1 2 /*--------------------------------------------------------------------*/ 3 /*--- The leak checker. mc_leakcheck.c ---*/ 4 /*--------------------------------------------------------------------*/ 5 6 /* 7 This file is part of MemCheck, a heavyweight Valgrind tool for 8 detecting memory errors. 9 10 Copyright (C) 2000-2015 Julian Seward 11 jseward (at) acm.org 12 13 This program is free software; you can redistribute it and/or 14 modify it under the terms of the GNU General Public License as 15 published by the Free Software Foundation; either version 2 of the 16 License, or (at your option) any later version. 17 18 This program is distributed in the hope that it will be useful, but 19 WITHOUT ANY WARRANTY; without even the implied warranty of 20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 21 General Public License for more details. 22 23 You should have received a copy of the GNU General Public License 24 along with this program; if not, write to the Free Software 25 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 26 02111-1307, USA. 27 28 The GNU General Public License is contained in the file COPYING. 29 */ 30 31 #include "pub_tool_basics.h" 32 #include "pub_tool_vki.h" 33 #include "pub_tool_aspacehl.h" 34 #include "pub_tool_aspacemgr.h" 35 #include "pub_tool_execontext.h" 36 #include "pub_tool_hashtable.h" 37 #include "pub_tool_libcbase.h" 38 #include "pub_tool_libcassert.h" 39 #include "pub_tool_libcprint.h" 40 #include "pub_tool_libcsignal.h" 41 #include "pub_tool_machine.h" 42 #include "pub_tool_mallocfree.h" 43 #include "pub_tool_options.h" 44 #include "pub_tool_oset.h" 45 #include "pub_tool_poolalloc.h" 46 #include "pub_tool_signals.h" // Needed for mc_include.h 47 #include "pub_tool_libcsetjmp.h" // setjmp facilities 48 #include "pub_tool_tooliface.h" // Needed for mc_include.h 49 50 #include "mc_include.h" 51 52 /*------------------------------------------------------------*/ 53 /*--- An overview of leak checking. ---*/ 54 /*------------------------------------------------------------*/ 55 56 // Leak-checking is a directed-graph traversal problem. The graph has 57 // two kinds of nodes: 58 // - root-set nodes: 59 // - GP registers of all threads; 60 // - valid, aligned, pointer-sized data words in valid client memory, 61 // including stacks, but excluding words within client heap-allocated 62 // blocks (they are excluded so that later on we can differentiate 63 // between heap blocks that are indirectly leaked vs. directly leaked). 64 // - heap-allocated blocks. A block is a mempool chunk or a malloc chunk 65 // that doesn't contain a mempool chunk. Nb: the terms "blocks" and 66 // "chunks" are used interchangeably below. 67 // 68 // There are two kinds of edges: 69 // - start-pointers, i.e. pointers to the start of a block; 70 // - interior-pointers, i.e. pointers to the interior of a block. 71 // 72 // We use "pointers" rather than "edges" below. 73 // 74 // Root set nodes only point to blocks. Blocks only point to blocks; 75 // a block can point to itself. 76 // 77 // The aim is to traverse the graph and determine the status of each block. 78 // 79 // There are 9 distinct cases. See memcheck/docs/mc-manual.xml for details. 80 // Presenting all nine categories to the user is probably too much. 81 // Currently we do this: 82 // - definitely lost: case 3 83 // - indirectly lost: case 4, 9 84 // - possibly lost: cases 5..8 85 // - still reachable: cases 1, 2 86 // 87 // It's far from clear that this is the best possible categorisation; it's 88 // accreted over time without any central guiding principle. 89 90 /*------------------------------------------------------------*/ 91 /*--- XXX: Thoughts for improvement. ---*/ 92 /*------------------------------------------------------------*/ 93 94 // From the user's point of view: 95 // - If they aren't using interior-pointers, they just have to fix the 96 // directly lost blocks, and the indirectly lost ones will be fixed as 97 // part of that. Any possibly lost blocks will just be due to random 98 // pointer garbage and can be ignored. 99 // 100 // - If they are using interior-pointers, the fact that they currently are not 101 // being told which ones might be directly lost vs. indirectly lost makes 102 // it hard to know where to begin. 103 // 104 // All this makes me wonder if new option is warranted: 105 // --follow-interior-pointers. By default it would be off, the leak checker 106 // wouldn't follow interior-pointers and there would only be 3 categories: 107 // R, DL, IL. 108 // 109 // If turned on, then it would show 7 categories (R, DL, IL, DR/DL, IR/IL, 110 // IR/IL/DL, IL/DL). That output is harder to understand but it's your own 111 // damn fault for using interior-pointers... 112 // 113 // ---- 114 // 115 // Also, why are two blank lines printed between each loss record? 116 // [bug 197930] 117 // 118 // ---- 119 // 120 // Also, --show-reachable is a bad name because it also turns on the showing 121 // of indirectly leaked blocks(!) It would be better named --show-all or 122 // --show-all-heap-blocks, because that's the end result. 123 // We now have the option --show-leak-kinds=... which allows to specify =all. 124 // 125 // ---- 126 // 127 // Also, the VALGRIND_LEAK_CHECK and VALGRIND_QUICK_LEAK_CHECK aren't great 128 // names. VALGRIND_FULL_LEAK_CHECK and VALGRIND_SUMMARY_LEAK_CHECK would be 129 // better. 130 // 131 // ---- 132 // 133 // Also, VALGRIND_COUNT_LEAKS and VALGRIND_COUNT_LEAK_BLOCKS aren't great as 134 // they combine direct leaks and indirect leaks into one. New, more precise 135 // ones (they'll need new names) would be good. If more categories are 136 // used, as per the --follow-interior-pointers option, they should be 137 // updated accordingly. And they should use a struct to return the values. 138 // 139 // ---- 140 // 141 // Also, for this case: 142 // 143 // (4) p4 BBB ---> AAA 144 // 145 // BBB is definitely directly lost. AAA is definitely indirectly lost. 146 // Here's the relevant loss records printed for a full check (each block is 147 // 16 bytes): 148 // 149 // ==20397== 16 bytes in 1 blocks are indirectly lost in loss record 9 of 15 150 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177) 151 // ==20397== by 0x400521: mk (leak-cases.c:49) 152 // ==20397== by 0x400578: main (leak-cases.c:72) 153 // 154 // ==20397== 32 (16 direct, 16 indirect) bytes in 1 blocks are definitely 155 // lost in loss record 14 of 15 156 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177) 157 // ==20397== by 0x400521: mk (leak-cases.c:49) 158 // ==20397== by 0x400580: main (leak-cases.c:72) 159 // 160 // The first one is fine -- it describes AAA. 161 // 162 // The second one is for BBB. It's correct in that 16 bytes in 1 block are 163 // directly lost. It's also correct that 16 are indirectly lost as a result, 164 // but it means that AAA is being counted twice in the loss records. (It's 165 // not, thankfully, counted twice in the summary counts). Argh. 166 // 167 // This would be less confusing for the second one: 168 // 169 // ==20397== 16 bytes in 1 blocks are definitely lost in loss record 14 170 // of 15 (and 16 bytes in 1 block are indirectly lost as a result; they 171 // are mentioned elsewhere (if --show-reachable=yes or indirect is given 172 // in --show-leak-kinds=... !)) 173 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177) 174 // ==20397== by 0x400521: mk (leak-cases.c:49) 175 // ==20397== by 0x400580: main (leak-cases.c:72) 176 // 177 // But ideally we'd present the loss record for the directly lost block and 178 // then the resultant indirectly lost blocks and make it clear the 179 // dependence. Double argh. 180 181 /*------------------------------------------------------------*/ 182 /*--- The actual algorithm. ---*/ 183 /*------------------------------------------------------------*/ 184 185 // - Find all the blocks (a.k.a. chunks) to check. Mempool chunks require 186 // some special treatment because they can be within malloc'd blocks. 187 // - Scan every word in the root set (GP registers and valid 188 // non-heap memory words). 189 // - First, we skip if it doesn't point to valid memory. 