README.md
1 Malloc Debug
2 ============
3
4 Malloc debug is a method of debugging native memory problems. It can help
5 detect memory corruption, memory leaks, and use after free issues.
6
7 Currently, malloc debug requires root to enable. When it is enabled, it works
8 by adding a shim layer that replaces the normal allocation calls. The replaced
9 calls are:
10
11 <pre>
12 malloc
13 free
14 calloc
15 realloc
16 posix_memalign
17 memalign
18 malloc_usable_size
19 </pre>
20
21 On 32 bit systems, these two deprecated functions are also replaced:
22
23 <pre>
24 pvalloc
25 valloc
26 </pre>
27
28 Any errors detected by the library are reported in the log.
29
30 Controlling Malloc Debug Behavior
31 ---------------------------------
32 Malloc debug is controlled by individual options. Each option can be enabled
33 individually, or in a group of other options. Every single option can be
34 combined with every other option.
35
36 Option Descriptions
37 -------------------
38 ### front\_guard[=SIZE\_BYTES]
39 Enables a small buffer placed before the allocated data. This is an attempt
40 to find memory corruption occuring to a region before the original allocation.
41 On first allocation, this front guard is written with a specific pattern (0xaa).
42 When the allocation is freed, the guard is checked to verify it has not been
43 modified. If any part of the front guard is modified, an error will be reported
44 in the log indicating what bytes changed.
45
46 If the backtrace option is also enabled, then any error message will include
47 the backtrace of the allocation site.
48
49 If SIZE\_BYTES is present, it indicates the number of bytes in the guard.
50 The default is 32 bytes, the max bytes is 16384. SIZE\_BYTES will be
51 padded so that it is a multiple of 8 bytes on 32 bit systems and 16 bytes
52 on 64 bit systems to make sure that the allocation returned is aligned
53 properly.
54
55 This option adds a special header to all allocations that contains the guard
56 and information about the original allocation.
57
58 Example error:
59
60 <pre>
61 04-10 12:00:45.621 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 SIZE 100 HAS A CORRUPTED FRONT GUARD
62 04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[-32] = 0x00 (expected 0xaa)
63 04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[-15] = 0x02 (expected 0xaa)
64 </pre>
65
66 ### rear\_guard[=SIZE\_BYTES]
67 Enables a small buffer placed after the allocated data. This is an attempt
68 to find memory corruption occuring to a region after the original allocation.
69 On first allocation, this rear guard is written with a specific pattern (0xbb).
70 When the allocation is freed, the guard is checked to verify it has not been
71 modified. If any part of the rear guard is modified, an error will be reported
72 in the log indicating what bytes changed.
73
74 If SIZE\_BYTES is present, it indicates the number of bytes in the guard.
75 The default is 32 bytes, the max bytes is 16384.
76
77 This option adds a special header to all allocations that contains
78 information about the original allocation.
79
80 Example error:
81
82 <pre>
83 04-10 12:00:45.621 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 SIZE 100 HAS A CORRUPTED REAR GUARD
84 04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[130] = 0xbf (expected 0xbb)
85 04-10 12:00:45.622 7412 7412 E malloc_debug: allocation[131] = 0x00 (expected 0xbb)
86 </pre>
87
88 ### guard[=SIZE\_BYTES]
89 Enables both a front guard and a rear guard on all allocations.
90
91 If SIZE\_BYTES is present, it indicates the number of bytes in both guards.
92 The default is 32 bytes, the max bytes is 16384.
93
94 ### backtrace[=MAX\_FRAMES]
95 Enable capturing the backtrace of each allocation site.
96 This option will slow down allocations by an order of magnitude. If the
97 system runs too slowly with this option enabled, decreasing the maximum number
98 of frames captured will speed the allocations up.
99
100 Note that any backtrace frames that occur within the malloc backtrace library
101 itself are not recorded.
