1
2 /*--------------------------------------------------------------------*/
3 /*--- The leak checker. mc_leakcheck.c ---*/
4 /*--------------------------------------------------------------------*/
5
6 /*
7 This file is part of MemCheck, a heavyweight Valgrind tool for
8 detecting memory errors.
9
10 Copyright (C) 2000-2015 Julian Seward
11 jseward@acm.org
12
13 This program is free software; you can redistribute it and/or
14 modify it under the terms of the GNU General Public License as
15 published by the Free Software Foundation; either version 2 of the
16 License, or (at your option) any later version.
17
18 This program is distributed in the hope that it will be useful, but
19 WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 General Public License for more details.
22
23 You should have received a copy of the GNU General Public License
24 along with this program; if not, write to the Free Software
25 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
26 02111-1307, USA.
27
28 The GNU General Public License is contained in the file COPYING.
29 */
30
31 #include "pub_tool_basics.h"
32 #include "pub_tool_vki.h"
33 #include "pub_tool_aspacehl.h"
34 #include "pub_tool_aspacemgr.h"
35 #include "pub_tool_execontext.h"
36 #include "pub_tool_hashtable.h"
37 #include "pub_tool_libcbase.h"
38 #include "pub_tool_libcassert.h"
39 #include "pub_tool_libcprint.h"
40 #include "pub_tool_libcsignal.h"
41 #include "pub_tool_machine.h"
42 #include "pub_tool_mallocfree.h"
43 #include "pub_tool_options.h"
44 #include "pub_tool_oset.h"
45 #include "pub_tool_poolalloc.h"
46 #include "pub_tool_signals.h" // Needed for mc_include.h
47 #include "pub_tool_libcsetjmp.h" // setjmp facilities
48 #include "pub_tool_tooliface.h" // Needed for mc_include.h
49
50 #include "mc_include.h"
51
52 /*------------------------------------------------------------*/
53 /*--- An overview of leak checking. ---*/
54 /*------------------------------------------------------------*/
55
56 // Leak-checking is a directed-graph traversal problem. The graph has
57 // two kinds of nodes:
58 // - root-set nodes:
59 // - GP registers of all threads;
60 // - valid, aligned, pointer-sized data words in valid client memory,
61 // including stacks, but excluding words within client heap-allocated
62 // blocks (they are excluded so that later on we can differentiate
63 // between heap blocks that are indirectly leaked vs. directly leaked).
64 // - heap-allocated blocks. A block is a mempool chunk or a malloc chunk
65 // that doesn't contain a mempool chunk. Nb: the terms "blocks" and
66 // "chunks" are used interchangeably below.
67 //
68 // There are two kinds of edges:
69 // - start-pointers, i.e. pointers to the start of a block;
70 // - interior-pointers, i.e. pointers to the interior of a block.
71 //
72 // We use "pointers" rather than "edges" below.
73 //
74 // Root set nodes only point to blocks. Blocks only point to blocks;
75 // a block can point to itself.
76 //
77 // The aim is to traverse the graph and determine the status of each block.
78 //
79 // There are 9 distinct cases. See memcheck/docs/mc-manual.xml for details.
80 // Presenting all nine categories to the user is probably too much.
81 // Currently we do this:
82 // - definitely lost: case 3
83 // - indirectly lost: case 4, 9
84 // - possibly lost: cases 5..8
85 // - still reachable: cases 1, 2
86 //
87 // It's far from clear that this is the best possible categorisation; it's
88 // accreted over time without any central guiding principle.
89
90 /*------------------------------------------------------------*/
91 /*--- XXX: Thoughts for improvement. ---*/
92 /*------------------------------------------------------------*/
93
94 // From the user's point of view:
95 // - If they aren't using interior-pointers, they just have to fix the
96 // directly lost blocks, and the indirectly lost ones will be fixed as
97 // part of that. Any possibly lost blocks will just be due to random
98 // pointer garbage and can be ignored.
99 //
100 // - If they are using interior-pointers, the fact that they currently are not
101 // being told which ones might be directly lost vs. indirectly lost makes
102 // it hard to know where to begin.
103 //
104 // All this makes me wonder if new option is warranted:
105 // --follow-interior-pointers. By default it would be off, the leak checker
106 // wouldn't follow interior-pointers and there would only be 3 categories:
107 // R, DL, IL.
108 //
109 // If turned on, then it would show 7 categories (R, DL, IL, DR/DL, IR/IL,
110 // IR/IL/DL, IL/DL). That output is harder to understand but it's your own
111 // damn fault for using interior-pointers...
112 //
113 // ----
114 //
115 // Also, why are two blank lines printed between each loss record?
116 // [bug 197930]
117 //
118 // ----
119 //
120 // Also, --show-reachable is a bad name because it also turns on the showing
121 // of indirectly leaked blocks(!) It would be better named --show-all or
122 // --show-all-heap-blocks, because that's the end result.
123 // We now have the option --show-leak-kinds=... which allows to specify =all.
124 //
125 // ----
126 //
127 // Also, the VALGRIND_LEAK_CHECK and VALGRIND_QUICK_LEAK_CHECK aren't great
128 // names. VALGRIND_FULL_LEAK_CHECK and VALGRIND_SUMMARY_LEAK_CHECK would be
129 // better.
130 //
131 // ----
132 //
133 // Also, VALGRIND_COUNT_LEAKS and VALGRIND_COUNT_LEAK_BLOCKS aren't great as
134 // they combine direct leaks and indirect leaks into one. New, more precise
135 // ones (they'll need new names) would be good. If more categories are
136 // used, as per the --follow-interior-pointers option, they should be
137 // updated accordingly. And they should use a struct to return the values.
138 //
139 // ----
140 //
141 // Also, for this case:
142 //
143 // (4) p4 BBB ---> AAA
144 //
145 // BBB is definitely directly lost. AAA is definitely indirectly lost.
146 // Here's the relevant loss records printed for a full check (each block is
147 // 16 bytes):
148 //
149 // ==20397== 16 bytes in 1 blocks are indirectly lost in loss record 9 of 15
150 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
151 // ==20397== by 0x400521: mk (leak-cases.c:49)
152 // ==20397== by 0x400578: main (leak-cases.c:72)
153 //
154 // ==20397== 32 (16 direct, 16 indirect) bytes in 1 blocks are definitely
155 // lost in loss record 14 of 15
156 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
157 // ==20397== by 0x400521: mk (leak-cases.c:49)
158 // ==20397== by 0x400580: main (leak-cases.c:72)
159 //
160 // The first one is fine -- it describes AAA.
161 //
162 // The second one is for BBB. It's correct in that 16 bytes in 1 block are
163 // directly lost. It's also correct that 16 are indirectly lost as a result,
164 // but it means that AAA is being counted twice in the loss records. (It's
165 // not, thankfully, counted twice in the summary counts). Argh.
166 //
167 // This would be less confusing for the second one:
168 //
169 // ==20397== 16 bytes in 1 blocks are definitely lost in loss record 14
170 // of 15 (and 16 bytes in 1 block are indirectly lost as a result; they
171 // are mentioned elsewhere (if --show-reachable=yes or indirect is given
172 // in --show-leak-kinds=... !))
173 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
174 // ==20397== by 0x400521: mk (leak-cases.c:49)
175 // ==20397== by 0x400580: main (leak-cases.c:72)
176 //
177 // But ideally we'd present the loss record for the directly lost block and
178 // then the resultant indirectly lost blocks and make it clear the
179 // dependence. Double argh.
180
181 /*------------------------------------------------------------*/
182 /*--- The actual algorithm. ---*/
183 /*------------------------------------------------------------*/
184
185 // - Find all the blocks (a.k.a. chunks) to check. Mempool chunks require
186 // some special treatment because they can be within malloc'd blocks.
187 // - Scan every word in the root set (GP registers and valid
188 // non-heap memory words).
189 // - First, we skip if it doesn't point to valid memory.
190 // - Then, we see if it points to the start or interior of a block. If
191 // so, we push the block onto the mark stack and mark it as having been
192 // reached.
193 // - Then, we process the mark stack, repeating the scanning for each block;
194 // this can push more blocks onto the mark stack. We repeat until the
195 // mark stack is empty. Each block is marked as definitely or possibly
196 // reachable, depending on whether interior-pointers were required to
197 // reach it.
198 // - At this point we know for every block if it's reachable or not.
199 // - We then push each unreached block onto the mark stack, using the block
200 // number as the "clique" number.
201 // - We process the mark stack again, this time grouping blocks into cliques
202 // in order to facilitate the directly/indirectly lost categorisation.
203 // - We group blocks by their ExeContexts and categorisation, and print them
204 // if --leak-check=full. We also print summary numbers.
205 //
206 // A note on "cliques":
207 // - A directly lost block is one with no pointers to it. An indirectly
208 // lost block is one that is pointed to by a directly or indirectly lost
209 // block.
210 // - Each directly lost block has zero or more indirectly lost blocks
211 // hanging off it. All these blocks together form a "clique". The
212 // directly lost block is called the "clique leader". The clique number
213 // is the number (in lc_chunks[]) of the clique leader.
214 // - Actually, a directly lost block may be pointed to if it's part of a
215 // cycle. In that case, there may be more than one choice for the clique
216 // leader, and the choice is arbitrary. Eg. if you have A-->B and B-->A
217 // either A or B could be the clique leader.
218 // - Cliques cannot overlap, and will be truncated to avoid this. Eg. if we
219 // have A-->C and B-->C, the two cliques will be {A,C} and {B}, or {A} and
220 // {B,C} (again the choice is arbitrary). This is because we don't want
221 // to count a block as indirectly lost more than once.
222 //
223 // A note on 'is_prior_definite':
224 // - This is a boolean used in various places that indicates if the chain
225 // up to the prior node (prior to the one being considered) is definite.
226 // - In the clique == -1 case:
227 // - if True it means that the prior node is a root-set node, or that the
228 // prior node is a block which is reachable from the root-set via
229 // start-pointers.
230 // - if False it means that the prior node is a block that is only
231 // reachable from the root-set via a path including at least one
232 // interior-pointer.
233 // - In the clique != -1 case, currently it's always True because we treat
234 // start-pointers and interior-pointers the same for direct/indirect leak
235 // checking. If we added a PossibleIndirectLeak state then this would
236 // change.
237
238
239 // Define to debug the memory-leak-detector.
240 #define VG_DEBUG_LEAKCHECK 0
241 #define VG_DEBUG_CLIQUE 0
242
243
244 /*------------------------------------------------------------*/
245 /*--- Getting the initial chunks, and searching them. ---*/
246 /*------------------------------------------------------------*/
247
248 // Compare the MC_Chunks by 'data' (i.e. the address of the block).
compare_MC_Chunks(const void * n1,const void * n2)249 static Int compare_MC_Chunks(const void* n1, const void* n2)
250 {
251 const MC_Chunk* mc1 = *(const MC_Chunk *const *)n1;
252 const MC_Chunk* mc2 = *(const MC_Chunk *const *)n2;
253 if (mc1->data < mc2->data) return -1;
254 if (mc1->data > mc2->data) return 1;
255 return 0;
256 }
257
258 #if VG_DEBUG_LEAKCHECK
259 // Used to sanity-check the fast binary-search mechanism.
