable via ptr, and how ?
895 if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) )
896 return;
898 if (ex->state == Reachable) {
899 if (ex->heuristic && ptr == ch->data)
900 // If block was considered reachable via an heuristic, and it is now
901 // directly reachable via ptr, clear the heuristic field.
902 ex->heuristic = LchNone;
903 return;
906 // Possibly upgrade the state, ie. one of:
907 // - Unreached --> Possible
908 // - Unreached --> Reachable
909 // - Possible --> Reachable
911 if (ptr == ch->data)
912 ch_via_ptr = Reachable;
913 else if (detect_memory_leaks_last_heuristics) {
914 ex->heuristic
915 = heuristic_reachedness (ptr, ch, ex,
916 detect_memory_leaks_last_heuristics);
917 if (ex->heuristic)
918 ch_via_ptr = Reachable;
919 else
920 ch_via_ptr = Possible;
921 } else
922 ch_via_ptr = Possible;
924 if (ch_via_ptr == Reachable && is_prior_definite) {
925 // 'ptr' points to the start of the block or is to be considered as
926 // pointing to the start of the block, and the prior node is
927 // definite, which means that this block is definitely reachable.
928 ex->state = Reachable;
930 // State has changed to Reachable so (re)scan the block to make
931 // sure any blocks it points to are correctly marked.
932 lc_push(ch_no, ch);
934 } else if (ex->state == Unreached) {
935 // Either 'ptr' is a interior-pointer, or the prior node isn't definite,
936 // which means that we can only mark this block as possibly reachable.
937 ex->state = Possible;
939 // State has changed to Possible so (re)scan the block to make
940 // sure any blocks it points to are correctly marked.
941 lc_push(ch_no, ch);
945 static void
946 lc_push_if_a_chunk_ptr_register(ThreadId tid, const HChar* regname, Addr ptr)
948 lc_push_without_clique_if_a_chunk_ptr(ptr, /*is_prior_definite*/True);
951 // If ptr is pointing to a heap-allocated block which hasn't been seen
952 // before, push it onto the mark stack. Clique is the index of the
953 // clique leader.
954 static void
955 lc_push_with_clique_if_a_chunk_ptr(Addr ptr, Int clique, Int cur_clique)
957 Int ch_no;
958 MC_Chunk* ch;
959 LC_Extra* ex;
961 tl_assert(0 <= clique && clique < lc_n_chunks);
963 if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) )
964 return;
966 // If it's not Unreached, it's already been handled so ignore it.
967 // If ch_no==clique, it's the clique leader, which means this is a cyclic
968 // structure; again ignore it because it's already been handled.
969 if (ex->state == Unreached && ch_no != clique) {
970 // Note that, unlike reachable blocks, we currently don't distinguish
971 // between start-pointers and interior-pointers here. We probably
972 // should, though.
973 lc_push(ch_no, ch);
975 // Add the block to the clique, and add its size to the
976 // clique-leader's indirect size. Also, if the new block was
977 // itself a clique leader, it isn't any more, so add its
978 // indirect_szB to the new clique leader.
979 if (VG_DEBUG_CLIQUE) {
980 if (ex->IorC.indirect_szB > 0)
981 VG_(printf)(" clique %d joining clique %d adding %lu+%lu\n",
982 ch_no, clique, (SizeT)ch->szB, ex->IorC.indirect_szB);
983 else
984 VG_(printf)(" block %d joining clique %d adding %lu\n",
985 ch_no, clique, (SizeT)ch->szB);
988 lc_extras[clique].IorC.indirect_szB += ch->szB;
989 lc_extras[clique].IorC.indirect_szB += ex->IorC.indirect_szB;
990 ex->state = IndirectLeak;
991 ex->IorC.clique = (SizeT) cur_clique;
995 static void
996 lc_push_if_a_chunk_ptr(Addr ptr,
997 Int clique, Int cur_clique, Bool is_prior_definite)
999 if (-1 == clique)
1000 lc_push_without_clique_if_a_chunk_ptr(ptr, is_prior_definite);
1001 else
1002 lc_push_with_clique_if_a_chunk_ptr(ptr, clique, cur_clique);
1006 static VG_MINIMAL_JMP_BUF(lc_scan_memory_jmpbuf);
1007 static
1008 void lc_scan_memory_fault_catcher ( Int sigNo, Addr addr )
1010 leak_search_fault_catcher (sigNo, addr,
1011 "lc_scan_memory_fault_catcher",
1012 lc_scan_memory_jmpbuf);
1015 // lc_scan_memory has 2 modes:
1017 // 1. Leak check mode (searched == 0).
1018 // -----------------------------------
1019 // Scan a block of memory between [start, start+len). This range may
1020 // be bogus, inaccessible, or otherwise strange; we deal with it. For each
1021 // valid aligned word we assume it's a pointer to a chunk a push the chunk
1022 // onto the mark stack if so.
1023 // clique is the "highest level clique" in which indirectly leaked blocks have
1024 // to be collected. cur_clique is the current "lower" level clique through which
1025 // the memory to be scanned has been found.
1026 // Example: in the below tree if A is leaked, the top level clique will
1027 // be A, while lower level cliques will be B and C.
1032 / \ / \
1033 D E F G
1035 // Proper handling of top and lowest level clique allows block_list of a loss
1036 // record to describe the hierarchy of indirectly leaked blocks.
1038 // 2. Search ptr mode (searched != 0).
1039 // -----------------------------------
1040 // In this mode, searches for pointers to a specific address range
1041 // In such a case, lc_scan_memory just scans [start..start+len[ for pointers
1042 // to searched and outputs the places where searched is found.
1043 // It does not recursively scans the found memory.
1044 static void
1045 lc_scan_memory(Addr start, SizeT len, Bool is_prior_definite,
1046 Int clique, Int cur_clique,
1047 Addr searched, SizeT szB)
1049 /* memory scan is based on the assumption that valid pointers are aligned
1050 on a multiple of sizeof(Addr). So, we can (and must) skip the begin and
1051 end portions of the block if they are not aligned on sizeof(Addr):
1052 These cannot be a valid pointer, and calls to MC_(is_valid_aligned_word)
1053 will assert for a non aligned address. */
1054 #if defined(VGA_s390x)
1055 // Define ptr as volatile, as on this platform, the value of ptr
1056 // is read in code executed via a longjmp.
1057 volatile
1058 #endif
1059 Addr ptr = VG_ROUNDUP(start, sizeof(Addr));
1060 const Addr end = VG_ROUNDDN(start+len, sizeof(Addr));
1061 fault_catcher_t prev_catcher;
1063 if (VG_DEBUG_LEAKCHECK)
1064 VG_(printf)("scan %#lx-%#lx (%lu)\n", start, end, len);
1066 prev_catcher = VG_(set_fault_catcher)(lc_scan_memory_fault_catcher);
1068 /* Optimisation: the loop below will check for each begin
1069 of SM chunk if the chunk is fully unaddressable. The idea is to
1070 skip efficiently such fully unaddressable SM chunks.
1071 So, we preferably start the loop on a chunk boundary.
1072 If the chunk is not fully unaddressable, we might be in
1073 an unaddressable page. Again, the idea is to skip efficiently
1074 such unaddressable page : this is the "else" part.
1075 We use an "else" so that two consecutive fully unaddressable
1076 SM chunks will be skipped efficiently: first one is skipped
1077 by this piece of code. The next SM chunk will be skipped inside
1078 the loop. */
1079 if ( ! MC_(is_within_valid_secondary)(ptr) ) {
1080 // Skip an invalid SM chunk till the beginning of the next SM Chunk.