190 // - Then, we see if it points to the start or interior of a block. If 191 // so, we push the block onto the mark stack and mark it as having been 192 // reached. 193 // - Then, we process the mark stack, repeating the scanning for each block; 194 // this can push more blocks onto the mark stack. We repeat until the 195 // mark stack is empty. Each block is marked as definitely or possibly 196 // reachable, depending on whether interior-pointers were required to 197 // reach it. 198 // - At this point we know for every block if it's reachable or not. 199 // - We then push each unreached block onto the mark stack, using the block 200 // number as the "clique" number. 201 // - We process the mark stack again, this time grouping blocks into cliques 202 // in order to facilitate the directly/indirectly lost categorisation. 203 // - We group blocks by their ExeContexts and categorisation, and print them 204 // if --leak-check=full. We also print summary numbers. 205 // 206 // A note on "cliques": 207 // - A directly lost block is one with no pointers to it. An indirectly 208 // lost block is one that is pointed to by a directly or indirectly lost 209 // block. 210 // - Each directly lost block has zero or more indirectly lost blocks 211 // hanging off it. All these blocks together form a "clique". The 212 // directly lost block is called the "clique leader". The clique number 213 // is the number (in lc_chunks[]) of the clique leader. 214 // - Actually, a directly lost block may be pointed to if it's part of a 215 // cycle. In that case, there may be more than one choice for the clique 216 // leader, and the choice is arbitrary. Eg. if you have A-->B and B-->A 217 // either A or B could be the clique leader. 218 // - Cliques cannot overlap, and will be truncated to avoid this. Eg. if we 219 // have A-->C and B-->C, the two cliques will be {A,C} and {B}, or {A} and 220 // {B,C} (again the choice is arbitrary). This is because we don't want 221 // to count a block as indirectly lost more than once. 222 // 223 // A note on 'is_prior_definite': 224 // - This is a boolean used in various places that indicates if the chain 225 // up to the prior node (prior to the one being considered) is definite. 226 // - In the clique == -1 case: 227 // - if True it means that the prior node is a root-set node, or that the 228 // prior node is a block which is reachable from the root-set via 229 // start-pointers. 230 // - if False it means that the prior node is a block that is only 231 // reachable from the root-set via a path including at least one 232 // interior-pointer. 233 // - In the clique != -1 case, currently it's always True because we treat 234 // start-pointers and interior-pointers the same for direct/indirect leak 235 // checking. If we added a PossibleIndirectLeak state then this would 236 // change. 237 238 239 // Define to debug the memory-leak-detector. 240 #define VG_DEBUG_LEAKCHECK 0 241 #define VG_DEBUG_CLIQUE 0 242 243 244 /*------------------------------------------------------------*/ 245 /*--- Getting the initial chunks, and searching them. ---*/ 246 /*------------------------------------------------------------*/ 247 248 // Compare the MC_Chunks by 'data' (i.e. the address of the block). 249 static Int compare_MC_Chunks(const void* n1, const void* n2) 250 { 251 const MC_Chunk* mc1 = *(const MC_Chunk *const *)n1; 252 const MC_Chunk* mc2 = *(const MC_Chunk *const *)n2; 253 if (mc1->data < mc2->data) return -1; 254 if (mc1->data > mc2->data) return 1; 255 return 0; 256 } 257 258 #if VG_DEBUG_LEAKCHECK 259 // Used to sanity-check the fast binary-search mechanism. 260 static 261 Int find_chunk_for_OLD ( Addr ptr, 262 MC_Chunk** chunks, 263 Int n_chunks ) 264 265 { 266 Int i; 267 Addr a_lo, a_hi; 268 PROF_EVENT(MCPE_FIND_CHUNK_FOR_OLD); 269 for (i = 0; i < n_chunks; i++) { 270 PROF_EVENT(MCPE_FIND_CHUNK_FOR_OLD_LOOP); 271 a_lo = chunks[i]->data; 272 a_hi = ((Addr)chunks[i]->data) + chunks[i]->szB; 273 if (a_lo <= ptr && ptr < a_hi) 274 return i; 275 } 276 return -1; 277 } 278 #endif 279 280 // Find the i such that ptr points at or inside the block described by 281 // chunks[i]. Return -1 if none found. This assumes that chunks[] 282 // has been sorted on the 'data' field. 283 static 284 Int find_chunk_for ( Addr ptr, 285 MC_Chunk** chunks, 286 Int n_chunks ) 287 { 288 Addr a_mid_lo, a_mid_hi; 289 Int lo, mid, hi, retVal; 290 // VG_(printf)("find chunk for %p = ", ptr); 291 retVal = -1; 292 lo = 0; 293 hi = n_chunks-1; 294 while (True) { 295 // Invariant: current unsearched space is from lo to hi, inclusive. 296 if (lo > hi) break; // not found 297 298 mid = (lo + hi) / 2; 299 a_mid_lo = chunks[mid]->data; 300 a_mid_hi = chunks[mid]->data + chunks[mid]->szB; 301 // Extent of block 'mid' is [a_mid_lo .. a_mid_hi). 302 // Special-case zero-sized blocks - treat them as if they had 303 // size 1. Not doing so causes them to not cover any address 304 // range at all and so will never be identified as the target of 305 // any pointer, which causes them to be incorrectly reported as 306 // definitely leaked. 307 if (chunks[mid]->szB == 0) 308 a_mid_hi++; 309 310 if (ptr < a_mid_lo) { 311 hi = mid-1; 312 continue; 313 } 314 if (ptr >= a_mid_hi) { 315 lo = mid+1; 316 continue; 317 } 318 tl_assert(ptr >= a_mid_lo && ptr < a_mid_hi); 319 retVal = mid; 320 break; 321 } 322 323 # if VG_DEBUG_LEAKCHECK 324 tl_assert(retVal == find_chunk_for_OLD ( ptr, chunks, n_chunks )); 325 # endif 326 // VG_(printf)("%d\n", retVal); 327 return retVal; 328 } 329 330 331 static MC_Chunk** 332 find_active_chunks(Int* pn_chunks) 333 { 334 // Our goal is to construct a set of chunks that includes every 335 // mempool chunk, and every malloc region that *doesn't* contain a 336 // mempool chunk. 337 MC_Mempool *mp; 338 MC_Chunk **mallocs, **chunks, *mc; 339 UInt n_mallocs, n_chunks, m, s; 340 Bool *malloc_chunk_holds_a_pool_chunk; 341 342 // First we collect all the malloc chunks into an array and sort it. 343 // We do this because we want to query the chunks by interior 344 // pointers, requiring binary search. 345 mallocs = (MC_Chunk**) VG_(HT_to_array)( MC_(malloc_list), &n_mallocs ); 346 if (n_mallocs == 0) { 347 tl_assert(mallocs == NULL); 348 *pn_chunks = 0; 349 return NULL; 350 } 351 VG_(ssort)(mallocs, n_mallocs, sizeof(VgHashNode*), compare_MC_Chunks); 352 353 // Then we build an array containing a Bool for each malloc chunk, 354 // indicating whether it contains any mempools. 355 malloc_chunk_holds_a_pool_chunk = VG_(calloc)( "mc.fas.1", 356 n_mallocs, sizeof(Bool) ); 357 n_chunks = n_mallocs; 358 359 // Then we loop over the mempool tables. For each chunk in each 360 // pool, we set the entry in the Bool array corresponding to the 361 // malloc chunk containing the mempool chunk. 362 VG_(HT_ResetIter)(MC_(mempool_list)); 363 while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) { 364 VG_(HT_ResetIter)(mp->chunks); 365 while ( (mc = VG_(HT_Next)(mp->chunks)) ) { 366 367 // We'll need to record this chunk. 368 n_chunks++; 369 370 // Possibly invalidate the malloc holding the beginning of this chunk. 371 m = find_chunk_for(mc->data, mallocs, n_mallocs); 372 if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) { 373 tl_assert(n_chunks > 0); 374 n_chunks--; 375 malloc_chunk_holds_a_pool_chunk[m] = True; 376 } 377 378 // Possibly invalidate the malloc holding the end of this chunk. 379 if (mc->szB > 1) { 380 m = find_chunk_for(mc->data + (mc->szB - 1), mallocs, n_mallocs); 381 if (m != -1 && malloc_chunk_holds_a_pool_chunk[m] == False) { 382 tl_assert(n_chunks > 0); 383 n_chunks--; 384 malloc_chunk_holds_a_pool_chunk[m] = True; 385 } 386 } 387 } 388 } 389 tl_assert(n_chunks > 0); 390 391 // Create final chunk array. 392 chunks = VG_(malloc)("mc.fas.2", sizeof(VgHashNode*) * (n_chunks)); 393 s = 0; 394 395 // Copy the mempool chunks and the non-marked malloc chunks into a 396 // combined array of chunks. 