This is an archive of the discontinued LLVM Phabricator instance.

Differential D48199

[scudo] Add verbose failures in place of CHECK(0)
ClosedPublic

Authored by cryptoad on Jun 14 2018, 2:31 PM.

Details

Reviewers
alekseyshl
Commits
rG4adf24502ec8: [scudo] Add verbose failures in place of CHECK(0)
rL334843: [scudo] Add verbose failures in place of CHECK(0)
rCRT334843: [scudo] Add verbose failures in place of CHECK(0)
Summary

The current FailureHandler mechanism was fairly opaque with regard to the
failure reason due to using CHECK(0). Scudo is a bit different from the other
Sanitizers as it prefers to avoid spurious processing in its failure path. So
we just dieWithMessage using a somewhat explicit string.

Adapted the tests for the new strings.

While this takes care of the OnBadRequest & OnOOM failures, the next step
is probably to migrate the other Scudo failures in the same failes (header
corruption, invalid state and so on).

Diff Detail

Event Timeline

cryptoad created this revision.Jun 14 2018, 2:31 PM
Herald added subscribers: Restricted Project, delcypher, mgorny. · View Herald TranscriptJun 14 2018, 2:31 PM
Harbormaster completed remote builds in B19363: Diff 151427.Jun 14 2018, 2:31 PM
alekseyshl accepted this revision.Jun 14 2018, 3:14 PM
This revision is now accepted and ready to land.Jun 14 2018, 3:14 PM
filcab added a subscriber: filcab.Jun 15 2018, 3:30 AM
filcab added inline comments.
lib/scudo/scudo_allocator.cpp
328

Maybe also define it out of line? No use making the class definition harder to read if we don't even want to inline this function.

cryptoad added inline comments.Jun 15 2018, 8:16 AM
lib/scudo/scudo_allocator.cpp
328

Let me remove that from this CL, and in another I can add it and move definitions of isRssLimitExceeded & performSanityChecks out of line.

cryptoad updated this revision to Diff 151514.Jun 15 2018, 8:16 AM

Removing a NOINLINE that doesn't belong to this CL.

Harbormaster completed remote builds in B19386: Diff 151514.Jun 15 2018, 8:17 AM
cryptoad marked 2 inline comments as done.Jun 15 2018, 8:26 AM
Closed by commit rCRT334843: [scudo] Add verbose failures in place of CHECK(0) (authored by cryptoad). · Explain WhyJun 15 2018, 9:49 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
scudo/
1 line
65 lines
2 lines
35 lines
77 lines
3 lines
test/
scudo/
6 lines
3 lines
14 lines
3 lines

Diff 151529

lib/scudo/CMakeLists.txt

Show All 30 Lines list(APPEND SCUDO_OBJECT_LIBS
RTSanitizerCommonSymbolizer RTSanitizerCommonSymbolizer
RTUbsan) RTUbsan)
list(APPEND SCUDO_DYNAMIC_LIBS ${SANITIZER_CXX_ABI_LIBRARY}) list(APPEND SCUDO_DYNAMIC_LIBS ${SANITIZER_CXX_ABI_LIBRARY})
endif() endif()
set(SCUDO_SOURCES set(SCUDO_SOURCES
scudo_allocator.cpp scudo_allocator.cpp
scudo_crc32.cpp scudo_crc32.cpp
scudo_errors.cpp
scudo_flags.cpp scudo_flags.cpp
scudo_malloc.cpp scudo_malloc.cpp
scudo_termination.cpp scudo_termination.cpp
scudo_tsd_exclusive.cpp scudo_tsd_exclusive.cpp
scudo_tsd_shared.cpp scudo_tsd_shared.cpp
scudo_utils.cpp) scudo_utils.cpp)
set(SCUDO_CXX_SOURCES set(SCUDO_CXX_SOURCES
Show All 40 Lines