102
103 If MAX\_FRAMES is present, it indicates the maximum number of frames to
104 capture in a backtrace. The default is 16 frames, the maximumum value
105 this can be set to is 256.
106
107 This option adds a special header to all allocations that contains the
108 backtrace and information about the original allocation.
109
110 ### backtrace\_enable\_on\_signal[=MAX\_FRAMES]
111 Enable capturing the backtrace of each allocation site. If the
112 backtrace capture is toggled when the process receives the signal
113 SIGRTMAX - 19 (which is 45 on most Android devices). When this
114 option is used alone, backtrace capture starts out disabled until the signal
115 is received. If both this option and the backtrace option are set, then
116 backtrace capture is enabled until the signal is received.
117
118 If MAX\_FRAMES is present, it indicates the maximum number of frames to
119 capture in a backtrace. The default is 16 frames, the maximumum value
120 this can be set to is 256.
121
122 This option adds a special header to all allocations that contains the
123 backtrace and information about the original allocation.
124
125 ### fill\_on\_alloc[=MAX\_FILLED\_BYTES]
126 Any allocation routine, other than calloc, will result in the allocation being
127 filled with the value 0xeb. When doing a realloc to a larger size, the bytes
128 above the original usable size will be set to 0xeb.
129
130 If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
131 of bytes in the allocation. The default is to fill the entire allocation.
132
133 ### fill\_on\_free[=MAX\_FILLED\_BYTES]
134 When an allocation is freed, fill it with 0xef.
135
136 If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
137 of bytes in the allocation. The default is to fill the entire allocation.
138
139 ### fill[=MAX\_FILLED\_BYTES]
140 This enables both the fill\_on\_alloc option and the fill\_on\_free option.
141
142 If MAX\_FILLED\_BYTES is present, it will only fill up to the specified number
143 of bytes in the allocation. The default is to fill the entire allocation.
144
145 ### expand\_alloc[=EXPAND\_BYTES]
146 Add an extra amount to allocate for every allocation.
147
148 If XX is present, it is the number of bytes to expand the allocation by.
149 The default is 16 bytes, the max bytes is 16384.
150
151 ### free\_track[=ALLOCATION\_COUNT]
152 When a pointer is freed, do not free the memory right away, but add it to
153 a list of freed allocations. In addition to being added to the list, the
154 entire allocation is filled with the value 0xef, and the backtrace at
155 the time of the free is recorded. The backtrace recording is completely
156 separate from the backtrace option, and happens automatically if this
157 option is enabled. By default, a maximum of 16 frames will be recorded,
158 but this value can be changed using the free\_track\_backtrace\_num\_frames
159 option. It can also be completely disabled by setting the option to zero.
160 See the full description of this option below.
161
162 When the list is full, an allocation is removed from the list and is
163 checked to make sure that none of the contents have been modified since
164 being placed on the list. When the program terminates, all of the allocations
165 left on the list are verified.
166
167 If ALLOCATION\_COUNT is present, it indicates the total number of allocations
168 in the list. The default is to record 100 freed allocations, the max
169 allocations to record is 16384.
170
171 This option adds a special header to all allocations that contains
172 information about the original allocation.
173
174 Example error:
175
176 <pre>
177 04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE
178 04-15 12:00:31.305 7412 7412 E malloc_debug: allocation[20] = 0xaf (expected 0xef)
179 04-15 12:00:31.305 7412 7412 E malloc_debug: allocation[99] = 0x12 (expected 0xef)
180 04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace at time of free:
181 04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
182 04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
183 04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
184 04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
185 </pre>
186
187 In addition, there is another type of error message that can occur if
188 an allocation has a special header applied, and the header is corrupted
189 before the verification occurs. This is the error message that will be found
190 in the log:
191
192 <pre>
193 +++ ALLOCATION 0x12345678 HAS CORRUPTED HEADER TAG 0x1cc7dc00 AFTER FREE
194 </pre>
195
196 ### free\_track\_backtrace\_num\_frames[=MAX\_FRAMES]
197 This option only has meaning if free\_track is set. It indicates how many
198 backtrace frames to capture when an allocation is freed.