1081 ptr = VG_ROUNDUP(ptr+1, SM_SIZE);
1082 } else if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) {
1083 // else we are in a (at least partially) valid SM chunk.
1084 // We might be in the middle of an unreadable page.
1085 // Do a cheap check to see if it's valid;
1086 // if not, skip onto the next page.
1087 ptr = VG_PGROUNDUP(ptr+1); // First page is bad - skip it.
1089 /* The above optimisation and below loop is based on some relationships
1090 between VKI_PAGE_SIZE, SM_SIZE and sizeof(Addr) which are asserted in
1091 MC_(detect_memory_leaks). */
1093 // See leak_search_fault_catcher
1094 if (VG_MINIMAL_SETJMP(lc_scan_memory_jmpbuf) != 0) {
1095 // Catch read error ...
1096 # if defined(VGA_s390x)
1097 // For a SIGSEGV, s390 delivers the page address of the bad address.
1098 // For a SIGBUS, old s390 kernels deliver a NULL address.
1099 // bad_scanned_addr can thus not be used.
1100 // So, on this platform, we always skip a full page from ptr.
1101 // The below implies to mark ptr as volatile, as we read the value
1102 // after a longjmp to here.
1103 lc_sig_skipped_szB += VKI_PAGE_SIZE;
1104 ptr = ptr + VKI_PAGE_SIZE; // Unaddressable, - skip it.
1105 # else
1106 // On other platforms, just skip one Addr.
1107 lc_sig_skipped_szB += sizeof(Addr);
1108 tl_assert(bad_scanned_addr >= VG_ROUNDUP(start, sizeof(Addr)));
1109 tl_assert(bad_scanned_addr < VG_ROUNDDN(start+len, sizeof(Addr)));
1110 ptr = bad_scanned_addr + sizeof(Addr); // Unaddressable, - skip it.
1111 #endif
1113 while (ptr < end) {
1114 Addr addr;
1116 // Skip invalid chunks.
1117 if (UNLIKELY((ptr % SM_SIZE) == 0)) {
1118 if (! MC_(is_within_valid_secondary)(ptr) ) {
1119 ptr = VG_ROUNDUP(ptr+1, SM_SIZE);
1120 continue;
1124 // Look to see if this page seems reasonable.
1125 if (UNLIKELY((ptr % VKI_PAGE_SIZE) == 0)) {
1126 if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) {
1127 ptr += VKI_PAGE_SIZE; // Bad page - skip it.
1128 continue;
1132 if ( MC_(is_valid_aligned_word)(ptr) ) {
1133 lc_scanned_szB += sizeof(Addr);
1134 // If the below read fails, we will longjmp to the loop begin.
1135 addr = *(Addr *)ptr;
1136 // If we get here, the scanned word is in valid memory. Now
1137 // let's see if its contents point to a chunk.
1138 if (UNLIKELY(searched)) {
1139 if (addr >= searched && addr < searched + szB) {
1140 const DiEpoch cur_ep = VG_(current_DiEpoch)();
1141 // The found addr is 'live', so use cur_ep to describe it.
1142 if (addr == searched) {
1143 VG_(umsg)("*%#lx points at %#lx\n", ptr, searched);
1144 MC_(pp_describe_addr) (cur_ep, ptr);
1145 } else {
1146 Int ch_no;
1147 MC_Chunk *ch;
1148 LC_Extra *ex;
1149 VG_(umsg)("*%#lx interior points at %lu bytes inside %#lx\n",
1150 ptr, (long unsigned) addr - searched, searched);
1151 MC_(pp_describe_addr) (cur_ep, ptr);
1152 if (lc_is_a_chunk_ptr(addr, &ch_no, &ch, &ex) ) {
1153 Int h;
1154 for (h = LchStdString; h < N_LEAK_CHECK_HEURISTICS; h++) {
1155 if (heuristic_reachedness(addr, ch, ex, H2S(h)) == h) {
1156 VG_(umsg)("block at %#lx considered reachable "
1157 "by ptr %#lx using %s heuristic\n",
1158 ch->data, addr, pp_heuristic(h));
1161 // Verify the loop above has properly scanned all
1162 // heuristics. If the below fails, it probably means the
1163 // LeakCheckHeuristic enum is not in sync anymore with the
1164 // above loop and/or with N_LEAK_CHECK_HEURISTICS.
1165 tl_assert (h == N_LEAK_CHECK_HEURISTICS);
1169 } else {
1170 lc_push_if_a_chunk_ptr(addr, clique, cur_clique, is_prior_definite);
1172 } else if (0 && VG_DEBUG_LEAKCHECK) {
1173 VG_(printf)("%#lx not valid\n", ptr);
1175 ptr += sizeof(Addr);
1178 VG_(set_fault_catcher)(prev_catcher);
1182 // Process the mark stack until empty.
1183 static void lc_process_markstack(Int clique)
1185 Int top = -1; // shut gcc up
1186 Bool is_prior_definite;
1188 while (lc_pop(&top)) {
1189 tl_assert(top >= 0 && top < lc_n_chunks);
1191 // See comment about 'is_prior_definite' at the top to understand this.
1192 is_prior_definite = ( Possible != lc_extras[top].state );
1194 lc_scan_memory(lc_chunks[top]->data, lc_chunks[top]->szB,
1195 is_prior_definite, clique, (clique == -1 ? -1 : top),
1196 /*searched*/ 0, 0);
1200 static Word cmp_LossRecordKey_LossRecord(const void* key, const void* elem)
1202 const LossRecordKey* a = key;
1203 const LossRecordKey* b = &(((const LossRecord*)elem)->key);
1205 // Compare on states first because that's fast.
1206 if (a->state < b->state) return -1;
1207 if (a->state > b->state) return 1;
1208 // Ok, the states are equal. Now compare the locations, which is slower.
1209 if (VG_(eq_ExeContext)(
1210 MC_(clo_leak_resolution), a->allocated_at, b->allocated_at))
1211 return 0;
1212 // Different locations. Ordering is arbitrary, just use the ec pointer.
1213 if (a->allocated_at < b->allocated_at) return -1;
1214 if (a->allocated_at > b->allocated_at) return 1;
1215 VG_(tool_panic)("bad LossRecord comparison");
1218 static Int cmp_LossRecords(const void* va, const void* vb)
1220 const LossRecord* lr_a = *(const LossRecord *const *)va;
1221 const LossRecord* lr_b = *(const LossRecord *const *)vb;
1222 SizeT total_szB_a = lr_a->szB + lr_a->indirect_szB;
1223 SizeT total_szB_b = lr_b->szB + lr_b->indirect_szB;
1225 // First compare by sizes.
1226 if (total_szB_a < total_szB_b) return -1;
1227 if (total_szB_a > total_szB_b) return 1;
1228 // If size are equal, compare by states.
1229 if (lr_a->key.state < lr_b->key.state) return -1;
1230 if (lr_a->key.state > lr_b->key.state) return 1;
1231 // If they're still equal here, it doesn't matter that much, but we keep
1232 // comparing other things so that regtests are as deterministic as
1233 // possible. So: compare num_blocks.
1234 if (lr_a->num_blocks < lr_b->num_blocks) return -1;
1235 if (lr_a->num_blocks > lr_b->num_blocks) return 1;
1236 // Finally, compare ExeContext addresses... older ones are likely to have
1237 // lower addresses.
1238 if (lr_a->key.allocated_at < lr_b->key.allocated_at) return -1;
1239 if (lr_a->key.allocated_at > lr_b->key.allocated_at) return 1;
1240 return 0;
1243 // allocates or reallocates lr_array, and set its elements to the loss records
1244 // contains in lr_table.