lib/scudo/scudo_allocator.cpp

Show All 10 Lines
/// It uses the sanitizer_common allocator as a base and aims at mitigating /// It uses the sanitizer_common allocator as a base and aims at mitigating
/// heap corruption vulnerabilities. It provides a checksum-guarded chunk /// heap corruption vulnerabilities. It provides a checksum-guarded chunk
/// header, a delayed free list, and additional sanity checks. /// header, a delayed free list, and additional sanity checks.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "scudo_allocator.h" #include "scudo_allocator.h"
#include "scudo_crc32.h" #include "scudo_crc32.h"
#include "scudo_errors.h"
#include "scudo_flags.h" #include "scudo_flags.h"
#include "scudo_interface_internal.h" #include "scudo_interface_internal.h"
#include "scudo_tsd.h" #include "scudo_tsd.h"
#include "scudo_utils.h" #include "scudo_utils.h"
#include "sanitizer_common/sanitizer_allocator_checks.h" #include "sanitizer_common/sanitizer_allocator_checks.h"
#include "sanitizer_common/sanitizer_allocator_interface.h" #include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_quarantine.h" #include "sanitizer_common/sanitizer_quarantine.h"
▲ Show 20 LinesShow All 192 Lines▼ Show 20 LinesScudoQuarantineCache *getQuarantineCache(ScudoTSD *TSD) {
return reinterpret_cast<ScudoQuarantineCache *>( return reinterpret_cast<ScudoQuarantineCache *>(
TSD->QuarantineCachePlaceHolder); TSD->QuarantineCachePlaceHolder);
} }
struct ScudoAllocator { struct ScudoAllocator {
static const uptr MaxAllowedMallocSize = static const uptr MaxAllowedMallocSize =
FIRST_32_SECOND_64(2UL << 30, 1ULL << 40); FIRST_32_SECOND_64(2UL << 30, 1ULL << 40);
typedef ReturnNullOrDieOnFailure FailureHandler;
ScudoBackendAllocator BackendAllocator; ScudoBackendAllocator BackendAllocator;
ScudoQuarantine AllocatorQuarantine; ScudoQuarantine AllocatorQuarantine;
u32 QuarantineChunksUpToSize; u32 QuarantineChunksUpToSize;
bool DeallocationTypeMismatch; bool DeallocationTypeMismatch;
bool ZeroContents; bool ZeroContents;
bool DeleteSizeMismatch; bool DeleteSizeMismatch;
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Lines if (UNLIKELY(!Ptr))
return false; return false;
if (!Chunk::isAligned(Ptr)) if (!Chunk::isAligned(Ptr))
return false; return false;
return Chunk::isValid(Ptr); return Chunk::isValid(Ptr);
} }
// Opportunistic RSS limit check. This will update the RSS limit status, if // Opportunistic RSS limit check. This will update the RSS limit status, if
// it can, every 100ms, otherwise it will just return the current one. // it can, every 100ms, otherwise it will just return the current one.
bool isRssLimitExceeded() { bool isRssLimitExceeded() {
filcabUnsubmitted
Done
ReplyInline Actions

Maybe also define it out of line? No use making the class definition harder to read if we don't even want to inline this function.

filcab: Maybe also define it out of line? No use making the class definition harder to read if we don't…
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

Let me remove that from this CL, and in another I can add it and move definitions of isRssLimitExceeded & performSanityChecks out of line.