397 VG_(HT_ResetIter)(MC_(mempool_list)); 398 while ( (mp = VG_(HT_Next)(MC_(mempool_list))) ) { 399 VG_(HT_ResetIter)(mp->chunks); 400 while ( (mc = VG_(HT_Next)(mp->chunks)) ) { 401 tl_assert(s < n_chunks); 402 chunks[s++] = mc; 403 } 404 } 405 for (m = 0; m < n_mallocs; ++m) { 406 if (!malloc_chunk_holds_a_pool_chunk[m]) { 407 tl_assert(s < n_chunks); 408 chunks[s++] = mallocs[m]; 409 } 410 } 411 tl_assert(s == n_chunks); 412 413 // Free temporaries. 414 VG_(free)(mallocs); 415 VG_(free)(malloc_chunk_holds_a_pool_chunk); 416 417 *pn_chunks = n_chunks; 418 419 return chunks; 420 } 421 422 /*------------------------------------------------------------*/ 423 /*--- The leak detector proper. ---*/ 424 /*------------------------------------------------------------*/ 425 426 // Holds extra info about each block during leak checking. 427 typedef 428 struct { 429 UInt state:2; // Reachedness. 430 UInt pending:1; // Scan pending. 431 UInt heuristic: (sizeof(UInt)*8)-3; 432 // Heuristic with which this block was considered reachable. 433 // LchNone if state != Reachable or no heuristic needed to 434 // consider it reachable. 435 436 union { 437 SizeT indirect_szB; 438 // If Unreached, how many bytes are unreachable from here. 439 SizeT clique; 440 // if IndirectLeak, clique leader to which it belongs. 441 } IorC; 442 } 443 LC_Extra; 444 445 // An array holding pointers to every chunk we're checking. Sorted by address. 446 // lc_chunks is initialised during leak search. It is kept after leak search 447 // to support printing the list of blocks belonging to a loss record. 448 // lc_chunk array can only be used validly till the next "free" operation 449 // (as a free operation potentially destroys one or more chunks). 450 // To detect lc_chunk is valid, we store the nr of frees operations done 451 // when lc_chunk was build : lc_chunks (and lc_extras) stays valid as 452 // long as no free operations has been done since lc_chunks building. 453 static MC_Chunk** lc_chunks; 454 // How many chunks we're dealing with. 455 static Int lc_n_chunks; 456 static SizeT lc_chunks_n_frees_marker; 457 // This has the same number of entries as lc_chunks, and each entry 458 // in lc_chunks corresponds with the entry here (ie. lc_chunks[i] and 459 // lc_extras[i] describe the same block). 460 static LC_Extra* lc_extras; 461 462 // chunks will be converted and merged in loss record, maintained in lr_table 463 // lr_table elements are kept from one leak_search to another to implement 464 // the "print new/changed leaks" client request 465 static OSet* lr_table; 466 // Array of sorted loss record (produced during last leak search). 467 static LossRecord** lr_array; 468 469 // Value of the heuristics parameter used in the current (or last) leak check. 470 static UInt detect_memory_leaks_last_heuristics; 471 472 // DeltaMode used the last time we called detect_memory_leaks. 473 // The recorded leak errors are output using a logic based on this delta_mode. 474 // The below avoids replicating the delta_mode in each LossRecord. 475 LeakCheckDeltaMode MC_(detect_memory_leaks_last_delta_mode); 476 477 // Each leak search run increments the below generation counter. 478 // A used suppression during a leak search will contain this 479 // generation number. 480 UInt MC_(leak_search_gen); 481 482 // Records chunks that are currently being processed. Each element in the 483 // stack is an index into lc_chunks and lc_extras. Its size is 484 // 'lc_n_chunks' because in the worst case that's how many chunks could be 485 // pushed onto it (actually I think the maximum is lc_n_chunks-1 but let's 486 // be conservative). 487 static Int* lc_markstack; 488 // The index of the top element of the stack; -1 if the stack is empty, 0 if 489 // the stack has one element, 1 if it has two, etc. 490 static Int lc_markstack_top; 491 492 // Keeps track of how many bytes of memory we've scanned, for printing. 493 // (Nb: We don't keep track of how many register bytes we've scanned.) 494 static SizeT lc_scanned_szB; 495 // Keeps track of how many bytes we have not scanned due to read errors that 496 // caused a signal such as SIGSEGV. 497 static SizeT lc_sig_skipped_szB; 498 499 500 SizeT MC_(bytes_leaked) = 0; 501 SizeT MC_(bytes_indirect) = 0; 502 SizeT MC_(bytes_dubious) = 0; 503 SizeT MC_(bytes_reachable) = 0; 504 SizeT MC_(bytes_suppressed) = 0; 505 506 SizeT MC_(blocks_leaked) = 0; 507 SizeT MC_(blocks_indirect) = 0; 508 SizeT MC_(blocks_dubious) = 0; 509 SizeT MC_(blocks_reachable) = 0; 510 SizeT MC_(blocks_suppressed) = 0; 511 512 // Subset of MC_(bytes_reachable) and MC_(blocks_reachable) which 513 // are considered reachable due to the corresponding heuristic. 514 static SizeT MC_(bytes_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS] 515 = {0,0,0,0}; 516 static SizeT MC_(blocks_heuristically_reachable)[N_LEAK_CHECK_HEURISTICS] 517 = {0,0,0,0}; 518 519 // Determines if a pointer is to a chunk. Returns the chunk number et al 520 // via call-by-reference. 521 static Bool 522 lc_is_a_chunk_ptr(Addr ptr, Int* pch_no, MC_Chunk** pch, LC_Extra** pex) 523 { 524 Int ch_no; 525 MC_Chunk* ch; 526 LC_Extra* ex; 527 528 // Quick filter. Note: implemented with am, not with get_vabits2 529 // as ptr might be random data pointing anywhere. On 64 bit 530 // platforms, getting va bits for random data can be quite costly 531 // due to the secondary map. 532 if (!VG_(am_is_valid_for_client)(ptr, 1, VKI_PROT_READ)) { 533 return False; 534 } else { 535 ch_no = find_chunk_for(ptr, lc_chunks, lc_n_chunks); 536 tl_assert(ch_no >= -1 && ch_no < lc_n_chunks); 537 538 if (ch_no == -1) { 539 return False; 540 } else { 541 // Ok, we've found a pointer to a chunk. Get the MC_Chunk and its 542 // LC_Extra. 543 ch = lc_chunks[ch_no]; 544 ex = &(lc_extras[ch_no]); 545 546 tl_assert(ptr >= ch->data); 547 tl_assert(ptr < ch->data + ch->szB + (ch->szB==0 ? 1 : 0)); 548 549 if (VG_DEBUG_LEAKCHECK) 550 VG_(printf)("ptr=%#lx -> block %d\n", ptr, ch_no); 551 552 *pch_no = ch_no; 553 *pch = ch; 554 *pex = ex; 555 556 return True; 557 } 558 } 559 } 560 561 // Push a chunk (well, just its index) onto the mark stack. 562 static void lc_push(Int ch_no, MC_Chunk* ch) 563 { 564 if (!lc_extras[ch_no].pending) { 565 if (0) { 566 VG_(printf)("pushing %#lx-%#lx\n", ch->data, ch->data + ch->szB); 567 } 568 lc_markstack_top++; 569 tl_assert(lc_markstack_top < lc_n_chunks); 570 lc_markstack[lc_markstack_top] = ch_no; 571 tl_assert(!lc_extras[ch_no].pending); 572 lc_extras[ch_no].pending = True; 573 } 574 } 575 576 // Return the index of the chunk on the top of the mark stack, or -1 if 577 // there isn't one. 578 static Bool lc_pop(Int* ret) 579 { 580 if (-1 == lc_markstack_top) { 581 return False; 582 } else { 583 tl_assert(0 <= lc_markstack_top && lc_markstack_top < lc_n_chunks); 584 *ret = lc_markstack[lc_markstack_top]; 585 lc_markstack_top--; 586 tl_assert(lc_extras[*ret].pending); 587 lc_extras[*ret].pending = False; 588 return True; 589 } 590 } 591 592 static const HChar* pp_heuristic(LeakCheckHeuristic h) 593 { 594 switch(h) { 595 case LchNone: return "none"; 596 case LchStdString: return "stdstring"; 597 case LchLength64: return "length64"; 598 case LchNewArray: return "newarray"; 599 case LchMultipleInheritance: return "multipleinheritance"; 600 default: return "???invalid heuristic???"; 601 } 602 } 603 604 // True if ptr looks like the address of a vtable, i.e. if ptr 605 // points to an array of pointers to functions. 606 // It is assumed the only caller of this function is heuristic_reachedness 607 // which must check that ptr is aligned and above page 0. 608 // Checking that ptr is above page 0 is an optimisation : it is assumed 609 // that no vtable is located in the page 0. So, all small integer values 610 // encountered during the scan will not incur the cost of calling this 611 // function. 612 static Bool aligned_ptr_above_page0_is_vtable_addr(Addr ptr) 613 { 614 // ??? If performance problem: 615 // ??? maybe implement a cache (array indexed by ptr % primenr) 616 // ??? of "I am a vtable ptr" ??? 617 618 // ??? Maybe the debug info could (efficiently?) be used to detect vtables ? 619 620 // We consider ptr as a vtable ptr if it points to a table 621 // where we find only NULL pointers or pointers pointing at an 622 // executable region. We must find at least 2 non NULL pointers 623 // before considering ptr as a vtable pointer. 