1245 static UInt get_lr_array_from_lr_table(void) {
1246 UInt i, n_lossrecords;
1247 LossRecord* lr;
1249 n_lossrecords = VG_(OSetGen_Size)(lr_table);
1251 // (re-)create the array of pointers to the loss records.
1252 // lr_array is kept to allow producing the block list from gdbserver.
1253 if (lr_array != NULL)
1254 VG_(free)(lr_array);
1255 lr_array = VG_(malloc)("mc.pr.2", n_lossrecords * sizeof(LossRecord*));
1256 i = 0;
1257 VG_(OSetGen_ResetIter)(lr_table);
1258 while ( (lr = VG_(OSetGen_Next)(lr_table)) ) {
1259 lr_array[i++] = lr;
1261 tl_assert(i == n_lossrecords);
1262 return n_lossrecords;
1266 static void get_printing_rules(LeakCheckParams* lcp,
1267 LossRecord* lr,
1268 Bool* count_as_error,
1269 Bool* print_record)
1271 // Rules for printing:
1272 // - We don't show suppressed loss records ever (and that's controlled
1273 // within the error manager).
1274 // - We show non-suppressed loss records that are specified in
1275 // --show-leak-kinds=... if --leak-check=yes.
1277 Bool delta_considered;
1279 switch (lcp->deltamode) {
1280 case LCD_Any:
1281 delta_considered = lr->num_blocks > 0;
1282 break;
1283 case LCD_Increased:
1284 delta_considered
1285 = lr->szB > lr->old_szB
1286 || lr->indirect_szB > lr->old_indirect_szB
1287 || lr->num_blocks > lr->old_num_blocks;
1288 break;
1289 case LCD_Changed:
1290 delta_considered = lr->szB != lr->old_szB
1291 || lr->indirect_szB != lr->old_indirect_szB
1292 || lr->num_blocks != lr->old_num_blocks;
1293 break;
1294 default:
1295 tl_assert(0);
1298 *print_record = lcp->mode == LC_Full && delta_considered
1299 && RiS(lr->key.state,lcp->show_leak_kinds);
1300 // We don't count a leaks as errors with lcp->mode==LC_Summary.
1301 // Otherwise you can get high error counts with few or no error
1302 // messages, which can be confusing. Otherwise, we count as errors
1303 // the leak kinds requested by --errors-for-leak-kinds=...
1304 *count_as_error = lcp->mode == LC_Full && delta_considered
1305 && RiS(lr->key.state,lcp->errors_for_leak_kinds);
1309 // Types and functions for xtree leak report.
1312 static XTree* leak_xt;
1314 /* Sizes and delta sizes for a loss record output in an xtree.
1315 As the output format can only show positive values, we need values for
1316 the increase and decrease cases. */
1317 typedef
1318 struct _XT_BIBK {
1319 ULong szB; // Current values
1320 ULong indirect_szB;
1321 ULong num_blocks;
1322 } XT_BIBK; // Bytes, Indirect bytes, BlocKs
1324 typedef
1325 enum {
1326 XT_Value =0,
1327 XT_Increase =1,
1328 XT_Decrease =2
1330 XT_VID; // Value or Increase or Decrease
1332 typedef
1333 struct _XT_lr {
1334 XT_BIBK vid[3]; // indexed by XT_VID
1335 } XT_lr;
1337 typedef
1338 struct _XT_Leak {
1339 XT_lr xt_lr[4]; // indexed by Reachedness
1340 } XT_Leak;
1342 static void MC_(XT_Leak_init)(void* xtl)
1344 VG_(memset) (xtl, 0, sizeof(XT_Leak));
1346 static void MC_(XT_Leak_add) (void* to, const void* xtleak)
1348 XT_Leak* xto = to;
1349 const XT_Leak* xtl = xtleak;
1351 for (int r = Reachable; r <= Unreached; r++)
1352 for (int d = 0; d < 3; d++) {
1353 xto->xt_lr[r].vid[d].szB += xtl->xt_lr[r].vid[d].szB;
1354 xto->xt_lr[r].vid[d].indirect_szB += xtl->xt_lr[r].vid[d].indirect_szB;
1355 xto->xt_lr[r].vid[d].num_blocks += xtl->xt_lr[r].vid[d].num_blocks;
1358 static void XT_insert_lr (LossRecord* lr)
1360 XT_Leak xtl;
1361 Reachedness i = lr->key.state;
1363 MC_(XT_Leak_init)(&xtl);
1365 xtl.xt_lr[i].vid[XT_Value].szB = lr->szB;
1366 xtl.xt_lr[i].vid[XT_Value].indirect_szB = lr->indirect_szB;
1367 xtl.xt_lr[i].vid[XT_Value].num_blocks = lr->num_blocks;
1369 if (lr->szB > lr->old_szB)
1370 xtl.xt_lr[i].vid[XT_Increase].szB = lr->szB - lr->old_szB;
1371 else
1372 xtl.xt_lr[i].vid[XT_Decrease].szB = lr->old_szB - lr->szB;
1373 if (lr->indirect_szB > lr->old_indirect_szB)
1374 xtl.xt_lr[i].vid[XT_Increase].indirect_szB
1375 = lr->indirect_szB - lr->old_indirect_szB;
1376 else
1377 xtl.xt_lr[i].vid[XT_Decrease].indirect_szB
1378 = lr->old_indirect_szB - lr->indirect_szB;
1379 if (lr->num_blocks > lr->old_num_blocks)
1380 xtl.xt_lr[i].vid[XT_Increase].num_blocks
1381 = lr->num_blocks - lr->old_num_blocks;
1382 else
1383 xtl.xt_lr[i].vid[XT_Decrease].num_blocks
1384 = lr->old_num_blocks - lr->num_blocks;
1386 VG_(XT_add_to_ec)(leak_xt, lr->key.allocated_at, &xtl);
1389 static void MC_(XT_Leak_sub) (void* from, const void* xtleak)
1391 tl_assert(0); // Should not be called.
1393 static const HChar* MC_(XT_Leak_img) (const void* xtleak)
1395 static XT_Leak zero;
1396 static HChar buf[600];
1397 UInt off = 0;
1399 const XT_Leak* xtl = xtleak;
1401 if (VG_(memcmp)(xtl, &zero, sizeof(XT_Leak)) != 0) {
1402 for (UInt d = XT_Value; d <= XT_Decrease; d++) {
1403 // print szB. We add indirect_szB to have the Unreachable showing
1404 // the total bytes loss, including indirect loss. This is similar
1405 // to the textual and xml reports.