cryptoad: Let me remove that from this CL, and in another I can add it and move definitions of…
u64 LastCheck = atomic_load_relaxed(&RssLastCheckedAtNS); u64 LastCheck = atomic_load_relaxed(&RssLastCheckedAtNS);
const u64 CurrentCheck = MonotonicNanoTime(); const u64 CurrentCheck = MonotonicNanoTime();
if (LIKELY(CurrentCheck < LastCheck + (100ULL * 1000000ULL))) if (LIKELY(CurrentCheck < LastCheck + (100ULL * 1000000ULL)))
return atomic_load_relaxed(&RssLimitExceeded); return atomic_load_relaxed(&RssLimitExceeded);
if (!atomic_compare_exchange_weak(&RssLastCheckedAtNS, &LastCheck, if (!atomic_compare_exchange_weak(&RssLastCheckedAtNS, &LastCheck,
CurrentCheck, memory_order_relaxed)) CurrentCheck, memory_order_relaxed))
return atomic_load_relaxed(&RssLimitExceeded); return atomic_load_relaxed(&RssLimitExceeded);
// TODO(kostyak): We currently use sanitizer_common's GetRSS which reads the // TODO(kostyak): We currently use sanitizer_common's GetRSS which reads the
Show All 17 Lines bool isRssLimitExceeded() {
} }
return atomic_load_relaxed(&RssLimitExceeded); return atomic_load_relaxed(&RssLimitExceeded);
} }
// Allocates a chunk. // Allocates a chunk.
void *allocate(uptr Size, uptr Alignment, AllocType Type, void *allocate(uptr Size, uptr Alignment, AllocType Type,
bool ForceZeroContents = false) { bool ForceZeroContents = false) {
initThreadMaybe(); initThreadMaybe();
if (UNLIKELY(Alignment > MaxAlignment)) if (UNLIKELY(Alignment > MaxAlignment)) {
return FailureHandler::OnBadRequest(); if (AllocatorMayReturnNull())
return nullptr;
reportAllocationAlignmentTooBig(Alignment, MaxAlignment);
}
if (UNLIKELY(Alignment < MinAlignment)) if (UNLIKELY(Alignment < MinAlignment))
Alignment = MinAlignment; Alignment = MinAlignment;
if (UNLIKELY(Size >= MaxAllowedMallocSize))
return FailureHandler::OnBadRequest();
if (UNLIKELY(Size == 0))
Size = 1;
const uptr NeededSize = RoundUpTo(Size, MinAlignment) + const uptr NeededSize = RoundUpTo(Size ? Size : 1, MinAlignment) +
Chunk::getHeaderSize(); Chunk::getHeaderSize();
const uptr AlignedSize = (Alignment > MinAlignment) ? const uptr AlignedSize = (Alignment > MinAlignment) ?
NeededSize + (Alignment - Chunk::getHeaderSize()) : NeededSize; NeededSize + (Alignment - Chunk::getHeaderSize()) : NeededSize;
if (UNLIKELY(AlignedSize >= MaxAllowedMallocSize)) if (UNLIKELY(Size >= MaxAllowedMallocSize) ||
return FailureHandler::OnBadRequest(); UNLIKELY(AlignedSize >= MaxAllowedMallocSize)) {
if (AllocatorMayReturnNull())
return nullptr;
reportAllocationSizeTooBig(Size, AlignedSize, MaxAllowedMallocSize);
}
if (CheckRssLimit && UNLIKELY(isRssLimitExceeded())) if (CheckRssLimit && UNLIKELY(isRssLimitExceeded())) {
return FailureHandler::OnOOM(); if (AllocatorMayReturnNull())
return nullptr;
reportRssLimitExceeded();
}
// Primary and Secondary backed allocations have a different treatment. We // Primary and Secondary backed allocations have a different treatment. We
// deal with alignment requirements of Primary serviced allocations here, // deal with alignment requirements of Primary serviced allocations here,
// but the Secondary will take care of its own alignment needs. // but the Secondary will take care of its own alignment needs.
void *BackendPtr; void *BackendPtr;
uptr BackendSize; uptr BackendSize;
u8 ClassId; u8 ClassId;
if (PrimaryAllocator::CanAllocate(AlignedSize, MinAlignment)) { if (PrimaryAllocator::CanAllocate(AlignedSize, MinAlignment)) {
BackendSize = AlignedSize; BackendSize = AlignedSize;
ClassId = SizeClassMap::ClassID(BackendSize); ClassId = SizeClassMap::ClassID(BackendSize);
bool UnlockRequired; bool UnlockRequired;
ScudoTSD *TSD = getTSDAndLock(&UnlockRequired); ScudoTSD *TSD = getTSDAndLock(&UnlockRequired);
BackendPtr = BackendAllocator.allocatePrimary(&TSD->Cache, ClassId); BackendPtr = BackendAllocator.allocatePrimary(&TSD->Cache, ClassId);
if (UnlockRequired) if (UnlockRequired)
TSD->unlock(); TSD->unlock();
} else { } else {
BackendSize = NeededSize; BackendSize = NeededSize;
ClassId = 0; ClassId = 0;
BackendPtr = BackendAllocator.allocateSecondary(BackendSize, Alignment); BackendPtr = BackendAllocator.allocateSecondary(BackendSize, Alignment);
} }
if (UNLIKELY(!BackendPtr)) if (UNLIKELY(!BackendPtr)) {
return FailureHandler::OnOOM(); SetAllocatorOutOfMemory();
if (AllocatorMayReturnNull())
return nullptr;
reportOutOfMemory(Size);
}
// If requested, we will zero out the entire contents of the returned chunk. // If requested, we will zero out the entire contents of the returned chunk.
if ((ForceZeroContents || ZeroContents) && ClassId) if ((ForceZeroContents || ZeroContents) && ClassId)
memset(BackendPtr, 0, PrimaryAllocator::ClassIdToSize(ClassId)); memset(BackendPtr, 0, PrimaryAllocator::ClassIdToSize(ClassId));
UnpackedHeader Header = {}; UnpackedHeader Header = {};
uptr UserPtr = reinterpret_cast<uptr>(BackendPtr) + Chunk::getHeaderSize(); uptr UserPtr = reinterpret_cast<uptr>(BackendPtr) + Chunk::getHeaderSize();
if (UNLIKELY(!IsAligned(UserPtr, Alignment))) { if (UNLIKELY(!IsAligned(UserPtr, Alignment))) {
▲ Show 20 LinesShow All 157 Lines▼ Show 20 Lines uptr getUsableSize(const void *Ptr) {
// Getting the usable size of a chunk only makes sense if it's allocated. // Getting the usable size of a chunk only makes sense if it's allocated.