624 // We scan a maximum of VTABLE_MAX_CHECK words for these 2 non NULL 625 // pointers. 626 #define VTABLE_MAX_CHECK 20 627 628 NSegment const *seg; 629 UInt nr_fn_ptrs = 0; 630 Addr scan; 631 Addr scan_max; 632 633 // First verify ptr points inside a client mapped file section. 634 // ??? is a vtable always in a file mapped readable section ? 635 seg = VG_(am_find_nsegment) (ptr); 636 if (seg == NULL 637 || seg->kind != SkFileC 638 || !seg->hasR) 639 return False; 640 641 // Check potential function pointers, up to a maximum of VTABLE_MAX_CHECK. 642 scan_max = ptr + VTABLE_MAX_CHECK*sizeof(Addr); 643 // If ptr is near the end of seg, avoid scan_max exceeding the end of seg: 644 if (scan_max > seg->end - sizeof(Addr)) 645 scan_max = seg->end - sizeof(Addr); 646 for (scan = ptr; scan <= scan_max; scan+=sizeof(Addr)) { 647 Addr pot_fn = *((Addr *)scan); 648 if (pot_fn == 0) 649 continue; // NULL fn pointer. Seems it can happen in vtable. 650 seg = VG_(am_find_nsegment) (pot_fn); 651 #if defined(VGA_ppc64be) 652 // ppc64BE uses a thunk table (function descriptors), so we have one 653 // more level of indirection to follow. 654 if (seg == NULL 655 || seg->kind != SkFileC 656 || !seg->hasR 657 || !seg->hasW) 658 return False; // ptr to nowhere, or not a ptr to thunks. 659 pot_fn = *((Addr *)pot_fn); 660 if (pot_fn == 0) 661 continue; // NULL fn pointer. Seems it can happen in vtable. 662 seg = VG_(am_find_nsegment) (pot_fn); 663 #endif 664 if (seg == NULL 665 || seg->kind != SkFileC 666 || !seg->hasT) 667 return False; // ptr to nowhere, or not a fn ptr. 668 nr_fn_ptrs++; 669 if (nr_fn_ptrs == 2) 670 return True; 671 } 672 673 return False; 674 } 675 676 // true if a is properly aligned and points to 64bits of valid memory 677 static Bool is_valid_aligned_ULong ( Addr a ) 678 { 679 if (sizeof(Word) == 8) 680 return MC_(is_valid_aligned_word)(a); 681 682 return MC_(is_valid_aligned_word)(a) 683 && MC_(is_valid_aligned_word)(a + 4); 684 } 685 686 /* The below leak_search_fault_catcher is used to catch memory access 687 errors happening during leak_search. During the scan, we check 688 with aspacemgr and/or VA bits that each page or dereferenced location is 689 readable and belongs to the client. However, we still protect 690 against SIGSEGV and SIGBUS e.g. in case aspacemgr is desynchronised 691 with the real page mappings. Such a desynchronisation could happen 692 due to an aspacemgr bug. Note that if the application is using 693 mprotect(NONE), then a page can be unreadable but have addressable 694 and defined VA bits (see mc_main.c function mc_new_mem_mprotect). 695 Currently, 2 functions are dereferencing client memory during leak search: 696 heuristic_reachedness and lc_scan_memory. 697 Each such function has its own fault catcher, that will call 698 leak_search_fault_catcher with the proper 'who' and jmpbuf parameters. */ 699 static volatile Addr bad_scanned_addr; 700 static 701 void leak_search_fault_catcher ( Int sigNo, Addr addr, 702 const HChar *who, VG_MINIMAL_JMP_BUF(jmpbuf) ) 703 { 704 vki_sigset_t sigmask; 705 706 if (0) 707 VG_(printf)("OUCH! sig=%d addr=%#lx who=%s\n", sigNo, addr, who); 708 709 /* Signal handler runs with the signal masked. 710 Unmask the handled signal before longjmp-ing or return-ing. 711 Note that during leak search, we expect only SIGSEGV or SIGBUS 712 and we do not expect another occurence until we longjmp-ed!return-ed 713 to resume the leak search. So, it is safe to unmask the signal 714 here. */ 715 /* First get current mask (by passing NULL as first arg) */ 716 VG_(sigprocmask)(VKI_SIG_SETMASK, NULL, &sigmask); 717 /* Then set a new sigmask, with this signal removed from the mask. */ 718 VG_(sigdelset)(&sigmask, sigNo); 719 VG_(sigprocmask)(VKI_SIG_SETMASK, &sigmask, NULL); 720 721 if (sigNo == VKI_SIGSEGV || sigNo == VKI_SIGBUS) { 722 bad_scanned_addr = addr; 723 VG_MINIMAL_LONGJMP(jmpbuf); 724 } else { 725 /* ??? During leak search, we are not supposed to receive any 726 other sync signal that these 2. 727 In theory, we should not call VG_(umsg) in a signal handler, 728 but better (try to) report this unexpected behaviour. */ 729 VG_(umsg)("leak_search_fault_catcher:" 730 " unexpected signal %d, catcher %s ???\n", 731 sigNo, who); 732 } 733 } 734 735 // jmpbuf and fault_catcher used during heuristic_reachedness 736 static VG_MINIMAL_JMP_BUF(heuristic_reachedness_jmpbuf); 737 static 738 void heuristic_reachedness_fault_catcher ( Int sigNo, Addr addr ) 739 { 740 leak_search_fault_catcher (sigNo, addr, 741 "heuristic_reachedness_fault_catcher", 742 heuristic_reachedness_jmpbuf); 743 } 744 745 // If ch is heuristically reachable via an heuristic member of heur_set, 746 // returns this heuristic. 747 // If ch cannot be considered reachable using one of these heuristics, 748 // return LchNone. 749 // This should only be called when ptr is an interior ptr to ch. 750 // The StdString/NewArray/MultipleInheritance heuristics are directly 751 // inspired from DrMemory: 752 // see http://www.burningcutlery.com/derek/docs/drmem-CGO11.pdf [section VI,C] 753 // and bug 280271. 754 static LeakCheckHeuristic heuristic_reachedness (Addr ptr, 755 MC_Chunk *ch, LC_Extra *ex, 756 UInt heur_set) 757 { 758 759 fault_catcher_t prev_catcher; 760 761 prev_catcher = VG_(set_fault_catcher)(heuristic_reachedness_fault_catcher); 762 763 // See leak_search_fault_catcher 764 if (VG_MINIMAL_SETJMP(heuristic_reachedness_jmpbuf) != 0) { 765 VG_(set_fault_catcher) (prev_catcher); 766 return LchNone; 767 } 768 769 if (HiS(LchStdString, heur_set)) { 770 // Detects inner pointers to Std::String for layout being 771 // length capacity refcount char_array[] \0 772 // where ptr points to the beginning of the char_array. 773 // Note: we check definedness for length and capacity but 774 // not for refcount, as refcount size might be smaller than 775 // a SizeT, giving a uninitialised hole in the first 3 SizeT. 776 if ( ptr == ch->data + 3 * sizeof(SizeT) 777 && MC_(is_valid_aligned_word)(ch->data + sizeof(SizeT))) { 778 const SizeT capacity = *((SizeT*)(ch->data + sizeof(SizeT))); 779 if (3 * sizeof(SizeT) + capacity + 1 == ch->szB 780 && MC_(is_valid_aligned_word)(ch->data)) { 781 const SizeT length = *((SizeT*)ch->data); 782 if (length <= capacity) { 783 // ??? could check there is no null byte from ptr to ptr+length-1 784 // ??? and that there is a null byte at ptr+length. 785 // ??? 786 // ??? could check that ch->allockind is MC_AllocNew ??? 787 // ??? probably not a good idea, as I guess stdstring 788 // ??? allocator can be done via custom allocator 789 // ??? or even a call to malloc ???? 790 VG_(set_fault_catcher) (prev_catcher); 791 return LchStdString; 792 } 793 } 794 } 795 } 796 797 if (HiS(LchLength64, heur_set)) { 798 // Detects inner pointers that point at 64bit offset (8 bytes) into a 799 // block following the length of the remaining as 64bit number 800 // (=total block size - 8). 801 // This is used e.g. by sqlite for tracking the total size of allocated 802 // memory. 803 // Note that on 64bit platforms, a block matching LchLength64 will 804 // also be matched by LchNewArray. 805 if ( ptr == ch->data + sizeof(ULong) 806 && is_valid_aligned_ULong(ch->data)) { 807 const ULong size = *((ULong*)ch->data); 808 if (size > 0 && (ch->szB - sizeof(ULong)) == size) { 809 VG_(set_fault_catcher) (prev_catcher); 810 return LchLength64; 811 } 812 } 813 } 814 815 if (HiS(LchNewArray, heur_set)) { 816 // Detects inner pointers at second word of new[] array, following 817 // a plausible nr of elements. 818 // Such inner pointers are used for arrays of elements 819 // having a destructor, as the delete[] of the array must know 820 // how many elements to destroy. 821 // 822 // We have a strange/wrong case for 'ptr = new MyClass[0];' : 823 // For such a case, the returned ptr points just outside the 824 // allocated chunk. This chunk is then seen as a definite 825 // leak by Valgrind, as it is not considered an interior pointer. 