1406 for (UInt r = Reachable; r <= Unreached; r++)
1407 off += VG_(sprintf) (buf + off, " %llu",
1408 xtl->xt_lr[r].vid[d].szB
1409 + xtl->xt_lr[r].vid[d].indirect_szB);
1410 // print indirect_szB, only for reachedness having such values)
1411 for (UInt r = Reachable; r <= Unreached; r++)
1412 if (r == Unreached)
1413 off += VG_(sprintf) (buf + off, " %llu",
1414 xtl->xt_lr[r].vid[d].indirect_szB);
1415 // print num_blocks
1416 for (UInt r = Reachable; r <= Unreached; r++)
1417 off += VG_(sprintf) (buf + off, " %llu",
1418 xtl->xt_lr[r].vid[d].num_blocks);
1420 return buf + 1; // + 1 to skip the useless first space
1421 } else {
1422 return NULL;
1426 /* The short event name is made of 2 or 3 or 4 letters:
1427 an optional delta indication: i = increase d = decrease
1428 a loss kind: R = Reachable P = Possibly I = Indirectly D = Definitely
1429 an optional i to indicate this loss record has indirectly lost bytes
1430 B = Bytes or Bk = Blocks.
1431 Note that indirectly lost bytes/blocks can thus be counted in 2
1432 loss records: the loss records for their "own" allocation stack trace,
1433 and the loss record of the 'main' Definitely or Possibly loss record
1434 in the indirectly lost count for these loss records. */
1435 static const HChar* XT_Leak_events =
1436 ////// XT_Value szB
1437 "RB : Reachable Bytes" ","
1438 "PB : Possibly lost Bytes" ","
1439 "IB : Indirectly lost Bytes" ","
1440 "DB : Definitely lost Bytes (direct plus indirect)" ","
1442 ////// XT_Value indirect_szB
1443 // no RIB
1444 // no PIB
1445 // no IIB
1446 "DIB : Definitely Indirectly lost Bytes (subset of DB)" ","
1448 ////// XT_Value num_blocks
1449 "RBk : reachable Blocks" ","
1450 "PBk : Possibly lost Blocks" ","
1451 "IBk : Indirectly lost Blocks" ","
1452 "DBk : Definitely lost Blocks" ","
1454 ////// XT_Increase szB
1455 "iRB : increase Reachable Bytes" ","
1456 "iPB : increase Possibly lost Bytes" ","
1457 "iIB : increase Indirectly lost Bytes" ","
1458 "iDB : increase Definitely lost Bytes" ","
1460 ////// XT_Increase indirect_szB
1461 // no iRIB
1462 // no iPIB
1463 // no iIIB
1464 "iDIB : increase Definitely Indirectly lost Bytes" ","
1466 ////// XT_Increase num_blocks
1467 "iRBk : increase reachable Blocks" ","
1468 "iPBk : increase Possibly lost Blocks" ","
1469 "iIBk : increase Indirectly lost Blocks" ","
1470 "iDBk : increase Definitely lost Blocks" ","
1473 ////// XT_Decrease szB
1474 "dRB : decrease Reachable Bytes" ","
1475 "dPB : decrease Possibly lost Bytes" ","
1476 "dIB : decrease Indirectly lost Bytes" ","
1477 "dDB : decrease Definitely lost Bytes" ","
1479 ////// XT_Decrease indirect_szB
1480 // no dRIB
1481 // no dPIB
1482 // no dIIB
1483 "dDIB : decrease Definitely Indirectly lost Bytes" ","
1485 ////// XT_Decrease num_blocks
1486 "dRBk : decrease reachable Blocks" ","
1487 "dPBk : decrease Possibly lost Blocks" ","
1488 "dIBk : decrease Indirectly lost Blocks" ","
1489 "dDBk : decrease Definitely lost Blocks";
1491 static void print_results(ThreadId tid, LeakCheckParams* lcp)
1493 Int i, n_lossrecords, start_lr_output_scan;
1494 LossRecord* lr;
1495 Bool is_suppressed;
1496 /* old_* variables are used to report delta in summary. */
1497 SizeT old_bytes_leaked = MC_(bytes_leaked);
1498 SizeT old_bytes_indirect = MC_(bytes_indirect);
1499 SizeT old_bytes_dubious = MC_(bytes_dubious);
1500 SizeT old_bytes_reachable = MC_(bytes_reachable);
1501 SizeT old_bytes_suppressed = MC_(bytes_suppressed);
1502 SizeT old_blocks_leaked = MC_(blocks_leaked);
1503 SizeT old_blocks_indirect = MC_(blocks_indirect);
1504 SizeT old_blocks_dubious = MC_(blocks_dubious);
1505 SizeT old_blocks_reachable = MC_(blocks_reachable);
1506 SizeT old_blocks_suppressed = MC_(blocks_suppressed);
1508 SizeT old_bytes_heuristically_reachable[N_LEAK_CHECK_HEURISTICS];
1509 SizeT old_blocks_heuristically_reachable[N_LEAK_CHECK_HEURISTICS];
1511 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++) {
1512 old_bytes_heuristically_reachable[i]
1513 = MC_(bytes_heuristically_reachable)[i];
1514 MC_(bytes_heuristically_reachable)[i] = 0;
1515 old_blocks_heuristically_reachable[i]
1516 = MC_(blocks_heuristically_reachable)[i];
1517 MC_(blocks_heuristically_reachable)[i] = 0;
1520 if (lr_table == NULL)
1521 // Create the lr_table, which holds the loss records.
1522 // If the lr_table already exists, it means it contains
1523 // loss_records from the previous leak search. The old_*
1524 // values in these records are used to implement the
1525 // leak check delta mode
1526 lr_table =
1527 VG_(OSetGen_Create)(offsetof(LossRecord, key),
1528 cmp_LossRecordKey_LossRecord,
1529 VG_(malloc), "mc.pr.1",
1530 VG_(free));
1532 // If we have loss records from a previous search, reset values to have
1533 // proper printing of the deltas between previous search and this search.
1534 n_lossrecords = get_lr_array_from_lr_table();
1535 for (i = 0; i < n_lossrecords; i++) {
1536 if (lr_array[i]->num_blocks == 0) {
1537 // remove from lr_table the old loss_records with 0 bytes found
1538 VG_(OSetGen_Remove) (lr_table, &lr_array[i]->key);
1539 VG_(OSetGen_FreeNode)(lr_table, lr_array[i]);
1540 } else {
1541 // move the leak sizes to old_* and zero the current sizes
1542 // for next leak search
1543 lr_array[i]->old_szB = lr_array[i]->szB;
1544 lr_array[i]->old_indirect_szB = lr_array[i]->indirect_szB;
1545 lr_array[i]->old_num_blocks = lr_array[i]->num_blocks;
1546 lr_array[i]->szB = 0;
1547 lr_array[i]->indirect_szB = 0;
1548 lr_array[i]->num_blocks = 0;
1551 // lr_array now contains "invalid" loss records => free it.
1552 // lr_array will be re-created below with the kept and new loss records.
1553 VG_(free) (lr_array);
1554 lr_array = NULL;
1556 // Convert the chunks into loss records, merging them where appropriate.
1557 for (i = 0; i < lc_n_chunks; i++) {
1558 MC_Chunk* ch = lc_chunks[i];
1559 LC_Extra* ex = &(lc_extras)[i];
1560 LossRecord* old_lr;
1561 LossRecordKey lrkey;
1562 lrkey.state = ex->state;
1563 lrkey.allocated_at = MC_(allocated_at)(ch);
1565 if (ex->heuristic) {
1566 MC_(bytes_heuristically_reachable)[ex->heuristic] += ch->szB;
1567 MC_(blocks_heuristically_reachable)[ex->heuristic]++;
1568 if (VG_DEBUG_LEAKCHECK)
1569 VG_(printf)("heuristic %s %#lx len %lu\n",
1570 pp_heuristic(ex->heuristic),
1571 ch->data, (SizeT)ch->szB);
1574 old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey);
1575 if (old_lr) {
1576 // We found an existing loss record matching this chunk. Update the
1577 // loss record's details in-situ. This is safe because we don't
1578 // change the elements used as the OSet key.
1579 old_lr->szB += ch->szB;
1580 if (ex->state == Unreached)
1581 old_lr->indirect_szB += ex->IorC.indirect_szB;
1582 old_lr->num_blocks++;
1583 } else {
1584 // No existing loss record matches this chunk. Create a new loss
1585 // record, initialise it from the chunk, and insert it into lr_table.