if (UNLIKELY(Header.State != ChunkAllocated)) if (UNLIKELY(Header.State != ChunkAllocated))
dieWithMessage("invalid chunk state when sizing address %p\n", Ptr); dieWithMessage("invalid chunk state when sizing address %p\n", Ptr);
return Chunk::getUsableSize(Ptr, &Header); return Chunk::getUsableSize(Ptr, &Header);
} }
void *calloc(uptr NMemB, uptr Size) { void *calloc(uptr NMemB, uptr Size) {
initThreadMaybe(); initThreadMaybe();
if (UNLIKELY(CheckForCallocOverflow(NMemB, Size))) if (UNLIKELY(CheckForCallocOverflow(NMemB, Size))) {
return FailureHandler::OnBadRequest(); if (AllocatorMayReturnNull())
return nullptr;
reportCallocOverflow(NMemB, Size);
}
return allocate(NMemB * Size, MinAlignment, FromMalloc, true); return allocate(NMemB * Size, MinAlignment, FromMalloc, true);
} }
void commitBack(ScudoTSD *TSD) { void commitBack(ScudoTSD *TSD) {
AllocatorQuarantine.Drain(getQuarantineCache(TSD), AllocatorQuarantine.Drain(getQuarantineCache(TSD),
QuarantineCallback(&TSD->Cache)); QuarantineCallback(&TSD->Cache));
BackendAllocator.destroyCache(&TSD->Cache); BackendAllocator.destroyCache(&TSD->Cache);
} }
uptr getStats(AllocatorStat StatType) { uptr getStats(AllocatorStat StatType) {
initThreadMaybe(); initThreadMaybe();
uptr stats[AllocatorStatCount]; uptr stats[AllocatorStatCount];
BackendAllocator.getStats(stats); BackendAllocator.getStats(stats);
return stats[StatType]; return stats[StatType];
} }
void *handleBadRequest() { bool canReturnNull() {
initThreadMaybe(); initThreadMaybe();
return FailureHandler::OnBadRequest(); return AllocatorMayReturnNull();
} }
void setRssLimit(uptr LimitMb, bool HardLimit) { void setRssLimit(uptr LimitMb, bool HardLimit) {
if (HardLimit) if (HardLimit)
HardRssLimitMb = LimitMb; HardRssLimitMb = LimitMb;
else else
SoftRssLimitMb = LimitMb; SoftRssLimitMb = LimitMb;
CheckRssLimit = HardRssLimitMb || SoftRssLimitMb; CheckRssLimit = HardRssLimitMb || SoftRssLimitMb;
Show All 22 Lines
void ScudoTSD::commitBack() { void ScudoTSD::commitBack() {
Instance.commitBack(this); Instance.commitBack(this);
} }
void *scudoAllocate(uptr Size, uptr Alignment, AllocType Type) { void *scudoAllocate(uptr Size, uptr Alignment, AllocType Type) {
if (Alignment && UNLIKELY(!IsPowerOfTwo(Alignment))) { if (Alignment && UNLIKELY(!IsPowerOfTwo(Alignment))) {
errno = EINVAL; errno = EINVAL;
return Instance.handleBadRequest(); if (Instance.canReturnNull())
return nullptr;
reportAllocationAlignmentNotPowerOfTwo(Alignment);
} }
return SetErrnoOnNull(Instance.allocate(Size, Alignment, Type)); return SetErrnoOnNull(Instance.allocate(Size, Alignment, Type));
} }
void scudoDeallocate(void *Ptr, uptr Size, uptr Alignment, AllocType Type) { void scudoDeallocate(void *Ptr, uptr Size, uptr Alignment, AllocType Type) {
Instance.deallocate(Ptr, Size, Alignment, Type); Instance.deallocate(Ptr, Size, Alignment, Type);
} }
Show All 15 Linesvoid *scudoValloc(uptr Size) {
return SetErrnoOnNull( return SetErrnoOnNull(
Instance.allocate(Size, GetPageSizeCached(), FromMemalign)); Instance.allocate(Size, GetPageSizeCached(), FromMemalign));
} }
void *scudoPvalloc(uptr Size) { void *scudoPvalloc(uptr Size) {
uptr PageSize = GetPageSizeCached(); uptr PageSize = GetPageSizeCached();
if (UNLIKELY(CheckForPvallocOverflow(Size, PageSize))) { if (UNLIKELY(CheckForPvallocOverflow(Size, PageSize))) {
errno = ENOMEM; errno = ENOMEM;
return Instance.handleBadRequest(); if (Instance.canReturnNull())
return nullptr;
reportPvallocOverflow(Size);
} }
// pvalloc(0) should allocate one page. // pvalloc(0) should allocate one page.
Size = Size ? RoundUpTo(Size, PageSize) : PageSize; Size = Size ? RoundUpTo(Size, PageSize) : PageSize;
return SetErrnoOnNull(Instance.allocate(Size, PageSize, FromMemalign)); return SetErrnoOnNull(Instance.allocate(Size, PageSize, FromMemalign));
} }
int scudoPosixMemalign(void **MemPtr, uptr Alignment, uptr Size) { int scudoPosixMemalign(void **MemPtr, uptr Alignment, uptr Size) {
if (UNLIKELY(!CheckPosixMemalignAlignment(Alignment))) { if (UNLIKELY(!CheckPosixMemalignAlignment(Alignment))) {
Instance.handleBadRequest(); if (!Instance.canReturnNull())
reportInvalidPosixMemalignAlignment(Alignment);
return EINVAL; return EINVAL;
} }
void *Ptr = Instance.allocate(Size, Alignment, FromMemalign); void *Ptr = Instance.allocate(Size, Alignment, FromMemalign);
if (UNLIKELY(!Ptr)) if (UNLIKELY(!Ptr))
return ENOMEM; return ENOMEM;
*MemPtr = Ptr; *MemPtr = Ptr;
return 0; return 0;
} }
void *scudoAlignedAlloc(uptr Alignment, uptr Size) { void *scudoAlignedAlloc(uptr Alignment, uptr Size) {
if (UNLIKELY(!CheckAlignedAllocAlignmentAndSize(Alignment, Size))) { if (UNLIKELY(!CheckAlignedAllocAlignmentAndSize(Alignment, Size))) {
errno = EINVAL; errno = EINVAL;
return Instance.handleBadRequest(); if (Instance.canReturnNull())
return nullptr;
reportInvalidAlignedAllocAlignment(Size, Alignment);
} }
return SetErrnoOnNull(Instance.allocate(Size, Alignment, FromMalloc)); return SetErrnoOnNull(Instance.allocate(Size, Alignment, FromMalloc));
} }
uptr scudoMallocUsableSize(void *Ptr) { uptr scudoMallocUsableSize(void *Ptr) {
return Instance.getUsableSize(Ptr); return Instance.getUsableSize(Ptr);
} }
▲ Show 20 LinesShow All 57 LinesShow Last 20 Lines

