1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 /**
20  * @file malloc.h
21  * @brief Heap memory allocation.
22  *
23  * [Debugging Native Memory Use](https://source.android.com/devices/tech/debug/native-memory)
24  * is the canonical source for documentation on Android's heap debugging
25  * features.
26  */
27 
28 #include <sys/cdefs.h>
29 #include <stddef.h>
30 #include <stdio.h>
31 
32 __BEGIN_DECLS
33 
/**
 * Wraps the compiler's `alloc_size` attribute. The arguments are 1-based
 * indices of the parameter(s) that carry the allocation size; when two
 * indices are given the size is their product. Compilers can use this to
 * size the returned object for bounds diagnostics such as
 * `__builtin_object_size`.
 */
34 #define __BIONIC_ALLOC_SIZE(...) __attribute__((__alloc_size__(__VA_ARGS__)))
35 
36 /**
37  * [malloc(3)](http://man7.org/linux/man-pages/man3/malloc.3.html) allocates
38  * memory on the heap.
39  *
40  * Returns a pointer to the allocated memory on success and returns a null
41  * pointer and sets `errno` on failure.
    *
    * Callers must check the result for null before use and must not assume the
    * returned bytes are zeroed: process-wide zero-initialization is a mallopt()
    * option (M_BIONIC_ZERO_INIT) that this header documents as having no effect
    * outside scudo. Use calloc() when zeroed memory is required.
42  */
43 void* malloc(size_t __byte_count) __mallocfunc __BIONIC_ALLOC_SIZE(1) __wur;
44 
45 /**
46  * [calloc(3)](http://man7.org/linux/man-pages/man3/calloc.3.html) allocates
47  * and clears memory on the heap.
48  *
49  * Returns a pointer to the allocated memory on success and returns a null
50  * pointer and sets `errno` on failure.
    *
    * `__BIONIC_ALLOC_SIZE(1,2)` tells the compiler that the allocation size is
    * the product of the two arguments.
    * NOTE(review): a calloc() implementation is expected to fail rather than
    * wrap when `__item_count * __item_size` overflows, but this header states
    * that guarantee only for reallocarray() - confirm for this implementation.
51  */
52 void* calloc(size_t __item_count, size_t __item_size) __mallocfunc __BIONIC_ALLOC_SIZE(1,2) __wur;
53 
54 /**
55  * [realloc(3)](http://man7.org/linux/man-pages/man3/realloc.3.html) resizes
56  * allocated memory on the heap.
57  *
58  * Returns a pointer (which may be different from `__ptr`) to the resized
59  * memory on success and returns a null pointer and sets `errno` on failure.
    *
    * On failure the original allocation is left untouched and `__ptr` stays
    * valid, so store the result in a temporary instead of overwriting `__ptr`
    * (otherwise the block is leaked). On success use only the returned pointer:
    * if the block moved, `__ptr` no longer refers to live memory.
60  */
61 void* realloc(void* __ptr, size_t __byte_count) __BIONIC_ALLOC_SIZE(2) __wur;
62 
63 /**
64  * [reallocarray(3)](http://man7.org/linux/man-pages/man3/realloc.3.html) resizes
65  * allocated memory on the heap.
66  *
67  * Equivalent to `realloc(__ptr, __item_count * __item_size)` but fails if the
68  * multiplication overflows.
    *
    * Prefer this over realloc() with a hand-written multiplication whenever the
    * element count or size is derived from input the caller does not control.
    * As with realloc(), keep the old pointer until the call has succeeded.
69  *
70  * Returns a pointer (which may be different from `__ptr`) to the resized
71  * memory on success and returns a null pointer and sets `errno` on failure.
    *
    * Available since API level 29.
72  */
73 void* reallocarray(void* __ptr, size_t __item_count, size_t __item_size) __BIONIC_ALLOC_SIZE(2, 3) __wur __INTRODUCED_IN(29);
74 
75 /**
76  * [free(3)](http://man7.org/linux/man-pages/man3/free.3.html) deallocates
77  * memory on the heap.
    *
    * A null `__ptr` is a no-op. Any other `__ptr` must have been returned by one
    * of the allocation functions and must not be used or freed again afterwards.
    * NOTE(review): the M_HEAP_TAGGING_LEVEL_TBI documentation in this header says
    * the pointer tag is checked in free(), so presumably the pointer must be
    * passed with its top byte unmodified - confirm.
78  */
79 void free(void* __ptr);
80 
81 /**
82  * [memalign(3)](http://man7.org/linux/man-pages/man3/memalign.3.html) allocates
83  * memory on the heap with the required alignment.
84  *
85  * Returns a pointer to the allocated memory on success and returns a null
86  * pointer and sets `errno` on failure.