826 // It is the c++ equivalent of bug 99923 (malloc(0) wrongly considered 827 // as definitely leaked). See the trick in find_chunk_for handling 828 // 0-sized block. This trick does not work for 'new MyClass[0]' 829 // because a chunk "word-sized" is allocated to store the (0) nr 830 // of elements. 831 if ( ptr == ch->data + sizeof(SizeT) 832 && MC_(is_valid_aligned_word)(ch->data)) { 833 const SizeT nr_elts = *((SizeT*)ch->data); 834 if (nr_elts > 0 && (ch->szB - sizeof(SizeT)) % nr_elts == 0) { 835 // ??? could check that ch->allockind is MC_AllocNewVec ??? 836 VG_(set_fault_catcher) (prev_catcher); 837 return LchNewArray; 838 } 839 } 840 } 841 842 if (HiS(LchMultipleInheritance, heur_set)) { 843 // Detect inner pointer used for multiple inheritance. 844 // Assumption is that the vtable pointers are before the object. 845 if (VG_IS_WORD_ALIGNED(ptr) 846 && MC_(is_valid_aligned_word)(ptr)) { 847 Addr first_addr; 848 Addr inner_addr; 849 850 // Avoid the call to is_vtable_addr when the addr is not 851 // aligned or points in the page0, as it is unlikely 852 // a vtable is located in this page. This last optimisation 853 // avoids to call aligned_ptr_above_page0_is_vtable_addr 854 // for all small integers. 855 // Note: we could possibly also avoid calling this function 856 // for small negative integers, as no vtable should be located 857 // in the last page. 858 inner_addr = *((Addr*)ptr); 859 if (VG_IS_WORD_ALIGNED(inner_addr) 860 && inner_addr >= (Addr)VKI_PAGE_SIZE 861 && MC_(is_valid_aligned_word)(ch->data)) { 862 first_addr = *((Addr*)ch->data); 863 if (VG_IS_WORD_ALIGNED(first_addr) 864 && first_addr >= (Addr)VKI_PAGE_SIZE 865 && aligned_ptr_above_page0_is_vtable_addr(inner_addr) 866 && aligned_ptr_above_page0_is_vtable_addr(first_addr)) { 867 // ??? could check that ch->allockind is MC_AllocNew ??? 868 VG_(set_fault_catcher) (prev_catcher); 869 return LchMultipleInheritance; 870 } 871 } 872 } 873 } 874 875 VG_(set_fault_catcher) (prev_catcher); 876 return LchNone; 877 } 878 879 880 // If 'ptr' is pointing to a heap-allocated block which hasn't been seen 881 // before, push it onto the mark stack. 882 static void 883 lc_push_without_clique_if_a_chunk_ptr(Addr ptr, Bool is_prior_definite) 884 { 885 Int ch_no; 886 MC_Chunk* ch; 887 LC_Extra* ex; 888 Reachedness ch_via_ptr; // Is ch reachable via ptr, and how ? 889 890 if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) ) 891 return; 892 893 if (ex->state == Reachable) { 894 if (ex->heuristic && ptr == ch->data) 895 // If block was considered reachable via an heuristic, and it is now 896 // directly reachable via ptr, clear the heuristic field. 897 ex->heuristic = LchNone; 898 return; 899 } 900 901 // Possibly upgrade the state, ie. one of: 902 // - Unreached --> Possible 903 // - Unreached --> Reachable 904 // - Possible --> Reachable 905 906 if (ptr == ch->data) 907 ch_via_ptr = Reachable; 908 else if (detect_memory_leaks_last_heuristics) { 909 ex->heuristic 910 = heuristic_reachedness (ptr, ch, ex, 911 detect_memory_leaks_last_heuristics); 912 if (ex->heuristic) 913 ch_via_ptr = Reachable; 914 else 915 ch_via_ptr = Possible; 916 } else 917 ch_via_ptr = Possible; 918 919 if (ch_via_ptr == Reachable && is_prior_definite) { 920 // 'ptr' points to the start of the block or is to be considered as 921 // pointing to the start of the block, and the prior node is 922 // definite, which means that this block is definitely reachable. 923 ex->state = Reachable; 924 925 // State has changed to Reachable so (re)scan the block to make 926 // sure any blocks it points to are correctly marked. 927 lc_push(ch_no, ch); 928 929 } else if (ex->state == Unreached) { 930 // Either 'ptr' is a interior-pointer, or the prior node isn't definite, 931 // which means that we can only mark this block as possibly reachable. 932 ex->state = Possible; 933 934 // State has changed to Possible so (re)scan the block to make 935 // sure any blocks it points to are correctly marked. 936 lc_push(ch_no, ch); 937 } 938 } 939 940 static void 941 lc_push_if_a_chunk_ptr_register(ThreadId tid, const HChar* regname, Addr ptr) 942 { 943 lc_push_without_clique_if_a_chunk_ptr(ptr, /*is_prior_definite*/True); 944 } 945 946 // If ptr is pointing to a heap-allocated block which hasn't been seen 947 // before, push it onto the mark stack. Clique is the index of the 948 // clique leader. 949 static void 950 lc_push_with_clique_if_a_chunk_ptr(Addr ptr, Int clique, Int cur_clique) 951 { 952 Int ch_no; 953 MC_Chunk* ch; 954 LC_Extra* ex; 955 956 tl_assert(0 <= clique && clique < lc_n_chunks); 957 958 if ( ! lc_is_a_chunk_ptr(ptr, &ch_no, &ch, &ex) ) 959 return; 960 961 // If it's not Unreached, it's already been handled so ignore it. 962 // If ch_no==clique, it's the clique leader, which means this is a cyclic 963 // structure; again ignore it because it's already been handled. 964 if (ex->state == Unreached && ch_no != clique) { 965 // Note that, unlike reachable blocks, we currently don't distinguish 966 // between start-pointers and interior-pointers here. We probably 967 // should, though. 968 lc_push(ch_no, ch); 969 970 // Add the block to the clique, and add its size to the 971 // clique-leader's indirect size. Also, if the new block was 972 // itself a clique leader, it isn't any more, so add its 973 // indirect_szB to the new clique leader. 974 if (VG_DEBUG_CLIQUE) { 975 if (ex->IorC.indirect_szB > 0) 976 VG_(printf)(" clique %d joining clique %d adding %lu+%lu\n", 977 ch_no, clique, (SizeT)ch->szB, ex->IorC.indirect_szB); 978 else 979 VG_(printf)(" block %d joining clique %d adding %lu\n", 980 ch_no, clique, (SizeT)ch->szB); 981 } 982 983 lc_extras[clique].IorC.indirect_szB += ch->szB; 984 lc_extras[clique].IorC.indirect_szB += ex->IorC.indirect_szB; 985 ex->state = IndirectLeak; 986 ex->IorC.clique = (SizeT) cur_clique; 987 } 988 } 989 990 static void 991 lc_push_if_a_chunk_ptr(Addr ptr, 992 Int clique, Int cur_clique, Bool is_prior_definite) 993 { 994 if (-1 == clique) 995 lc_push_without_clique_if_a_chunk_ptr(ptr, is_prior_definite); 996 else 997 lc_push_with_clique_if_a_chunk_ptr(ptr, clique, cur_clique); 998 } 999 1000 1001 static VG_MINIMAL_JMP_BUF(lc_scan_memory_jmpbuf); 1002 static 1003 void lc_scan_memory_fault_catcher ( Int sigNo, Addr addr ) 1004 { 1005 leak_search_fault_catcher (sigNo, addr, 1006 "lc_scan_memory_fault_catcher", 1007 lc_scan_memory_jmpbuf); 1008 } 1009 1010 // lc_scan_memory has 2 modes: 1011 // 1012 // 1. Leak check mode (searched == 0). 1013 // ----------------------------------- 1014 // Scan a block of memory between [start, start+len). This range may 1015 // be bogus, inaccessible, or otherwise strange; we deal with it. For each 1016 // valid aligned word we assume it's a pointer to a chunk a push the chunk 1017 // onto the mark stack if so. 1018 // clique is the "highest level clique" in which indirectly leaked blocks have 1019 // to be collected. cur_clique is the current "lower" level clique through which 1020 // the memory to be scanned has been found. 1021 // Example: in the below tree if A is leaked, the top level clique will 1022 // be A, while lower level cliques will be B and C. 1023 /* 1024 A 1025 / \ 1026 B C 1027 / \ / \ 1028 D E F G 1029 */ 1030 // Proper handling of top and lowest level clique allows block_list of a loss 1031 // record to describe the hierarchy of indirectly leaked blocks. 1032 // 1033 // 2. Search ptr mode (searched != 0). 1034 // ----------------------------------- 1035 // In this mode, searches for pointers to a specific address range 1036 // In such a case, lc_scan_memory just scans [start..start+len[ for pointers 1037 // to searched and outputs the places where searched is found. 1038 // It does not recursively scans the found memory. 1039 static void 1040 lc_scan_memory(Addr start, SizeT len, Bool is_prior_definite, 1041 Int clique, Int cur_clique, 1042 Addr searched, SizeT szB) 1043 { 1044 /* memory scan is based on the assumption that valid pointers are aligned 1045 on a multiple of sizeof(Addr). So, we can (and must) skip the begin and 1046 end portions of the block if they are not aligned on sizeof(Addr): 1047 These cannot be a valid pointer, and calls to MC_(is_valid_aligned_word) 1048 will assert for a non aligned address. */ 1049 #if defined(VGA_s390x) 1050 // Define ptr as volatile, as on this platform, the value of ptr 1051 // is read in code executed via a longjmp. 