260 static
find_chunk_for_OLD(Addr ptr,MC_Chunk ** chunks,Int n_chunks)261 Int find_chunk_for_OLD ( Addr ptr,
262 MC_Chunk** chunks,
263 Int n_chunks )
264
265 {
266 Int i;
267 Addr a_lo, a_hi;
268 PROF_EVENT(MCPE_FIND_CHUNK_FOR_OLD);
269 for (i = 0; i < n_chunks; i++) {
270 PROF_EVENT(MCPE_FIND_CHUNK_FOR_OLD_LOOP);
271 a_lo = chunks[i]->data;
272 a_hi = ((Addr)chunks[i]->data) + chunks[i]->szB;
273 if (a_lo <= ptr && ptr < a_hi)
274 return i;
275 }
276 return -1;
277 }
278 #endif
279
280 // Find the i such that ptr points at or inside the block described by
281 // chunks[i]. Return -1 if none found. This assumes that chunks[]
282 // has been sorted on the 'data' field.
283 static
find_chunk_for(Addr ptr,MC_Chunk ** chunks,Int n_chunks)284 Int find_chunk_for ( Addr ptr,
285 MC_Chunk** chunks,
286 Int n_chunks )
287 {
288 Addr a_mid_lo, a_mid_hi;
289 Int lo, mid, hi, retVal;
290 // VG_(printf)("find chunk for %p = ", ptr);
291 retVal = -1;
292 lo = 0;
293 hi = n_chunks-1;
294 while (True) {
295 // Invariant: current unsearched space is from lo to hi, inclusive.
296 if (lo > hi) break; // not found
297
298 mid = (lo + hi) / 2;
299 a_mid_lo = chunks[mid]->data;
300 a_mid_hi = chunks[mid]->data + chunks[mid]->szB;
301 // Extent of block 'mid' is [a_mid_lo .. a_mid_hi).
302 // Special-case zero-sized blocks - treat them as if they had
303 // size 1. Not doing so causes them to not cover any address
304 // range at all and so will never be identified as the target of
305 // any pointer, which causes them to be incorrectly reported as
306 // definitely leaked.
307 if (chunks[mid]->szB == 0)
308 a_mid_hi++;
309
310 if (ptr < a_mid_lo) {
311 hi = mid-1;
312 continue;
313 }
314 if (ptr >= a_mid_hi) {
315 lo = mid+1;
316 continue;
317 }
318 tl_assert(ptr >= a_mid_lo && ptr < a_mid_hi);
319 retVal = mid;
320 break;
321 }
322
323 # if VG_DEBUG_LEAKCHECK
324 tl_assert(retVal == find_chunk_for_OLD ( ptr, chunks, n_chunks ));
325 # endif
326 // VG_(printf)("%d\n", retVal);
327 return retVal;
328 }
329
330
331 static MC_Chunk**
find_active_chunks(Int * pn_chunks)332 find_active_chunks(Int* pn_chunks)
333 {
334 // Our goal is to construct a set of chunks that includes every
335 // mempool chunk, and every malloc region that *doesn't* contain a
336 // mempool chunk.
337 MC_Mempool *mp;
338 MC_Chunk **mallocs, **chunks, *mc;
339 UInt n_mallocs, n_chunks, m, s;
340 Bool *malloc_chunk_holds_a_pool_chunk;
341
342 // First we collect all the malloc chunks into an array and sort it.
343 // We do this because we want to query the chunks by interior
344 // pointers, requiring binary search.
345 mallocs = (MC_Chunk**) VG_(HT_to_array)( MC_(malloc_list), &n_mallocs );
346 if (n_mallocs == 0) {
347 tl_assert(mallocs == NULL);
348 *pn_chunks = 0;
349 return NULL;
350 }
351 VG_(ssort)(mallocs, n_mallocs, sizeof(VgHashNode*), compare_MC_Chunks);
352
353 // Then we build an array containing a Bool for each malloc chunk,
354 // indicating whether it contains any mempools.
355 malloc_chunk_holds_a_pool_chunk = VG_(calloc)( "mc.fas.1",
356 n_mallocs, sizeof(Bool) );
357 n_chunks = n_mallocs;
358
359 // Then we loop over the mempool tables. For each chunk in each
360 // pool, we set the entry in the Bool array corresponding to the
361 // malloc chunk containing the mempool chunk.
362 VG_(HT_ResetIter)(MC_(mempool_list));
363 while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) {
364 VG_(HT_ResetIter)(mp->chunks);
365 while ( (mc = VG_(HT_Next)(mp->chunks)) ) {
366
367 // We'll need to record this chunk.
368 n_chunks++;
369
370 // Possibly invalidate the malloc holding the beginning of this chunk.
371 m = find_chunk_for(mc->data, mallocs, n_mallocs);
372 if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) {
373 tl_assert(n_chunks > 0);
374 n_chunks--;
375 malloc_chunk_holds_a_pool_chunk[m] = True;
376 }
377
378 // Possibly invalidate the malloc holding the end of this chunk.
379 if (mc->szB > 1) {
380 m = find_chunk_for(mc->data + (mc->szB - 1), mallocs, n_mallocs);
381 if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) {
382 tl_assert(n_chunks > 0);
383 n_chunks--;
384 malloc_chunk_holds_a_pool_chunk[m] = True;
385 }
386 }
387 }
388 }
389 tl_assert(n_chunks > 0);
390
391 // Create final chunk array.
392 chunks = VG_(malloc)("mc.fas.2", sizeof(VgHashNode*) * (n_chunks));
393 s = 0;
394
395 // Copy the mempool chunks and the non-marked malloc chunks into a
396 // combined array of chunks.
397 VG_(HT_ResetIter)(MC_(mempool_list));
398 while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) {
399 VG_(HT_ResetIter)(mp->chunks);
400 while ( (mc = VG_(HT_Next)(mp->chunks)) ) {
401 tl_assert(s < n_chunks);
402 chunks[s++] = mc;
403 }
404 }
405 for (m = 0; m < n_mallocs; ++m) {
406 if (!malloc_chunk_holds_a_pool_chunk[m]) {
407 tl_assert(s < n_chunks);
408 chunks[s++] = mallocs[m];
409 }
410 }
411 tl_assert(s == n_chunks);
412
413 // Free temporaries.
414 VG_(free)(mallocs);
415 VG_(free)(malloc_chunk_holds_a_pool_chunk);
416
417 *pn_chunks = n_chunks;
418
419 return chunks;
420 }
421
422 /*------------------------------------------------------------*/
423 /*--- The leak detector proper. ---*/
424 /*------------------------------------------------------------*/
425
426 // Holds extra info about each block during leak checking.
427 typedef
428 struct {
429 UInt state:2; // Reachedness.
430 UInt pending:1; // Scan pending.
431 UInt heuristic: (sizeof(UInt)*8)-3;
432 // Heuristic with which this block was considered reachable.
433 // LchNone if state != Reachable or no heuristic needed to
434 // consider it reachable.
435
436 union {
437 SizeT indirect_szB;
438 // If Unreached, how many bytes are unreachable from here.
439 SizeT clique;
440 // if IndirectLeak, clique leader to which it belongs.
441 } IorC;
442 }
443 LC_Extra;
444
445 // An array holding pointers to every chunk we're checking. Sorted by address.
446 // lc_chunks is initialised during leak search. It is kept after leak search
447 // to support printing the list of blocks belonging to a loss record.
448 // lc_chunk array can only be used validly till the next "free" operation
449 // (as a free operation potentially destroys one or more chunks).
450 // To detect lc_chunk is valid, we store the nr of frees operations done
451 // when lc_chunk was build : lc_chunks (and lc_extras) stays valid as
452 // long as no free operations has been done since lc_chunks building.
453 static MC_Chunk** lc_chunks;
454 // How many chunks we're dealing with.
455 static Int lc_n_chunks;
456 static SizeT lc_chunks_n_frees_marker;
457 // This has the same number of entries as lc_chunks, and each entry
458 // in lc_chunks corresponds with the entry here (ie. lc_chunks[i] and
459 // lc_extras[i] describe the same block).
460 static LC_Extra* lc_extras;
461
462 // chunks will be converted and merged in loss record, maintained in lr_table
463 // lr_table elements are kept from one leak_search to another to implement
464 // the "print new/changed leaks" client request
465 static OSet* lr_table;
466 // Array of sorted loss record (produced during last leak search).
467 static LossRecord** lr_array;
468
469 // Value of the heuristics parameter used in the current (or last) leak check.
470 static UInt detect_memory_leaks_last_heuristics;
471
472 // DeltaMode used the last time we called detect_memory_leaks.
473 // The recorded leak errors are output using a logic based on this delta_mode.
474 // The below avoids replicating the delta_mode in each LossRecord.
475 LeakCheckDeltaMode MC_(detect_memory_leaks_last_delta_mode);
476
477 // Each leak search run increments the below generation counter.
478 // A used suppression during a leak search will contain this
479 // generation number.
480 UInt MC_(leak_search_gen);
481
482 // Records chunks that are currently being processed. Each element in the
483 // stack is an index into lc_chunks and lc_extras. Its size is
484 // 'lc_n_chunks' because in the worst case that's how many chunks could be
485 // pushed onto it (actually I think the maximum is lc_n_chunks-1 but let's
486 // be conservative).
487 static Int* lc_markstack;
488 // The index of the top element of the stack; -1 if the stack is empty, 0 if
489 // the stack has one element, 1 if it has two, etc.
490 static Int lc_markstack_top;
491
492 // Keeps track of how many bytes of memory we've scanned, for printing.
493 // (Nb: We don't keep track of how many register bytes we've scanned.)
494 static SizeT lc_scanned_szB;
495 // Keeps track of how many bytes we have not scanned due to read errors that
496 // caused a signal such as SIGSEGV.
497 static SizeT lc_sig_skipped_szB;
498
499
500 SizeT MC_(bytes_leaked) = 0;
501 SizeT MC_(bytes_indirect) = 0;
502 SizeT MC_(bytes_dubious) = 0;
503 SizeT MC_(bytes_reachable) = 0;
504 SizeT MC_(bytes_suppressed) = 0;
505
506 SizeT MC_(blocks_leaked) = 0;
507 SizeT MC_(blocks_indirect) = 0;
508 SizeT MC_(blocks_dubious) = 0;
509 SizeT MC_(blocks_reachable) = 0;
510 SizeT MC_(blocks_suppressed) = 0;
511
512 // Subset of MC_(bytes_reachable) and MC_(blocks_reachable) which
513 // are considered reachable due to the corresponding heuristic.
514 static SizeT MC_(bytes_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS]
515 = {0,0,0,0};
516 static SizeT MC_(blocks_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS]
517 = {0,0,0,0};
518
519 // Determines if a pointer is to a chunk. Returns the chunk number et al
520 // via call-by-reference.
521 static Bool
lc_is_a_chunk_ptr(Addr ptr,Int * pch_no,MC_Chunk ** pch,LC_Extra ** pex)522 lc_is_a_chunk_ptr(Addr ptr, Int* pch_no, MC_Chunk** pch, LC_Extra** pex)
523 {
524 Int ch_no;
525 MC_Chunk* ch;
526 LC_Extra* ex;
527
528 // Quick filter. Note: implemented with am, not with get_vabits2
529 // as ptr might be random data pointing anywhere. On 64 bit
530 // platforms, getting va bits for random data can be quite costly
531 // due to the secondary map.
532 if (!VG_(am_is_valid_for_client)(ptr, 1, VKI_PROT_READ)) {
533 return False;
534 } else {
535 ch_no = find_chunk_for(ptr, lc_chunks, lc_n_chunks);
536 tl_assert(ch_no >= -1 && ch_no < lc_n_chunks);
537
538 if (ch_no == -1) {
539 return False;
540 } else {
541 // Ok, we've found a pointer to a chunk. Get the MC_Chunk and its
542 // LC_Extra.