    *
    * NOTE(review): the accepted values of `__alignment` are not stated here;
    * consult the linked man page before passing a value derived from input.
87  *
88  * See also posix_memalign().
89  */
90 void* memalign(size_t __alignment, size_t __byte_count) __mallocfunc __BIONIC_ALLOC_SIZE(2) __wur;
91 
92 /**
93  * [malloc_usable_size(3)](http://man7.org/linux/man-pages/man3/malloc_usable_size.3.html)
94  * returns the actual size of the given heap block.
    *
    * Per the linked man page, the result can be larger than the size originally
    * requested; treat it as diagnostic information rather than as permission to
    * write past the requested size.
    * NOTE(review): how the extra bytes interact with memory tagging is not
    * stated here - confirm before relying on them.
95  *
96  * Available since API level 17.
97  */
98 size_t malloc_usable_size(const void* __ptr) __INTRODUCED_IN(17);
99 
100 #ifndef STRUCT_MALLINFO_DECLARED
101 #define STRUCT_MALLINFO_DECLARED 1
    /**
     * Heap statistics returned by mallinfo(). The surrounding guard skips this
     * definition when STRUCT_MALLINFO_DECLARED is already defined. All fields
     * are `size_t` in this declaration.
     */
102 struct mallinfo {
103   /** Total number of non-mmapped bytes currently allocated from OS. */
104   size_t arena;
105   /** Number of free chunks. */
106   size_t ordblks;
107   /** (Unused.) */
108   size_t smblks;
109   /** (Unused.) */
110   size_t hblks;
111   /** Total number of bytes in mmapped regions. */
112   size_t hblkhd;
113   /** Maximum total allocated space; greater than total if trimming has occurred. */
114   size_t usmblks;
115   /** (Unused.) */
116   size_t fsmblks;
117   /** Total allocated space (normal or mmapped.) */
118   size_t uordblks;
119   /** Total free space. */
120   size_t fordblks;
121   /** Upper bound on number of bytes releasable by a trim operation. */
122   size_t keepcost;
123 };
124 #endif
125 
126 /**
127  * [mallinfo(3)](http://man7.org/linux/man-pages/man3/mallinfo.3.html) returns
128  * information about the current state of the heap. Note that mallinfo() is
129  * inherently unreliable; consider using malloc_info() instead.
     *
     * The result is returned by value as a `struct mallinfo`.
130  */
131 struct mallinfo mallinfo(void);
132 
133 /**
134  * [malloc_info(3)](http://man7.org/linux/man-pages/man3/malloc_info.3.html)
135  * writes information about the current state of the heap to the given stream.
     *
     * `__must_be_zero` is reserved; as its name says, pass 0.
     * NOTE(review): the return value convention is not stated here - see the
     * linked man page.
136  *
137  * The XML structure for malloc_info() is as follows:
138  * ```
139  * <malloc version="jemalloc-1">
140  *   <heap nr="INT">
141  *     <allocated-large>INT</allocated-large>
142  *     <allocated-huge>INT</allocated-huge>
143  *     <allocated-bins>INT</allocated-bins>
144  *     <bins-total>INT</bins-total>
145  *     <bin nr="INT">
146  *       <allocated>INT</allocated>
147  *       <nmalloc>INT</nmalloc>
148  *       <ndalloc>INT</ndalloc>
149  *     </bin>
150  *     <!-- more bins -->
151  *   </heap>
152  *   <!-- more heaps -->
153  * </malloc>
154  * ```
     *
     * NOTE(review): the `version` attribute above names jemalloc; whether the
     * same layout is produced under another allocator is not stated here, so
     * parsers should check the attribute rather than assume the structure.
155  *
156  * Available since API level 23.
157  */
158 int malloc_info(int __must_be_zero, FILE* __fp) __INTRODUCED_IN(23);
159 
160 /**
161  * mallopt() option to set the decay time. Valid values are 0 and 1.
162  *
163  * Available since API level 27.
164  */
165 #define M_DECAY_TIME (-100)
166 /**
167  * mallopt() option to immediately purge any memory not in use. This
168  * will release the memory back to the kernel. The value is ignored.
169  *
170  * Available since API level 28.
171  */
172 #define M_PURGE (-101)
173 
174 
175 /**
176  * mallopt() option to tune the allocator's choice of memory tags to
177  * make it more likely that a certain class of memory errors will be
178  * detected. This is only relevant if MTE is enabled in this process
179  * and ignored otherwise. The value argument should be one of the
180  * M_MEMTAG_TUNING_* flags.
181  * NOTE: This is only available in scudo.
182  *
183  * Available since API level 31.