1052 volatile 1053 #endif 1054 Addr ptr = VG_ROUNDUP(start, sizeof(Addr)); 1055 const Addr end = VG_ROUNDDN(start+len, sizeof(Addr)); 1056 fault_catcher_t prev_catcher; 1057 1058 if (VG_DEBUG_LEAKCHECK) 1059 VG_(printf)("scan %#lx-%#lx (%lu)\n", start, end, len); 1060 1061 prev_catcher = VG_(set_fault_catcher)(lc_scan_memory_fault_catcher); 1062 1063 /* Optimisation: the loop below will check for each begin 1064 of SM chunk if the chunk is fully unaddressable. The idea is to 1065 skip efficiently such fully unaddressable SM chunks. 1066 So, we preferably start the loop on a chunk boundary. 1067 If the chunk is not fully unaddressable, we might be in 1068 an unaddressable page. Again, the idea is to skip efficiently 1069 such unaddressable page : this is the "else" part. 1070 We use an "else" so that two consecutive fully unaddressable 1071 SM chunks will be skipped efficiently: first one is skipped 1072 by this piece of code. The next SM chunk will be skipped inside 1073 the loop. */ 1074 if ( ! MC_(is_within_valid_secondary)(ptr) ) { 1075 // Skip an invalid SM chunk till the beginning of the next SM Chunk. 1076 ptr = VG_ROUNDUP(ptr+1, SM_SIZE); 1077 } else if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) { 1078 // else we are in a (at least partially) valid SM chunk. 1079 // We might be in the middle of an unreadable page. 1080 // Do a cheap check to see if it's valid; 1081 // if not, skip onto the next page. 1082 ptr = VG_PGROUNDUP(ptr+1); // First page is bad - skip it. 1083 } 1084 /* The above optimisation and below loop is based on some relationships 1085 between VKI_PAGE_SIZE, SM_SIZE and sizeof(Addr) which are asserted in 1086 MC_(detect_memory_leaks). */ 1087 1088 // See leak_search_fault_catcher 1089 if (VG_MINIMAL_SETJMP(lc_scan_memory_jmpbuf) != 0) { 1090 // Catch read error ... 1091 # if defined(VGA_s390x) 1092 // For a SIGSEGV, s390 delivers the page address of the bad address. 1093 // For a SIGBUS, old s390 kernels deliver a NULL address. 1094 // bad_scanned_addr can thus not be used. 1095 // So, on this platform, we always skip a full page from ptr. 1096 // The below implies to mark ptr as volatile, as we read the value 1097 // after a longjmp to here. 1098 lc_sig_skipped_szB += VKI_PAGE_SIZE; 1099 ptr = ptr + VKI_PAGE_SIZE; // Unaddressable, - skip it. 1100 # else 1101 // On other platforms, just skip one Addr. 1102 lc_sig_skipped_szB += sizeof(Addr); 1103 tl_assert(bad_scanned_addr >= VG_ROUNDUP(start, sizeof(Addr))); 1104 tl_assert(bad_scanned_addr < VG_ROUNDDN(start+len, sizeof(Addr))); 1105 ptr = bad_scanned_addr + sizeof(Addr); // Unaddressable, - skip it. 1106 #endif 1107 } 1108 while (ptr < end) { 1109 Addr addr; 1110 1111 // Skip invalid chunks. 1112 if (UNLIKELY((ptr % SM_SIZE) == 0)) { 1113 if (! MC_(is_within_valid_secondary)(ptr) ) { 1114 ptr = VG_ROUNDUP(ptr+1, SM_SIZE); 1115 continue; 1116 } 1117 } 1118 1119 // Look to see if this page seems reasonable. 1120 if (UNLIKELY((ptr % VKI_PAGE_SIZE) == 0)) { 1121 if (!VG_(am_is_valid_for_client)(ptr, sizeof(Addr), VKI_PROT_READ)) { 1122 ptr += VKI_PAGE_SIZE; // Bad page - skip it. 1123 continue; 1124 } 1125 } 1126 1127 if ( MC_(is_valid_aligned_word)(ptr) ) { 1128 lc_scanned_szB += sizeof(Addr); 1129 // If the below read fails, we will longjmp to the loop begin. 1130 addr = *(Addr *)ptr; 1131 // If we get here, the scanned word is in valid memory. Now 1132 // let's see if its contents point to a chunk. 1133 if (UNLIKELY(searched)) { 1134 if (addr >= searched && addr < searched + szB) { 1135 if (addr == searched) { 1136 VG_(umsg)("*%#lx points at %#lx\n", ptr, searched); 1137 MC_(pp_describe_addr) (ptr); 1138 } else { 1139 Int ch_no; 1140 MC_Chunk *ch; 1141 LC_Extra *ex; 1142 VG_(umsg)("*%#lx interior points at %lu bytes inside %#lx\n", 1143 ptr, (long unsigned) addr - searched, searched); 1144 MC_(pp_describe_addr) (ptr); 1145 if (lc_is_a_chunk_ptr(addr, &ch_no, &ch, &ex) ) { 1146 Int h; 1147 for (h = LchStdString; h < N_LEAK_CHECK_HEURISTICS; h++) { 1148 if (heuristic_reachedness(addr, ch, ex, H2S(h)) == h) { 1149 VG_(umsg)("block at %#lx considered reachable " 1150 "by ptr %#lx using %s heuristic\n", 1151 ch->data, addr, pp_heuristic(h)); 1152 } 1153 } 1154 // Verify the loop above has properly scanned all 1155 // heuristics. If the below fails, it probably means the 1156 // LeakCheckHeuristic enum is not in sync anymore with the 1157 // above loop and/or with N_LEAK_CHECK_HEURISTICS. 1158 tl_assert (h == N_LEAK_CHECK_HEURISTICS); 1159 } 1160 } 1161 } 1162 } else { 1163 lc_push_if_a_chunk_ptr(addr, clique, cur_clique, is_prior_definite); 1164 } 1165 } else if (0 && VG_DEBUG_LEAKCHECK) { 1166 VG_(printf)("%#lx not valid\n", ptr); 1167 } 1168 ptr += sizeof(Addr); 1169 } 1170 1171 VG_(set_fault_catcher)(prev_catcher); 1172 } 1173 1174 1175 // Process the mark stack until empty. 1176 static void lc_process_markstack(Int clique) 1177 { 1178 Int top = -1; // shut gcc up 1179 Bool is_prior_definite; 1180 1181 while (lc_pop(&top)) { 1182 tl_assert(top >= 0 && top < lc_n_chunks); 1183 1184 // See comment about 'is_prior_definite' at the top to understand this. 1185 is_prior_definite = ( Possible != lc_extras[top].state ); 1186 1187 lc_scan_memory(lc_chunks[top]->data, lc_chunks[top]->szB, 1188 is_prior_definite, clique, (clique == -1 ? -1 : top), 1189 /*searched*/ 0, 0); 1190 } 1191 } 1192 1193 static Word cmp_LossRecordKey_LossRecord(const void* key, const void* elem) 1194 { 1195 const LossRecordKey* a = key; 1196 const LossRecordKey* b = &(((const LossRecord*)elem)->key); 1197 1198 // Compare on states first because that's fast. 1199 if (a->state < b->state) return -1; 1200 if (a->state > b->state) return 1; 1201 // Ok, the states are equal. Now compare the locations, which is slower. 1202 if (VG_(eq_ExeContext)( 1203 MC_(clo_leak_resolution), a->allocated_at, b->allocated_at)) 1204 return 0; 1205 // Different locations. Ordering is arbitrary, just use the ec pointer. 1206 if (a->allocated_at < b->allocated_at) return -1; 1207 if (a->allocated_at > b->allocated_at) return 1; 1208 VG_(tool_panic)("bad LossRecord comparison"); 1209 } 1210 1211 static Int cmp_LossRecords(const void* va, const void* vb) 1212 { 1213 const LossRecord* lr_a = *(const LossRecord *const *)va; 1214 const LossRecord* lr_b = *(const LossRecord *const *)vb; 1215 SizeT total_szB_a = lr_a->szB + lr_a->indirect_szB; 1216 SizeT total_szB_b = lr_b->szB + lr_b->indirect_szB; 1217 1218 // First compare by sizes. 1219 if (total_szB_a < total_szB_b) return -1; 1220 if (total_szB_a > total_szB_b) return 1; 1221 // If size are equal, compare by states. 1222 if (lr_a->key.state < lr_b->key.state) return -1; 1223 if (lr_a->key.state > lr_b->key.state) return 1; 1224 // If they're still equal here, it doesn't matter that much, but we keep 1225 // comparing other things so that regtests are as deterministic as 1226 // possible. So: compare num_blocks. 1227 if (lr_a->num_blocks < lr_b->num_blocks) return -1; 1228 if (lr_a->num_blocks > lr_b->num_blocks) return 1; 1229 // Finally, compare ExeContext addresses... older ones are likely to have 1230 // lower addresses. 1231 if (lr_a->key.allocated_at < lr_b->key.allocated_at) return -1; 1232 if (lr_a->key.allocated_at > lr_b->key.allocated_at) return 1; 1233 return 0; 1234 } 1235 1236 // allocates or reallocates lr_array, and set its elements to the loss records 1237 // contains in lr_table. 1238 static UInt get_lr_array_from_lr_table(void) { 1239 UInt i, n_lossrecords; 1240 LossRecord* lr; 1241 1242 n_lossrecords = VG_(OSetGen_Size)(lr_table); 1243 1244 // (re-)create the array of pointers to the loss records. 1245 // lr_array is kept to allow producing the block list from gdbserver. 