1586 lr = VG_(OSetGen_AllocNode)(lr_table, sizeof(LossRecord));
1587 lr->key = lrkey;
1588 lr->szB = ch->szB;
1589 if (ex->state == Unreached)
1590 lr->indirect_szB = ex->IorC.indirect_szB;
1591 else
1592 lr->indirect_szB = 0;
1593 lr->num_blocks = 1;
1594 lr->old_szB = 0;
1595 lr->old_indirect_szB = 0;
1596 lr->old_num_blocks = 0;
1597 VG_(OSetGen_Insert)(lr_table, lr);
1601 // (re-)create the array of pointers to the (new) loss records.
1602 n_lossrecords = get_lr_array_from_lr_table ();
1603 tl_assert(VG_(OSetGen_Size)(lr_table) == n_lossrecords);
1605 // Sort the array by loss record sizes.
1606 VG_(ssort)(lr_array, n_lossrecords, sizeof(LossRecord*),
1607 cmp_LossRecords);
1609 // Zero totals.
1610 MC_(blocks_leaked) = MC_(bytes_leaked) = 0;
1611 MC_(blocks_indirect) = MC_(bytes_indirect) = 0;
1612 MC_(blocks_dubious) = MC_(bytes_dubious) = 0;
1613 MC_(blocks_reachable) = MC_(bytes_reachable) = 0;
1614 MC_(blocks_suppressed) = MC_(bytes_suppressed) = 0;
1616 // If there is a maximum nr of loss records we can output, then first
1617 // compute from where the output scan has to start.
1618 // By default, start from the first loss record. Compute a higher
1619 // value if there is a maximum to respect. We need to print the last
1620 // records, as the one with the biggest sizes are more interesting.
1621 start_lr_output_scan = 0;
1622 if (lcp->mode == LC_Full && lcp->max_loss_records_output < n_lossrecords) {
1623 Int nr_printable_records = 0;
1624 for (i = n_lossrecords - 1; i >= 0 && start_lr_output_scan == 0; i--) {
1625 Bool count_as_error, print_record;
1626 lr = lr_array[i];
1627 get_printing_rules (lcp, lr, &count_as_error, &print_record);
1628 // Do not use get_printing_rules results for is_suppressed, as we
1629 // only want to check if the record would be suppressed.
1630 is_suppressed =
1631 MC_(record_leak_error) ( tid, i+1, n_lossrecords, lr,
1632 False /* print_record */,
1633 False /* count_as_error */);
1634 if (print_record && !is_suppressed) {
1635 nr_printable_records++;
1636 if (nr_printable_records == lcp->max_loss_records_output)
1637 start_lr_output_scan = i;
1642 if (lcp->xt_filename != NULL)
1643 leak_xt = VG_(XT_create) (VG_(malloc),
1644 "mc_leakcheck.leak_xt",
1645 VG_(free),
1646 sizeof(XT_Leak),
1647 MC_(XT_Leak_init),
1648 MC_(XT_Leak_add),
1649 MC_(XT_Leak_sub),
1650 VG_(XT_filter_maybe_below_main));
1652 // Print the loss records (in size order) and collect summary stats.
1653 for (i = start_lr_output_scan; i < n_lossrecords; i++) {
1654 Bool count_as_error, print_record;
1655 lr = lr_array[i];
1656 get_printing_rules(lcp, lr, &count_as_error, &print_record);
1657 is_suppressed =
1658 MC_(record_leak_error)
1659 ( tid, i+1, n_lossrecords, lr,
1660 lcp->xt_filename == NULL ? print_record : False,
1661 count_as_error );
1662 if (lcp->xt_filename != NULL && !is_suppressed && print_record)
1663 XT_insert_lr (lr);
1665 if (is_suppressed) {
1666 MC_(blocks_suppressed) += lr->num_blocks;
1667 MC_(bytes_suppressed) += lr->szB;
1669 } else if (Unreached == lr->key.state) {
1670 MC_(blocks_leaked) += lr->num_blocks;
1671 MC_(bytes_leaked) += lr->szB;
1673 } else if (IndirectLeak == lr->key.state) {
1674 MC_(blocks_indirect) += lr->num_blocks;
1675 MC_(bytes_indirect) += lr->szB;
1677 } else if (Possible == lr->key.state) {
1678 MC_(blocks_dubious) += lr->num_blocks;
1679 MC_(bytes_dubious) += lr->szB;
1681 } else if (Reachable == lr->key.state) {
1682 MC_(blocks_reachable) += lr->num_blocks;
1683 MC_(bytes_reachable) += lr->szB;
1685 } else {
1686 VG_(tool_panic)("unknown loss mode");
1690 if (lcp->xt_filename != NULL) {
1691 VG_(XT_callgrind_print)(leak_xt,
1692 lcp->xt_filename,
1693 XT_Leak_events,
1694 MC_(XT_Leak_img));
1695 if (VG_(clo_verbosity) >= 1 || lcp->requested_by_monitor_command)
1696 VG_(umsg)("xtree leak report: %s\n", lcp->xt_filename);
1697 VG_(XT_delete)(leak_xt);
1700 if (VG_(clo_verbosity) > 0 && !VG_(clo_xml)) {
1701 HChar d_bytes[31];
1702 HChar d_blocks[31];
1703 # define DBY(new,old) \
1704 MC_(snprintf_delta) (d_bytes, sizeof(d_bytes), (new), (old), \
1705 lcp->deltamode)
1706 # define DBL(new,old) \
1707 MC_(snprintf_delta) (d_blocks, sizeof(d_blocks), (new), (old), \
1708 lcp->deltamode)
1710 VG_(umsg)("LEAK SUMMARY:\n");
1711 VG_(umsg)(" definitely lost: %'lu%s bytes in %'lu%s blocks\n",
1712 MC_(bytes_leaked),
1713 DBY (MC_(bytes_leaked), old_bytes_leaked),
1714 MC_(blocks_leaked),
1715 DBL (MC_(blocks_leaked), old_blocks_leaked));
1716 VG_(umsg)(" indirectly lost: %'lu%s bytes in %'lu%s blocks\n",
1717 MC_(bytes_indirect),
1718 DBY (MC_(bytes_indirect), old_bytes_indirect),
1719 MC_(blocks_indirect),
1720 DBL (MC_(blocks_indirect), old_blocks_indirect));
1721 VG_(umsg)(" possibly lost: %'lu%s bytes in %'lu%s blocks\n",
1722 MC_(bytes_dubious),
1723 DBY (MC_(bytes_dubious), old_bytes_dubious),
1724 MC_(blocks_dubious),
1725 DBL (MC_(blocks_dubious), old_blocks_dubious));
1726 VG_(umsg)(" still reachable: %'lu%s bytes in %'lu%s blocks\n",
1727 MC_(bytes_reachable),
1728 DBY (MC_(bytes_reachable), old_bytes_reachable),
1729 MC_(blocks_reachable),
1730 DBL (MC_(blocks_reachable), old_blocks_reachable));
1731 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++)
1732 if (old_blocks_heuristically_reachable[i] > 0
1733 || MC_(blocks_heuristically_reachable)[i] > 0) {
1734 VG_(umsg)(" of which "
1735 "reachable via heuristic:\n");
1736 break;
1738 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++)
1739 if (old_blocks_heuristically_reachable[i] > 0
1740 || MC_(blocks_heuristically_reachable)[i] > 0)
1741 VG_(umsg)(" %-19s: "
1742 "%'lu%s bytes in %'lu%s blocks\n",
1743 pp_heuristic(i),
1744 MC_(bytes_heuristically_reachable)[i],
1745 DBY (MC_(bytes_heuristically_reachable)[i],
1746 old_bytes_heuristically_reachable[i]),
1747 MC_(blocks_heuristically_reachable)[i],
1748 DBL (MC_(blocks_heuristically_reachable)[i],
1749 old_blocks_heuristically_reachable[i]));
1750 VG_(umsg)(" suppressed: %'lu%s bytes in %'lu%s blocks\n",
1751 MC_(bytes_suppressed),
1752 DBY (MC_(bytes_suppressed), old_bytes_suppressed),
1753 MC_(blocks_suppressed),
1754 DBL (MC_(blocks_suppressed), old_blocks_suppressed));
1755 if (lcp->mode != LC_Full &&
1756 (MC_(blocks_leaked) + MC_(blocks_indirect) +
1757 MC_(blocks_dubious) + MC_(blocks_reachable)) > 0) {
1758 if (lcp->requested_by_monitor_command)
1759 VG_(umsg)("To see details of leaked memory, "
1760 "give 'full' arg to leak_check\n");
1761 else
1762 VG_(umsg)("Rerun with --leak-check=full to see details "
1763 "of leaked memory\n");
1765 if (lcp->mode == LC_Full &&
1766 MC_(blocks_reachable) > 0 && !RiS(Reachable,lcp->show_leak_kinds)) {
1767 VG_(umsg)("Reachable blocks (those to which a pointer "
1768 "was found) are not shown.\n");
1769 if (lcp->requested_by_monitor_command)
1770 VG_(umsg)("To see them, add 'reachable any' args to leak_check\n");
1771 else
1772 VG_(umsg)("To see them, rerun with: --leak-check=full "
1773 "--show-leak-kinds=all\n");
1775 VG_(umsg)("\n");
1776 #undef DBL
1777 #undef DBY
1781 // print recursively all indirectly leaked blocks collected in clique.