543 ch = lc_chunks[ch_no];
544 ex = &(lc_extras[ch_no]);
545
546 tl_assert(ptr >= ch->data);
547 tl_assert(ptr < ch->data + ch->szB + (ch->szB==0 ? 1 : 0));
548
549 if (VG_DEBUG_LEAKCHECK)
550 VG_(printf)("ptr=%#lx -> block %d\n", ptr, ch_no);
551
552 *pch_no = ch_no;
553 *pch = ch;
554 *pex = ex;
555
556 return True;
557 }
558 }
559 }
560
561 // Push a chunk (well, just its index) onto the mark stack.
lc_push(Int ch_no,MC_Chunk * ch)562 static void lc_push(Int ch_no, MC_Chunk* ch)
563 {
564 if (!lc_extras[ch_no].pending) {
565 if (0) {
566 VG_(printf)("pushing %#lx-%#lx\n", ch->data, ch->data + ch->szB);
567 }
568 lc_markstack_top++;
569 tl_assert(lc_markstack_top < lc_n_chunks);
570 lc_markstack[lc_markstack_top] = ch_no;
571 tl_assert(!lc_extras[ch_no].pending);
572 lc_extras[ch_no].pending = True;
573 }
574 }
575
576 // Return the index of the chunk on the top of the mark stack, or -1 if
577 // there isn't one.
lc_pop(Int * ret)578 static Bool lc_pop(Int* ret)
579 {
580 if (-1 == lc_markstack_top) {
581 return False;
582 } else {
583 tl_assert(0 <= lc_markstack_top && lc_markstack_top < lc_n_chunks);
584 *ret = lc_markstack[lc_markstack_top];
585 lc_markstack_top--;
586 tl_assert(lc_extras[*ret].pending);
587 lc_extras[*ret].pending = False;
588 return True;
589 }
590 }
591
pp_heuristic(LeakCheckHeuristic h)592 static const HChar* pp_heuristic(LeakCheckHeuristic h)
593 {
594 switch(h) {
595 case LchNone: return "none";
596 case LchStdString: return "stdstring";
597 case LchLength64: return "length64";
598 case LchNewArray: return "newarray";
599 case LchMultipleInheritance: return "multipleinheritance";
600 default: return "???invalid heuristic???";
601 }
602 }
603
604 // True if ptr looks like the address of a vtable, i.e. if ptr
605 // points to an array of pointers to functions.
606 // It is assumed the only caller of this function is heuristic_reachedness
607 // which must check that ptr is aligned and above page 0.
608 // Checking that ptr is above page 0 is an optimisation : it is assumed
609 // that no vtable is located in the page 0. So, all small integer values
610 // encountered during the scan will not incur the cost of calling this
611 // function.
aligned_ptr_above_page0_is_vtable_addr(Addr ptr)612 static Bool aligned_ptr_above_page0_is_vtable_addr(Addr ptr)
613 {
614 // ??? If performance problem:
615 // ??? maybe implement a cache (array indexed by ptr % primenr)
616 // ??? of "I am a vtable ptr" ???
617
618 // ??? Maybe the debug info could (efficiently?) be used to detect vtables ?
619
620 // We consider ptr as a vtable ptr if it points to a table
621 // where we find only NULL pointers or pointers pointing at an
622 // executable region. We must find at least 2 non NULL pointers
623 // before considering ptr as a vtable pointer.
624 // We scan a maximum of VTABLE_MAX_CHECK words for these 2 non NULL
625 // pointers.
626 #define VTABLE_MAX_CHECK 20
627
628 NSegment const *seg;
629 UInt nr_fn_ptrs = 0;
630 Addr scan;
631 Addr scan_max;
632
633 // First verify ptr points inside a client mapped file section.
634 // ??? is a vtable always in a file mapped readable section ?
635 seg = VG_(am_find_nsegment) (ptr);
636 if (seg == NULL
637 || seg->kind != SkFileC
638 || !seg->hasR)
639 return False;
640
641 // Check potential function pointers, up to a maximum of VTABLE_MAX_CHECK.
642 scan_max = ptr + VTABLE_MAX_CHECK*sizeof(Addr);
643 // If ptr is near the end of seg, avoid scan_max exceeding the end of seg:
644 if (scan_max > seg->end - sizeof(Addr))
645 scan_max = seg->end - sizeof(Addr);
646 for (scan = ptr; scan <= scan_max; scan+=sizeof(Addr)) {
647 Addr pot_fn = *((Addr *)scan);
648 if (pot_fn == 0)
649 continue; // NULL fn pointer. Seems it can happen in vtable.
650 seg = VG_(am_find_nsegment) (pot_fn);
651 #if defined(VGA_ppc64be)
652 // ppc64BE uses a thunk table (function descriptors), so we have one
653 // more level of indirection to follow.
654 if (seg == NULL
655 || seg->kind != SkFileC
656 || !seg->hasR
657 || !seg->hasW)
658 return False; // ptr to nowhere, or not a ptr to thunks.
659 pot_fn = *((Addr *)pot_fn);
660 if (pot_fn == 0)
661 continue; // NULL fn pointer. Seems it can happen in vtable.
662 seg = VG_(am_find_nsegment) (pot_fn);
663 #endif
664 if (seg == NULL
665 || seg->kind != SkFileC
666 || !seg->hasT)
667 return False; // ptr to nowhere, or not a fn ptr.
668 nr_fn_ptrs++;
669 if (nr_fn_ptrs == 2)
670 return True;
671 }
672
673 return False;
674 }
675
676 // true if a is properly aligned and points to 64bits of valid memory
is_valid_aligned_ULong(Addr a)677 static Bool is_valid_aligned_ULong ( Addr a )
678 {
679 if (sizeof(Word) == 8)
680 return MC_(is_valid_aligned_word)(a);
681
682 return MC_(is_valid_aligned_word)(a)
683 && MC_(is_valid_aligned_word)(a + 4);
684 }
685
686 /* The below leak_search_fault_catcher is used to catch memory access
687 errors happening during leak_search. During the scan, we check
688 with aspacemgr and/or VA bits that each page or dereferenced location is
689 readable and belongs to the client. However, we still protect
690 against SIGSEGV and SIGBUS e.g. in case aspacemgr is desynchronised
691 with the real page mappings. Such a desynchronisation could happen
692 due to an aspacemgr bug. Note that if the application is using
693 mprotect(NONE), then a page can be unreadable but have addressable
694 and defined VA bits (see mc_main.c function mc_new_mem_mprotect).
695 Currently, 2 functions are dereferencing client memory during leak search:
696 heuristic_reachedness and lc_scan_memory.
697 Each such function has its own fault catcher, that will call
698 leak_search_fault_catcher with the proper 'who' and jmpbuf parameters. */
699 static volatile Addr bad_scanned_addr;
700 static
leak_search_fault_catcher(Int sigNo,Addr addr,const HChar * who,VG_MINIMAL_JMP_BUF (jmpbuf))701 void leak_search_fault_catcher ( Int sigNo, Addr addr,
702 const HChar *who, VG_MINIMAL_JMP_BUF(jmpbuf) )
703 {
704 vki_sigset_t sigmask;
705
706 if (0)
707 VG_(printf)("OUCH! sig=%d addr=%#lx who=%s\n", sigNo, addr, who);
708
709 /* Signal handler runs with the signal masked.
710 Unmask the handled signal before longjmp-ing or return-ing.
711 Note that during leak search, we expect only SIGSEGV or SIGBUS
712 and we do not expect another occurence until we longjmp-ed!return-ed
713 to resume the leak search. So, it is safe to unmask the signal
714 here. */
715 /* First get current mask (by passing NULL as first arg) */
716 VG_(sigprocmask)(VKI_SIG_SETMASK, NULL, &sigmask);
717 /* Then set a new sigmask, with this signal removed from the mask. */
718 VG_(sigdelset)(&sigmask, sigNo);
719 VG_(sigprocmask)(VKI_SIG_SETMASK, &sigmask, NULL);
720
721 if (sigNo == VKI_SIGSEGV || sigNo == VKI_SIGBUS) {
722 bad_scanned_addr = addr;
723 VG_MINIMAL_LONGJMP(jmpbuf);
724 } else {
725 /* ??? During leak search, we are not supposed to receive any
726 other sync signal that these 2.
727 In theory, we should not call VG_(umsg) in a signal handler,
728 but better (try to) report this unexpected behaviour. */
729 VG_(umsg)("leak_search_fault_catcher:"
730 " unexpected signal %d, catcher %s ???\n",
731 sigNo, who);
732 }
733 }
734
735 // jmpbuf and fault_catcher used during heuristic_reachedness
736 static VG_MINIMAL_JMP_BUF(heuristic_reachedness_jmpbuf);
737 static
heuristic_reachedness_fault_catcher(Int sigNo,Addr addr)738 void heuristic_reachedness_fault_catcher ( Int sigNo, Addr addr )
739 {
740 leak_search_fault_catcher (sigNo, addr,
741 "heuristic_reachedness_fault_catcher",
742 heuristic_reachedness_jmpbuf);
743 }
744
745 // If ch is heuristically reachable via an heuristic member of heur_set,
746 // returns this heuristic.
747 // If ch cannot be considered reachable using one of these heuristics,
748 // return LchNone.
749 // This should only be called when ptr is an interior ptr to ch.
750 // The StdString/NewArray/MultipleInheritance heuristics are directly
751 // inspired from DrMemory:
752 // see http://www.burningcutlery.com/derek/docs/drmem-CGO11.pdf [section VI,C]
753 // and bug 280271.
heuristic_reachedness(Addr ptr,MC_Chunk * ch,LC_Extra * ex,UInt heur_set)754 static LeakCheckHeuristic heuristic_reachedness (Addr ptr,
755 MC_Chunk *ch, LC_Extra *ex,
756 UInt heur_set)
757 {
758
759 fault_catcher_t prev_catcher;
760
761 prev_catcher = VG_(set_fault_catcher)(heuristic_reachedness_fault_catcher);
762
763 // See leak_search_fault_catcher
764 if (VG_MINIMAL_SETJMP(heuristic_reachedness_jmpbuf) != 0) {
765 VG_(set_fault_catcher) (prev_catcher);
766 return LchNone;
767 }
768
769 if (HiS(LchStdString, heur_set)) {
770 // Detects inner pointers to Std::String for layout being
771 // length capacity refcount char_array[] \0
772 // where ptr points to the beginning of the char_array.
773 // Note: we check definedness for length and capacity but
774 // not for refcount, as refcount size might be smaller than
775 // a SizeT, giving a uninitialised hole in the first 3 SizeT.
776 if ( ptr == ch->data + 3 * sizeof(SizeT)
777 && MC_(is_valid_aligned_word)(ch->data + sizeof(SizeT))) {
778 const SizeT capacity = *((SizeT*)(ch->data + sizeof(SizeT)));
779 if (3 * sizeof(SizeT) + capacity + 1 == ch->szB
780 && MC_(is_valid_aligned_word)(ch->data)) {
781 const SizeT length = *((SizeT*)ch->data);
782 if (length <= capacity) {
783 // ??? could check there is no null byte from ptr to ptr+length-1
784 // ??? and that there is a null byte at ptr+length.
785 // ???