1246 if (lr_array != NULL) 1247 VG_(free)(lr_array); 1248 lr_array = VG_(malloc)("mc.pr.2", n_lossrecords * sizeof(LossRecord*)); 1249 i = 0; 1250 VG_(OSetGen_ResetIter)(lr_table); 1251 while ( (lr = VG_(OSetGen_Next)(lr_table)) ) { 1252 lr_array[i++] = lr; 1253 } 1254 tl_assert(i == n_lossrecords); 1255 return n_lossrecords; 1256 } 1257 1258 1259 static void get_printing_rules(LeakCheckParams* lcp, 1260 LossRecord* lr, 1261 Bool* count_as_error, 1262 Bool* print_record) 1263 { 1264 // Rules for printing: 1265 // - We don't show suppressed loss records ever (and that's controlled 1266 // within the error manager). 1267 // - We show non-suppressed loss records that are specified in 1268 // --show-leak-kinds=... if --leak-check=yes. 1269 1270 Bool delta_considered; 1271 1272 switch (lcp->deltamode) { 1273 case LCD_Any: 1274 delta_considered = lr->num_blocks > 0; 1275 break; 1276 case LCD_Increased: 1277 delta_considered 1278 = lr->szB > lr->old_szB 1279 || lr->indirect_szB > lr->old_indirect_szB 1280 || lr->num_blocks > lr->old_num_blocks; 1281 break; 1282 case LCD_Changed: 1283 delta_considered = lr->szB != lr->old_szB 1284 || lr->indirect_szB != lr->old_indirect_szB 1285 || lr->num_blocks != lr->old_num_blocks; 1286 break; 1287 default: 1288 tl_assert(0); 1289 } 1290 1291 *print_record = lcp->mode == LC_Full && delta_considered 1292 && RiS(lr->key.state,lcp->show_leak_kinds); 1293 // We don't count a leaks as errors with lcp->mode==LC_Summary. 1294 // Otherwise you can get high error counts with few or no error 1295 // messages, which can be confusing. Otherwise, we count as errors 1296 // the leak kinds requested by --errors-for-leak-kinds=... 1297 *count_as_error = lcp->mode == LC_Full && delta_considered 1298 && RiS(lr->key.state,lcp->errors_for_leak_kinds); 1299 } 1300 1301 static void print_results(ThreadId tid, LeakCheckParams* lcp) 1302 { 1303 Int i, n_lossrecords, start_lr_output_scan; 1304 LossRecord* lr; 1305 Bool is_suppressed; 1306 /* old_* variables are used to report delta in summary. */ 1307 SizeT old_bytes_leaked = MC_(bytes_leaked); 1308 SizeT old_bytes_indirect = MC_(bytes_indirect); 1309 SizeT old_bytes_dubious = MC_(bytes_dubious); 1310 SizeT old_bytes_reachable = MC_(bytes_reachable); 1311 SizeT old_bytes_suppressed = MC_(bytes_suppressed); 1312 SizeT old_blocks_leaked = MC_(blocks_leaked); 1313 SizeT old_blocks_indirect = MC_(blocks_indirect); 1314 SizeT old_blocks_dubious = MC_(blocks_dubious); 1315 SizeT old_blocks_reachable = MC_(blocks_reachable); 1316 SizeT old_blocks_suppressed = MC_(blocks_suppressed); 1317 1318 SizeT old_bytes_heuristically_reachable[N_LEAK_CHECK_HEURISTICS]; 1319 SizeT old_blocks_heuristically_reachable[N_LEAK_CHECK_HEURISTICS]; 1320 1321 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++) { 1322 old_bytes_heuristically_reachable[i] 1323 = MC_(bytes_heuristically_reachable)[i]; 1324 MC_(bytes_heuristically_reachable)[i] = 0; 1325 old_blocks_heuristically_reachable[i] 1326 = MC_(blocks_heuristically_reachable)[i]; 1327 MC_(blocks_heuristically_reachable)[i] = 0; 1328 } 1329 1330 if (lr_table == NULL) 1331 // Create the lr_table, which holds the loss records. 1332 // If the lr_table already exists, it means it contains 1333 // loss_records from the previous leak search. The old_* 1334 // values in these records are used to implement the 1335 // leak check delta mode 1336 lr_table = 1337 VG_(OSetGen_Create)(offsetof(LossRecord, key), 1338 cmp_LossRecordKey_LossRecord, 1339 VG_(malloc), "mc.pr.1", 1340 VG_(free)); 1341 1342 // If we have loss records from a previous search, reset values to have 1343 // proper printing of the deltas between previous search and this search. 1344 n_lossrecords = get_lr_array_from_lr_table(); 1345 for (i = 0; i < n_lossrecords; i++) { 1346 if (lr_array[i]->num_blocks == 0) { 1347 // remove from lr_table the old loss_records with 0 bytes found 1348 VG_(OSetGen_Remove) (lr_table, &lr_array[i]->key); 1349 VG_(OSetGen_FreeNode)(lr_table, lr_array[i]); 1350 } else { 1351 // move the leak sizes to old_* and zero the current sizes 1352 // for next leak search 1353 lr_array[i]->old_szB = lr_array[i]->szB; 1354 lr_array[i]->old_indirect_szB = lr_array[i]->indirect_szB; 1355 lr_array[i]->old_num_blocks = lr_array[i]->num_blocks; 1356 lr_array[i]->szB = 0; 1357 lr_array[i]->indirect_szB = 0; 1358 lr_array[i]->num_blocks = 0; 1359 } 1360 } 1361 // lr_array now contains "invalid" loss records => free it. 1362 // lr_array will be re-created below with the kept and new loss records. 1363 VG_(free) (lr_array); 1364 lr_array = NULL; 1365 1366 // Convert the chunks into loss records, merging them where appropriate. 1367 for (i = 0; i < lc_n_chunks; i++) { 1368 MC_Chunk* ch = lc_chunks[i]; 1369 LC_Extra* ex = &(lc_extras)[i]; 1370 LossRecord* old_lr; 1371 LossRecordKey lrkey; 1372 lrkey.state = ex->state; 1373 lrkey.allocated_at = MC_(allocated_at)(ch); 1374 1375 if (ex->heuristic) { 1376 MC_(bytes_heuristically_reachable)[ex->heuristic] += ch->szB; 1377 MC_(blocks_heuristically_reachable)[ex->heuristic]++; 1378 if (VG_DEBUG_LEAKCHECK) 1379 VG_(printf)("heuristic %s %#lx len %lu\n", 1380 pp_heuristic(ex->heuristic), 1381 ch->data, (SizeT)ch->szB); 1382 } 1383 1384 old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey); 1385 if (old_lr) { 1386 // We found an existing loss record matching this chunk. Update the 1387 // loss record's details in-situ. This is safe because we don't 1388 // change the elements used as the OSet key. 1389 old_lr->szB += ch->szB; 1390 if (ex->state == Unreached) 1391 old_lr->indirect_szB += ex->IorC.indirect_szB; 1392 old_lr->num_blocks++; 1393 } else { 1394 // No existing loss record matches this chunk. Create a new loss 1395 // record, initialise it from the chunk, and insert it into lr_table. 1396 lr = VG_(OSetGen_AllocNode)(lr_table, sizeof(LossRecord)); 1397 lr->key = lrkey; 1398 lr->szB = ch->szB; 1399 if (ex->state == Unreached) 1400 lr->indirect_szB = ex->IorC.indirect_szB; 1401 else 1402 lr->indirect_szB = 0; 1403 lr->num_blocks = 1; 1404 lr->old_szB = 0; 1405 lr->old_indirect_szB = 0; 1406 lr->old_num_blocks = 0; 1407 VG_(OSetGen_Insert)(lr_table, lr); 1408 } 1409 } 1410 1411 // (re-)create the array of pointers to the (new) loss records. 1412 n_lossrecords = get_lr_array_from_lr_table (); 1413 tl_assert(VG_(OSetGen_Size)(lr_table) == n_lossrecords); 1414 1415 // Sort the array by loss record sizes. 1416 VG_(ssort)(lr_array, n_lossrecords, sizeof(LossRecord*), 1417 cmp_LossRecords); 1418 1419 // Zero totals. 1420 MC_(blocks_leaked) = MC_(bytes_leaked) = 0; 1421 MC_(blocks_indirect) = MC_(bytes_indirect) = 0; 1422 MC_(blocks_dubious) = MC_(bytes_dubious) = 0; 1423 MC_(blocks_reachable) = MC_(bytes_reachable) = 0; 1424 MC_(blocks_suppressed) = MC_(bytes_suppressed) = 0; 1425 1426 // If there is a maximum nr of loss records we can output, then first 1427 // compute from where the output scan has to start. 1428 // By default, start from the first loss record. Compute a higher 1429 // value if there is a maximum to respect. We need to print the last 1430 // records, as the one with the biggest sizes are more interesting. 1431 start_lr_output_scan = 0; 1432 if (lcp->mode == LC_Full && lcp->max_loss_records_output < n_lossrecords) { 1433 Int nr_printable_records = 0; 1434 for (i = n_lossrecords - 1; i >= 0 && start_lr_output_scan == 0; i--) { 1435 Bool count_as_error, print_record; 1436 lr = lr_array[i]; 1437 get_printing_rules (lcp, lr, &count_as_error, &print_record); 1438 // Do not use get_printing_rules results for is_suppressed, as we 1439 // only want to check if the record would be suppressed. 1440 is_suppressed = 1441 MC_(record_leak_error) ( tid, i+1, n_lossrecords, lr, 1442 False /* print_record */, 1443 False /* count_as_error */); 1444 if (print_record && !is_suppressed) { 1445 nr_printable_records++; 1446 if (nr_printable_records == lcp->max_loss_records_output) 1447 start_lr_output_scan = i; 1448 } 1449 } 1450 } 1451 1452 // Print the loss records (in size order) and collect summary stats. 