1782 // Printing stops when *remaining reaches 0.
1783 static void print_clique (Int clique, UInt level, UInt *remaining)
1785 Int ind;
1786 UInt i, n_lossrecords;
1788 n_lossrecords = VG_(OSetGen_Size)(lr_table);
1790 for (ind = 0; ind < lc_n_chunks && *remaining > 0; ind++) {
1791 LC_Extra* ind_ex = &(lc_extras)[ind];
1792 if (ind_ex->state == IndirectLeak
1793 && ind_ex->IorC.clique == (SizeT) clique) {
1794 MC_Chunk* ind_ch = lc_chunks[ind];
1795 LossRecord* ind_lr;
1796 LossRecordKey ind_lrkey;
1797 UInt lr_i;
1798 ind_lrkey.state = ind_ex->state;
1799 ind_lrkey.allocated_at = MC_(allocated_at)(ind_ch);
1800 ind_lr = VG_(OSetGen_Lookup)(lr_table, &ind_lrkey);
1801 for (lr_i = 0; lr_i < n_lossrecords; lr_i++)
1802 if (ind_lr == lr_array[lr_i])
1803 break;
1804 for (i = 0; i < level; i++)
1805 VG_(umsg)(" ");
1806 VG_(umsg)("%p[%lu] indirect loss record %u\n",
1807 (void *)ind_ch->data, (SizeT)ind_ch->szB,
1808 lr_i+1); // lr_i+1 for user numbering.
1809 (*remaining)--;
1810 if (lr_i >= n_lossrecords)
1811 VG_(umsg)
1812 ("error: no indirect loss record found for %p[%lu]?????\n",
1813 (void *)ind_ch->data, (SizeT)ind_ch->szB);
1814 print_clique(ind, level+1, remaining);
1819 Bool MC_(print_block_list) ( UInt loss_record_nr_from,
1820 UInt loss_record_nr_to,
1821 UInt max_blocks,
1822 UInt heuristics)
1824 UInt loss_record_nr;
1825 UInt i, n_lossrecords;
1826 LossRecord* lr;
1827 Bool lr_printed;
1828 UInt remaining = max_blocks;
1830 if (lr_table == NULL || lc_chunks == NULL || lc_extras == NULL) {
1831 VG_(umsg)("Can't print block list : no valid leak search result\n");
1832 return False;
1835 if (lc_chunks_n_frees_marker != MC_(get_cmalloc_n_frees)()) {
1836 VG_(umsg)("Can't print obsolete block list : redo a leak search first\n");
1837 return False;
1840 n_lossrecords = VG_(OSetGen_Size)(lr_table);
1841 if (loss_record_nr_from >= n_lossrecords)
1842 return False; // Invalid starting loss record nr.
1844 if (loss_record_nr_to >= n_lossrecords)
1845 loss_record_nr_to = n_lossrecords - 1;
1847 tl_assert (lr_array);
1849 for (loss_record_nr = loss_record_nr_from;
1850 loss_record_nr <= loss_record_nr_to && remaining > 0;
1851 loss_record_nr++) {
1852 lr = lr_array[loss_record_nr];
1853 lr_printed = False;
1855 /* If user asks to print a specific loss record, we print
1856 the block details, even if no block will be shown for this lr.
1857 If user asks to print a range of lr, we only print lr details
1858 when at least one block is shown. */
1859 if (loss_record_nr_from == loss_record_nr_to) {
1860 /* (+1 on loss_record_nr as user numbering for loss records
1861 starts at 1). */
1862 MC_(pp_LossRecord)(loss_record_nr+1, n_lossrecords, lr);
1863 lr_printed = True;
1866 // Match the chunks with loss records.
1867 for (i = 0; i < lc_n_chunks && remaining > 0; i++) {
1868 MC_Chunk* ch = lc_chunks[i];
1869 LC_Extra* ex = &(lc_extras)[i];
1870 LossRecord* old_lr;
1871 LossRecordKey lrkey;
1872 lrkey.state = ex->state;
1873 lrkey.allocated_at = MC_(allocated_at)(ch);
1875 old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey);
1876 if (old_lr) {
1877 // We found an existing loss record matching this chunk.
1878 // If this is the loss record we are looking for, output the
1879 // pointer.
1880 if (old_lr == lr_array[loss_record_nr]
1881 && (heuristics == 0 || HiS(ex->heuristic, heuristics))) {
1882 if (!lr_printed) {
1883 MC_(pp_LossRecord)(loss_record_nr+1, n_lossrecords, lr);
1884 lr_printed = True;
1887 if (ex->heuristic)
1888 VG_(umsg)("%p[%lu] (found via heuristic %s)\n",
1889 (void *)ch->data, (SizeT)ch->szB,
1890 pp_heuristic (ex->heuristic));
1891 else
1892 VG_(umsg)("%p[%lu]\n",
1893 (void *)ch->data, (SizeT)ch->szB);
1894 remaining--;
1895 if (ex->state != Reachable) {
1896 // We can print the clique in all states, except Reachable.
1897 // In Unreached state, lc_chunk[i] is the clique leader.
1898 // In IndirectLeak, lc_chunk[i] might have been a clique
1899 // leader which was later collected in another clique.
1900 // For Possible, lc_chunk[i] might be the top of a clique
1901 // or an intermediate clique.
1902 print_clique(i, 1, &remaining);
1905 } else {
1906 // No existing loss record matches this chunk ???
1907 VG_(umsg)("error: no loss record found for %p[%lu]?????\n",
1908 (void *)ch->data, (SizeT)ch->szB);
1912 return True;
1915 // If searched = 0, scan memory root set, pushing onto the mark stack the blocks
1916 // encountered.
1917 // Otherwise (searched != 0), scan the memory root set searching for ptr
1918 // pointing inside [searched, searched+szB[.