786 // ??? could check that ch->allockind is MC_AllocNew ???
787 // ??? probably not a good idea, as I guess stdstring
788 // ??? allocator can be done via custom allocator
789 // ??? or even a call to malloc ????
790 VG_(set_fault_catcher) (prev_catcher);
791 return LchStdString;
792 }
793 }
794 }
795 }
796
797 if (HiS(LchLength64, heur_set)) {
798 // Detects inner pointers that point at 64bit offset (8 bytes) into a
799 // block following the length of the remaining as 64bit number
800 // (=total block size - 8).
801 // This is used e.g. by sqlite for tracking the total size of allocated
802 // memory.
803 // Note that on 64bit platforms, a block matching LchLength64 will
804 // also be matched by LchNewArray.
805 if ( ptr == ch->data + sizeof(ULong)
806 && is_valid_aligned_ULong(ch->data)) {
807 const ULong size = *((ULong*)ch->data);
808 if (size > 0 && (ch->szB - sizeof(ULong)) == size) {
809 VG_(set_fault_catcher) (prev_catcher);
810 return LchLength64;
811 }
812 }
813 }
814
815 if (HiS(LchNewArray, heur_set)) {
816 // Detects inner pointers at second word of new[] array, following
817 // a plausible nr of elements.
818 // Such inner pointers are used for arrays of elements
819 // having a destructor, as the delete[] of the array must know
820 // how many elements to destroy.
821 //
822 // We have a strange/wrong case for 'ptr = new MyClass[0];' :
823 // For such a case, the returned ptr points just outside the
824 // allocated chunk. This chunk is then seen as a definite
825 // leak by Valgrind, as it is not considered an interior pointer.
826 // It is the c++ equivalent of bug 99923 (malloc(0) wrongly considered
827 // as definitely leaked). See the trick in find_chunk_for handling
828 // 0-sized block. This trick does not work for 'new MyClass[0]'
829 // because a chunk "word-sized" is allocated to store the (0) nr
830 // of elements.
831 if ( ptr == ch->data + sizeof(SizeT)
832 && MC_(is_valid_aligned_word)(ch->data)) {
833 const SizeT nr_elts = *((SizeT*)ch->data);
834 if (nr_elts > 0 && (ch->szB - sizeof(SizeT)) % nr_elts == 0) {
835 // ??? could check that ch->allockind is MC_AllocNewVec ???
836 VG_(set_fault_catcher) (prev_catcher);
837 return LchNewArray;
838 }
839 }
840 }
841
842 if (HiS(LchMultipleInheritance, heur_set)) {
843 // Detect inner pointer used for multiple inheritance.
844 // Assumption is that the vtable pointers are before the object.
845 if (VG_IS_WORD_ALIGNED(ptr)
846 && MC_(is_valid_aligned_word)(ptr)) {
847 Addr first_addr;
848 Addr inner_addr;
849
850 // Avoid the call to is_vtable_addr when the addr is not
851 // aligned or points in the page0, as it is unlikely
852 // a vtable is located in this page. This last optimisation
853 // avoids to call aligned_ptr_above_page0_is_vtable_addr
854 // for all small integers.
855 // Note: we could possibly also avoid calling this function
856 // for small negative integers, as no vtable should be located
857 // in the last page.
858 inner_addr = *((Addr*)ptr);
859 if (VG_IS_WORD_ALIGNED(inner_addr)
860 && inner_addr >= (Addr)VKI_PAGE_SIZE
861 && MC_(is_valid_aligned_word)(ch->data)) {
862 first_addr = *((Addr*)ch->data);
863 if (VG_IS_WORD_ALIGNED(first_addr)
864 && first_addr >= (Addr)VKI_PAGE_SIZE
865 && aligned_ptr_above_page0_is_vtable_addr(inner_addr)
866 && aligned_ptr_above_page0_is_vtable_addr(first_addr)) {
867 // ??? could check that ch->allockind is MC_AllocNew ???
868 VG_(set_fault_catcher) (prev_catcher);
869 return LchMultipleInheritance;
870 }
871 }
872 }
873 }
874
875 VG_(set_fault_catcher) (prev_catcher);
876 return LchNone;
877 }
878
879
880 // If 'ptr' is pointing to a heap-allocated block which hasn't been seen
881 // before, push it onto the mark stack.
882 static void
lc_push_without_clique_if_a_chunk_ptr(Addr ptr,Bool is_prior_definite)883 lc_push_without_clique_if_a_chunk_ptr(Addr ptr, Bool is_prior_definite)
884 {
885 Int ch_no;
886 MC_Chunk* ch;
887 LC_Extra* ex;
888 Reachedness ch_via_ptr; // Is ch reachable via ptr, and how ?
889
890 if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) )
891 return;
892
893 if (ex->state == Reachable) {
894 if (ex->heuristic && ptr == ch->data)
895 // If block was considered reachable via an heuristic, and it is now
896 // directly reachable via ptr, clear the heuristic field.
897 ex->heuristic = LchNone;
898 return;
899 }
900
901 // Possibly upgrade the state, ie. one of:
902 // - Unreached --> Possible
903 // - Unreached --> Reachable
904 // - Possible --> Reachable
905
906 if (ptr == ch->data)
907 ch_via_ptr = Reachable;
908 else if (detect_memory_leaks_last_heuristics) {
909 ex->heuristic
910 = heuristic_reachedness (ptr, ch, ex,
911 detect_memory_leaks_last_heuristics);
912 if (ex->heuristic)
913 ch_via_ptr = Reachable;
914 else
915 ch_via_ptr = Possible;
916 } else
917 ch_via_ptr = Possible;
918
919 if (ch_via_ptr == Reachable && is_prior_definite) {
920 // 'ptr' points to the start of the block or is to be considered as
921 // pointing to the start of the block, and the prior node is
922 // definite, which means that this block is definitely reachable.
923 ex->state = Reachable;
924
925 // State has changed to Reachable so (re)scan the block to make
926 // sure any blocks it points to are correctly marked.
927 lc_push(ch_no, ch);
928
929 } else if (ex->state == Unreached) {
930 // Either 'ptr' is a interior-pointer, or the prior node isn't definite,
931 // which means that we can only mark this block as possibly reachable.
932 ex->state = Possible;
933
934 // State has changed to Possible so (re)scan the block to make
935 // sure any blocks it points to are correctly marked.
936 lc_push(ch_no, ch);
937 }
938 }
939
940 static void
lc_push_if_a_chunk_ptr_register(ThreadId tid,const HChar * regname,Addr ptr)941 lc_push_if_a_chunk_ptr_register(ThreadId tid, const HChar* regname, Addr ptr)
942 {
943 lc_push_without_clique_if_a_chunk_ptr(ptr, /*is_prior_definite*/True);
944 }
945
946 // If ptr is pointing to a heap-allocated block which hasn't been seen
947 // before, push it onto the mark stack. Clique is the index of the
948 // clique leader.
949 static void
lc_push_with_clique_if_a_chunk_ptr(Addr ptr,Int clique,Int cur_clique)950 lc_push_with_clique_if_a_chunk_ptr(Addr ptr, Int clique, Int cur_clique)
951 {
952 Int ch_no;
953 MC_Chunk* ch;
954 LC_Extra* ex;
955
956 tl_assert(0 <= clique && clique < lc_n_chunks);
957
958 if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) )
959 return;
960
961 // If it's not Unreached, it's already been handled so ignore it.
962 // If ch_no==clique, it's the clique leader, which means this is a cyclic
963 // structure; again ignore it because it's already been handled.
964 if (ex->state == Unreached && ch_no != clique) {
965 // Note that, unlike reachable blocks, we currently don't distinguish
966 // between start-pointers and interior-pointers here. We probably
967 // should, though.
968 lc_push(ch_no, ch);
969
970 // Add the block to the clique, and add its size to the
971 // clique-leader's indirect size. Also, if the new block was
972 // itself a clique leader, it isn't any more, so add its
973 // indirect_szB to the new clique leader.
974 if (VG_DEBUG_CLIQUE) {
975 if (ex->IorC.indirect_szB > 0)
976 VG_(printf)(" clique %d joining clique %d adding %lu+%lu\n",
977 ch_no, clique, (SizeT)ch->szB, ex->IorC.indirect_szB);
978 else
979 VG_(printf)(" block %d joining clique %d adding %lu\n",
980 ch_no, clique, (SizeT)ch->szB);
981 }
982
983 lc_extras[clique].IorC.indirect_szB += ch->szB;
984 lc_extras[clique].IorC.indirect_szB += ex->IorC.indirect_szB;
985 ex->state = IndirectLeak;
986 ex->IorC.clique = (SizeT) cur_clique;
987 }
988 }
989
990 static void
lc_push_if_a_chunk_ptr(Addr ptr,Int clique,Int cur_clique,Bool is_prior_definite)991 lc_push_if_a_chunk_ptr(Addr ptr,
992 Int clique, Int cur_clique, Bool is_prior_definite)
993 {
994 if (-1 == clique)
995 lc_push_without_clique_if_a_chunk_ptr(ptr, is_prior_definite);
996 else
997 lc_push_with_clique_if_a_chunk_ptr(ptr, clique, cur_clique);
998 }
999
1000
1001 static VG_MINIMAL_JMP_BUF(lc_scan_memory_jmpbuf);
1002 static
lc_scan_memory_fault_catcher(Int sigNo,Addr addr)1003 void lc_scan_memory_fault_catcher ( Int sigNo, Addr addr )
1004 {
1005 leak_search_fault_catcher (sigNo, addr,
1006 "lc_scan_memory_fault_catcher",
1007 lc_scan_memory_jmpbuf);
1008 }
1009
1010 // lc_scan_memory has 2 modes:
1011 //
1012 // 1. Leak check mode (searched == 0).
1013 // -----------------------------------
1014 // Scan a block of memory between [start, start+len). This range may
1015 // be bogus, inaccessible, or otherwise strange; we deal with it. For each
1016 // valid aligned word we assume it's a pointer to a chunk a push the chunk
1017 // onto the mark stack if so.
1018 // clique is the "highest level clique" in which indirectly leaked blocks have
1019 // to be collected. cur_clique is the current "lower" level clique through which
1020 // the memory to be scanned has been found.
1021 // Example: in the below tree if A is leaked, the top level clique will
1022 // be A, while lower level cliques will be B and C.
1023 /*
1024 A
1025 / \
1026 B C
1027 / \ / \
1028 D E F G
1029 */
1030 // Proper handling of top and lowest level clique allows block_list of a loss
1031 // record to describe the hierarchy of indirectly leaked blocks.
1032 //
1033 // 2. Search ptr mode (searched != 0).
1034 // -----------------------------------
1035 // In this mode, searches for pointers to a specific address range
1036 // In such a case, lc_scan_memory just scans [start..start+len[ for pointers
1037 // to searched and outputs the places where searched is found.
1038 // It does not recursively scans the found memory.
1039 static void
lc_scan_memory(Addr start,SizeT len,Bool is_prior_definite,Int clique,Int cur_clique,Addr searched,SizeT szB)1040 lc_scan_memory(Addr start, SizeT len, Bool is_prior_definite,
1041 Int clique, Int cur_clique,
1042 Addr searched, SizeT szB)
1043 {
1044 /* memory scan is based on the assumption that valid pointers are aligned
1045 on a multiple of sizeof(Addr). So, we can (and must) skip the begin and
1046 end portions of the block if they are not aligned on sizeof(Addr):
1047 These cannot be a valid pointer, and calls to MC_(is_valid_aligned_word)
1048 will assert for a non aligned address. */
1049 #if defined(VGA_s390x)
1050 // Define ptr as volatile, as on this platform, the value of ptr
1051 // is read in code executed via a longjmp.
