/*--------------------------------------------------------------------*/
/*--- The leak checker.                             mc_leakcheck.c ---*/
/*--------------------------------------------------------------------*/

/*
   This file is part of MemCheck, a heavyweight Valgrind tool for
   detecting memory errors.

   Copyright (C) 2000-2013 Julian Seward
      jseward@acm.org

   This program is free software; you can redistribute it and/or
   modify it under the terms of the GNU General Public License as
   published by the Free Software Foundation; either version 2 of the
   License, or (at your option) any later version.

   This program is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
   02111-1307, USA.

   The GNU General Public License is contained in the file COPYING.
*/

#include "pub_tool_basics.h"
#include "pub_tool_vki.h"
#include "pub_tool_aspacehl.h"
#include "pub_tool_aspacemgr.h"
#include "pub_tool_execontext.h"
#include "pub_tool_hashtable.h"
#include "pub_tool_libcbase.h"
#include "pub_tool_libcassert.h"
#include "pub_tool_libcprint.h"
#include "pub_tool_libcsignal.h"
#include "pub_tool_machine.h"
#include "pub_tool_mallocfree.h"
#include "pub_tool_options.h"
#include "pub_tool_oset.h"
#include "pub_tool_poolalloc.h"
#include "pub_tool_signals.h"       // Needed for mc_include.h
#include "pub_tool_libcsetjmp.h"    // setjmp facilities
#include "pub_tool_tooliface.h"     // Needed for mc_include.h

#include "mc_include.h"

/*------------------------------------------------------------*/
/*--- An overview of leak checking.                        ---*/
/*------------------------------------------------------------*/

// Leak-checking is a directed-graph traversal problem.  The graph has
// two kinds of nodes:
// - root-set nodes:
//   - GP registers of all threads;
//   - valid, aligned, pointer-sized data words in valid client memory,
//     including stacks, but excluding words within client heap-allocated
//     blocks (they are excluded so that later on we can differentiate
//     between heap blocks that are indirectly leaked vs. directly leaked).
// - heap-allocated blocks.  A block is a mempool chunk or a malloc chunk
//   that doesn't contain a mempool chunk.  Nb: the terms "blocks" and
//   "chunks" are used interchangeably below.
//
// There are two kinds of edges:
// - start-pointers, i.e. pointers to the start of a block;
// - interior-pointers, i.e. pointers to the interior of a block.
//
// We use "pointers" rather than "edges" below.
//
// Root set nodes only point to blocks.  Blocks only point to blocks;
// a block can point to itself.
//
// The aim is to traverse the graph and determine the status of each block.
//
// There are 9 distinct cases.  See memcheck/docs/mc-manual.xml for details.
// Presenting all nine categories to the user is probably too much.
// Currently we do this:
// - definitely lost:  case 3
// - indirectly lost:  cases 4, 9
// - possibly lost:    cases 5..8
// - still reachable:  cases 1, 2
//
// It's far from clear that this is the best possible categorisation;  it's
// accreted over time without any central guiding principle.
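//
// For example (an illustrative sketch, not code from this file; the
// variable name 'b' is made up):
//
//    char** b = malloc(sizeof(char*));   // block B
//    *b = malloc(16);                    // block A; its only pointer is in B
//    b = NULL;                           // the root-set pointer to B is gone
//
// After this, no pointer to B exists anywhere, so B is definitely lost
// (case 3), and the only pointer to A is inside the lost block B, so A is
// indirectly lost.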

/*------------------------------------------------------------*/
/*--- XXX: Thoughts for improvement.                       ---*/
/*------------------------------------------------------------*/

// From the user's point of view:
// - If they aren't using interior-pointers, they just have to fix the
//   directly lost blocks, and the indirectly lost ones will be fixed as
//   part of that.  Any possibly lost blocks will just be due to random
//   pointer garbage and can be ignored.
//
// - If they are using interior-pointers, the fact that they currently are not
//   being told which ones might be directly lost vs. indirectly lost makes
//   it hard to know where to begin.
//
// All this makes me wonder if a new option is warranted:
// --follow-interior-pointers.  By default it would be off, the leak checker
// wouldn't follow interior-pointers and there would only be 3 categories:
// R, DL, IL.
//
// If turned on, then it would show 7 categories (R, DL, IL, DR/DL, IR/IL,
// IR/IL/DL, IL/DL).  That output is harder to understand but it's your own
// damn fault for using interior-pointers...
//
// ----
//
// Also, why are two blank lines printed between each loss record?
// [bug 197930]
//
// ----
//
// Also, --show-reachable is a bad name because it also turns on the showing
// of indirectly leaked blocks(!)  It would be better named --show-all or
// --show-all-heap-blocks, because that's the end result.
// We now have the option --show-leak-kinds=... which allows specifying =all.
//
// ----
//
// Also, the VALGRIND_LEAK_CHECK and VALGRIND_QUICK_LEAK_CHECK aren't great
// names.  VALGRIND_FULL_LEAK_CHECK and VALGRIND_SUMMARY_LEAK_CHECK would be
// better.
//
// ----
//
// Also, VALGRIND_COUNT_LEAKS and VALGRIND_COUNT_LEAK_BLOCKS aren't great as
// they combine direct leaks and indirect leaks into one.  New, more precise
// ones (they'll need new names) would be good.  If more categories are
// used, as per the --follow-interior-pointers option, they should be
// updated accordingly.  And they should use a struct to return the values.
//
// ----
//
// Also, for this case:
//
//  (4)  p4      BBB ---> AAA
//
// BBB is definitely directly lost.  AAA is definitely indirectly lost.
// Here's the relevant loss records printed for a full check (each block is
// 16 bytes):
//
// ==20397== 16 bytes in 1 blocks are indirectly lost in loss record 9 of 15
// ==20397==    at 0x4C2694E: malloc (vg_replace_malloc.c:177)
// ==20397==    by 0x400521: mk (leak-cases.c:49)
// ==20397==    by 0x400578: main (leak-cases.c:72)
//
// ==20397== 32 (16 direct, 16 indirect) bytes in 1 blocks are definitely
// lost in loss record 14 of 15
// ==20397==    at 0x4C2694E: malloc (vg_replace_malloc.c:177)
// ==20397==    by 0x400521: mk (leak-cases.c:49)
// ==20397==    by 0x400580: main (leak-cases.c:72)
//
// The first one is fine -- it describes AAA.
//
// The second one is for BBB.  It's correct in that 16 bytes in 1 block are
// directly lost.  It's also correct that 16 are indirectly lost as a result,
// but it means that AAA is being counted twice in the loss records.  (It's
// not, thankfully, counted twice in the summary counts.)  Argh.
//
// This would be less confusing for the second one:
//
// ==20397== 16 bytes in 1 blocks are definitely lost in loss record 14
// of 15 (and 16 bytes in 1 block are indirectly lost as a result;  they
// are mentioned elsewhere (if --show-reachable=yes or indirect is given
// in --show-leak-kinds=... !))
// ==20397==    at 0x4C2694E: malloc (vg_replace_malloc.c:177)
// ==20397==    by 0x400521: mk (leak-cases.c:49)
// ==20397==    by 0x400580: main (leak-cases.c:72)
//
// But ideally we'd present the loss record for the directly lost block and
// then the resultant indirectly lost blocks and make the dependence clear.
// Double argh.

/*------------------------------------------------------------*/
/*--- The actual algorithm.                                ---*/
/*------------------------------------------------------------*/

// - Find all the blocks (a.k.a. chunks) to check.  Mempool chunks require
//   some special treatment because they can be within malloc'd blocks.
// - Scan every word in the root set (GP registers and valid
//   non-heap memory words).
//   - First, we skip if it doesn't point to valid memory.
//   - Then, we see if it points to the start or interior of a block.  If
//     so, we push the block onto the mark stack and mark it as having been
//     reached.
// - Then, we process the mark stack, repeating the scanning for each block;
//   this can push more blocks onto the mark stack.  We repeat until the
//   mark stack is empty.  Each block is marked as definitely or possibly
//   reachable, depending on whether interior-pointers were required to
//   reach it.
// - At this point we know for every block if it's reachable or not.
// - We then push each unreached block onto the mark stack, using the block
//   number as the "clique" number.
// - We process the mark stack again, this time grouping blocks into cliques
//   in order to facilitate the directly/indirectly lost categorisation.
// - We group blocks by their ExeContexts and categorisation, and print them
//   if --leak-check=full.  We also print summary numbers.
//
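// In outline, the two traversals above look roughly like this condensed
// sketch of the driver logic (see MC_(detect_memory_leaks) for the real
// sequencing; arguments are elided):
//
//    // Pass 1: reachability from the root set.
//    <scan the root set, pushing reached blocks with lc_push>
//    lc_process_markstack(/*clique*/-1);
//
//    // Pass 2: group the still-Unreached blocks into cliques.
//    for (i = 0; i < lc_n_chunks; i++)
//       if (lc_extras[i].state == Unreached) {
//          lc_push(i, lc_chunks[i]);
//          lc_process_markstack(/*clique*/i);
//       }
//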
// A note on "cliques":
// - A directly lost block is one with no pointers to it.  An indirectly
//   lost block is one that is pointed to by a directly or indirectly lost
//   block.
// - Each directly lost block has zero or more indirectly lost blocks
//   hanging off it.  All these blocks together form a "clique".  The
//   directly lost block is called the "clique leader".  The clique number
//   is the number (in lc_chunks[]) of the clique leader.
// - Actually, a directly lost block may be pointed to if it's part of a
//   cycle.  In that case, there may be more than one choice for the clique
//   leader, and the choice is arbitrary.  Eg. if you have A-->B and B-->A
//   either A or B could be the clique leader.
// - Cliques cannot overlap, and will be truncated to avoid this.  Eg. if we
//   have A-->C and B-->C, the two cliques will be {A,C} and {B}, or {A} and
//   {B,C} (again the choice is arbitrary).  This is because we don't want
//   to count a block as indirectly lost more than once.
//
// A note on 'is_prior_definite':
// - This is a boolean used in various places that indicates if the chain
//   up to the prior node (prior to the one being considered) is definite.
// - In the clique == -1 case:
//   - if True it means that the prior node is a root-set node, or that the
//     prior node is a block which is reachable from the root-set via
//     start-pointers.
//   - if False it means that the prior node is a block that is only
//     reachable from the root-set via a path including at least one
//     interior-pointer.
// - In the clique != -1 case, currently it's always True because we treat
//   start-pointers and interior-pointers the same for direct/indirect leak
//   checking.  If we added a PossibleIndirectLeak state then this would
//   change.
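//
// For example (a sketch, assuming no heuristic applies): given
//    root --start--> X --interior--> Y --start--> Z
// X is scanned with is_prior_definite == True and becomes Reachable; the
// interior-pointer makes Y merely Possible; and although Z is reached via
// a start-pointer, its prior node Y is not definite, so Z too can only be
// marked Possible.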


// Define to debug the memory-leak-detector.
#define VG_DEBUG_LEAKCHECK 0
#define VG_DEBUG_CLIQUE    0


/*------------------------------------------------------------*/
/*--- Getting the initial chunks, and searching them.      ---*/
/*------------------------------------------------------------*/

// Compare the MC_Chunks by 'data' (i.e. the address of the block).
static Int compare_MC_Chunks(const void* n1, const void* n2)
{
   const MC_Chunk* mc1 = *(const MC_Chunk *const *)n1;
   const MC_Chunk* mc2 = *(const MC_Chunk *const *)n2;
   if (mc1->data < mc2->data) return -1;
   if (mc1->data > mc2->data) return  1;
   return 0;
}

#if VG_DEBUG_LEAKCHECK
// Used to sanity-check the fast binary-search mechanism.
static
Int find_chunk_for_OLD ( Addr       ptr,
                         MC_Chunk** chunks,
                         Int        n_chunks )

{
   Int  i;
   Addr a_lo, a_hi;
   PROF_EVENT(70, "find_chunk_for_OLD");
   for (i = 0; i < n_chunks; i++) {
      PROF_EVENT(71, "find_chunk_for_OLD(loop)");
      a_lo = chunks[i]->data;
      a_hi = ((Addr)chunks[i]->data) + chunks[i]->szB;
      if (a_lo <= ptr && ptr < a_hi)
         return i;
   }
   return -1;
}
#endif

// Find the i such that ptr points at or inside the block described by
// chunks[i].  Return -1 if none found.  This assumes that chunks[]
// has been sorted on the 'data' field.
static
Int find_chunk_for ( Addr       ptr,
                     MC_Chunk** chunks,
                     Int        n_chunks )
{
   Addr a_mid_lo, a_mid_hi;
   Int lo, mid, hi, retVal;
   // VG_(printf)("find chunk for %p = ", ptr);
   retVal = -1;
   lo = 0;
   hi = n_chunks-1;
   while (True) {
      // Invariant: current unsearched space is from lo to hi, inclusive.
      if (lo > hi) break; // not found

      mid      = (lo + hi) / 2;
      a_mid_lo = chunks[mid]->data;
      a_mid_hi = chunks[mid]->data + chunks[mid]->szB;
      // Extent of block 'mid' is [a_mid_lo .. a_mid_hi).
      // Special-case zero-sized blocks - treat them as if they had
      // size 1.  Not doing so causes them to not cover any address
      // range at all and so will never be identified as the target of
      // any pointer, which causes them to be incorrectly reported as
      // definitely leaked.
      if (chunks[mid]->szB == 0)
         a_mid_hi++;

      if (ptr < a_mid_lo) {
         hi = mid-1;
         continue;
      }
      if (ptr >= a_mid_hi) {
         lo = mid+1;
         continue;
      }
      tl_assert(ptr >= a_mid_lo && ptr < a_mid_hi);
      retVal = mid;
      break;
   }

#  if VG_DEBUG_LEAKCHECK
   tl_assert(retVal == find_chunk_for_OLD ( ptr, chunks, n_chunks ));
#  endif
   // VG_(printf)("%d\n", retVal);
   return retVal;
}


static MC_Chunk**
find_active_chunks(Int* pn_chunks)
{
   // Our goal is to construct a set of chunks that includes every
   // mempool chunk, and every malloc region that *doesn't* contain a
   // mempool chunk.
   MC_Mempool *mp;
   MC_Chunk **mallocs, **chunks, *mc;
   UInt n_mallocs, n_chunks, m, s;
   Bool *malloc_chunk_holds_a_pool_chunk;

   // First we collect all the malloc chunks into an array and sort it.
   // We do this because we want to query the chunks by interior
   // pointers, requiring binary search.
   mallocs = (MC_Chunk**) VG_(HT_to_array)( MC_(malloc_list), &n_mallocs );
   if (n_mallocs == 0) {
      tl_assert(mallocs == NULL);
      *pn_chunks = 0;
      return NULL;
   }
   VG_(ssort)(mallocs, n_mallocs, sizeof(VgHashNode*), compare_MC_Chunks);

   // Then we build an array containing a Bool for each malloc chunk,
   // indicating whether it contains any mempools.
   malloc_chunk_holds_a_pool_chunk = VG_(calloc)( "mc.fas.1",
                                                  n_mallocs, sizeof(Bool) );
   n_chunks = n_mallocs;

   // Then we loop over the mempool tables.  For each chunk in each
   // pool, we set the entry in the Bool array corresponding to the
   // malloc chunk containing the mempool chunk.
   VG_(HT_ResetIter)(MC_(mempool_list));
   while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) {
      VG_(HT_ResetIter)(mp->chunks);
      while ( (mc = VG_(HT_Next)(mp->chunks)) ) {

         // We'll need to record this chunk.
         n_chunks++;

         // Possibly invalidate the malloc holding the beginning of this chunk.
         m = find_chunk_for(mc->data, mallocs, n_mallocs);
         if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) {
            tl_assert(n_chunks > 0);
            n_chunks--;
            malloc_chunk_holds_a_pool_chunk[m] = True;
         }

         // Possibly invalidate the malloc holding the end of this chunk.
         if (mc->szB > 1) {
            m = find_chunk_for(mc->data + (mc->szB - 1), mallocs, n_mallocs);
            if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) {
               tl_assert(n_chunks > 0);
               n_chunks--;
               malloc_chunk_holds_a_pool_chunk[m] = True;
            }
         }
      }
   }
   tl_assert(n_chunks > 0);

   // Create final chunk array.
   chunks = VG_(malloc)("mc.fas.2", sizeof(VgHashNode*) * (n_chunks));
   s = 0;

   // Copy the mempool chunks and the non-marked malloc chunks into a
   // combined array of chunks.
   VG_(HT_ResetIter)(MC_(mempool_list));
   while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) {
      VG_(HT_ResetIter)(mp->chunks);
      while ( (mc = VG_(HT_Next)(mp->chunks)) ) {
         tl_assert(s < n_chunks);
         chunks[s++] = mc;
      }
   }
   for (m = 0; m < n_mallocs; ++m) {
      if (!malloc_chunk_holds_a_pool_chunk[m]) {
         tl_assert(s < n_chunks);
         chunks[s++] = mallocs[m];
      }
   }
   tl_assert(s == n_chunks);

   // Free temporaries.
   VG_(free)(mallocs);
   VG_(free)(malloc_chunk_holds_a_pool_chunk);

   *pn_chunks = n_chunks;

   return chunks;
}

/*------------------------------------------------------------*/
/*--- The leak detector proper.                            ---*/
/*------------------------------------------------------------*/

// Holds extra info about each block during leak checking.
typedef
   struct {
      UInt  state:2;    // Reachedness.
      UInt  pending:1;  // Scan pending.
      UInt  heuristic: (sizeof(UInt)*8)-3;
      // Heuristic with which this block was considered reachable.
      // LchNone if state != Reachable or no heuristic needed to
      // consider it reachable.

      union {
         SizeT indirect_szB;
         // If Unreached, how many bytes are unreachable from here.
         SizeT clique;
         // If IndirectLeak, clique leader to which it belongs.
      } IorC;
   }
   LC_Extra;

// An array holding pointers to every chunk we're checking.  Sorted by address.
// lc_chunks is initialised during leak search.  It is kept after leak search
// to support printing the list of blocks belonging to a loss record.
// The lc_chunks array can only be used validly till the next "free" operation
// (as a free operation potentially destroys one or more chunks).
// To detect whether lc_chunks is still valid, we store the number of free
// operations that had been done when lc_chunks was built: lc_chunks (and
// lc_extras) stay valid as long as no free operation has been done since
// lc_chunks was built.
static MC_Chunk** lc_chunks;
// How many chunks we're dealing with.
static Int        lc_n_chunks;
static SizeT      lc_chunks_n_frees_marker;
// This has the same number of entries as lc_chunks, and each entry
// in lc_chunks corresponds with the entry here (ie. lc_chunks[i] and
// lc_extras[i] describe the same block).
static LC_Extra* lc_extras;

// Chunks are converted and merged into loss records, maintained in lr_table.
// lr_table elements are kept from one leak_search to another to implement
// the "print new/changed leaks" client request.
static OSet*        lr_table;
// Array of sorted loss records (produced during the last leak search).
static LossRecord** lr_array;

// Value of the heuristics parameter used in the current (or last) leak check.
static UInt detect_memory_leaks_last_heuristics;

// DeltaMode used the last time we called detect_memory_leaks.
// The recorded leak errors are output using a logic based on this delta_mode.
// The below avoids replicating the delta_mode in each LossRecord.
LeakCheckDeltaMode MC_(detect_memory_leaks_last_delta_mode);

// Each leak search run increments the below generation counter.
// A used suppression during a leak search will contain this
// generation number.
UInt MC_(leak_search_gen);

// Records chunks that are currently being processed.  Each element in the
// stack is an index into lc_chunks and lc_extras.  Its size is
// 'lc_n_chunks' because in the worst case that's how many chunks could be
// pushed onto it (actually I think the maximum is lc_n_chunks-1 but let's
// be conservative).
static Int* lc_markstack;
// The index of the top element of the stack; -1 if the stack is empty, 0 if
// the stack has one element, 1 if it has two, etc.
static Int  lc_markstack_top;

// Keeps track of how many bytes of memory we've scanned, for printing.
// (Nb: We don't keep track of how many register bytes we've scanned.)
static SizeT lc_scanned_szB;
// Keeps track of how many bytes we have not scanned due to read errors that
// caused a signal such as SIGSEGV.
static SizeT lc_sig_skipped_szB;


SizeT MC_(bytes_leaked)     = 0;
SizeT MC_(bytes_indirect)   = 0;
SizeT MC_(bytes_dubious)    = 0;
SizeT MC_(bytes_reachable)  = 0;
SizeT MC_(bytes_suppressed) = 0;

SizeT MC_(blocks_leaked)     = 0;
SizeT MC_(blocks_indirect)   = 0;
SizeT MC_(blocks_dubious)    = 0;
SizeT MC_(blocks_reachable)  = 0;
SizeT MC_(blocks_suppressed) = 0;

// Subset of MC_(bytes_reachable) and MC_(blocks_reachable) which
// are considered reachable due to the corresponding heuristic.
static SizeT MC_(bytes_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS]
                                               = {0,0,0,0};
static SizeT MC_(blocks_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS]
                                                = {0,0,0,0};

// Determines if a pointer is to a chunk.  Returns the chunk number et al
// via call-by-reference.
static Bool
lc_is_a_chunk_ptr(Addr ptr, Int* pch_no, MC_Chunk** pch, LC_Extra** pex)
{
   Int ch_no;
   MC_Chunk* ch;
   LC_Extra* ex;

   // Quick filter.  Note: implemented with am, not with get_vabits2
   // as ptr might be random data pointing anywhere.  On 64 bit
   // platforms, getting va bits for random data can be quite costly
   // due to the secondary map.
   if (!VG_(am_is_valid_for_client)(ptr, 1, VKI_PROT_READ)) {
      return False;
   } else {
      ch_no = find_chunk_for(ptr, lc_chunks, lc_n_chunks);
      tl_assert(ch_no >= -1 && ch_no < lc_n_chunks);

      if (ch_no == -1) {
         return False;
      } else {
         // Ok, we've found a pointer to a chunk.  Get the MC_Chunk and its
         // LC_Extra.
         ch = lc_chunks[ch_no];
         ex = &(lc_extras[ch_no]);

         tl_assert(ptr >= ch->data);
         tl_assert(ptr < ch->data + ch->szB + (ch->szB==0 ? 1 : 0));

         if (VG_DEBUG_LEAKCHECK)
            VG_(printf)("ptr=%#lx -> block %d\n", ptr, ch_no);

         *pch_no = ch_no;
         *pch    = ch;
         *pex    = ex;

         return True;
      }
   }
}

// Push a chunk (well, just its index) onto the mark stack.
static void lc_push(Int ch_no, MC_Chunk* ch)
{
   if (!lc_extras[ch_no].pending) {
      if (0) {
         VG_(printf)("pushing %#lx-%#lx\n", ch->data, ch->data + ch->szB);
      }
      lc_markstack_top++;
      tl_assert(lc_markstack_top < lc_n_chunks);
      lc_markstack[lc_markstack_top] = ch_no;
      tl_assert(!lc_extras[ch_no].pending);
      lc_extras[ch_no].pending = True;
   }
}

// Return the index of the chunk on the top of the mark stack, or -1 if
// there isn't one.
static Bool lc_pop(Int* ret)
{
   if (-1 == lc_markstack_top) {
      return False;
   } else {
      tl_assert(0 <= lc_markstack_top && lc_markstack_top < lc_n_chunks);
      *ret = lc_markstack[lc_markstack_top];
      lc_markstack_top--;
      tl_assert(lc_extras[*ret].pending);
      lc_extras[*ret].pending = False;
      return True;
   }
}

static const HChar* pp_heuristic(LeakCheckHeuristic h)
{
   switch(h) {
   case LchNone:                return "none";
   case LchStdString:           return "stdstring";
   case LchLength64:            return "length64";
   case LchNewArray:            return "newarray";
   case LchMultipleInheritance: return "multipleinheritance";
   default:                     return "???invalid heuristic???";
   }
}

// True if ptr looks like the address of a vtable, i.e. if ptr
// points to an array of pointers to functions.
// It is assumed the only caller of this function is heuristic_reachedness,
// which must check that ptr is aligned and above page 0.
// Checking that ptr is above page 0 is an optimisation: it is assumed
// that no vtable is located in page 0.  So, all small integer values
// encountered during the scan will not incur the cost of calling this
// function.
static Bool aligned_ptr_above_page0_is_vtable_addr(Addr ptr)
{
   // ??? If performance problem:
   // ??? maybe implement a cache (array indexed by ptr % primenr)
   // ??? of "I am a vtable ptr" ???

   // ??? Maybe the debug info could (efficiently?) be used to detect vtables?

   // We consider ptr as a vtable ptr if it points to a table
   // where we find only NULL pointers or pointers pointing at an
   // executable region.  We must find at least 2 non NULL pointers
   // before considering ptr as a vtable pointer.
   // We scan a maximum of VTABLE_MAX_CHECK words for these 2 non NULL
   // pointers.
#define VTABLE_MAX_CHECK 20

   NSegment const *seg;
   UInt nr_fn_ptrs = 0;
   Addr scan;
   Addr scan_max;

   // First verify ptr points inside a client mapped file section.
   // ??? is a vtable always in a file mapped readable section?
   seg = VG_(am_find_nsegment) (ptr);
   if (seg == NULL
       || seg->kind != SkFileC
       || !seg->hasR)
      return False;

   // Check potential function pointers, up to a maximum of VTABLE_MAX_CHECK.
   scan_max = ptr + VTABLE_MAX_CHECK*sizeof(Addr);
   // If ptr is near the end of seg, avoid scan_max exceeding the end of seg:
   if (scan_max > seg->end - sizeof(Addr))
      scan_max = seg->end - sizeof(Addr);
   for (scan = ptr; scan <= scan_max; scan+=sizeof(Addr)) {
      Addr pot_fn = *((Addr *)scan);
      if (pot_fn == 0)
         continue; // NULL fn pointer.  Seems it can happen in vtable.
      seg = VG_(am_find_nsegment) (pot_fn);
#if defined(VGA_ppc64be)
      // ppc64BE uses a thunk table (function descriptors), so we have one
      // more level of indirection to follow.
      if (seg == NULL
          || seg->kind != SkFileC
          || !seg->hasR
          || !seg->hasW)
         return False; // ptr to nowhere, or not a ptr to thunks.
      pot_fn = *((Addr *)pot_fn);
      if (pot_fn == 0)
         continue; // NULL fn pointer.  Seems it can happen in vtable.
      seg = VG_(am_find_nsegment) (pot_fn);
#endif
      if (seg == NULL
          || seg->kind != SkFileC
          || !seg->hasT)
         return False; // ptr to nowhere, or not a fn ptr.
      nr_fn_ptrs++;
      if (nr_fn_ptrs == 2)
         return True;
   }

   return False;
}

// True if a is properly aligned and points to 64bits of valid memory.
static Bool is_valid_aligned_ULong ( Addr a )
{
   if (sizeof(Word) == 8)
      return MC_(is_valid_aligned_word)(a);

   return MC_(is_valid_aligned_word)(a)
      && MC_(is_valid_aligned_word)(a + 4);
}

// If ch is heuristically reachable via a heuristic member of heur_set,
// returns this heuristic.
// If ch cannot be considered reachable using one of these heuristics,
// returns LchNone.
// This should only be called when ptr is an interior ptr to ch.
// The StdString/NewArray/MultipleInheritance heuristics are directly
// inspired from DrMemory:
// see http://www.burningcutlery.com/derek/docs/drmem-CGO11.pdf [section VI,C]
// and bug 280271.
static LeakCheckHeuristic heuristic_reachedness (Addr ptr,
                                                 MC_Chunk *ch, LC_Extra *ex,
                                                 UInt heur_set)
{
   if (HiS(LchStdString, heur_set)) {
      // Detects inner pointers to Std::String for layout being
      //     length capacity refcount char_array[] \0
      // where ptr points to the beginning of the char_array.
      // Note: we check definedness for length and capacity but
      // not for refcount, as refcount size might be smaller than
      // a SizeT, giving an uninitialised hole in the first 3 SizeTs.
      if ( ptr == ch->data + 3 * sizeof(SizeT)
           && MC_(is_valid_aligned_word)(ch->data + sizeof(SizeT))) {
         const SizeT capacity = *((SizeT*)(ch->data + sizeof(SizeT)));
         if (3 * sizeof(SizeT) + capacity + 1 == ch->szB
             && MC_(is_valid_aligned_word)(ch->data)) {
            const SizeT length = *((SizeT*)ch->data);
            if (length <= capacity) {
               // ??? could check there is no null byte from ptr to ptr+length-1
               // ??? and that there is a null byte at ptr+length.
               // ???
               // ??? could check that ch->allockind is MC_AllocNew ???
               // ??? probably not a good idea, as I guess stdstring
               // ??? allocator can be done via custom allocator
               // ??? or even a call to malloc ????
               return LchStdString;
            }
         }
      }
   }
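
   // The layout this heuristic matches, sketched as an illustrative
   // struct (assuming a pre-C++11 libstdc++-style refcounted string;
   // 'Rep' is a made-up name, not a type used by this file):
   //
   //    struct Rep { SizeT length; SizeT capacity; int refcount; };
   //    // the characters follow the header, so the std::string data
   //    // pointer is ch->data + 3*sizeof(SizeT), and the whole block
   //    // is 3*sizeof(SizeT) + capacity + 1 bytes (trailing '\0').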

   if (HiS(LchLength64, heur_set)) {
      // Detects inner pointers that point at a 64bit offset (8 bytes) into a
      // block, where the first 8 bytes hold the length of the remainder as a
      // 64bit number (= total block size - 8).
      // This is used e.g. by sqlite for tracking the total size of allocated
      // memory.
      // Note that on 64bit platforms, a block matching LchLength64 will
      // also be matched by LchNewArray.
      if ( ptr == ch->data + sizeof(ULong)
           && is_valid_aligned_ULong(ch->data)) {
         const ULong size = *((ULong*)ch->data);
         if (size > 0 && (ch->szB - sizeof(ULong)) == size) {
            return LchLength64;
         }
      }
   }
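
   // An allocator producing blocks that match this heuristic might look
   // like the following sketch ('xmalloc' is a made-up name, not
   // sqlite's actual code):
   //
   //    void* xmalloc(ULong n) {
   //       ULong* p = malloc(n + sizeof(ULong));
   //       p[0] = n;       // remaining size, stored in the first 8 bytes
   //       return p + 1;   // callers hold ch->data + sizeof(ULong)
   //    }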

   if (HiS(LchNewArray, heur_set)) {
      // Detects inner pointers at the second word of a new[] array, following
      // a plausible nr of elements.
      // Such inner pointers are used for arrays of elements
      // having a destructor, as the delete[] of the array must know
      // how many elements to destroy.
      //
      // We have a strange/wrong case for 'ptr = new MyClass[0];' :
      // For such a case, the returned ptr points just outside the
      // allocated chunk.  This chunk is then seen as a definite
      // leak by Valgrind, as it is not considered an interior pointer.
      // It is the c++ equivalent of bug 99923 (malloc(0) wrongly considered
      // as definitely leaked).  See the trick in find_chunk_for handling
      // 0-sized blocks.  This trick does not work for 'new MyClass[0]'
      // because a word-sized chunk is allocated to store the (0) nr
      // of elements.
      if ( ptr == ch->data + sizeof(SizeT)
           && MC_(is_valid_aligned_word)(ch->data)) {
         const SizeT nr_elts = *((SizeT*)ch->data);
         if (nr_elts > 0 && (ch->szB - sizeof(SizeT)) % nr_elts == 0) {
            // ??? could check that ch->allockind is MC_AllocNewVec ???
            return LchNewArray;
         }
      }
   }
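
   // For example (a sketch of typical compiler behaviour, not code from
   // this file): for 'T* a = new T[n];' where T has a destructor, the
   // compiler usually allocates sizeof(SizeT) + n*sizeof(T) bytes, stores
   // n (the "array cookie") in the first word, and returns
   // ch->data + sizeof(SizeT) -- exactly the interior pointer matched here.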

   if (HiS(LchMultipleInheritance, heur_set)) {
      // Detect an inner pointer used for multiple inheritance.
      // Assumption is that the vtable pointers are before the object.
      if (VG_IS_WORD_ALIGNED(ptr)
          && MC_(is_valid_aligned_word)(ptr)) {
         Addr first_addr;
         Addr inner_addr;

         // Avoid the call to is_vtable_addr when the addr is not
         // aligned or points in page 0, as it is unlikely
         // a vtable is located in this page.  This last optimisation
         // avoids calling aligned_ptr_above_page0_is_vtable_addr
         // for all small integers.
         // Note: we could possibly also avoid calling this function
         // for small negative integers, as no vtable should be located
         // in the last page.
         inner_addr = *((Addr*)ptr);
         if (VG_IS_WORD_ALIGNED(inner_addr)
             && inner_addr >= (Addr)VKI_PAGE_SIZE
             && MC_(is_valid_aligned_word)(ch->data)) {
            first_addr = *((Addr*)ch->data);
            if (VG_IS_WORD_ALIGNED(first_addr)
                && first_addr >= (Addr)VKI_PAGE_SIZE
                && aligned_ptr_above_page0_is_vtable_addr(inner_addr)
                && aligned_ptr_above_page0_is_vtable_addr(first_addr)) {
               // ??? could check that ch->allockind is MC_AllocNew ???
               return LchMultipleInheritance;
            }
         }
      }
   }

   return LchNone;
}


// If 'ptr' is pointing to a heap-allocated block which hasn't been seen
// before, push it onto the mark stack.
static void
lc_push_without_clique_if_a_chunk_ptr(Addr ptr, Bool is_prior_definite)
{
   Int ch_no;
   MC_Chunk* ch;
   LC_Extra* ex;
   Reachedness ch_via_ptr; // Is ch reachable via ptr, and how?

   if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) )
      return;

   if (ex->state == Reachable) {
      if (ex->heuristic && ptr == ch->data)
         // If the block was considered reachable via a heuristic, and it is
         // now directly reachable via ptr, clear the heuristic field.
         ex->heuristic = LchNone;
      return;
   }

   // Possibly upgrade the state, ie. one of:
   // - Unreached --> Possible
   // - Unreached --> Reachable
   // - Possible  --> Reachable

   if (ptr == ch->data)
      ch_via_ptr = Reachable;
   else if (detect_memory_leaks_last_heuristics) {
      ex->heuristic
         = heuristic_reachedness (ptr, ch, ex,
                                  detect_memory_leaks_last_heuristics);
      if (ex->heuristic)
         ch_via_ptr = Reachable;
      else
         ch_via_ptr = Possible;
   } else
      ch_via_ptr = Possible;

   if (ch_via_ptr == Reachable && is_prior_definite) {
      // 'ptr' points to the start of the block or is to be considered as
      // pointing to the start of the block, and the prior node is
      // definite, which means that this block is definitely reachable.
      ex->state = Reachable;

      // State has changed to Reachable so (re)scan the block to make
      // sure any blocks it points to are correctly marked.
      lc_push(ch_no, ch);

   } else if (ex->state == Unreached) {
      // Either 'ptr' is an interior-pointer, or the prior node isn't definite,
      // which means that we can only mark this block as possibly reachable.
      ex->state = Possible;

      // State has changed to Possible so (re)scan the block to make
      // sure any blocks it points to are correctly marked.
      lc_push(ch_no, ch);
   }
}

static void
lc_push_if_a_chunk_ptr_register(ThreadId tid, const HChar* regname, Addr ptr)
{
   lc_push_without_clique_if_a_chunk_ptr(ptr, /*is_prior_definite*/True);
}

// If ptr is pointing to a heap-allocated block which hasn't been seen
// before, push it onto the mark stack.  Clique is the index of the
// clique leader.
static void
lc_push_with_clique_if_a_chunk_ptr(Addr ptr, Int clique, Int cur_clique)
{
   Int ch_no;
   MC_Chunk* ch;
   LC_Extra* ex;

   tl_assert(0 <= clique && clique < lc_n_chunks);

   if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) )
      return;

   // If it's not Unreached, it's already been handled so ignore it.
   // If ch_no==clique, it's the clique leader, which means this is a cyclic
   // structure;  again ignore it because it's already been handled.
   if (ex->state == Unreached && ch_no != clique) {
      // Note that, unlike reachable blocks, we currently don't distinguish
      // between start-pointers and interior-pointers here.  We probably
      // should, though.
      lc_push(ch_no, ch);

      // Add the block to the clique, and add its size to the
      // clique-leader's indirect size.  Also, if the new block was
      // itself a clique leader, it isn't any more, so add its
      // indirect_szB to the new clique leader.
      if (VG_DEBUG_CLIQUE) {
         if (ex->IorC.indirect_szB > 0)
            VG_(printf)("  clique %d joining clique %d adding %lu+%lu\n",
                        ch_no, clique, (unsigned long)ch->szB,
                        (unsigned long)ex->IorC.indirect_szB);
         else
            VG_(printf)("  block %d joining clique %d adding %lu\n",
                        ch_no, clique, (unsigned long)ch->szB);
      }

      lc_extras[clique].IorC.indirect_szB += ch->szB;
      lc_extras[clique].IorC.indirect_szB += ex->IorC.indirect_szB;
      ex->state = IndirectLeak;
      ex->IorC.clique = (SizeT) cur_clique;
   }
}

static void
lc_push_if_a_chunk_ptr(Addr ptr,
                       Int clique, Int cur_clique, Bool is_prior_definite)
{
   if (-1 == clique)
      lc_push_without_clique_if_a_chunk_ptr(ptr, is_prior_definite);
   else
      lc_push_with_clique_if_a_chunk_ptr(ptr, clique, cur_clique);
}


static VG_MINIMAL_JMP_BUF(memscan_jmpbuf);
static volatile Addr bad_scanned_addr;

static
void scan_all_valid_memory_catcher ( Int sigNo, Addr addr )
{
   if (0)
      VG_(printf)("OUCH! sig=%d addr=%#lx\n", sigNo, addr);
   if (sigNo == VKI_SIGSEGV || sigNo == VKI_SIGBUS) {
      bad_scanned_addr = addr;
      VG_MINIMAL_LONGJMP(memscan_jmpbuf);
   }
}

// lc_scan_memory has 2 modes:
//
// 1. Leak check mode (searched == 0).
// -----------------------------------
// Scan a block of memory between [start, start+len).  This range may
// be bogus, inaccessible, or otherwise strange; we deal with it.  For each
// valid aligned word we check whether it points to a chunk, and if so we
// push the chunk onto the mark stack.
// clique is the "highest level clique" in which indirectly leaked blocks have
// to be collected.  cur_clique is the current "lower" level clique through
// which the memory to be scanned has been found.
// Example: in the below tree if A is leaked, the top level clique will
// be A, while lower level cliques will be B and C.
/*
           A
         /   \
        B     C
       / \   / \
      D   E F   G
*/
// Proper handling of the top and lowest level cliques allows the block_list
// of a loss record to describe the hierarchy of indirectly leaked blocks.
//
// 2. Search ptr mode (searched != 0).
// -----------------------------------
// In this mode, lc_scan_memory searches for pointers to a specific address
// range: it just scans [start, start+len) for pointers to 'searched' and
// outputs the places where 'searched' is found.
// It does not recursively scan the found memory.
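//
// For example, the gdbserver monitor command 'who_points_at' relies on
// this search mode (a sketch of a session; see MC_(who_points_at) later
// in this file for the actual entry point):
//    (gdb) monitor who_points_at 0x8049e68 20
// which reports every scanned word pointing into [0x8049e68, 0x8049e68+20).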
static void
lc_scan_memory(Addr start, SizeT len, Bool is_prior_definite,
               Int clique, Int cur_clique,
               Addr searched, SizeT szB)
{
   /* memory scan is based on the assumption that valid pointers are aligned
      on a multiple of sizeof(Addr).  So, we can (and must) skip the begin and
      end portions of the block if they are not aligned on sizeof(Addr):
      these cannot be a valid pointer, and calls to MC_(is_valid_aligned_word)
      will assert for a non aligned address. */
#if defined(VGA_s390x)
   // Define ptr as volatile, as on this platform, the value of ptr
   // is read in code executed via a longjmp.
   volatile
#endif
   Addr ptr = VG_ROUNDUP(start, sizeof(Addr));
   const Addr end = VG_ROUNDDN(start+len, sizeof(Addr));
   vki_sigset_t sigmask;

   if (VG_DEBUG_LEAKCHECK)
      VG_(printf)("scan %#lx-%#lx (%lu)\n", start, end, len);

   VG_(sigprocmask)(VKI_SIG_SETMASK, NULL, &sigmask);
   VG_(set_fault_catcher)(scan_all_valid_memory_catcher);

   /* Optimisation: the loop below will check, for each beginning
      of SM chunk, if the chunk is fully unaddressable.  The idea is to
      skip such fully unaddressable SM chunks efficiently.
      So, we preferably start the loop on a chunk boundary.
      If the chunk is not fully unaddressable, we might be in
      an unaddressable page.  Again, the idea is to skip such an
      unaddressable page efficiently: this is the "else" part.
      We use an "else" so that two consecutive fully unaddressable
      SM chunks will be skipped efficiently: the first one is skipped
      by this piece of code.  The next SM chunk will be skipped inside
      the loop. */
   if ( ! MC_(is_within_valid_secondary)(ptr) ) {
      // Skip an invalid SM chunk till the beginning of the next SM Chunk.
      ptr = VG_ROUNDUP(ptr+1, SM_SIZE);
   } else if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) {
      // else we are in a (at least partially) valid SM chunk.
      // We might be in the middle of an unreadable page.
      // Do a cheap check to see if it's valid;
      // if not, skip onto the next page.
      ptr = VG_PGROUNDUP(ptr+1);        // First page is bad - skip it.
   }
   /* The above optimisation and below loop is based on some relationships
      between VKI_PAGE_SIZE, SM_SIZE and sizeof(Addr) which are asserted in
      MC_(detect_memory_leaks). */

   // During scan, we check with aspacemgr that each page is readable and
   // belongs to client.
   // We still protect against SIGSEGV and SIGBUS e.g. in case aspacemgr is
   // desynchronised with the real page mappings.
   // Such a desynchronisation could happen due to an aspacemgr bug.
   // Note that if the application is using mprotect(NONE), then
   // a page can be unreadable but have addressable and defined
   // VA bits (see mc_main.c function mc_new_mem_mprotect).
   if (VG_MINIMAL_SETJMP(memscan_jmpbuf) != 0) {
      // Catch read error ...
      // We need to restore the signal mask, because we were
      // longjmped out of a signal handler.
      VG_(sigprocmask)(VKI_SIG_SETMASK, &sigmask, NULL);
#     if defined(VGA_s390x)
      // For a SIGSEGV, s390 delivers the page address of the bad address.
      // For a SIGBUS, old s390 kernels deliver a NULL address.
      // bad_scanned_addr can thus not be used.
      // So, on this platform, we always skip a full page from ptr.
      // The below implies to mark ptr as volatile, as we read the value
      // after a longjmp to here.
      lc_sig_skipped_szB += VKI_PAGE_SIZE;
      ptr = ptr + VKI_PAGE_SIZE; // Unaddressable, - skip it.
#     else
      // On other platforms, just skip one Addr.
      lc_sig_skipped_szB += sizeof(Addr);
      tl_assert(bad_scanned_addr >= VG_ROUNDUP(start, sizeof(Addr)));
      tl_assert(bad_scanned_addr < VG_ROUNDDN(start+len, sizeof(Addr)));
      ptr = bad_scanned_addr + sizeof(Addr); // Unaddressable, - skip it.
#     endif
   }
   while (ptr < end) {
      Addr addr;

      // Skip invalid chunks.
      if (UNLIKELY((ptr % SM_SIZE) == 0)) {
         if (! MC_(is_within_valid_secondary)(ptr) ) {
            ptr = VG_ROUNDUP(ptr+1, SM_SIZE);
            continue;
         }
      }

      // Look to see if this page seems reasonable.
      if (UNLIKELY((ptr % VKI_PAGE_SIZE) == 0)) {
         if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) {
            ptr += VKI_PAGE_SIZE;      // Bad page - skip it.
            continue;
         }
      }

      if ( MC_(is_valid_aligned_word)(ptr) ) {
         lc_scanned_szB += sizeof(Addr);
         // If the below read fails, we will longjmp to the loop begin.
         addr = *(Addr *)ptr;
         // If we get here, the scanned word is in valid memory.  Now
         // let's see if its contents point to a chunk.
         if (UNLIKELY(searched)) {
            if (addr >= searched && addr < searched + szB) {
               if (addr == searched) {
                  VG_(umsg)("*%#lx points at %#lx\n", ptr, searched);
                  MC_(pp_describe_addr) (ptr);
               } else {
                  Int ch_no;
                  MC_Chunk *ch;
                  LC_Extra *ex;
                  VG_(umsg)("*%#lx interior points at %lu bytes inside %#lx\n",
                            ptr, (long unsigned) addr - searched, searched);
                  MC_(pp_describe_addr) (ptr);
                  if (lc_is_a_chunk_ptr(addr, &ch_no, &ch, &ex) ) {
                     Int h;
                     for (h = LchStdString; h < N_LEAK_CHECK_HEURISTICS; h++) {
                        if (heuristic_reachedness(addr, ch, ex, H2S(h)) == h) {
                           VG_(umsg)("block at %#lx considered reachable "
                                     "by ptr %#lx using %s heuristic\n",
                                     ch->data, addr, pp_heuristic(h));
                        }
                     }
                     // Verify the loop above has properly scanned all
                     // heuristics.  If the below fails, it probably means the
                     // LeakCheckHeuristic enum is not in sync anymore with the
                     // above loop and/or with N_LEAK_CHECK_HEURISTICS.
                     tl_assert (h == N_LEAK_CHECK_HEURISTICS);
                  }
               }
            }
         } else {
            lc_push_if_a_chunk_ptr(addr, clique, cur_clique, is_prior_definite);
         }
      } else if (0 && VG_DEBUG_LEAKCHECK) {
         VG_(printf)("%#lx not valid\n", ptr);
      }
      ptr += sizeof(Addr);
   }

   VG_(sigprocmask)(VKI_SIG_SETMASK, &sigmask, NULL);
   VG_(set_fault_catcher)(NULL);
}


// Process the mark stack until empty.
static void lc_process_markstack(Int clique)
{
   Int  top = -1;    // shut gcc up
   Bool is_prior_definite;

   while (lc_pop(&top)) {
      tl_assert(top >= 0 && top < lc_n_chunks);

      // See comment about 'is_prior_definite' at the top to understand this.
      is_prior_definite = ( Possible != lc_extras[top].state );

      lc_scan_memory(lc_chunks[top]->data, lc_chunks[top]->szB,
                     is_prior_definite, clique, (clique == -1 ? -1 : top),
                     /*searched*/ 0, 0);
   }
}

static Word cmp_LossRecordKey_LossRecord(const void* key, const void* elem)
{
   const LossRecordKey* a = key;
   const LossRecordKey* b = &(((const LossRecord*)elem)->key);

   // Compare on states first because that's fast.
   if (a->state < b->state) return -1;
   if (a->state > b->state) return  1;
   // Ok, the states are equal.  Now compare the locations, which is slower.
   if (VG_(eq_ExeContext)(
            MC_(clo_leak_resolution), a->allocated_at, b->allocated_at))
      return 0;
   // Different locations.  Ordering is arbitrary, just use the ec pointer.
   if (a->allocated_at < b->allocated_at) return -1;
   if (a->allocated_at > b->allocated_at) return  1;
   VG_(tool_panic)("bad LossRecord comparison");
}

static Int cmp_LossRecords(const void* va, const void* vb)
{
   const LossRecord* lr_a = *(const LossRecord *const *)va;
   const LossRecord* lr_b = *(const LossRecord *const *)vb;
   SizeT total_szB_a = lr_a->szB + lr_a->indirect_szB;
   SizeT total_szB_b = lr_b->szB + lr_b->indirect_szB;

   // First compare by sizes.
   if (total_szB_a < total_szB_b) return -1;
   if (total_szB_a > total_szB_b) return  1;
   // If the sizes are equal, compare by states.
   if (lr_a->key.state < lr_b->key.state) return -1;
   if (lr_a->key.state > lr_b->key.state) return  1;
   // If they're still equal here, it doesn't matter that much, but we keep
   // comparing other things so that regtests are as deterministic as
   // possible.  So: compare num_blocks.
   if (lr_a->num_blocks < lr_b->num_blocks) return -1;
   if (lr_a->num_blocks > lr_b->num_blocks) return  1;
   // Finally, compare ExeContext addresses... older ones are likely to have
   // lower addresses.
   if (lr_a->key.allocated_at < lr_b->key.allocated_at) return -1;
   if (lr_a->key.allocated_at > lr_b->key.allocated_at) return  1;
   return 0;
}

// Allocates or reallocates lr_array, and sets its elements to the loss
// records contained in lr_table.
static Int get_lr_array_from_lr_table(void) {
   Int i, n_lossrecords;
   LossRecord* lr;

   n_lossrecords = VG_(OSetGen_Size)(lr_table);

   // (re-)create the array of pointers to the loss records.
   // lr_array is kept to allow producing the block list from gdbserver.
   if (lr_array != NULL)
      VG_(free)(lr_array);
   lr_array = VG_(malloc)("mc.pr.2", n_lossrecords * sizeof(LossRecord*));
   i = 0;
   VG_(OSetGen_ResetIter)(lr_table);
   while ( (lr = VG_(OSetGen_Next)(lr_table)) ) {
      lr_array[i++] = lr;
   }
   tl_assert(i == n_lossrecords);
   return n_lossrecords;
}


static void get_printing_rules(LeakCheckParams* lcp,
                               LossRecord*  lr,
                               Bool* count_as_error,
                               Bool* print_record)
{
   // Rules for printing:
   // - We don't show suppressed loss records ever (and that's controlled
   //   within the error manager).
   // - We show non-suppressed loss records that are specified in
   //   --show-leak-kinds=... if --leak-check=yes.

   Bool delta_considered;

   switch (lcp->deltamode) {
   case LCD_Any:
      delta_considered = lr->num_blocks > 0;
      break;
   case LCD_Increased:
      delta_considered
         = lr->szB > lr->old_szB
         || lr->indirect_szB > lr->old_indirect_szB
         || lr->num_blocks > lr->old_num_blocks;
      break;
   case LCD_Changed:
      delta_considered = lr->szB != lr->old_szB
         || lr->indirect_szB != lr->old_indirect_szB
         || lr->num_blocks != lr->old_num_blocks;
      break;
   default:
      tl_assert(0);
   }

   *print_record = lcp->mode == LC_Full && delta_considered
      && RiS(lr->key.state,lcp->show_leak_kinds);
   // We don't count leaks as errors with lcp->mode==LC_Summary.
   // Otherwise you can get high error counts with few or no error
   // messages, which can be confusing.  Otherwise, we count as errors
   // the leak kinds requested by --errors-for-leak-kinds=...
   *count_as_error = lcp->mode == LC_Full && delta_considered
      && RiS(lr->key.state,lcp->errors_for_leak_kinds);
}
1243
print_results(ThreadId tid,LeakCheckParams * lcp)1244 static void print_results(ThreadId tid, LeakCheckParams* lcp)
1245 {
1246 Int i, n_lossrecords, start_lr_output_scan;
1247 LossRecord* lr;
1248 Bool is_suppressed;
1249 /* old_* variables are used to report delta in summary. */
1250 SizeT old_bytes_leaked = MC_(bytes_leaked);
1251 SizeT old_bytes_indirect = MC_(bytes_indirect);
1252 SizeT old_bytes_dubious = MC_(bytes_dubious);
1253 SizeT old_bytes_reachable = MC_(bytes_reachable);
1254 SizeT old_bytes_suppressed = MC_(bytes_suppressed);
1255 SizeT old_blocks_leaked = MC_(blocks_leaked);
1256 SizeT old_blocks_indirect = MC_(blocks_indirect);
1257 SizeT old_blocks_dubious = MC_(blocks_dubious);
1258 SizeT old_blocks_reachable = MC_(blocks_reachable);
1259 SizeT old_blocks_suppressed = MC_(blocks_suppressed);
1260
1261 SizeT old_bytes_heuristically_reachable[N_LEAK_CHECK_HEURISTICS];
1262 SizeT old_blocks_heuristically_reachable[N_LEAK_CHECK_HEURISTICS];
1263
1264 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++) {
1265 old_bytes_heuristically_reachable[i]
1266 = MC_(bytes_heuristically_reachable)[i];
1267 MC_(bytes_heuristically_reachable)[i] = 0;
1268 old_blocks_heuristically_reachable[i]
1269 = MC_(blocks_heuristically_reachable)[i];
1270 MC_(blocks_heuristically_reachable)[i] = 0;
1271 }
1272
1273 if (lr_table == NULL)
1274 // Create the lr_table, which holds the loss records.
1275 // If the lr_table already exists, it means it contains
1276 // loss_records from the previous leak search. The old_*
1277 // values in these records are used to implement the
1278 // leak check delta mode
1279 lr_table =
1280 VG_(OSetGen_Create)(offsetof(LossRecord, key),
1281 cmp_LossRecordKey_LossRecord,
1282 VG_(malloc), "mc.pr.1",
1283 VG_(free));
1284
1285 // If we have loss records from a previous search, reset values to have
1286 // proper printing of the deltas between previous search and this search.
1287 n_lossrecords = get_lr_array_from_lr_table();
1288 for (i = 0; i < n_lossrecords; i++) {
1289 if (lr_array[i]->num_blocks == 0) {
1290 // remove from lr_table the old loss_records with 0 bytes found
1291 VG_(OSetGen_Remove) (lr_table, &lr_array[i]->key);
1292 VG_(OSetGen_FreeNode)(lr_table, lr_array[i]);
1293 } else {
1294 // move the leak sizes to old_* and zero the current sizes
1295 // for next leak search
1296 lr_array[i]->old_szB = lr_array[i]->szB;
1297 lr_array[i]->old_indirect_szB = lr_array[i]->indirect_szB;
1298 lr_array[i]->old_num_blocks = lr_array[i]->num_blocks;
1299 lr_array[i]->szB = 0;
1300 lr_array[i]->indirect_szB = 0;
1301 lr_array[i]->num_blocks = 0;
1302 }
1303 }
1304 // lr_array now contains "invalid" loss records => free it.
1305 // lr_array will be re-created below with the kept and new loss records.
1306 VG_(free) (lr_array);
1307 lr_array = NULL;
1308
1309 // Convert the chunks into loss records, merging them where appropriate.
1310 for (i = 0; i < lc_n_chunks; i++) {
1311 MC_Chunk* ch = lc_chunks[i];
1312 LC_Extra* ex = &(lc_extras)[i];
1313 LossRecord* old_lr;
1314 LossRecordKey lrkey;
1315 lrkey.state = ex->state;
1316 lrkey.allocated_at = MC_(allocated_at)(ch);
1317
1318 if (ex->heuristic) {
1319 MC_(bytes_heuristically_reachable)[ex->heuristic] += ch->szB;
1320 MC_(blocks_heuristically_reachable)[ex->heuristic]++;
1321 if (VG_DEBUG_LEAKCHECK)
1322 VG_(printf)("heuristic %s %#lx len %lu\n",
1323 pp_heuristic(ex->heuristic),
1324 ch->data, (unsigned long)ch->szB);
1325 }
1326
1327 old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey);
1328 if (old_lr) {
1329 // We found an existing loss record matching this chunk. Update the
1330 // loss record's details in-situ. This is safe because we don't
1331 // change the elements used as the OSet key.
1332 old_lr->szB += ch->szB;
1333 if (ex->state == Unreached)
1334 old_lr->indirect_szB += ex->IorC.indirect_szB;
1335 old_lr->num_blocks++;
1336 } else {
1337 // No existing loss record matches this chunk. Create a new loss
1338 // record, initialise it from the chunk, and insert it into lr_table.
1339 lr = VG_(OSetGen_AllocNode)(lr_table, sizeof(LossRecord));
1340 lr->key = lrkey;
1341 lr->szB = ch->szB;
1342 if (ex->state == Unreached)
1343 lr->indirect_szB = ex->IorC.indirect_szB;
1344 else
1345 lr->indirect_szB = 0;
1346 lr->num_blocks = 1;
1347 lr->old_szB = 0;
1348 lr->old_indirect_szB = 0;
1349 lr->old_num_blocks = 0;
1350 VG_(OSetGen_Insert)(lr_table, lr);
1351 }
1352 }
1353
1354 // (re-)create the array of pointers to the (new) loss records.
1355 n_lossrecords = get_lr_array_from_lr_table ();
1356 tl_assert(VG_(OSetGen_Size)(lr_table) == n_lossrecords);
1357
1358 // Sort the array by loss record sizes.
1359 VG_(ssort)(lr_array, n_lossrecords, sizeof(LossRecord*),
1360 cmp_LossRecords);
1361
1362 // Zero totals.
1363 MC_(blocks_leaked) = MC_(bytes_leaked) = 0;
1364 MC_(blocks_indirect) = MC_(bytes_indirect) = 0;
1365 MC_(blocks_dubious) = MC_(bytes_dubious) = 0;
1366 MC_(blocks_reachable) = MC_(bytes_reachable) = 0;
1367 MC_(blocks_suppressed) = MC_(bytes_suppressed) = 0;
1368
1369 // If there is a maximum nr of loss records we can output, then first
1370 // compute from where the output scan has to start.
1371 // By default, start from the first loss record. Compute a higher
1372 // value if there is a maximum to respect. We need to print the last
1373 // records, as the one with the biggest sizes are more interesting.
   start_lr_output_scan = 0;
   if (lcp->mode == LC_Full && lcp->max_loss_records_output < n_lossrecords) {
      Int nr_printable_records = 0;
      for (i = n_lossrecords - 1; i >= 0 && start_lr_output_scan == 0; i--) {
         Bool count_as_error, print_record;
         lr = lr_array[i];
         get_printing_rules (lcp, lr, &count_as_error, &print_record);
         // Do not use get_printing_rules results for is_suppressed, as we
         // only want to check if the record would be suppressed.
         is_suppressed =
            MC_(record_leak_error) ( tid, i+1, n_lossrecords, lr,
                                     False /* print_record */,
                                     False /* count_as_error */);
         if (print_record && !is_suppressed) {
            nr_printable_records++;
            if (nr_printable_records == lcp->max_loss_records_output)
               start_lr_output_scan = i;
         }
      }
   }

   // Print the loss records (in size order) and collect summary stats.
   for (i = start_lr_output_scan; i < n_lossrecords; i++) {
      Bool count_as_error, print_record;
      lr = lr_array[i];
      get_printing_rules(lcp, lr, &count_as_error, &print_record);
      is_suppressed =
         MC_(record_leak_error) ( tid, i+1, n_lossrecords, lr, print_record,
                                  count_as_error );

      if (is_suppressed) {
         MC_(blocks_suppressed) += lr->num_blocks;
         MC_(bytes_suppressed)  += lr->szB;

      } else if (Unreached == lr->key.state) {
         MC_(blocks_leaked) += lr->num_blocks;
         MC_(bytes_leaked)  += lr->szB;

      } else if (IndirectLeak == lr->key.state) {
         MC_(blocks_indirect) += lr->num_blocks;
         MC_(bytes_indirect)  += lr->szB;

      } else if (Possible == lr->key.state) {
         MC_(blocks_dubious) += lr->num_blocks;
         MC_(bytes_dubious)  += lr->szB;

      } else if (Reachable == lr->key.state) {
         MC_(blocks_reachable) += lr->num_blocks;
         MC_(bytes_reachable)  += lr->szB;

      } else {
         VG_(tool_panic)("unknown loss mode");
      }
   }

   if (VG_(clo_verbosity) > 0 && !VG_(clo_xml)) {
      HChar d_bytes[31];
      HChar d_blocks[31];
#     define DBY(new,old) \
      MC_(snprintf_delta) (d_bytes, sizeof(d_bytes), (new), (old), \
                           lcp->deltamode)
#     define DBL(new,old) \
      MC_(snprintf_delta) (d_blocks, sizeof(d_blocks), (new), (old), \
                           lcp->deltamode)
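      // DBY/DBL format a delta suffix (e.g. something like " (+100)" or an
      // empty string, depending on lcp->deltamode) into d_bytes/d_blocks,
      // which the %s conversions below then append to the absolute counts.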

      VG_(umsg)("LEAK SUMMARY:\n");
      VG_(umsg)("   definitely lost: %'lu%s bytes in %'lu%s blocks\n",
                MC_(bytes_leaked),
                DBY (MC_(bytes_leaked), old_bytes_leaked),
                MC_(blocks_leaked),
                DBL (MC_(blocks_leaked), old_blocks_leaked));
      VG_(umsg)("   indirectly lost: %'lu%s bytes in %'lu%s blocks\n",
                MC_(bytes_indirect),
                DBY (MC_(bytes_indirect), old_bytes_indirect),
                MC_(blocks_indirect),
                DBL (MC_(blocks_indirect), old_blocks_indirect));
      VG_(umsg)("     possibly lost: %'lu%s bytes in %'lu%s blocks\n",
                MC_(bytes_dubious),
                DBY (MC_(bytes_dubious), old_bytes_dubious),
                MC_(blocks_dubious),
                DBL (MC_(blocks_dubious), old_blocks_dubious));
      VG_(umsg)("   still reachable: %'lu%s bytes in %'lu%s blocks\n",
                MC_(bytes_reachable),
                DBY (MC_(bytes_reachable), old_bytes_reachable),
                MC_(blocks_reachable),
                DBL (MC_(blocks_reachable), old_blocks_reachable));
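      // Two passes over the heuristics: the first prints the header once if
      // any heuristic count (old or new) is non-zero, the second prints one
      // line per such heuristic.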
      for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++)
         if (old_blocks_heuristically_reachable[i] > 0
             || MC_(blocks_heuristically_reachable)[i] > 0) {
            VG_(umsg)("                      of which "
                      "reachable via heuristic:\n");
            break;
         }
      for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++)
         if (old_blocks_heuristically_reachable[i] > 0
             || MC_(blocks_heuristically_reachable)[i] > 0)
            VG_(umsg)("                        %-19s: "
                      "%'lu%s bytes in %'lu%s blocks\n",
                      pp_heuristic(i),
                      MC_(bytes_heuristically_reachable)[i],
                      DBY (MC_(bytes_heuristically_reachable)[i],
                           old_bytes_heuristically_reachable[i]),
                      MC_(blocks_heuristically_reachable)[i],
                      DBL (MC_(blocks_heuristically_reachable)[i],
                           old_blocks_heuristically_reachable[i]));
      VG_(umsg)("        suppressed: %'lu%s bytes in %'lu%s blocks\n",
                MC_(bytes_suppressed),
                DBY (MC_(bytes_suppressed), old_bytes_suppressed),
                MC_(blocks_suppressed),
                DBL (MC_(blocks_suppressed), old_blocks_suppressed));
      if (lcp->mode != LC_Full &&
          (MC_(blocks_leaked) + MC_(blocks_indirect) +
           MC_(blocks_dubious) + MC_(blocks_reachable)) > 0) {
         if (lcp->requested_by_monitor_command)
            VG_(umsg)("To see details of leaked memory, "
                      "give 'full' arg to leak_check\n");
         else
            VG_(umsg)("Rerun with --leak-check=full to see details "
                      "of leaked memory\n");
      }
      if (lcp->mode == LC_Full &&
          MC_(blocks_reachable) > 0 && !RiS(Reachable,lcp->show_leak_kinds)) {
         VG_(umsg)("Reachable blocks (those to which a pointer "
                   "was found) are not shown.\n");
         if (lcp->requested_by_monitor_command)
            VG_(umsg)("To see them, add 'reachable any' args to leak_check\n");
         else
            VG_(umsg)("To see them, rerun with: --leak-check=full "
                      "--show-leak-kinds=all\n");
      }
      VG_(umsg)("\n");
#undef DBL
#undef DBY
   }
}

// Print recursively all indirectly leaked blocks collected in a clique.
static void print_clique (Int clique, UInt level)
{
   Int ind;
   Int i,  n_lossrecords;

   n_lossrecords = VG_(OSetGen_Size)(lr_table);

   for (ind = 0; ind < lc_n_chunks; ind++) {
      LC_Extra* ind_ex = &(lc_extras)[ind];
      if (ind_ex->state == IndirectLeak
          && ind_ex->IorC.clique == (SizeT) clique) {
         MC_Chunk*     ind_ch = lc_chunks[ind];
         LossRecord*   ind_lr;
         LossRecordKey ind_lrkey;
         Int lr_i;
         ind_lrkey.state = ind_ex->state;
         ind_lrkey.allocated_at = MC_(allocated_at)(ind_ch);
         ind_lr = VG_(OSetGen_Lookup)(lr_table, &ind_lrkey);
         for (lr_i = 0; lr_i < n_lossrecords; lr_i++)
            if (ind_lr == lr_array[lr_i])
               break;
         for (i = 0; i < level; i++)
            VG_(umsg)("  ");
         VG_(umsg)("%p[%lu] indirect loss record %d\n",
                   (void *)ind_ch->data, (unsigned long)ind_ch->szB,
                   lr_i+1); // lr_i+1 for user numbering.
         if (lr_i >= n_lossrecords)
            VG_(umsg)
               ("error: no indirect loss record found for %p[%lu]?????\n",
                (void *)ind_ch->data, (unsigned long)ind_ch->szB);
         print_clique(ind, level+1);
      }
   }
}

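// Note: this is the worker behind the gdbserver monitor command
// "block_list <loss_record_nr>": it re-prints the loss record's details and
// then lists the addresses of the blocks merged into it, one per line in
// "%p[%lu]" form, e.g. (hypothetical addresses):
//    (gdb) monitor block_list 7
//    ... loss record details ...
//    0x4028028[120]
//    0x40280a8[120]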
Bool MC_(print_block_list) ( UInt loss_record_nr)
{
   Int          i,  n_lossrecords;
   LossRecord*  lr;

   if (lr_table == NULL || lc_chunks == NULL || lc_extras == NULL) {
      VG_(umsg)("Can't print block list: no valid leak search result\n");
      return False;
   }

   if (lc_chunks_n_frees_marker != MC_(get_cmalloc_n_frees)()) {
      VG_(umsg)("Can't print obsolete block list: redo a leak search first\n");
      return False;
   }

   n_lossrecords = VG_(OSetGen_Size)(lr_table);
   if (loss_record_nr >= n_lossrecords)
      return False; // Invalid loss record nr.

   tl_assert (lr_array);
   lr = lr_array[loss_record_nr];

   // (re-)print the loss record details.
   // (+1 on loss_record_nr as user numbering for loss records starts at 1).
   MC_(pp_LossRecord)(loss_record_nr+1, n_lossrecords, lr);

   // Match the chunks with loss records.
   for (i = 0; i < lc_n_chunks; i++) {
      MC_Chunk*     ch = lc_chunks[i];
      LC_Extra*     ex = &(lc_extras)[i];
      LossRecord*   old_lr;
      LossRecordKey lrkey;
      lrkey.state        = ex->state;
      lrkey.allocated_at = MC_(allocated_at)(ch);

      old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey);
      if (old_lr) {
         // We found an existing loss record matching this chunk.
         // If this is the loss record we are looking for, output the pointer.
         if (old_lr == lr_array[loss_record_nr]) {
            VG_(umsg)("%p[%lu]\n",
                      (void *)ch->data, (unsigned long) ch->szB);
            if (ex->state != Reachable) {
               // We can print the clique in all states, except Reachable.
               // In Unreached state, lc_chunk[i] is the clique leader.
               // In IndirectLeak, lc_chunk[i] might have been a clique leader
               // which was later collected in another clique.
               // For Possible, lc_chunk[i] might be the top of a clique
               // or an intermediate clique.
               print_clique(i, 1);
            }
         }
      } else {
         // No existing loss record matches this chunk ???
         VG_(umsg)("error: no loss record found for %p[%lu]?????\n",
                   (void *)ch->data, (unsigned long) ch->szB);
      }
   }
   return True;
}

// If searched == 0, scan the memory root set, pushing onto the mark stack
// the blocks encountered.
// Otherwise (searched != 0), scan the memory root set searching for pointers
// into the range [searched, searched+szB).
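// Both call modes appear below: MC_(detect_memory_leaks) calls
// scan_memory_root_set(0, 0) to seed a full leak search, while
// MC_(who_points_at) calls scan_memory_root_set(address, szB) to report
// root-set pointers into a given address range.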
static void scan_memory_root_set(Addr searched, SizeT szB)
{
   Int   i;
   Int   n_seg_starts;
   Addr* seg_starts = VG_(get_segment_starts)( SkFileC | SkAnonC | SkShmC,
                                               &n_seg_starts );

   tl_assert(seg_starts && n_seg_starts > 0);

   lc_scanned_szB = 0;
   lc_sig_skipped_szB = 0;

   // VG_(am_show_nsegments)( 0, "leakcheck");
   for (i = 0; i < n_seg_starts; i++) {
      SizeT seg_size;
      NSegment const* seg = VG_(am_find_nsegment)( seg_starts[i] );
      tl_assert(seg);
      tl_assert(seg->kind == SkFileC || seg->kind == SkAnonC ||
                seg->kind == SkShmC);

      if (!(seg->hasR && seg->hasW)) continue;
      if (seg->isCH)                 continue;

      // Don't poke around in device segments as this may cause
      // hangs.  Include /dev/zero just in case someone allocated
      // memory by explicitly mapping /dev/zero.
      if (seg->kind == SkFileC
          && (VKI_S_ISCHR(seg->mode) || VKI_S_ISBLK(seg->mode))) {
         const HChar* dev_name = VG_(am_get_filename)( seg );
         if (dev_name && 0 == VG_(strcmp)(dev_name, "/dev/zero")) {
            // Don't skip /dev/zero.
         } else {
            // Skip this device mapping.
            continue;
         }
      }

      if (0)
         VG_(printf)("ACCEPT %2d  %#lx %#lx\n", i, seg->start, seg->end);

      // Scan the segment.  We use -1 for the clique number, because this
      // is a root-set.
      seg_size = seg->end - seg->start + 1;
      if (VG_(clo_verbosity) > 2) {
         VG_(message)(Vg_DebugMsg,
                      "  Scanning root segment: %#lx..%#lx (%lu)\n",
                      seg->start, seg->end, seg_size);
      }
      lc_scan_memory(seg->start, seg_size, /*is_prior_definite*/True,
                     /*clique*/-1, /*cur_clique*/-1,
                     searched, szB);
   }
   VG_(free)(seg_starts);
}


/*------------------------------------------------------------*/
/*--- Top-level entry point.                               ---*/
/*------------------------------------------------------------*/

void MC_(detect_memory_leaks) ( ThreadId tid, LeakCheckParams* lcp)
{
   Int i, j;

   tl_assert(lcp->mode != LC_Off);

   // Verify some assertions which are used in lc_scan_memory.
   tl_assert((VKI_PAGE_SIZE % sizeof(Addr)) == 0);
   tl_assert((SM_SIZE % sizeof(Addr)) == 0);
   // The above two assertions are critical, while the below assertion
   // ensures that the optimisation in the scan loop is done in the
   // correct order: the loop checks for (big) SM chunk skipping
   // before checking for (smaller) page skipping.
   tl_assert((SM_SIZE % VKI_PAGE_SIZE) == 0);
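   // As an illustration (hypothetical values): on a Linux target with
   // VKI_PAGE_SIZE == 4096 and a secondary-map size SM_SIZE == 65536, all
   // three assertions hold, so the scanner may first skip a whole secondary
   // map and only then fall back to page-sized skips.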

   MC_(leak_search_gen)++;
   MC_(detect_memory_leaks_last_delta_mode) = lcp->deltamode;
   detect_memory_leaks_last_heuristics = lcp->heuristics;

   // Get the chunks, stop if there were none.
   if (lc_chunks) {
      VG_(free)(lc_chunks);
      lc_chunks = NULL;
   }
   lc_chunks = find_active_chunks(&lc_n_chunks);
   lc_chunks_n_frees_marker = MC_(get_cmalloc_n_frees)();
   if (lc_n_chunks == 0) {
      tl_assert(lc_chunks == NULL);
      if (lr_table != NULL) {
         // Forget the previously recorded LossRecords, as the next leak
         // search can in any case only create new leaks.
         // Maybe it would be better to call print_results instead
         // (at least when leak decreases are requested): that would then
         // output all LossRecords with a size decreasing to 0.
         VG_(OSetGen_Destroy) (lr_table);
         lr_table = NULL;
      }
      if (VG_(clo_verbosity) >= 1 && !VG_(clo_xml)) {
         VG_(umsg)("All heap blocks were freed -- no leaks are possible\n");
         VG_(umsg)("\n");
      }
      return;
   }

   // Sort the array so blocks are in ascending order in memory.
   VG_(ssort)(lc_chunks, lc_n_chunks, sizeof(VgHashNode*), compare_MC_Chunks);

   // Sanity check -- make sure they're in order.
   for (i = 0; i < lc_n_chunks-1; i++) {
      tl_assert( lc_chunks[i]->data <= lc_chunks[i+1]->data);
   }

   // Sanity check -- make sure they don't overlap.  The one exception is that
   // we allow a MALLOCLIKE block to sit entirely within a malloc() block.
   // This is for bug 100628.  If this occurs, we ignore the malloc() block
   // for leak-checking purposes.  This is a hack and probably should be done
   // better, but at least it's consistent with mempools (which are treated
   // like this in find_active_chunks).  Mempools have a separate VgHashTable
   // for mempool chunks, but if custom-allocated blocks are put in a separate
   // table from normal heap blocks it makes free-mismatch checking more
   // difficult.
   //
   // If this check fails, it probably means that the application
   // has done something stupid with VALGRIND_MALLOCLIKE_BLOCK client
   // requests, eg. has made overlapping requests (which are
   // nonsensical), or used VALGRIND_MALLOCLIKE_BLOCK for stack locations;
   // again nonsensical.
   //
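   // A concrete instance of the allowed exception (hypothetical sizes): a
   // custom allocator carves a VALGRIND_MALLOCLIKE_BLOCK of 64 bytes out of
   // a 4096-byte malloc()ed arena.  The loop below then drops the enclosing
   // malloc() chunk and leak-checks only the MALLOCLIKE block.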
   for (i = 0; i < lc_n_chunks-1; i++) {
      MC_Chunk* ch1 = lc_chunks[i];
      MC_Chunk* ch2 = lc_chunks[i+1];

      Addr start1    = ch1->data;
      Addr start2    = ch2->data;
      Addr end1      = ch1->data + ch1->szB - 1;
      Addr end2      = ch2->data + ch2->szB - 1;
      Bool isCustom1 = ch1->allockind == MC_AllocCustom;
      Bool isCustom2 = ch2->allockind == MC_AllocCustom;

      if (end1 < start2) {
         // Normal case - no overlap.

      // We used to allow exact duplicates, I'm not sure why.  --njn
      //} else if (start1 == start2 && end1 == end2) {
         // Degenerate case: exact duplicates.

      } else if (start1 >= start2 && end1 <= end2 && isCustom1 && !isCustom2) {
         // Block i is MALLOCLIKE and entirely within block i+1.
         // Remove block i+1.
         for (j = i+1; j < lc_n_chunks-1; j++) {
            lc_chunks[j] = lc_chunks[j+1];
         }
         lc_n_chunks--;

      } else if (start2 >= start1 && end2 <= end1 && isCustom2 && !isCustom1) {
         // Block i+1 is MALLOCLIKE and entirely within block i.
         // Remove block i.
         for (j = i; j < lc_n_chunks-1; j++) {
            lc_chunks[j] = lc_chunks[j+1];
         }
         lc_n_chunks--;

      } else {
         VG_(umsg)("Block 0x%lx..0x%lx overlaps with block 0x%lx..0x%lx\n",
                   start1, end1, start2, end2);
         VG_(umsg)("Blocks allocation contexts:\n");
         VG_(pp_ExeContext)( MC_(allocated_at)(ch1));
         VG_(umsg)("\n");
         VG_(pp_ExeContext)( MC_(allocated_at)(ch2));
         VG_(umsg)("This is usually caused by using VALGRIND_MALLOCLIKE_BLOCK"
                   " in an inappropriate way.\n");
         tl_assert (0);
      }
   }

   // Initialise lc_extras.
   if (lc_extras) {
      VG_(free)(lc_extras);
      lc_extras = NULL;
   }
   lc_extras = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(LC_Extra) );
   for (i = 0; i < lc_n_chunks; i++) {
      lc_extras[i].state   = Unreached;
      lc_extras[i].pending = False;
      lc_extras[i].heuristic = LchNone;
      lc_extras[i].IorC.indirect_szB = 0;
   }

   // Initialise lc_markstack.
   lc_markstack = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(Int) );
   for (i = 0; i < lc_n_chunks; i++) {
      lc_markstack[i] = -1;
   }
   lc_markstack_top = -1;
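   // Each lc_markstack entry holds a chunk index; -1 marks an unused slot,
   // and lc_markstack_top == -1 means the mark stack is empty (as the
   // assertions further down expect between processing passes).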

   // Verbosity.
   if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) {
      VG_(umsg)( "Searching for pointers to %'d not-freed blocks\n",
                 lc_n_chunks );
   }

   // Scan the memory root-set, pushing onto the mark stack any blocks
   // pointed to.
   scan_memory_root_set(/*searched*/0, 0);

   // Scan GP registers for chunk pointers.
   VG_(apply_to_GP_regs)(lc_push_if_a_chunk_ptr_register);

   // Process the pushed blocks.  After this, every block that is reachable
   // from the root-set has been traced.
   lc_process_markstack(/*clique*/-1);

   if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) {
      VG_(umsg)("Checked %'lu bytes\n", lc_scanned_szB);
      if (lc_sig_skipped_szB > 0)
         VG_(umsg)("Skipped %'lu bytes due to read errors\n",
                   lc_sig_skipped_szB);
      VG_(umsg)( "\n" );
   }

   // Trace all the leaked blocks to determine which are directly leaked and
   // which are indirectly leaked.  For each Unreached block, push it onto
   // the mark stack, and find all the as-yet-Unreached blocks reachable
   // from it.  These form a clique and are marked IndirectLeak, and their
   // size is added to the clique leader's indirect size.  If one of the
   // found blocks was itself a clique leader (from a previous clique), then
   // the cliques are merged.
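   // For example (hypothetical): if Unreached block A points to B and C,
   // and B points to D, then gathering A's clique marks B, C and D as
   // IndirectLeak and adds their sizes to A's indirect_szB.  If B had
   // earlier been gathered as a clique leader itself, B's clique is merged
   // into A's.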
   for (i = 0; i < lc_n_chunks; i++) {
      MC_Chunk* ch = lc_chunks[i];
      LC_Extra* ex = &(lc_extras[i]);

      if (VG_DEBUG_CLIQUE)
         VG_(printf)("cliques: %d at %#lx -> Loss state %d\n",
                     i, ch->data, ex->state);

      tl_assert(lc_markstack_top == -1);

      if (ex->state == Unreached) {
         if (VG_DEBUG_CLIQUE)
            VG_(printf)("%d: gathering clique %#lx\n", i, ch->data);

         // Push this Unreached block onto the stack and process it.
         lc_push(i, ch);
         lc_process_markstack(/*clique*/i);

         tl_assert(lc_markstack_top == -1);
         tl_assert(ex->state == Unreached);
      }
   }

   print_results( tid, lcp);

   VG_(free) ( lc_markstack );
   lc_markstack = NULL;
   // lc_chunks, lc_extras, lr_array and lr_table are kept (needed if the
   // user calls MC_(print_block_list)).  lr_table is also used for delta
   // leak reporting between this leak search and the next one.
}

static Addr  searched_wpa;
static SizeT searched_szB;
static void
search_address_in_GP_reg(ThreadId tid, const HChar* regname, Addr addr_in_reg)
{
   if (addr_in_reg >= searched_wpa
       && addr_in_reg < searched_wpa + searched_szB) {
      if (addr_in_reg == searched_wpa)
         VG_(umsg)
            ("tid %d register %s pointing at %#lx\n",
             tid, regname, searched_wpa);
      else
         VG_(umsg)
            ("tid %d register %s interior pointing %lu bytes inside %#lx\n",
             tid, regname, (long unsigned) addr_in_reg - searched_wpa,
             searched_wpa);
   }
}

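// Note: this is the worker behind the gdbserver monitor command
// "who_points_at <addr> [<len>]".  Output lines follow the formats above
// and in lc_scan_memory, e.g. (hypothetical address and register name):
//    Searching for pointers to 0x4028028
//    tid 1 register RSI pointing at 0x4028028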
void MC_(who_points_at) ( Addr address, SizeT szB)
{
   MC_Chunk** chunks;
   Int        n_chunks;
   Int        i;

   if (szB == 1)
      VG_(umsg) ("Searching for pointers to %#lx\n", address);
   else
      VG_(umsg) ("Searching for pointers pointing in %lu bytes from %#lx\n",
                 szB, address);

   chunks = find_active_chunks(&n_chunks);

   // Scan the memory root set, searching for pointers into address[szB].
   scan_memory_root_set(address, szB);

   // Scan active malloc-ed chunks.
   for (i = 0; i < n_chunks; i++) {
      lc_scan_memory(chunks[i]->data, chunks[i]->szB,
                     /*is_prior_definite*/True,
                     /*clique*/-1, /*cur_clique*/-1,
                     address, szB);
   }
   VG_(free) ( chunks );

   // Scan GP registers for pointers into the address range.
   searched_wpa = address;
   searched_szB = szB;
   VG_(apply_to_GP_regs)(search_address_in_GP_reg);
}

/*--------------------------------------------------------------------*/
/*--- end                                                          ---*/
/*--------------------------------------------------------------------*/