1919 static void scan_memory_root_set(Addr searched, SizeT szB)
1921 Int i;
1922 Int n_seg_starts;
1923 Addr* seg_starts = VG_(get_segment_starts)( SkFileC | SkAnonC | SkShmC,
1924 &n_seg_starts );
1926 tl_assert(seg_starts && n_seg_starts > 0);
1928 lc_scanned_szB = 0;
1929 lc_sig_skipped_szB = 0;
1931 // VG_(am_show_nsegments)( 0, "leakcheck");
1932 for (i = 0; i < n_seg_starts; i++) {
1933 SizeT seg_size;
1934 NSegment const* seg = VG_(am_find_nsegment)( seg_starts[i] );
1935 tl_assert(seg);
1936 tl_assert(seg->kind == SkFileC || seg->kind == SkAnonC ||
1937 seg->kind == SkShmC);
1939 if (!(seg->hasR && seg->hasW)) continue;
1940 if (seg->isCH) continue;
1942 // Don't poke around in device segments as this may cause
1943 // hangs. Include /dev/zero just in case someone allocated
1944 // memory by explicitly mapping /dev/zero.
1945 if (seg->kind == SkFileC
1946 && (VKI_S_ISCHR(seg->mode) || VKI_S_ISBLK(seg->mode))) {
1947 const HChar* dev_name = VG_(am_get_filename)( seg );
1948 if (dev_name && 0 == VG_(strcmp)(dev_name, "/dev/zero")) {
1949 // Don't skip /dev/zero.
1950 } else {
1951 // Skip this device mapping.
1952 continue;
1956 if (0)
1957 VG_(printf)("ACCEPT %2d %#lx %#lx\n", i, seg->start, seg->end);
1959 // Scan the segment. We use -1 for the clique number, because this
1960 // is a root-set.
1961 seg_size = seg->end - seg->start + 1;
1962 if (VG_(clo_verbosity) > 2) {
1963 VG_(message)(Vg_DebugMsg,
1964 " Scanning root segment: %#lx..%#lx (%lu)\n",
1965 seg->start, seg->end, seg_size);
1967 lc_scan_memory(seg->start, seg_size, /*is_prior_definite*/True,
1968 /*clique*/-1, /*cur_clique*/-1,
1969 searched, szB);
1971 VG_(free)(seg_starts);
1974 static MC_Mempool *find_mp_of_chunk (MC_Chunk* mc_search)
1976 MC_Mempool* mp;
1978 tl_assert( MC_(mempool_list) );
1980 VG_(HT_ResetIter)( MC_(mempool_list) );
1981 while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) {
1982 MC_Chunk* mc;
1983 VG_(HT_ResetIter)(mp->chunks);
1984 while ( (mc = VG_(HT_Next)(mp->chunks)) ) {
1985 if (mc == mc_search)
1986 return mp;
1990 return NULL;
1993 /*------------------------------------------------------------*/
1994 /*--- Top-level entry point. ---*/
1995 /*------------------------------------------------------------*/
1997 void MC_(detect_memory_leaks) ( ThreadId tid, LeakCheckParams* lcp)
1999 Int i, j;
2001 tl_assert(lcp->mode != LC_Off);
2003 // Verify some assertions which are used in lc_scan_memory.
2004 tl_assert((VKI_PAGE_SIZE % sizeof(Addr)) == 0);
2005 tl_assert((SM_SIZE % sizeof(Addr)) == 0);
2006 // Above two assertions are critical, while below assertion
2007 // ensures that the optimisation in the loop is done in the
2008 // correct order : the loop checks for (big) SM chunk skipping
2009 // before checking for (smaller) page skipping.
2010 tl_assert((SM_SIZE % VKI_PAGE_SIZE) == 0);
2012 MC_(leak_search_gen)++;
2013 MC_(detect_memory_leaks_last_delta_mode) = lcp->deltamode;
2014 detect_memory_leaks_last_heuristics = lcp->heuristics;
2016 // Get the chunks, stop if there were none.
2017 if (lc_chunks) {
2018 VG_(free)(lc_chunks);
2019 lc_chunks = NULL;
2021 lc_chunks = find_active_chunks(&lc_n_chunks);
2022 lc_chunks_n_frees_marker = MC_(get_cmalloc_n_frees)();
2023 if (lc_n_chunks == 0) {
2024 tl_assert(lc_chunks == NULL);
2025 if (lr_table != NULL) {
2026 // forget the previous recorded LossRecords as next leak search
2027 // can in any case just create new leaks.
2028 // Maybe it would be better to rather call print_result ?
2029 // (at least when leak decreases are requested)
2030 // This will then output all LossRecords with a size decreasing to 0
2031 VG_(OSetGen_Destroy) (lr_table);
2032 lr_table = NULL;
2034 if (VG_(clo_verbosity) >= 1 && !VG_(clo_xml)) {
2035 VG_(umsg)("All heap blocks were freed -- no leaks are possible\n");
2036 VG_(umsg)("\n");
2038 return;
2041 // Sort the array so blocks are in ascending order in memory.
2042 VG_(ssort)(lc_chunks, lc_n_chunks, sizeof(VgHashNode*), compare_MC_Chunks);
2044 // Sanity check -- make sure they're in order.
2045 for (i = 0; i < lc_n_chunks-1; i++) {
2046 tl_assert( lc_chunks[i]->data <= lc_chunks[i+1]->data);
2049 // Sanity check -- make sure they don't overlap. One exception is that
2050 // we allow a MALLOCLIKE block to sit entirely within a malloc() block.
2051 // This is for bug 100628. If this occurs, we ignore the malloc() block
2052 // for leak-checking purposes. This is a hack and probably should be done
2053 // better, but at least it's consistent with mempools (which are treated
2054 // like this in find_active_chunks). Mempools have a separate VgHashTable
2055 // for mempool chunks, but if custom-allocated blocks are put in a separate
2056 // table from normal heap blocks it makes free-mismatch checking more
2057 // difficult.
2058 // Another exception: Metapool memory blocks overlap by definition. The meta-
2059 // block is allocated (by a custom allocator), and chunks of that block are
2060 // allocated again for use by the application: Not an error.
2062 // If this check fails, it probably means that the application
2063 // has done something stupid with VALGRIND_MALLOCLIKE_BLOCK client
2064 // requests, eg. has made overlapping requests (which are
2065 // nonsensical), or used VALGRIND_MALLOCLIKE_BLOCK for stack locations;
2066 // again nonsensical.
2068 for (i = 0; i < lc_n_chunks-1; i++) {
2069 MC_Chunk* ch1 = lc_chunks[i];
2070 MC_Chunk* ch2 = lc_chunks[i+1];
2072 Addr start1 = ch1->data;
2073 Addr start2 = ch2->data;
2074 Addr end1 = ch1->data + ch1->szB - 1;
2075 Addr end2 = ch2->data + ch2->szB - 1;
2076 Bool isCustom1 = ch1->allockind == MC_AllocCustom;
2077 Bool isCustom2 = ch2->allockind == MC_AllocCustom;
2079 if (end1 < start2) {
2080 // Normal case - no overlap.
2082 // We used to allow exact duplicates, I'm not sure why. --njn
2083 //} else if (start1 == start2 && end1 == end2) {
2084 // Degenerate case: exact duplicates.
2086 } else if (start1 >= start2 && end1 <= end2 && isCustom1 && !isCustom2) {
2087 // Block i is MALLOCLIKE and entirely within block i+1.
2088 // Remove block i+1.