1052 volatile
1053 #endif
1054 Addr ptr = VG_ROUNDUP(start, sizeof(Addr));
1055 const Addr end = VG_ROUNDDN(start+len, sizeof(Addr));
1056 fault_catcher_t prev_catcher;
1057
1058 if (VG_DEBUG_LEAKCHECK)
1059 VG_(printf)("scan %#lx-%#lx (%lu)\n", start, end, len);
1060
1061 prev_catcher = VG_(set_fault_catcher)(lc_scan_memory_fault_catcher);
1062
1063 /* Optimisation: the loop below will check for each begin
1064 of SM chunk if the chunk is fully unaddressable. The idea is to
1065 skip efficiently such fully unaddressable SM chunks.
1066 So, we preferably start the loop on a chunk boundary.
1067 If the chunk is not fully unaddressable, we might be in
1068 an unaddressable page. Again, the idea is to skip efficiently
1069 such unaddressable page : this is the "else" part.
1070 We use an "else" so that two consecutive fully unaddressable
1071 SM chunks will be skipped efficiently: first one is skipped
1072 by this piece of code. The next SM chunk will be skipped inside
1073 the loop. */
1074 if ( ! MC_(is_within_valid_secondary)(ptr) ) {
1075 // Skip an invalid SM chunk till the beginning of the next SM Chunk.
1076 ptr = VG_ROUNDUP(ptr+1, SM_SIZE);
1077 } else if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) {
1078 // else we are in a (at least partially) valid SM chunk.
1079 // We might be in the middle of an unreadable page.
1080 // Do a cheap check to see if it's valid;
1081 // if not, skip onto the next page.
1082 ptr = VG_PGROUNDUP(ptr+1); // First page is bad - skip it.
1083 }
1084 /* The above optimisation and below loop is based on some relationships
1085 between VKI_PAGE_SIZE, SM_SIZE and sizeof(Addr) which are asserted in
1086 MC_(detect_memory_leaks). */
1087
1088 // See leak_search_fault_catcher
1089 if (VG_MINIMAL_SETJMP(lc_scan_memory_jmpbuf) != 0) {
1090 // Catch read error ...
1091 # if defined(VGA_s390x)
1092 // For a SIGSEGV, s390 delivers the page address of the bad address.
1093 // For a SIGBUS, old s390 kernels deliver a NULL address.
1094 // bad_scanned_addr can thus not be used.
1095 // So, on this platform, we always skip a full page from ptr.
1096 // The below implies to mark ptr as volatile, as we read the value
1097 // after a longjmp to here.
1098 lc_sig_skipped_szB += VKI_PAGE_SIZE;
1099 ptr = ptr + VKI_PAGE_SIZE; // Unaddressable, - skip it.
1100 # else
1101 // On other platforms, just skip one Addr.
1102 lc_sig_skipped_szB += sizeof(Addr);
1103 tl_assert(bad_scanned_addr >= VG_ROUNDUP(start, sizeof(Addr)));
1104 tl_assert(bad_scanned_addr < VG_ROUNDDN(start+len, sizeof(Addr)));
1105 ptr = bad_scanned_addr + sizeof(Addr); // Unaddressable, - skip it.
1106 #endif
1107 }
1108 while (ptr < end) {
1109 Addr addr;
1110
1111 // Skip invalid chunks.
1112 if (UNLIKELY((ptr % SM_SIZE) == 0)) {
1113 if (! MC_(is_within_valid_secondary)(ptr) ) {
1114 ptr = VG_ROUNDUP(ptr+1, SM_SIZE);
1115 continue;
1116 }
1117 }
1118
1119 // Look to see if this page seems reasonable.
1120 if (UNLIKELY((ptr % VKI_PAGE_SIZE) == 0)) {
1121 if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) {
1122 ptr += VKI_PAGE_SIZE; // Bad page - skip it.
1123 continue;
1124 }
1125 }
1126
1127 if ( MC_(is_valid_aligned_word)(ptr) ) {
1128 lc_scanned_szB += sizeof(Addr);
1129 // If the below read fails, we will longjmp to the loop begin.
1130 addr = *(Addr *)ptr;
1131 // If we get here, the scanned word is in valid memory. Now
1132 // let's see if its contents point to a chunk.
1133 if (UNLIKELY(searched)) {
1134 if (addr >= searched && addr < searched + szB) {
1135 if (addr == searched) {
1136 VG_(umsg)("*%#lx points at %#lx\n", ptr, searched);
1137 MC_(pp_describe_addr) (ptr);
1138 } else {
1139 Int ch_no;
1140 MC_Chunk *ch;
1141 LC_Extra *ex;
1142 VG_(umsg)("*%#lx interior points at %lu bytes inside %#lx\n",
1143 ptr, (long unsigned) addr - searched, searched);
1144 MC_(pp_describe_addr) (ptr);
1145 if (lc_is_a_chunk_ptr(addr, &ch_no, &ch, &ex) ) {
1146 Int h;
1147 for (h = LchStdString; h < N_LEAK_CHECK_HEURISTICS; h++) {
1148 if (heuristic_reachedness(addr, ch, ex, H2S(h)) == h) {
1149 VG_(umsg)("block at %#lx considered reachable "
1150 "by ptr %#lx using %s heuristic\n",
1151 ch->data, addr, pp_heuristic(h));
1152 }
1153 }
1154 // Verify the loop above has properly scanned all
1155 // heuristics. If the below fails, it probably means the
1156 // LeakCheckHeuristic enum is not in sync anymore with the
1157 // above loop and/or with N_LEAK_CHECK_HEURISTICS.
1158 tl_assert (h == N_LEAK_CHECK_HEURISTICS);
1159 }
1160 }
1161 }
1162 } else {
1163 lc_push_if_a_chunk_ptr(addr, clique, cur_clique, is_prior_definite);
1164 }
1165 } else if (0 && VG_DEBUG_LEAKCHECK) {
1166 VG_(printf)("%#lx not valid\n", ptr);
1167 }
1168 ptr += sizeof(Addr);
1169 }
1170
1171 VG_(set_fault_catcher)(prev_catcher);
1172 }
1173
1174
1175 // Process the mark stack until empty.
lc_process_markstack(Int clique)1176 static void lc_process_markstack(Int clique)
1177 {
1178 Int top = -1; // shut gcc up
1179 Bool is_prior_definite;
1180
1181 while (lc_pop(&top)) {
1182 tl_assert(top >= 0 && top < lc_n_chunks);
1183
1184 // See comment about 'is_prior_definite' at the top to understand this.
1185 is_prior_definite = ( Possible != lc_extras[top].state );
1186
1187 lc_scan_memory(lc_chunks[top]->data, lc_chunks[top]->szB,
1188 is_prior_definite, clique, (clique == -1 ? -1 : top),
1189 /*searched*/ 0, 0);
1190 }
1191 }
1192
cmp_LossRecordKey_LossRecord(const void * key,const void * elem)1193 static Word cmp_LossRecordKey_LossRecord(const void* key, const void* elem)
1194 {
1195 const LossRecordKey* a = key;
1196 const LossRecordKey* b = &(((const LossRecord*)elem)->key);
1197
1198 // Compare on states first because that's fast.
1199 if (a->state < b->state) return -1;
1200 if (a->state > b->state) return 1;
1201 // Ok, the states are equal. Now compare the locations, which is slower.
1202 if (VG_(eq_ExeContext)(
1203 MC_(clo_leak_resolution), a->allocated_at, b->allocated_at))
1204 return 0;
1205 // Different locations. Ordering is arbitrary, just use the ec pointer.
1206 if (a->allocated_at < b->allocated_at) return -1;
1207 if (a->allocated_at > b->allocated_at) return 1;
1208 VG_(tool_panic)("bad LossRecord comparison");
1209 }
1210
cmp_LossRecords(const void * va,const void * vb)1211 static Int cmp_LossRecords(const void* va, const void* vb)
1212 {
1213 const LossRecord* lr_a = *(const LossRecord *const *)va;
1214 const LossRecord* lr_b = *(const LossRecord *const *)vb;
1215 SizeT total_szB_a = lr_a->szB + lr_a->indirect_szB;
1216 SizeT total_szB_b = lr_b->szB + lr_b->indirect_szB;
1217
1218 // First compare by sizes.
1219 if (total_szB_a < total_szB_b) return -1;
1220 if (total_szB_a > total_szB_b) return 1;
1221 // If size are equal, compare by states.
1222 if (lr_a->key.state < lr_b->key.state) return -1;
1223 if (lr_a->key.state > lr_b->key.state) return 1;
1224 // If they're still equal here, it doesn't matter that much, but we keep
1225 // comparing other things so that regtests are as deterministic as
1226 // possible. So: compare num_blocks.
1227 if (lr_a->num_blocks < lr_b->num_blocks) return -1;
1228 if (lr_a->num_blocks > lr_b->num_blocks) return 1;
1229 // Finally, compare ExeContext addresses... older ones are likely to have
1230 // lower addresses.
1231 if (lr_a->key.allocated_at < lr_b->key.allocated_at) return -1;
1232 if (lr_a->key.allocated_at > lr_b->key.allocated_at) return 1;
1233 return 0;
1234 }
1235
1236 // allocates or reallocates lr_array, and set its elements to the loss records
1237 // contains in lr_table.
get_lr_array_from_lr_table(void)1238 static UInt get_lr_array_from_lr_table(void) {
1239 UInt i, n_lossrecords;
1240 LossRecord* lr;
1241
1242 n_lossrecords = VG_(OSetGen_Size)(lr_table);
1243
1244 // (re-)create the array of pointers to the loss records.
1245 // lr_array is kept to allow producing the block list from gdbserver.
1246 if (lr_array != NULL)
1247 VG_(free)(lr_array);
1248 lr_array = VG_(malloc)("mc.pr.2", n_lossrecords * sizeof(LossRecord*));
1249 i = 0;
1250 VG_(OSetGen_ResetIter)(lr_table);
1251 while ( (lr = VG_(OSetGen_Next)(lr_table)) ) {
1252 lr_array[i++] = lr;
1253 }
1254 tl_assert(i == n_lossrecords);
1255 return n_lossrecords;
1256 }
1257
1258
get_printing_rules(LeakCheckParams * lcp,LossRecord * lr,Bool * count_as_error,Bool * print_record)1259 static void get_printing_rules(LeakCheckParams* lcp,
1260 LossRecord* lr,
1261 Bool* count_as_error,
1262 Bool* print_record)
1263 {
1264 // Rules for printing:
1265 // - We don't show suppressed loss records ever (and that's controlled
1266 // within the error manager).
1267 // - We show non-suppressed loss records that are specified in
1268 // --show-leak-kinds=... if --leak-check=yes.
1269
1270 Bool delta_considered;
1271
1272 switch (lcp->deltamode) {
1273 case LCD_Any:
1274 delta_considered = lr->num_blocks > 0;
1275 break;
1276 case LCD_Increased:
1277 delta_considered
1278 = lr->szB > lr->old_szB
1279 || lr->indirect_szB > lr->old_indirect_szB
1280 || lr->num_blocks > lr->old_num_blocks;
1281 break;
1282 case LCD_Changed:
1283 delta_considered = lr->szB != lr->old_szB
1284 || lr->indirect_szB != lr->old_indirect_szB
1285 || lr->num_blocks != lr->old_num_blocks;
1286 break;
1287 default:
1288 tl_assert(0);
1289 }
1290
1291 *print_record = lcp->mode == LC_Full && delta_considered
1292 && RiS(lr->key.state,lcp->show_leak_kinds);
1293 // We don't count a leaks as errors with lcp->mode==LC_Summary.