lib/scudo/scudo_allocator_secondary.h

Show First 20 LinesShow All 81 Lines▼ Show 20 Lines void *Allocate(AllocatorStats *Stats, uptr Size, uptr Alignment) {
const uptr PageSize = GetPageSizeCached(); const uptr PageSize = GetPageSizeCached();
ReservedSize = RoundUpTo(ReservedSize, PageSize); ReservedSize = RoundUpTo(ReservedSize, PageSize);
// Account for 2 guard pages, one before and one after the chunk. // Account for 2 guard pages, one before and one after the chunk.
ReservedSize += 2 * PageSize; ReservedSize += 2 * PageSize;
ReservedAddressRange AddressRange; ReservedAddressRange AddressRange;
uptr ReservedBeg = AddressRange.Init(ReservedSize, SecondaryAllocatorName); uptr ReservedBeg = AddressRange.Init(ReservedSize, SecondaryAllocatorName);
if (UNLIKELY(ReservedBeg == ~static_cast<uptr>(0))) if (UNLIKELY(ReservedBeg == ~static_cast<uptr>(0)))
return ReturnNullOrDieOnFailure::OnOOM(); return nullptr;
// A page-aligned pointer is assumed after that, so check it now. // A page-aligned pointer is assumed after that, so check it now.
DCHECK(IsAligned(ReservedBeg, PageSize)); DCHECK(IsAligned(ReservedBeg, PageSize));
uptr ReservedEnd = ReservedBeg + ReservedSize; uptr ReservedEnd = ReservedBeg + ReservedSize;
// The beginning of the user area for that allocation comes after the // The beginning of the user area for that allocation comes after the
// initial guard page, and both headers. This is the pointer that has to // initial guard page, and both headers. This is the pointer that has to
// abide by alignment requirements. // abide by alignment requirements.
uptr CommittedBeg = ReservedBeg + PageSize; uptr CommittedBeg = ReservedBeg + PageSize;
uptr UserBeg = CommittedBeg + HeadersSize; uptr UserBeg = CommittedBeg + HeadersSize;
▲ Show 20 LinesShow All 95 LinesShow Last 20 Lines

lib/scudo/scudo_errors.h

//===-- scudo_errors.h ------------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Header for scudo_errors.cpp.
///
//===----------------------------------------------------------------------===//
#ifndef SCUDO_ERRORS_H_
#define SCUDO_ERRORS_H_
#include "sanitizer_common/sanitizer_internal_defs.h"
namespace __scudo {
void NORETURN reportCallocOverflow(uptr Count, uptr Size);
void NORETURN reportPvallocOverflow(uptr Size);
void NORETURN reportAllocationAlignmentTooBig(uptr Alignment,
uptr MaxAlignment);
void NORETURN reportAllocationAlignmentNotPowerOfTwo(uptr Alignment);
void NORETURN reportInvalidPosixMemalignAlignment(uptr Alignment);
void NORETURN reportInvalidAlignedAllocAlignment(uptr Size, uptr Alignment);
void NORETURN reportAllocationSizeTooBig(uptr UserSize, uptr TotalSize,
uptr MaxSize);
void NORETURN reportRssLimitExceeded();
void NORETURN reportOutOfMemory(uptr RequestedSize);
} // namespace __scudo
#endif // SCUDO_ERRORS_H_