184  */
185 #define M_MEMTAG_TUNING (-102)
186 
187 /**
188  * When passed as the value in an M_MEMTAG_TUNING mallopt() call, enables
189  * deterministic detection of linear buffer overflow and underflow
190  * bugs by assigning distinct tag values to adjacent allocations. This
191  * mode has a slightly reduced chance to detect use-after-free bugs
192  * because only half of the possible tag values are available for each
193  * memory location.
194  *
195  * Please keep in mind that MTE cannot detect overflow within the
196  * same tag granule (16-byte aligned chunk), and can miss small
197  * overflows even in this mode. Such an overflow cannot corrupt another
198  * allocation, because the memory within one granule is never
199  * used for multiple allocations (it is still a bug that MTE will not report).
200  */
201 #define M_MEMTAG_TUNING_BUFFER_OVERFLOW 0
202 
203 /**
204  * When passed as the value in an M_MEMTAG_TUNING mallopt() call, enables
205  * independently randomized tags for uniform ~93% probability of
206  * detecting both spatial (buffer overflow) and temporal (use after
207  * free) bugs.
     *
     * Detection in this mode is probabilistic for both bug classes, unlike the
     * deterministic adjacent-overflow detection described for
     * M_MEMTAG_TUNING_BUFFER_OVERFLOW.
208  */
209 #define M_MEMTAG_TUNING_UAF 1
210 
211 /**
212  * mallopt() option for per-thread memory initialization tuning.
213  * The value argument should be one of:
214  * 1: Disable automatic heap initialization and, where possible, memory tagging,
215  *    on this thread.
216  * 0: Normal behavior.
     *
     * Value 1 switches off hardening for this thread.
     * NOTE(review): presumably allocations made while it is set can expose
     * stale heap contents and escape tag checks, so the setting should be held
     * only around code that needs it and then restored to 0 - confirm.
217  *
218  * Available since API level 31.
219  */
220 #define M_THREAD_DISABLE_MEM_INIT (-103)
221 /**
222  * mallopt() option to set the maximum number of items in the secondary
223  * cache of the scudo allocator.
224  *
225  * Available since API level 31.
226  */
227 #define M_CACHE_COUNT_MAX (-200)
228 /**
229  * mallopt() option to set the maximum size in bytes of a cacheable item in
230  * the secondary cache of the scudo allocator.
231  *
232  * Available since API level 31.
233  */
234 #define M_CACHE_SIZE_MAX (-201)
235 /**
236  * mallopt() option to increase the maximum number of shared thread-specific
237  * data structures that can be created. This number cannot be decreased,
238  * only increased and only applies to the scudo allocator.
239  *
240  * Available since API level 31.
241  */
242 #define M_TSDS_COUNT_MAX (-202)
243 
244 /**
245  * mallopt() option to decide whether heap memory is zero-initialized on
246  * allocation across the whole process. May be called at any time, including
247  * when multiple threads are running. An argument of zero indicates memory
248  * should not be zero-initialized; any other value indicates that heap
249  * memory should be initialized to zero.
250  *
251  * Note that this memory mitigation is only implemented in scudo and therefore
252  * this will have no effect when using another allocator (such as jemalloc on
253  * Android Go devices). Code that needs zeroed memory for correctness should
     * therefore still use calloc() or clear the buffer itself.
254  *
255  * Available since API level 31.
256  */
257 #define M_BIONIC_ZERO_INIT (-203)
258 
259 /**
260  * mallopt() option to change the heap tagging state. May be called at any
261  * time, including when multiple threads are running.
262  * The value must be one of the `M_HEAP_TAGGING_LEVEL_*` constants.
     * Lowering the level is not always reversible: M_HEAP_TAGGING_LEVEL_NONE is
     * documented in this header as a state from which tagging may not be
     * re-enabled.
263  * NOTE: This is only available in scudo.
264  *
265  * Available since API level 31.
266  */
267 #define M_BIONIC_SET_HEAP_TAGGING_LEVEL (-204)
268 
269 /**
270  * Constants for use with the M_BIONIC_SET_HEAP_TAGGING_LEVEL mallopt() option.
     *
     * Each enumerator is followed by a macro of the same name that expands to
     * itself. NOTE(review): presumably this lets callers test for a level with
     * `#ifdef` - confirm the intent.
271  */
272 enum HeapTaggingLevel {
273   /**
274    * Disable heap tagging and memory tag checks (if supported).
275    * Heap tagging may not be re-enabled after being disabled.
276    */
277   M_HEAP_TAGGING_LEVEL_NONE = 0,
278 #define M_HEAP_TAGGING_LEVEL_NONE M_HEAP_TAGGING_LEVEL_NONE
279   /**
280    * Address-only tagging. Heap pointers have a non-zero tag in the
281    * most significant ("top") byte which is checked in free(). Memory
282    * accesses ignore the tag using arm64's Top Byte Ignore (TBI) feature.