1294 // Otherwise you can get high error counts with few or no error
1295 // messages, which can be confusing. Otherwise, we count as errors
1296 // the leak kinds requested by --errors-for-leak-kinds=...
1297 *count_as_error = lcp->mode == LC_Full && delta_considered
1298 && RiS(lr->key.state,lcp->errors_for_leak_kinds);
1299 }
1300
print_results(ThreadId tid,LeakCheckParams * lcp)1301 static void print_results(ThreadId tid, LeakCheckParams* lcp)
1302 {
1303 Int i, n_lossrecords, start_lr_output_scan;
1304 LossRecord* lr;
1305 Bool is_suppressed;
1306 /* old_* variables are used to report delta in summary. */
1307 SizeT old_bytes_leaked = MC_(bytes_leaked);
1308 SizeT old_bytes_indirect = MC_(bytes_indirect);
1309 SizeT old_bytes_dubious = MC_(bytes_dubious);
1310 SizeT old_bytes_reachable = MC_(bytes_reachable);
1311 SizeT old_bytes_suppressed = MC_(bytes_suppressed);
1312 SizeT old_blocks_leaked = MC_(blocks_leaked);
1313 SizeT old_blocks_indirect = MC_(blocks_indirect);
1314 SizeT old_blocks_dubious = MC_(blocks_dubious);
1315 SizeT old_blocks_reachable = MC_(blocks_reachable);
1316 SizeT old_blocks_suppressed = MC_(blocks_suppressed);
1317
1318 SizeT old_bytes_heuristically_reachable[N_LEAK_CHECK_HEURISTICS];
1319 SizeT old_blocks_heuristically_reachable[N_LEAK_CHECK_HEURISTICS];
1320
1321 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++) {
1322 old_bytes_heuristically_reachable[i]
1323 = MC_(bytes_heuristically_reachable)[i];
1324 MC_(bytes_heuristically_reachable)[i] = 0;
1325 old_blocks_heuristically_reachable[i]
1326 = MC_(blocks_heuristically_reachable)[i];
1327 MC_(blocks_heuristically_reachable)[i] = 0;
1328 }
1329
1330 if (lr_table == NULL)
1331 // Create the lr_table, which holds the loss records.
1332 // If the lr_table already exists, it means it contains
1333 // loss_records from the previous leak search. The old_*
1334 // values in these records are used to implement the
1335 // leak check delta mode
1336 lr_table =
1337 VG_(OSetGen_Create)(offsetof(LossRecord, key),
1338 cmp_LossRecordKey_LossRecord,
1339 VG_(malloc), "mc.pr.1",
1340 VG_(free));
1341
1342 // If we have loss records from a previous search, reset values to have
1343 // proper printing of the deltas between previous search and this search.
1344 n_lossrecords = get_lr_array_from_lr_table();
1345 for (i = 0; i < n_lossrecords; i++) {
1346 if (lr_array[i]->num_blocks == 0) {
1347 // remove from lr_table the old loss_records with 0 bytes found
1348 VG_(OSetGen_Remove) (lr_table, &lr_array[i]->key);
1349 VG_(OSetGen_FreeNode)(lr_table, lr_array[i]);
1350 } else {
1351 // move the leak sizes to old_* and zero the current sizes
1352 // for next leak search
1353 lr_array[i]->old_szB = lr_array[i]->szB;
1354 lr_array[i]->old_indirect_szB = lr_array[i]->indirect_szB;
1355 lr_array[i]->old_num_blocks = lr_array[i]->num_blocks;
1356 lr_array[i]->szB = 0;
1357 lr_array[i]->indirect_szB = 0;
1358 lr_array[i]->num_blocks = 0;
1359 }
1360 }
1361 // lr_array now contains "invalid" loss records => free it.
1362 // lr_array will be re-created below with the kept and new loss records.
1363 VG_(free) (lr_array);
1364 lr_array = NULL;
1365
1366 // Convert the chunks into loss records, merging them where appropriate.
1367 for (i = 0; i < lc_n_chunks; i++) {
1368 MC_Chunk* ch = lc_chunks[i];
1369 LC_Extra* ex = &(lc_extras)[i];
1370 LossRecord* old_lr;
1371 LossRecordKey lrkey;
1372 lrkey.state = ex->state;
1373 lrkey.allocated_at = MC_(allocated_at)(ch);
1374
1375 if (ex->heuristic) {
1376 MC_(bytes_heuristically_reachable)[ex->heuristic] += ch->szB;
1377 MC_(blocks_heuristically_reachable)[ex->heuristic]++;
1378 if (VG_DEBUG_LEAKCHECK)
1379 VG_(printf)("heuristic %s %#lx len %lu\n",
1380 pp_heuristic(ex->heuristic),
1381 ch->data, (SizeT)ch->szB);
1382 }
1383
1384 old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey);
1385 if (old_lr) {
1386 // We found an existing loss record matching this chunk. Update the
1387 // loss record's details in-situ. This is safe because we don't
1388 // change the elements used as the OSet key.
1389 old_lr->szB += ch->szB;
1390 if (ex->state == Unreached)
1391 old_lr->indirect_szB += ex->IorC.indirect_szB;
1392 old_lr->num_blocks++;
1393 } else {
1394 // No existing loss record matches this chunk. Create a new loss
1395 // record, initialise it from the chunk, and insert it into lr_table.
1396 lr = VG_(OSetGen_AllocNode)(lr_table, sizeof(LossRecord));
1397 lr->key = lrkey;
1398 lr->szB = ch->szB;
1399 if (ex->state == Unreached)
1400 lr->indirect_szB = ex->IorC.indirect_szB;
1401 else
1402 lr->indirect_szB = 0;
1403 lr->num_blocks = 1;
1404 lr->old_szB = 0;
1405 lr->old_indirect_szB = 0;
1406 lr->old_num_blocks = 0;
1407 VG_(OSetGen_Insert)(lr_table, lr);
1408 }
1409 }
1410
1411 // (re-)create the array of pointers to the (new) loss records.
1412 n_lossrecords = get_lr_array_from_lr_table ();
1413 tl_assert(VG_(OSetGen_Size)(lr_table) == n_lossrecords);
1414
1415 // Sort the array by loss record sizes.
1416 VG_(ssort)(lr_array, n_lossrecords, sizeof(LossRecord*),
1417 cmp_LossRecords);
1418
1419 // Zero totals.
1420 MC_(blocks_leaked) = MC_(bytes_leaked) = 0;
1421 MC_(blocks_indirect) = MC_(bytes_indirect) = 0;
1422 MC_(blocks_dubious) = MC_(bytes_dubious) = 0;
1423 MC_(blocks_reachable) = MC_(bytes_reachable) = 0;
1424 MC_(blocks_suppressed) = MC_(bytes_suppressed) = 0;
1425
1426 // If there is a maximum nr of loss records we can output, then first
1427 // compute from where the output scan has to start.
1428 // By default, start from the first loss record. Compute a higher
1429 // value if there is a maximum to respect. We need to print the last
1430 // records, as the one with the biggest sizes are more interesting.
1431 start_lr_output_scan = 0;
1432 if (lcp->mode == LC_Full && lcp->max_loss_records_output < n_lossrecords) {
1433 Int nr_printable_records = 0;
1434 for (i = n_lossrecords - 1; i >= 0 && start_lr_output_scan == 0; i--) {
1435 Bool count_as_error, print_record;
1436 lr = lr_array[i];
1437 get_printing_rules (lcp, lr, &count_as_error, &print_record);
1438 // Do not use get_printing_rules results for is_suppressed, as we
1439 // only want to check if the record would be suppressed.
1440 is_suppressed =
1441 MC_(record_leak_error) ( tid, i+1, n_lossrecords, lr,
1442 False /* print_record */,
1443 False /* count_as_error */);
1444 if (print_record && !is_suppressed) {
1445 nr_printable_records++;
1446 if (nr_printable_records == lcp->max_loss_records_output)
1447 start_lr_output_scan = i;
1448 }
1449 }
1450 }
1451
1452 // Print the loss records (in size order) and collect summary stats.
1453 for (i = start_lr_output_scan; i < n_lossrecords; i++) {
1454 Bool count_as_error, print_record;
1455 lr = lr_array[i];
1456 get_printing_rules(lcp, lr, &count_as_error, &print_record);
1457 is_suppressed =
1458 MC_(record_leak_error) ( tid, i+1, n_lossrecords, lr, print_record,
1459 count_as_error );
1460
1461 if (is_suppressed) {
1462 MC_(blocks_suppressed) += lr->num_blocks;
1463 MC_(bytes_suppressed) += lr->szB;
1464
1465 } else if (Unreached == lr->key.state) {
1466 MC_(blocks_leaked) += lr->num_blocks;
1467 MC_(bytes_leaked) += lr->szB;
1468
1469 } else if (IndirectLeak == lr->key.state) {
1470 MC_(blocks_indirect) += lr->num_blocks;
1471 MC_(bytes_indirect) += lr->szB;
1472
1473 } else if (Possible == lr->key.state) {
1474 MC_(blocks_dubious) += lr->num_blocks;
1475 MC_(bytes_dubious) += lr->szB;
1476
1477 } else if (Reachable == lr->key.state) {
1478 MC_(blocks_reachable) += lr->num_blocks;
1479 MC_(bytes_reachable) += lr->szB;
1480
1481 } else {
1482 VG_(tool_panic)("unknown loss mode");
1483 }
1484 }
1485
1486 if (VG_(clo_verbosity) > 0 && !VG_(clo_xml)) {
1487 HChar d_bytes[31];
1488 HChar d_blocks[31];
1489 # define DBY(new,old) \
1490 MC_(snprintf_delta) (d_bytes, sizeof(d_bytes), (new), (old), \
1491 lcp->deltamode)
1492 # define DBL(new,old) \
1493 MC_(snprintf_delta) (d_blocks, sizeof(d_blocks), (new), (old), \
1494 lcp->deltamode)
1495
1496 VG_(umsg)("LEAK SUMMARY:\n");
1497 VG_(umsg)(" definitely lost: %'lu%s bytes in %'lu%s blocks\n",
1498 MC_(bytes_leaked),
1499 DBY (MC_(bytes_leaked), old_bytes_leaked),
1500 MC_(blocks_leaked),
1501 DBL (MC_(blocks_leaked), old_blocks_leaked));
1502 VG_(umsg)(" indirectly lost: %'lu%s bytes in %'lu%s blocks\n",
1503 MC_(bytes_indirect),
1504 DBY (MC_(bytes_indirect), old_bytes_indirect),
1505 MC_(blocks_indirect),
1506 DBL (MC_(blocks_indirect), old_blocks_indirect));
1507 VG_(umsg)(" possibly lost: %'lu%s bytes in %'lu%s blocks\n",
1508 MC_(bytes_dubious),
1509 DBY (MC_(bytes_dubious), old_bytes_dubious),
1510 MC_(blocks_dubious),
1511 DBL (MC_(blocks_dubious), old_blocks_dubious));
1512 VG_(umsg)(" still reachable: %'lu%s bytes in %'lu%s blocks\n",
1513 MC_(bytes_reachable),
1514 DBY (MC_(bytes_reachable), old_bytes_reachable),
1515 MC_(blocks_reachable),
1516 DBL (MC_(blocks_reachable), old_blocks_reachable));
1517 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++)
1518 if (old_blocks_heuristically_reachable[i] > 0
1519 || MC_(blocks_heuristically_reachable)[i] > 0) {
1520 VG_(umsg)(" of which "
1521 "reachable via heuristic:\n");
1522 break;
1523 }
1524 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++)
1525 if (old_blocks_heuristically_reachable[i] > 0
1526 || MC_(blocks_heuristically_reachable)[i] > 0)
1527 VG_(umsg)(" %-19s: "
1528 "%'lu%s bytes in %'lu%s blocks\n",
1529 pp_heuristic(i),
1530 MC_(bytes_heuristically_reachable)[i],
1531 DBY (MC_(bytes_heuristically_reachable)[i],
1532 old_bytes_heuristically_reachable[i]),
1533 MC_(blocks_heuristically_reachable)[i],
1534 DBL (MC_(blocks_heuristically_reachable)[i],
1535 old_blocks_heuristically_reachable[i]));
1536 VG_(umsg)(" suppressed: %'lu%s bytes in %'lu%s blocks\n",
1537 MC_(bytes_suppressed),
1538 DBY (MC_(bytes_suppressed), old_bytes_suppressed),
1539 MC_(blocks_suppressed),
1540 DBL (MC_(blocks_suppressed), old_blocks_suppressed));
1541 if (lcp->mode != LC_Full &&
1542 (MC_(blocks_leaked) + MC_(blocks_indirect) +
1543 MC_(blocks_dubious) + MC_(blocks_reachable)) > 0) {
1544 if (lcp->requested_by_monitor_command)
1545 VG_(umsg)("To see details of leaked memory, "
1546 "give 'full' arg to leak_check\n");
1547 else
1548 VG_(umsg)("Rerun with --leak-check=full to see details "
1549 "of leaked memory\n");
1550 }
1551 if (lcp->mode == LC_Full &&
1552 MC_(blocks_reachable) > 0 && !RiS(Reachable,lcp->show_leak_kinds)) {
1553 VG_(umsg)("Reachable blocks (those to which a pointer "
1554 "was found) are not shown.\n");
1555 if (lcp->requested_by_monitor_command)
1556 VG_(umsg)("To see them, add 'reachable any' args to leak_check\n");
1557 else
1558 VG_(umsg)("To see them, rerun with: --leak-check=full "
1559 "--show-leak-kinds=all\n");
1560 }
1561 VG_(umsg)("\n");
1562 #undef DBL
1563 #undef DBY
1564 }
1565 }
1566
1567 // print recursively all indirectly leaked blocks collected in clique.