lib/scudo/scudo_errors.cpp

//===-- scudo_errors.cpp ----------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Verbose termination functions.
///
//===----------------------------------------------------------------------===//
#include "scudo_utils.h"
#include "sanitizer_common/sanitizer_flags.h"
namespace __scudo {
void NORETURN reportCallocOverflow(uptr Count, uptr Size) {
dieWithMessage("calloc parameters overflow: count * size (%zd * %zd) cannot "
"be represented with type size_t\n", Count, Size);
}
void NORETURN reportPvallocOverflow(uptr Size) {
dieWithMessage("pvalloc parameters overflow: size 0x%zx rounded up to system "
"page size 0x%zx cannot be represented in type size_t\n", Size,
GetPageSizeCached());
}
void NORETURN reportAllocationAlignmentTooBig(uptr Alignment,
uptr MaxAlignment) {
dieWithMessage("invalid allocation alignment: %zd exceeds maximum supported "
"allocation of %zd\n", Alignment, MaxAlignment);
}
void NORETURN reportAllocationAlignmentNotPowerOfTwo(uptr Alignment) {
dieWithMessage("invalid allocation alignment: %zd, alignment must be a power "
"of two\n", Alignment);
}
void NORETURN reportInvalidPosixMemalignAlignment(uptr Alignment) {
dieWithMessage("invalid alignment requested in posix_memalign: %zd, alignment"
" must be a power of two and a multiple of sizeof(void *) == %zd\n",
Alignment, sizeof(void *)); // NOLINT
}
void NORETURN reportInvalidAlignedAllocAlignment(uptr Size, uptr Alignment) {
#if SANITIZER_POSIX
dieWithMessage("invalid alignment requested in aligned_alloc: %zd, alignment "
"must be a power of two and the requested size 0x%zx must be a multiple "
"of alignment\n", Alignment, Size);
#else
dieWithMessage("invalid alignment requested in aligned_alloc: %zd, the "
"requested size 0x%zx must be a multiple of alignment\n", Alignment,
Size);
#endif
}
void NORETURN reportAllocationSizeTooBig(uptr UserSize, uptr TotalSize,
uptr MaxSize) {
dieWithMessage("requested allocation size 0x%zx (0x%zx after adjustments) "
"exceeds maximum supported size of 0x%zx\n", UserSize, TotalSize,
MaxSize);
}
void NORETURN reportRssLimitExceeded() {
dieWithMessage("specified RSS limit exceeded, currently set to "
"soft_rss_limit_mb=%zd\n", common_flags()->soft_rss_limit_mb);
}
void NORETURN reportOutOfMemory(uptr RequestedSize) {
dieWithMessage("allocator is out of memory trying to allocate 0x%zx bytes\n",
RequestedSize);
}
} // namespace __scudo

lib/scudo/scudo_new_delete.cpp

//===-- scudo_new_delete.cpp ------------------------------------*- C++ -*-===// //===-- scudo_new_delete.cpp ------------------------------------*- C++ -*-===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// ///
/// Interceptors for operators new and delete. /// Interceptors for operators new and delete.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "scudo_allocator.h" #include "scudo_allocator.h"
#include "scudo_errors.h"
#include "interception/interception.h" #include "interception/interception.h"
#include <stddef.h> #include <stddef.h>
using namespace __scudo; using namespace __scudo;
#define CXX_OPERATOR_ATTRIBUTE INTERCEPTOR_ATTRIBUTE #define CXX_OPERATOR_ATTRIBUTE INTERCEPTOR_ATTRIBUTE
// Fake std::nothrow_t to avoid including <new>. // Fake std::nothrow_t to avoid including <new>.
namespace std { namespace std {
struct nothrow_t {}; struct nothrow_t {};
enum class align_val_t: size_t {}; enum class align_val_t: size_t {};
} // namespace std } // namespace std
// TODO(alekseys): throw std::bad_alloc instead of dying on OOM. // TODO(alekseys): throw std::bad_alloc instead of dying on OOM.
#define OPERATOR_NEW_BODY_ALIGN(Type, Align, NoThrow) \ #define OPERATOR_NEW_BODY_ALIGN(Type, Align, NoThrow) \
void *Ptr = scudoAllocate(size, static_cast<uptr>(Align), Type); \ void *Ptr = scudoAllocate(size, static_cast<uptr>(Align), Type); \
if (!NoThrow && UNLIKELY(!Ptr)) DieOnFailure::OnOOM(); \ if (!NoThrow && UNLIKELY(!Ptr)) reportOutOfMemory(size); \
return Ptr; return Ptr;
#define OPERATOR_NEW_BODY(Type, NoThrow) \ #define OPERATOR_NEW_BODY(Type, NoThrow) \
OPERATOR_NEW_BODY_ALIGN(Type, 0, NoThrow) OPERATOR_NEW_BODY_ALIGN(Type, 0, NoThrow)
CXX_OPERATOR_ATTRIBUTE CXX_OPERATOR_ATTRIBUTE
void *operator new(size_t size) void *operator new(size_t size)
{ OPERATOR_NEW_BODY(FromNew, /*NoThrow=*/false); } { OPERATOR_NEW_BODY(FromNew, /*NoThrow=*/false); }
CXX_OPERATOR_ATTRIBUTE CXX_OPERATOR_ATTRIBUTE
▲ Show 20 LinesShow All 66 LinesShow Last 20 Lines