199
200 If MAX\_FRAMES is present, it indicates the number of frames to capture.
201 If the value is set to zero, then no backtrace will be captured when the
202 allocation is freed. The default is to record 16 frames, the max number of
203 frames to to record is 256.
204
205 ### leak\_track
206 Track all live allocations. When the program terminates, all of the live
207 allocations will be dumped to the log. If the backtrace option was enabled,
208 then the log will include the backtrace of the leaked allocations. This
209 option is not useful when enabled globally because a lot of programs do not
210 free everything before the program terminates.
211
212 This option adds a special header to all allocations that contains
213 information about the original allocation.
214
215 Example leak error found in the log:
216
217 <pre>
218 04-15 12:35:33.304 7412 7412 E malloc_debug: +++ APP leaked block of size 100 at 0x2be3b0b0 (leak 1 of 2)
219 04-15 12:35:33.304 7412 7412 E malloc_debug: Backtrace at time of allocation:
220 04-15 12:35:33.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
221 04-15 12:35:33.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
222 04-15 12:35:33.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
223 04-15 12:35:33.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
224 04-15 12:35:33.305 7412 7412 E malloc_debug: +++ APP leaked block of size 24 at 0x7be32380 (leak 2 of 2)
225 04-15 12:35:33.305 7412 7412 E malloc_debug: Backtrace at time of allocation:
226 04-15 12:35:33.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
227 04-15 12:35:33.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
228 04-15 12:35:33.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
229 04-15 12:35:33.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
230 </pre>
231
232 Additional Errors
233 -----------------
234 There are a few other error messages that might appear in the log.
235
236 ### Use After Free
237 <pre>
238 04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE (free)
239 04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace of original free:
240 04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
241 04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
242 04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
243 04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
244 04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace at time of failure:
245 04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
246 04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
247 04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
248 04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
249 </pre>
250
251 This indicates that code is attempting to free an already freed pointer. The
252 name in parenthesis indicates that the application called the function
253 <i>free</i> with the bad pointer.
254
255 For example, this message:
256
257 <pre>
258 04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 USED AFTER FREE (realloc)
259 </pre>
260
261 Would indicate that the application called the <i>realloc</i> function
262 with an already freed pointer.
263
264 ### Invalid Tag
265 <pre>
266 04-15 12:00:31.304 7412 7412 E malloc_debug: +++ ALLOCATION 0x12345678 HAS INVALID TAG 1ee7d000 (malloc_usable_size)
267 04-15 12:00:31.305 7412 7412 E malloc_debug: Backtrace at time of failure:
268 04-15 12:00:31.305 7412 7412 E malloc_debug: #00 pc 00029310 /system/lib/libc.so
269 04-15 12:00:31.305 7412 7412 E malloc_debug: #01 pc 00021438 /system/lib/libc.so (newlocale+160)
270 04-15 12:00:31.305 7412 7412 E malloc_debug: #02 pc 000a9e38 /system/lib/libc++.so
271 04-15 12:00:31.305 7412 7412 E malloc_debug: #03 pc 000a28a8 /system/lib/libc++.so
272 </pre>
273
274 This indicates that a function (malloc\_usable\_size) was called with
275 a pointer that is either not allocated memory, or that the memory of
276 the pointer has been corrupted.
277
278 As with the other error message, the function in parenthesis is the
279 function that was called with the bad pointer.