1568 // Printing stops when *remaining reaches 0.
print_clique(Int clique,UInt level,UInt * remaining)1569 static void print_clique (Int clique, UInt level, UInt *remaining)
1570 {
1571 Int ind;
1572 UInt i, n_lossrecords;
1573
1574 n_lossrecords = VG_(OSetGen_Size)(lr_table);
1575
1576 for (ind = 0; ind < lc_n_chunks && *remaining > 0; ind++) {
1577 LC_Extra* ind_ex = &(lc_extras)[ind];
1578 if (ind_ex->state == IndirectLeak
1579 && ind_ex->IorC.clique == (SizeT) clique) {
1580 MC_Chunk* ind_ch = lc_chunks[ind];
1581 LossRecord* ind_lr;
1582 LossRecordKey ind_lrkey;
1583 UInt lr_i;
1584 ind_lrkey.state = ind_ex->state;
1585 ind_lrkey.allocated_at = MC_(allocated_at)(ind_ch);
1586 ind_lr = VG_(OSetGen_Lookup)(lr_table, &ind_lrkey);
1587 for (lr_i = 0; lr_i < n_lossrecords; lr_i++)
1588 if (ind_lr == lr_array[lr_i])
1589 break;
1590 for (i = 0; i < level; i++)
1591 VG_(umsg)(" ");
1592 VG_(umsg)("%p[%lu] indirect loss record %u\n",
1593 (void *)ind_ch->data, (SizeT)ind_ch->szB,
1594 lr_i+1); // lr_i+1 for user numbering.
1595 (*remaining)--;
1596 if (lr_i >= n_lossrecords)
1597 VG_(umsg)
1598 ("error: no indirect loss record found for %p[%lu]?????\n",
1599 (void *)ind_ch->data, (SizeT)ind_ch->szB);
1600 print_clique(ind, level+1, remaining);
1601 }
1602 }
1603 }
1604
MC_(print_block_list)1605 Bool MC_(print_block_list) ( UInt loss_record_nr_from,
1606 UInt loss_record_nr_to,
1607 UInt max_blocks,
1608 UInt heuristics)
1609 {
1610 UInt loss_record_nr;
1611 UInt i, n_lossrecords;
1612 LossRecord* lr;
1613 Bool lr_printed;
1614 UInt remaining = max_blocks;
1615
1616 if (lr_table == NULL || lc_chunks == NULL || lc_extras == NULL) {
1617 VG_(umsg)("Can't print block list : no valid leak search result\n");
1618 return False;
1619 }
1620
1621 if (lc_chunks_n_frees_marker != MC_(get_cmalloc_n_frees)()) {
1622 VG_(umsg)("Can't print obsolete block list : redo a leak search first\n");
1623 return False;
1624 }
1625
1626 n_lossrecords = VG_(OSetGen_Size)(lr_table);
1627 if (loss_record_nr_from >= n_lossrecords)
1628 return False; // Invalid starting loss record nr.
1629
1630 if (loss_record_nr_to >= n_lossrecords)
1631 loss_record_nr_to = n_lossrecords - 1;
1632
1633 tl_assert (lr_array);
1634
1635 for (loss_record_nr = loss_record_nr_from;
1636 loss_record_nr <= loss_record_nr_to && remaining > 0;
1637 loss_record_nr++) {
1638 lr = lr_array[loss_record_nr];
1639 lr_printed = False;
1640
1641 /* If user asks to print a specific loss record, we print
1642 the block details, even if no block will be shown for this lr.
1643 If user asks to print a range of lr, we only print lr details
1644 when at least one block is shown. */
1645 if (loss_record_nr_from == loss_record_nr_to) {
1646 /* (+1 on loss_record_nr as user numbering for loss records
1647 starts at 1). */
1648 MC_(pp_LossRecord)(loss_record_nr+1, n_lossrecords, lr);
1649 lr_printed = True;
1650 }
1651
1652 // Match the chunks with loss records.
1653 for (i = 0; i < lc_n_chunks && remaining > 0; i++) {
1654 MC_Chunk* ch = lc_chunks[i];
1655 LC_Extra* ex = &(lc_extras)[i];
1656 LossRecord* old_lr;
1657 LossRecordKey lrkey;
1658 lrkey.state = ex->state;
1659 lrkey.allocated_at = MC_(allocated_at)(ch);
1660
1661 old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey);
1662 if (old_lr) {
1663 // We found an existing loss record matching this chunk.
1664 // If this is the loss record we are looking for, output the
1665 // pointer.
1666 if (old_lr == lr_array[loss_record_nr]
1667 && (heuristics == 0 || HiS(ex->heuristic, heuristics))) {
1668 if (!lr_printed) {
1669 MC_(pp_LossRecord)(loss_record_nr+1, n_lossrecords, lr);
1670 lr_printed = True;
1671 }
1672
1673 if (ex->heuristic)
1674 VG_(umsg)("%p[%lu] (found via heuristic %s)\n",
1675 (void *)ch->data, (SizeT)ch->szB,
1676 pp_heuristic (ex->heuristic));
1677 else
1678 VG_(umsg)("%p[%lu]\n",
1679 (void *)ch->data, (SizeT)ch->szB);
1680 remaining--;
1681 if (ex->state != Reachable) {
1682 // We can print the clique in all states, except Reachable.
1683 // In Unreached state, lc_chunk[i] is the clique leader.
1684 // In IndirectLeak, lc_chunk[i] might have been a clique
1685 // leader which was later collected in another clique.
1686 // For Possible, lc_chunk[i] might be the top of a clique
1687 // or an intermediate clique.
1688 print_clique(i, 1, &remaining);
1689 }
1690 }
1691 } else {
1692 // No existing loss record matches this chunk ???
1693 VG_(umsg)("error: no loss record found for %p[%lu]?????\n",
1694 (void *)ch->data, (SizeT)ch->szB);
1695 }
1696 }
1697 }
1698 return True;
1699 }
1700
1701 // If searched = 0, scan memory root set, pushing onto the mark stack the blocks
1702 // encountered.
1703 // Otherwise (searched != 0), scan the memory root set searching for ptr
1704 // pointing inside [searched, searched+szB[.
scan_memory_root_set(Addr searched,SizeT szB)1705 static void scan_memory_root_set(Addr searched, SizeT szB)
1706 {
1707 Int i;
1708 Int n_seg_starts;
1709 Addr* seg_starts = VG_(get_segment_starts)( SkFileC | SkAnonC | SkShmC,
1710 &n_seg_starts );
1711
1712 tl_assert(seg_starts && n_seg_starts > 0);
1713
1714 lc_scanned_szB = 0;
1715 lc_sig_skipped_szB = 0;
1716
1717 // VG_(am_show_nsegments)( 0, "leakcheck");
1718 for (i = 0; i < n_seg_starts; i++) {
1719 SizeT seg_size;
1720 NSegment const* seg = VG_(am_find_nsegment)( seg_starts[i] );
1721 tl_assert(seg);
1722 tl_assert(seg->kind == SkFileC || seg->kind == SkAnonC ||
1723 seg->kind == SkShmC);
1724
1725 if (!(seg->hasR && seg->hasW)) continue;
1726 if (seg->isCH) continue;
1727
1728 // Don't poke around in device segments as this may cause
1729 // hangs. Include /dev/zero just in case someone allocated
1730 // memory by explicitly mapping /dev/zero.
1731 if (seg->kind == SkFileC
1732 && (VKI_S_ISCHR(seg->mode) || VKI_S_ISBLK(seg->mode))) {
1733 const HChar* dev_name = VG_(am_get_filename)( seg );
1734 if (dev_name && 0 == VG_(strcmp)(dev_name, "/dev/zero")) {
1735 // Don't skip /dev/zero.
1736 } else {
1737 // Skip this device mapping.
1738 continue;
1739 }
1740 }
1741
1742 if (0)
1743 VG_(printf)("ACCEPT %2d %#lx %#lx\n", i, seg->start, seg->end);
1744
1745 // Scan the segment. We use -1 for the clique number, because this
1746 // is a root-set.
1747 seg_size = seg->end - seg->start + 1;
1748 if (VG_(clo_verbosity) > 2) {
1749 VG_(message)(Vg_DebugMsg,
1750 " Scanning root segment: %#lx..%#lx (%lu)\n",
1751 seg->start, seg->end, seg_size);
1752 }
1753 lc_scan_memory(seg->start, seg_size, /*is_prior_definite*/True,
1754 /*clique*/-1, /*cur_clique*/-1,
1755 searched, szB);
1756 }
1757 VG_(free)(seg_starts);
1758 }
1759
1760 /*------------------------------------------------------------*/
1761 /*--- Top-level entry point. ---*/
1762 /*------------------------------------------------------------*/
1763
MC_(detect_memory_leaks)1764 void MC_(detect_memory_leaks) ( ThreadId tid, LeakCheckParams* lcp)
1765 {
1766 Int i, j;
1767
1768 tl_assert(lcp->mode != LC_Off);
1769
1770 // Verify some assertions which are used in lc_scan_memory.