283    */
284   M_HEAP_TAGGING_LEVEL_TBI = 1,
285 #define M_HEAP_TAGGING_LEVEL_TBI M_HEAP_TAGGING_LEVEL_TBI
286   /**
287    * Enable heap tagging and asynchronous memory tag checks (if supported).
288    * Disable stack trace collection.
289    */
290   M_HEAP_TAGGING_LEVEL_ASYNC = 2,
291 #define M_HEAP_TAGGING_LEVEL_ASYNC M_HEAP_TAGGING_LEVEL_ASYNC
292   /**
293    * Enable heap tagging and synchronous memory tag checks (if supported).
294    * Enable stack trace collection.
295    */
296   M_HEAP_TAGGING_LEVEL_SYNC = 3,
297 #define M_HEAP_TAGGING_LEVEL_SYNC M_HEAP_TAGGING_LEVEL_SYNC
298 };
299 
300 /**
301  * [mallopt(3)](http://man7.org/linux/man-pages/man3/mallopt.3.html) modifies
302  * heap behavior. Values of `__option` are the `M_` constants from this header.
303  *
304  * Returns 1 on success, 0 on error.
     *
     * Several options in this header are documented as scudo-only, so callers
     * that depend on a hardening option should check the return value.
     * NOTE(review): whether an option the active allocator does not implement
     * reports 0 or is silently accepted is not stated here - confirm.
305  *
306  * Available since API level 26.
307  */
308 int mallopt(int __option, int __value) __INTRODUCED_IN(26);
309 
310 /**
311  * [__malloc_hook(3)](http://man7.org/linux/man-pages/man3/__malloc_hook.3.html)
312  * is called to implement malloc(). By default this points to the system's
313  * implementation.
     *
     * This is a writable global function pointer. The `volatile` qualifier
     * forces the pointer to be re-read on each use but does not make updates
     * atomic. NOTE(review): presumably a debugging and instrumentation
     * facility - see the linked README for how hooks are enabled and for
     * threading caveats.
314  *
315  * Available since API level 28.
316  *
317  * See also: [extra documentation](https://android.googlesource.com/platform/bionic/+/master/libc/malloc_hooks/README.md)
318  */
319 extern void* (*volatile __malloc_hook)(size_t __byte_count, const void* __caller) __INTRODUCED_IN(28);
320 
321 /**
322  * [__realloc_hook(3)](http://man7.org/linux/man-pages/man3/__realloc_hook.3.html)
323  * is called to implement realloc(). By default this points to the system's
324  * implementation.
     *
     * This is a writable global function pointer; `volatile` forces a fresh
     * read on each use but does not make updates atomic. A replacement receives
     * the pointer being resized, the new size and a `__caller` pointer.
325  *
326  * Available since API level 28.
327  *
328  * See also: [extra documentation](https://android.googlesource.com/platform/bionic/+/master/libc/malloc_hooks/README.md)
329  */
330 extern void* (*volatile __realloc_hook)(void* __ptr, size_t __byte_count, const void* __caller) __INTRODUCED_IN(28);
331 
332 /**
333  * [__free_hook(3)](http://man7.org/linux/man-pages/man3/__free_hook.3.html)
334  * is called to implement free(). By default this points to the system's
335  * implementation.
     *
     * This is a writable global function pointer; `volatile` forces a fresh
     * read on each use but does not make updates atomic. A replacement receives
     * the pointer being freed and a `__caller` pointer, and returns nothing.
336  *
337  * Available since API level 28.
338  *
339  * See also: [extra documentation](https://android.googlesource.com/platform/bionic/+/master/libc/malloc_hooks/README.md)
340  */
341 extern void (*volatile __free_hook)(void* __ptr, const void* __caller) __INTRODUCED_IN(28);
342 
343 /**
344  * [__memalign_hook(3)](http://man7.org/linux/man-pages/man3/__memalign_hook.3.html)
345  * is called to implement memalign(). By default this points to the system's
346  * implementation.
     *
     * This is a writable global function pointer; `volatile` forces a fresh
     * read on each use but does not make updates atomic. A replacement receives
     * the alignment, the byte count and a `__caller` pointer.
347  *
348  * Available since API level 28.
349  *
350  * See also: [extra documentation](https://android.googlesource.com/platform/bionic/+/master/libc/malloc_hooks/README.md)
351  */
352 extern void* (*volatile __memalign_hook)(size_t __alignment, size_t __byte_count, const void* __caller) __INTRODUCED_IN(28);
353 
354 __END_DECLS
355