test/scudo/aligned-new.cpp

// RUN: %clangxx_scudo -std=c++1z -faligned-allocation %s -o %t // RUN: %clangxx_scudo -std=c++1z -faligned-allocation %s -o %t
// RUN: %run %t valid 2>&1 // RUN: %run %t valid 2>&1
// RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t invalid 2>&1 // RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t invalid 2>&1
// RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t invalid 2>&1 | FileCheck %s
// Tests that the C++17 aligned new/delete operators are working as expected. // Tests that the C++17 aligned new/delete operators are working as expected.
// Currently we do not check the consistency of the alignment on deallocation, // Currently we do not check the consistency of the alignment on deallocation,
// so this just tests that the APIs work. // so this just tests that the APIs work.
#include <assert.h> #include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <stdint.h> #include <stdint.h>
▲ Show 20 LinesShow All 60 Lines▼ Show 20 Lines if (!strcmp(argv[1], "valid")) {
assert((reinterpret_cast<uintptr_t>(p) & (alignment - 1)) == 0); assert((reinterpret_cast<uintptr_t>(p) & (alignment - 1)) == 0);
operator delete(p, static_cast<std::align_val_t>(alignment)); operator delete(p, static_cast<std::align_val_t>(alignment));
} }
if (!strcmp(argv[1], "invalid")) { if (!strcmp(argv[1], "invalid")) {
// Alignment must be a power of 2. // Alignment must be a power of 2.
const size_t alignment = (1U << 8) - 1; const size_t alignment = (1U << 8) - 1;
void *p = operator new(1, static_cast<std::align_val_t>(alignment), void *p = operator new(1, static_cast<std::align_val_t>(alignment),
std::nothrow); std::nothrow);
// CHECK: Scudo ERROR: invalid allocation alignment
assert(!p); assert(!p);
} }
return 0; return 0;
} }

test/scudo/memalign.c

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: %run %t valid 2>&1 // RUN: %run %t valid 2>&1
// RUN: not %run %t invalid 2>&1 // RUN: not %run %t invalid 2>&1 | FileCheck --check-prefix=CHECK-align %s
// RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t invalid 2>&1 // RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t invalid 2>&1
// RUN: not %run %t double-free 2>&1 | FileCheck --check-prefix=CHECK-double-free %s // RUN: not %run %t double-free 2>&1 | FileCheck --check-prefix=CHECK-double-free %s
// RUN: %env_scudo_opts=DeallocationTypeMismatch=1 not %run %t realloc 2>&1 | FileCheck --check-prefix=CHECK-realloc %s // RUN: %env_scudo_opts=DeallocationTypeMismatch=1 not %run %t realloc 2>&1 | FileCheck --check-prefix=CHECK-realloc %s
// RUN: %env_scudo_opts=DeallocationTypeMismatch=0 %run %t realloc 2>&1 // RUN: %env_scudo_opts=DeallocationTypeMismatch=0 %run %t realloc 2>&1
// Tests that the various aligned allocation functions work as intended. Also // Tests that the various aligned allocation functions work as intended. Also
// tests for the condition where the alignment is not a power of 2. // tests for the condition where the alignment is not a power of 2.
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines for (int i = 19; i <= 24; i++) {
assert(((uintptr_t)p & (alignment - 1)) == 0); assert(((uintptr_t)p & (alignment - 1)) == 0);
free(p); free(p);
} }
} }
} }
if (!strcmp(argv[1], "invalid")) { if (!strcmp(argv[1], "invalid")) {
// Alignment is not a power of 2. // Alignment is not a power of 2.
p = memalign(alignment - 1, size); p = memalign(alignment - 1, size);
// CHECK-align: Scudo ERROR: invalid allocation alignment
assert(!p); assert(!p);
// Size is not a multiple of alignment. // Size is not a multiple of alignment.
p = aligned_alloc(alignment, size >> 1); p = aligned_alloc(alignment, size >> 1);
assert(!p); assert(!p);
void *p_unchanged = (void *)0x42UL; void *p_unchanged = (void *)0x42UL;
p = p_unchanged; p = p_unchanged;
// Alignment is not a power of 2. // Alignment is not a power of 2.
err = posix_memalign(&p, 3, size); err = posix_memalign(&p, 3, size);
Show All 26 Lines