280
281 Examples
282 ========
283 Enable backtrace tracking of all allocation for all processes:
284
285 <pre>
286 adb shell stop
287 adb shell setprop libc.debug.malloc.options backtrace
288 adb shell start
289 </pre>
290
291 Enable backtrace tracking for a specific process (ls):
292
293 <pre>
294 adb shell setprop libc.debug.malloc.options backtrace
295 adb shell setprop libc.debug.malloc.program ls
296 adb shell ls
297 </pre>
298
299 Enable backtrace tracking for the zygote and zygote based processes:
300
301 <pre>
302 adb shell stop
303 adb shell setprop libc.debug.malloc.program app_process
304 adb shell setprop libc.debug.malloc.options backtrace
305 adb shell start
306 </pre>
307
308 Enable multiple options (backtrace and guards):
309
310 <pre>
311 adb shell stop
312 adb shell setprop libc.debug.malloc.options "\"backtrace guards\""
313 adb shell start
314 </pre>
315
316 Enable malloc debug when multiple processes have the same name. This method
317 can be used to enable malloc debug for only a very specific process if
318 multiple processes have the same name.
319
320 Note: The double quotes in the adb shell command are necessary. Otherwise,
321 the setprop command will fail since the backtrace guards options will look
322 like two arguments instead of one.
323
324 <pre>
325 adb shell
326 # setprop libc.debug.malloc.env_enabled
327 # setprop libc.debug.malloc.options backtrace
328 # export LIBC_DEBUG_MALLOC_ENABLE 1
329 # ls
330 </pre>
331
README_api.md
1 Native Memory Tracking using libc Callbacks
2 -------------------------------------------
3 Malloc debug can be used to get information on all of the live allocations
4 in a process. The libc library in Android exports two calls that can be
5 used to gather this data from a process. This tracking can be enabled using
6 either the backtrace option or the backtrace\_enabled\_on\_signal option.
7
8 The function to gather the data:
9
10 <pre>
11 <b>
12 extern "C" void get_malloc_leak_info(uint8_t** info, size_t* overall_size, size_t* info_size, size_t* total_memory, size_t* backtrace_size);
13 </b>
14 </pre>
15
16 <i>info</i> is set to a buffer allocated by the call that contains all of
17 the allocation information.
18 <i>overall\_size</i> is set to the total size of the buffer returned. If this
19 <i>info\_size</i>
20 value is zero, then there are no allocation being tracked.
21 <i>total\_memory</i> is set to the sum of all allocation sizes that are live at
22 the point of the function call. This does not include the memory allocated
23 by the malloc debug library itself.
24 <i>backtrace\_size</i> is set to the maximum number of backtrace entries
25 that are present for each allocation.
26
27 In order to free the buffer allocated by the function, call:
28
29 <pre>
30 <b>
31 extern "C" void free_malloc_leak_info(uint8_t* info);
32 </b>
33 </pre>
34
35 ### Format of info Buffer
36 <pre>
37 size_t size_of_original_allocation
38 size_t num_backtrace_frames
39 uintptr_t pc1
40 uintptr_t pc2
41 uintptr_t pc3
42 .
43 .
44 .
45 </pre>
46
47 The number of <i>uintptr\_t</i> values is determined by the value
48 <i>backtrace\_size</i> as returned by the original call to
49 <i>get\_malloc\_leak\_info</i>. This value is not variable, it is the same
50 for all the returned data. The value
51 <i>num\_backtrace\_frames</i> contains the real number of frames found. The
52 extra frames are set to zero. Each <i>uintptr\_t</i> is a pc of the callstack.
53 The calls from within the malloc debug library are automatically removed.
54
55 For 32 bit systems, <i>size\_t</i> and <i>uintptr\_t</i> are both 4 byte values.
56
57 For 64 bit systems, <i>size\_t</i> and <i>uintptr\_t</i> are both 8 byte values.
58
59 The total number of these structures returned in <i>info</i> is
60 <i>overall\_size</i> divided by <i>info\_size</i>.
61
62 Note, the size value in each allocation data structure will have bit 31 set
63 if this allocation was created by the Zygote process. This helps to distinguish
64 between native allocations created by the application.
65