1771 tl_assert((VKI_PAGE_SIZE % sizeof(Addr)) == 0);
1772 tl_assert((SM_SIZE % sizeof(Addr)) == 0);
1773 // Above two assertions are critical, while below assertion
1774 // ensures that the optimisation in the loop is done in the
1775 // correct order : the loop checks for (big) SM chunk skipping
1776 // before checking for (smaller) page skipping.
1777 tl_assert((SM_SIZE % VKI_PAGE_SIZE) == 0);
1778
1779 MC_(leak_search_gen)++;
1780 MC_(detect_memory_leaks_last_delta_mode) = lcp->deltamode;
1781 detect_memory_leaks_last_heuristics = lcp->heuristics;
1782
1783 // Get the chunks, stop if there were none.
1784 if (lc_chunks) {
1785 VG_(free)(lc_chunks);
1786 lc_chunks = NULL;
1787 }
1788 lc_chunks = find_active_chunks(&lc_n_chunks);
1789 lc_chunks_n_frees_marker = MC_(get_cmalloc_n_frees)();
1790 if (lc_n_chunks == 0) {
1791 tl_assert(lc_chunks == NULL);
1792 if (lr_table != NULL) {
1793 // forget the previous recorded LossRecords as next leak search
1794 // can in any case just create new leaks.
1795 // Maybe it would be better to rather call print_result ?
1796 // (at least when leak decreases are requested)
1797 // This will then output all LossRecords with a size decreasing to 0
1798 VG_(OSetGen_Destroy) (lr_table);
1799 lr_table = NULL;
1800 }
1801 if (VG_(clo_verbosity) >= 1 && !VG_(clo_xml)) {
1802 VG_(umsg)("All heap blocks were freed -- no leaks are possible\n");
1803 VG_(umsg)("\n");
1804 }
1805 return;
1806 }
1807
1808 // Sort the array so blocks are in ascending order in memory.
1809 VG_(ssort)(lc_chunks, lc_n_chunks, sizeof(VgHashNode*), compare_MC_Chunks);
1810
1811 // Sanity check -- make sure they're in order.
1812 for (i = 0; i < lc_n_chunks-1; i++) {
1813 tl_assert( lc_chunks[i]->data <= lc_chunks[i+1]->data);
1814 }
1815
1816 // Sanity check -- make sure they don't overlap. The one exception is that
1817 // we allow a MALLOCLIKE block to sit entirely within a malloc() block.
1818 // This is for bug 100628. If this occurs, we ignore the malloc() block
1819 // for leak-checking purposes. This is a hack and probably should be done
1820 // better, but at least it's consistent with mempools (which are treated
1821 // like this in find_active_chunks). Mempools have a separate VgHashTable
1822 // for mempool chunks, but if custom-allocated blocks are put in a separate
1823 // table from normal heap blocks it makes free-mismatch checking more
1824 // difficult.
1825 //
1826 // If this check fails, it probably means that the application
1827 // has done something stupid with VALGRIND_MALLOCLIKE_BLOCK client
1828 // requests, eg. has made overlapping requests (which are
1829 // nonsensical), or used VALGRIND_MALLOCLIKE_BLOCK for stack locations;
1830 // again nonsensical.
1831 //
1832 for (i = 0; i < lc_n_chunks-1; i++) {
1833 MC_Chunk* ch1 = lc_chunks[i];
1834 MC_Chunk* ch2 = lc_chunks[i+1];
1835
1836 Addr start1 = ch1->data;
1837 Addr start2 = ch2->data;
1838 Addr end1 = ch1->data + ch1->szB - 1;
1839 Addr end2 = ch2->data + ch2->szB - 1;
1840 Bool isCustom1 = ch1->allockind == MC_AllocCustom;
1841 Bool isCustom2 = ch2->allockind == MC_AllocCustom;
1842
1843 if (end1 < start2) {
1844 // Normal case - no overlap.
1845
1846 // We used to allow exact duplicates, I'm not sure why. --njn
1847 //} else if (start1 == start2 && end1 == end2) {
1848 // Degenerate case: exact duplicates.
1849
1850 } else if (start1 >= start2 && end1 <= end2 && isCustom1 && !isCustom2) {
1851 // Block i is MALLOCLIKE and entirely within block i+1.
1852 // Remove block i+1.
1853 for (j = i+1; j < lc_n_chunks-1; j++) {
1854 lc_chunks[j] = lc_chunks[j+1];
1855 }
1856 lc_n_chunks--;
1857
1858 } else if (start2 >= start1 && end2 <= end1 && isCustom2 && !isCustom1) {
1859 // Block i+1 is MALLOCLIKE and entirely within block i.
1860 // Remove block i.
1861 for (j = i; j < lc_n_chunks-1; j++) {
1862 lc_chunks[j] = lc_chunks[j+1];
1863 }
1864 lc_n_chunks--;
1865
1866 } else {
1867 VG_(umsg)("Block 0x%lx..0x%lx overlaps with block 0x%lx..0x%lx\n",
1868 start1, end1, start2, end2);
1869 VG_(umsg)("Blocks allocation contexts:\n"),
1870 VG_(pp_ExeContext)( MC_(allocated_at)(ch1));
1871 VG_(umsg)("\n"),
1872 VG_(pp_ExeContext)( MC_(allocated_at)(ch2));
1873 VG_(umsg)("This is usually caused by using VALGRIND_MALLOCLIKE_BLOCK");
1874 VG_(umsg)("in an inappropriate way.\n");
1875 tl_assert (0);
1876 }
1877 }
1878
1879 // Initialise lc_extras.
1880 if (lc_extras) {
1881 VG_(free)(lc_extras);
1882 lc_extras = NULL;
1883 }
1884 lc_extras = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(LC_Extra) );
1885 for (i = 0; i < lc_n_chunks; i++) {
1886 lc_extras[i].state = Unreached;
1887 lc_extras[i].pending = False;
1888 lc_extras[i].heuristic = LchNone;
1889 lc_extras[i].IorC.indirect_szB = 0;
1890 }
1891
1892 // Initialise lc_markstack.
1893 lc_markstack = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(Int) );
1894 for (i = 0; i < lc_n_chunks; i++) {
1895 lc_markstack[i] = -1;
1896 }
1897 lc_markstack_top = -1;
1898
1899 // Verbosity.
1900 if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) {
1901 VG_(umsg)( "Searching for pointers to %'d not-freed blocks\n",
1902 lc_n_chunks );
1903 }
1904
1905 // Scan the memory root-set, pushing onto the mark stack any blocks
1906 // pointed to.
1907 scan_memory_root_set(/*searched*/0, 0);
1908
1909 // Scan GP registers for chunk pointers.
1910 VG_(apply_to_GP_regs)(lc_push_if_a_chunk_ptr_register);
1911
1912 // Process the pushed blocks. After this, every block that is reachable
1913 // from the root-set has been traced.
1914 lc_process_markstack(/*clique*/-1);
1915
1916 if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) {
1917 VG_(umsg)("Checked %'lu bytes\n", lc_scanned_szB);
1918 if (lc_sig_skipped_szB > 0)
1919 VG_(umsg)("Skipped %'lu bytes due to read errors\n",
1920 lc_sig_skipped_szB);
1921 VG_(umsg)( "\n" );
1922 }
1923
1924 // Trace all the leaked blocks to determine which are directly leaked and
1925 // which are indirectly leaked. For each Unreached block, push it onto
1926 // the mark stack, and find all the as-yet-Unreached blocks reachable
1927 // from it. These form a clique and are marked IndirectLeak, and their
1928 // size is added to the clique leader's indirect size. If one of the
1929 // found blocks was itself a clique leader (from a previous clique), then
1930 // the cliques are merged.
1931 for (i = 0; i < lc_n_chunks; i++) {
1932 MC_Chunk* ch = lc_chunks[i];
1933 LC_Extra* ex = &(lc_extras[i]);
1934
1935 if (VG_DEBUG_CLIQUE)
1936 VG_(printf)("cliques: %d at %#lx -> Loss state %d\n",
1937 i, ch->data, ex->state);
1938
1939 tl_assert(lc_markstack_top == -1);
1940
1941 if (ex->state == Unreached) {
1942 if (VG_DEBUG_CLIQUE)
1943 VG_(printf)("%d: gathering clique %#lx\n", i, ch->data);
1944
1945 // Push this Unreached block onto the stack and process it.
1946 lc_push(i, ch);
1947 lc_process_markstack(/*clique*/i);
1948
1949 tl_assert(lc_markstack_top == -1);
1950 tl_assert(ex->state == Unreached);
1951 }
1952 }
1953
1954 print_results( tid, lcp);
1955
1956 VG_(free) ( lc_markstack );
1957 lc_markstack = NULL;
1958 // lc_chunks, lc_extras, lr_array and lr_table are kept (needed if user
1959 // calls MC_(print_block_list)). lr_table also used for delta leak reporting
1960 // between this leak search and the next leak search.
1961 }
1962
1963 static Addr searched_wpa;
1964 static SizeT searched_szB;
1965 static void
search_address_in_GP_reg(ThreadId tid,const HChar * regname,Addr addr_in_reg)1966 search_address_in_GP_reg(ThreadId tid, const HChar* regname, Addr addr_in_reg)
1967 {
1968 if (addr_in_reg >= searched_wpa
1969 && addr_in_reg < searched_wpa + searched_szB) {
1970 if (addr_in_reg == searched_wpa)
1971 VG_(umsg)
1972 ("tid %u register %s pointing at %#lx\n",
1973 tid, regname, searched_wpa);
1974 else
1975 VG_(umsg)
1976 ("tid %u register %s interior pointing %lu bytes inside %#lx\n",
1977 tid, regname, (long unsigned) addr_in_reg - searched_wpa,
1978 searched_wpa);
1979 }
1980 }
1981
MC_(who_points_at)1982 void MC_(who_points_at) ( Addr address, SizeT szB)
1983 {
1984 MC_Chunk** chunks;
1985 Int n_chunks;
1986 Int i;
1987
1988 if (szB == 1)
1989 VG_(umsg) ("Searching for pointers to %#lx\n", address);
1990 else
1991 VG_(umsg) ("Searching for pointers pointing in %lu bytes from %#lx\n",
1992 szB, address);
1993
1994 chunks = find_active_chunks(&n_chunks);
1995
1996 // Scan memory root-set, searching for ptr pointing in address[szB]
1997 scan_memory_root_set(address, szB);
1998
1999 // Scan active malloc-ed chunks
2000 for (i = 0; i < n_chunks; i++) {
2001 lc_scan_memory(chunks[i]->data, chunks[i]->szB,
2002 /*is_prior_definite*/True,
2003 /*clique*/-1, /*cur_clique*/-1,
2004 address, szB);
2005 }
2006 VG_(free) ( chunks );
2007
2008 // Scan GP registers for pointers to address range.
2009 searched_wpa = address;
2010 searched_szB = szB;
2011 VG_(apply_to_GP_regs)(search_address_in_GP_reg);
2012
2013 }
2014
2015 /*--------------------------------------------------------------------*/
2016 /*--- end ---*/
2017 /*--------------------------------------------------------------------*/
2018
2019