2089 for (j = i+1; j < lc_n_chunks-1; j++) {
2090 lc_chunks[j] = lc_chunks[j+1];
2092 lc_n_chunks--;
2094 } else if (start2 >= start1 && end2 <= end1 && isCustom2 && !isCustom1) {
2095 // Block i+1 is MALLOCLIKE and entirely within block i.
2096 // Remove block i.
2097 for (j = i; j < lc_n_chunks-1; j++) {
2098 lc_chunks[j] = lc_chunks[j+1];
2100 lc_n_chunks--;
2102 } else {
2103 // Overlap is allowed ONLY when one of the two candicates is a block
2104 // from a memory pool that has the metapool attribute set.
2105 // All other mixtures trigger the error + assert.
2106 MC_Mempool* mp;
2107 Bool ch1_is_meta = False, ch2_is_meta = False;
2108 Bool Inappropriate = False;
2110 if (MC_(is_mempool_block)(ch1)) {
2111 mp = find_mp_of_chunk(ch1);
2112 if (mp && mp->metapool) {
2113 ch1_is_meta = True;
2117 if (MC_(is_mempool_block)(ch2)) {
2118 mp = find_mp_of_chunk(ch2);
2119 if (mp && mp->metapool) {
2120 ch2_is_meta = True;
2124 // If one of the blocks is a meta block, the other must be entirely
2125 // within that meta block, or something is really wrong with the custom
2126 // allocator.
2127 if (ch1_is_meta != ch2_is_meta) {
2128 if ( (ch1_is_meta && (start2 < start1 || end2 > end1)) ||
2129 (ch2_is_meta && (start1 < start2 || end1 > end2)) ) {
2130 Inappropriate = True;
2134 if (ch1_is_meta == ch2_is_meta || Inappropriate) {
2135 VG_(umsg)("Block 0x%lx..0x%lx overlaps with block 0x%lx..0x%lx\n",
2136 start1, end1, start2, end2);
2137 VG_(umsg)("Blocks allocation contexts:\n"),
2138 VG_(pp_ExeContext)( MC_(allocated_at)(ch1));
2139 VG_(umsg)("\n"),
2140 VG_(pp_ExeContext)( MC_(allocated_at)(ch2));
2141 VG_(umsg)("This is usually caused by using ");
2142 VG_(umsg)("VALGRIND_MALLOCLIKE_BLOCK in an inappropriate way.\n");
2143 tl_assert (0);
2148 // Initialise lc_extras.
2149 if (lc_extras) {
2150 VG_(free)(lc_extras);
2151 lc_extras = NULL;
2153 lc_extras = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(LC_Extra) );
2154 for (i = 0; i < lc_n_chunks; i++) {
2155 lc_extras[i].state = Unreached;
2156 lc_extras[i].pending = False;
2157 lc_extras[i].heuristic = LchNone;
2158 lc_extras[i].IorC.indirect_szB = 0;
2161 // Initialise lc_markstack.
2162 lc_markstack = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(Int) );
2163 for (i = 0; i < lc_n_chunks; i++) {
2164 lc_markstack[i] = -1;
2166 lc_markstack_top = -1;
2168 // Verbosity.
2169 if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) {
2170 VG_(umsg)( "Searching for pointers to %'d not-freed blocks\n",
2171 lc_n_chunks );
2174 // Scan the memory root-set, pushing onto the mark stack any blocks
2175 // pointed to.
2176 scan_memory_root_set(/*searched*/0, 0);
2178 // Scan GP registers for chunk pointers.
2179 VG_(apply_to_GP_regs)(lc_push_if_a_chunk_ptr_register);
2181 // Process the pushed blocks. After this, every block that is reachable
2182 // from the root-set has been traced.
2183 lc_process_markstack(/*clique*/-1);
2185 if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) {
2186 VG_(umsg)("Checked %'lu bytes\n", lc_scanned_szB);
2187 if (lc_sig_skipped_szB > 0)
2188 VG_(umsg)("Skipped %'lu bytes due to read errors\n",
2189 lc_sig_skipped_szB);
2190 VG_(umsg)( "\n" );
2193 // Trace all the leaked blocks to determine which are directly leaked and
2194 // which are indirectly leaked. For each Unreached block, push it onto
2195 // the mark stack, and find all the as-yet-Unreached blocks reachable
2196 // from it. These form a clique and are marked IndirectLeak, and their
2197 // size is added to the clique leader's indirect size. If one of the
2198 // found blocks was itself a clique leader (from a previous clique), then
2199 // the cliques are merged.
2200 for (i = 0; i < lc_n_chunks; i++) {
2201 MC_Chunk* ch = lc_chunks[i];
2202 LC_Extra* ex = &(lc_extras[i]);
2204 if (VG_DEBUG_CLIQUE)
2205 VG_(printf)("cliques: %d at %#lx -> Loss state %d\n",
2206 i, ch->data, ex->state);
2208 tl_assert(lc_markstack_top == -1);
2210 if (ex->state == Unreached) {
2211 if (VG_DEBUG_CLIQUE)
2212 VG_(printf)("%d: gathering clique %#lx\n", i, ch->data);
2214 // Push this Unreached block onto the stack and process it.
2215 lc_push(i, ch);
2216 lc_process_markstack(/*clique*/i);
2218 tl_assert(lc_markstack_top == -1);
2219 tl_assert(ex->state == Unreached);
2223 print_results( tid, lcp);
2225 VG_(free) ( lc_markstack );
2226 lc_markstack = NULL;
2227 // lc_chunks, lc_extras, lr_array and lr_table are kept (needed if user
2228 // calls MC_(print_block_list)). lr_table also used for delta leak reporting
2229 // between this leak search and the next leak search.
2232 static Addr searched_wpa;
2233 static SizeT searched_szB;
2234 static void
2235 search_address_in_GP_reg(ThreadId tid, const HChar* regname, Addr addr_in_reg)
2237 if (addr_in_reg >= searched_wpa
2238 && addr_in_reg < searched_wpa + searched_szB) {
2239 if (addr_in_reg == searched_wpa)
2240 VG_(umsg)
2241 ("tid %u register %s pointing at %#lx\n",
2242 tid, regname, searched_wpa);
2243 else
2244 VG_(umsg)
2245 ("tid %u register %s interior pointing %lu bytes inside %#lx\n",
2246 tid, regname, (long unsigned) addr_in_reg - searched_wpa,
2247 searched_wpa);
2251 void MC_(who_points_at) ( Addr address, SizeT szB)
2253 MC_Chunk** chunks;
2254 Int n_chunks;
2255 Int i;
2257 if (szB == 1)
2258 VG_(umsg) ("Searching for pointers to %#lx\n", address);
2259 else
2260 VG_(umsg) ("Searching for pointers pointing in %lu bytes from %#lx\n",
2261 szB, address);
2263 chunks = find_active_chunks(&n_chunks);
2265 // Scan memory root-set, searching for ptr pointing in address[szB]
2266 scan_memory_root_set(address, szB);
2268 // Scan active malloc-ed chunks
2269 for (i = 0; i < n_chunks; i++) {
2270 lc_scan_memory(chunks[i]->data, chunks[i]->szB,
2271 /*is_prior_definite*/True,
2272 /*clique*/-1, /*cur_clique*/-1,
2273 address, szB);
2275 VG_(free) ( chunks );
2277 // Scan GP registers for pointers to address range.
2278 searched_wpa = address;
2279 searched_szB = szB;
2280 VG_(apply_to_GP_regs)(search_address_in_GP_reg);
2284 /*--------------------------------------------------------------------*/
2285 /*--- end ---*/
2286 /*--------------------------------------------------------------------*/