test/scudo/sizes.cpp

// RUN: %clangxx_scudo %s -lstdc++ -o %t // RUN: %clangxx_scudo %s -lstdc++ -o %t
// RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t malloc 2>&1 | FileCheck %s // RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t malloc 2>&1 | FileCheck %s --check-prefix=CHECK-max
// RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t malloc 2>&1 // RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t malloc 2>&1
// RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t calloc 2>&1 | FileCheck %s // RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t calloc 2>&1 | FileCheck %s --check-prefix=CHECK-calloc
// RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t calloc 2>&1 // RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t calloc 2>&1
// RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t new 2>&1 | FileCheck %s // RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t new 2>&1 | FileCheck %s --check-prefix=CHECK-max
// RUN: %env_scudo_opts=allocator_may_return_null=1 not %run %t new 2>&1 | FileCheck %s // RUN: %env_scudo_opts=allocator_may_return_null=1 not %run %t new 2>&1 | FileCheck %s --check-prefix=CHECK-oom
// RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t new-nothrow 2>&1 | FileCheck %s // RUN: %env_scudo_opts=allocator_may_return_null=0 not %run %t new-nothrow 2>&1 | FileCheck %s --check-prefix=CHECK-max
// RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t new-nothrow 2>&1 // RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t new-nothrow 2>&1
// RUN: %run %t usable 2>&1 // RUN: %run %t usable 2>&1
// Tests for various edge cases related to sizes, notably the maximum size the // Tests for various edge cases related to sizes, notably the maximum size the
// allocator can allocate. Tests that an integer overflow in the parameters of // allocator can allocate. Tests that an integer overflow in the parameters of
// calloc is caught. // calloc is caught.
#include <assert.h> #include <assert.h>
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Lines if (!strcmp(argv[1], "malloc")) {
free(p); free(p);
} else { } else {
assert(0); assert(0);
} }
return 0; return 0;
} }
// CHECK: allocator is terminating the process // CHECK-max: {{Scudo ERROR: requested allocation size .* exceeds maximum supported size}}
// CHECK-oom: Scudo ERROR: allocator is out of memory
// CHECK-calloc: Scudo ERROR: calloc parameters overflow

test/scudo/valloc.c

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: %run %t valid 2>&1 // RUN: %run %t valid 2>&1
// RUN: not %run %t invalid 2>&1 // RUN: not %run %t invalid 2>&1 | FileCheck %s
// RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t invalid 2>&1 // RUN: %env_scudo_opts=allocator_may_return_null=1 %run %t invalid 2>&1
// UNSUPPORTED: android // UNSUPPORTED: android
// Tests that valloc and pvalloc work as intended. // Tests that valloc and pvalloc work as intended.
#include <assert.h> #include <assert.h>
#include <errno.h> #include <errno.h>
#include <malloc.h> #include <malloc.h>
Show All 37 Lines for (int i = (sizeof(void *) == 4) ? 3 : 4; i < 21; i++) {
assert(((uintptr_t)p & (page_size - 1)) == 0); assert(((uintptr_t)p & (page_size - 1)) == 0);
assert(malloc_usable_size(p) >= round_up_to(size, page_size)); assert(malloc_usable_size(p) >= round_up_to(size, page_size));
free(p); free(p);
} }
} }
if (!strcmp(argv[1], "invalid")) { if (!strcmp(argv[1], "invalid")) {
// Size passed to pvalloc overflows when rounded up. // Size passed to pvalloc overflows when rounded up.
p = pvalloc((size_t)-1); p = pvalloc((size_t)-1);
// CHECK: Scudo ERROR: pvalloc parameters overflow
assert(!p); assert(!p);
assert(errno == ENOMEM); assert(errno == ENOMEM);
errno = 0; errno = 0;
p = pvalloc((size_t)-page_size); p = pvalloc((size_t)-page_size);
assert(!p); assert(!p);
assert(errno == ENOMEM); assert(errno == ENOMEM);
} }
return 0; return 0;
} }