1453 for (i = start_lr_output_scan; i < n_lossrecords; i++) { 1454 Bool count_as_error, print_record; 1455 lr = lr_array[i]; 1456 get_printing_rules(lcp, lr, &count_as_error, &print_record); 1457 is_suppressed = 1458 MC_(record_leak_error) ( tid, i+1, n_lossrecords, lr, print_record, 1459 count_as_error ); 1460 1461 if (is_suppressed) { 1462 MC_(blocks_suppressed) += lr->num_blocks; 1463 MC_(bytes_suppressed) += lr->szB; 1464 1465 } else if (Unreached == lr->key.state) { 1466 MC_(blocks_leaked) += lr->num_blocks; 1467 MC_(bytes_leaked) += lr->szB; 1468 1469 } else if (IndirectLeak == lr->key.state) { 1470 MC_(blocks_indirect) += lr->num_blocks; 1471 MC_(bytes_indirect) += lr->szB; 1472 1473 } else if (Possible == lr->key.state) { 1474 MC_(blocks_dubious) += lr->num_blocks; 1475 MC_(bytes_dubious) += lr->szB; 1476 1477 } else if (Reachable == lr->key.state) { 1478 MC_(blocks_reachable) += lr->num_blocks; 1479 MC_(bytes_reachable) += lr->szB; 1480 1481 } else { 1482 VG_(tool_panic)("unknown loss mode"); 1483 } 1484 } 1485 1486 if (VG_(clo_verbosity) > 0 && !VG_(clo_xml)) { 1487 HChar d_bytes[31]; 1488 HChar d_blocks[31]; 1489 # define DBY(new,old) \ 1490 MC_(snprintf_delta) (d_bytes, sizeof(d_bytes), (new), (old), \ 1491 lcp->deltamode) 1492 # define DBL(new,old) \ 1493 MC_(snprintf_delta) (d_blocks, sizeof(d_blocks), (new), (old), \ 1494 lcp->deltamode) 1495 1496 VG_(umsg)("LEAK SUMMARY:\n"); 1497 VG_(umsg)(" definitely lost: %'lu%s bytes in %'lu%s blocks\n", 1498 MC_(bytes_leaked), 1499 DBY (MC_(bytes_leaked), old_bytes_leaked), 1500 MC_(blocks_leaked), 1501 DBL (MC_(blocks_leaked), old_blocks_leaked)); 1502 VG_(umsg)(" indirectly lost: %'lu%s bytes in %'lu%s blocks\n", 1503 MC_(bytes_indirect), 1504 DBY (MC_(bytes_indirect), old_bytes_indirect), 1505 MC_(blocks_indirect), 1506 DBL (MC_(blocks_indirect), old_blocks_indirect)); 1507 VG_(umsg)(" possibly lost: %'lu%s bytes in %'lu%s blocks\n", 1508 MC_(bytes_dubious), 1509 DBY (MC_(bytes_dubious), old_bytes_dubious), 1510 MC_(blocks_dubious), 1511 DBL (MC_(blocks_dubious), old_blocks_dubious)); 1512 VG_(umsg)(" still reachable: %'lu%s bytes in %'lu%s blocks\n", 1513 MC_(bytes_reachable), 1514 DBY (MC_(bytes_reachable), old_bytes_reachable), 1515 MC_(blocks_reachable), 1516 DBL (MC_(blocks_reachable), old_blocks_reachable)); 1517 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++) 1518 if (old_blocks_heuristically_reachable[i] > 0 1519 || MC_(blocks_heuristically_reachable)[i] > 0) { 1520 VG_(umsg)(" of which " 1521 "reachable via heuristic:\n"); 1522 break; 1523 } 1524 for (i = 0; i < N_LEAK_CHECK_HEURISTICS; i++) 1525 if (old_blocks_heuristically_reachable[i] > 0 1526 || MC_(blocks_heuristically_reachable)[i] > 0) 1527 VG_(umsg)(" %-19s: " 1528 "%'lu%s bytes in %'lu%s blocks\n", 1529 pp_heuristic(i), 1530 MC_(bytes_heuristically_reachable)[i], 1531 DBY (MC_(bytes_heuristically_reachable)[i], 1532 old_bytes_heuristically_reachable[i]), 1533 MC_(blocks_heuristically_reachable)[i], 1534 DBL (MC_(blocks_heuristically_reachable)[i], 1535 old_blocks_heuristically_reachable[i])); 1536 VG_(umsg)(" suppressed: %'lu%s bytes in %'lu%s blocks\n", 1537 MC_(bytes_suppressed), 1538 DBY (MC_(bytes_suppressed), old_bytes_suppressed), 1539 MC_(blocks_suppressed), 1540 DBL (MC_(blocks_suppressed), old_blocks_suppressed)); 1541 if (lcp->mode != LC_Full && 1542 (MC_(blocks_leaked) + MC_(blocks_indirect) + 1543 MC_(blocks_dubious) + MC_(blocks_reachable)) > 0) { 1544 if (lcp->requested_by_monitor_command) 1545 VG_(umsg)("To see details of leaked memory, " 1546 "give 'full' arg to leak_check\n"); 1547 else 1548 VG_(umsg)("Rerun with --leak-check=full to see details " 1549 "of leaked memory\n"); 1550 } 1551 if (lcp->mode == LC_Full && 1552 MC_(blocks_reachable) > 0 && !RiS(Reachable,lcp->show_leak_kinds)) { 1553 VG_(umsg)("Reachable blocks (those to which a pointer " 1554 "was found) are not shown.\n"); 1555 if (lcp->requested_by_monitor_command) 1556 VG_(umsg)("To see them, add 'reachable any' args to leak_check\n"); 1557 else 1558 VG_(umsg)("To see them, rerun with: --leak-check=full " 1559 "--show-leak-kinds=all\n"); 1560 } 1561 VG_(umsg)("\n"); 1562 #undef DBL 1563 #undef DBY 1564 } 1565 } 1566 1567 // print recursively all indirectly leaked blocks collected in clique. 1568 // Printing stops when *remaining reaches 0. 1569 static void print_clique (Int clique, UInt level, UInt *remaining) 1570 { 1571 Int ind; 1572 UInt i, n_lossrecords; 1573 1574 n_lossrecords = VG_(OSetGen_Size)(lr_table); 1575 1576 for (ind = 0; ind < lc_n_chunks && *remaining > 0; ind++) { 1577 LC_Extra* ind_ex = &(lc_extras)[ind]; 1578 if (ind_ex->state == IndirectLeak 1579 && ind_ex->IorC.clique == (SizeT) clique) { 1580 MC_Chunk* ind_ch = lc_chunks[ind]; 1581 LossRecord* ind_lr; 1582 LossRecordKey ind_lrkey; 1583 UInt lr_i; 1584 ind_lrkey.state = ind_ex->state; 1585 ind_lrkey.allocated_at = MC_(allocated_at)(ind_ch); 1586 ind_lr = VG_(OSetGen_Lookup)(lr_table, &ind_lrkey); 1587 for (lr_i = 0; lr_i < n_lossrecords; lr_i++) 1588 if (ind_lr == lr_array[lr_i]) 1589 break; 1590 for (i = 0; i < level; i++) 1591 VG_(umsg)(" "); 1592 VG_(umsg)("%p[%lu] indirect loss record %u\n", 1593 (void *)ind_ch->data, (SizeT)ind_ch->szB, 1594 lr_i+1); // lr_i+1 for user numbering. 1595 (*remaining)--; 1596 if (lr_i >= n_lossrecords) 1597 VG_(umsg) 1598 ("error: no indirect loss record found for %p[%lu]?????\n", 1599 (void *)ind_ch->data, (SizeT)ind_ch->szB); 1600 print_clique(ind, level+1, remaining); 1601 } 1602 } 1603 } 1604 1605 Bool MC_(print_block_list) ( UInt loss_record_nr_from, 1606 UInt loss_record_nr_to, 1607 UInt max_blocks, 1608 UInt heuristics) 1609 { 1610 UInt loss_record_nr; 1611 UInt i, n_lossrecords; 1612 LossRecord* lr; 1613 Bool lr_printed; 1614 UInt remaining = max_blocks; 1615 1616 if (lr_table == NULL || lc_chunks == NULL || lc_extras == NULL) { 1617 VG_(umsg)("Can't print block list : no valid leak search result\n"); 1618 return False; 1619 } 1620 1621 if (lc_chunks_n_frees_marker != MC_(get_cmalloc_n_frees)()) { 1622 VG_(umsg)("Can't print obsolete block list : redo a leak search first\n"); 1623 return False; 1624 } 1625 1626 n_lossrecords = VG_(OSetGen_Size)(lr_table); 1627 if (loss_record_nr_from >= n_lossrecords) 1628 return False; // Invalid starting loss record nr. 1629 1630 if (loss_record_nr_to >= n_lossrecords) 1631 loss_record_nr_to = n_lossrecords - 1; 1632 1633 tl_assert (lr_array); 1634 1635 for (loss_record_nr = loss_record_nr_from; 1636 loss_record_nr <= loss_record_nr_to && remaining > 0; 1637 loss_record_nr++) { 1638 lr = lr_array[loss_record_nr]; 1639 lr_printed = False; 1640 1641 /* If user asks to print a specific loss record, we print 1642 the block details, even if no block will be shown for this lr. 1643 If user asks to print a range of lr, we only print lr details 1644 when at least one block is shown. */ 1645 if (loss_record_nr_from == loss_record_nr_to) { 1646 /* (+1 on loss_record_nr as user numbering for loss records 1647 starts at 1). */ 1648 MC_(pp_LossRecord)(loss_record_nr+1, n_lossrecords, lr); 1649 lr_printed = True; 1650 } 1651 1652 // Match the chunks with loss records. 1653 for (i = 0; i < lc_n_chunks && remaining > 0; i++) { 1654 MC_Chunk* ch = lc_chunks[i]; 1655 LC_Extra* ex = &(lc_extras)[i]; 1656 LossRecord* old_lr; 1657 LossRecordKey lrkey; 1658 lrkey.state = ex->state; 1659 lrkey.allocated_at = MC_(allocated_at)(ch); 1660 1661 old_lr = VG_(OSetGen_Lookup)(lr_table, &lrkey); 1662 if (old_lr) { 1663 // We found an existing loss record matching this chunk. 1664 // If this is the loss record we are looking for, output the 1665 // pointer. 1666 if (old_lr == lr_array[loss_record_nr] 1667 && (heuristics == 0 || HiS(ex->heuristic, heuristics))) { 1668 if (!lr_printed) { 1669 MC_(pp_LossRecord)(loss_record_nr+1, n_lossrecords, lr); 1670 lr_printed = True; 1671 } 1672 1673 if (ex->heuristic) 1674 VG_(umsg)("%p[%lu] (found via heuristic %s)\n", 1675 (void *)ch->data, (SizeT)ch->szB, 1676 pp_heuristic (ex->heuristic)); 1677 else 1678 VG_(umsg)("%p[%lu]\n", 1679 (void *)ch->data, (SizeT)ch->szB); 1680 remaining--; 1681 if (ex->state != Reachable) { 1682 // We can print the clique in all states, except Reachable. 1683 // In Unreached state, lc_chunk[i] is the clique leader. 1684 // In IndirectLeak, lc_chunk[i] might have been a clique 1685 // leader which was later collected in another clique. 1686 // For Possible, lc_chunk[i] might be the top of a clique 1687 // or an intermediate clique. 1688 print_clique(i, 1, &remaining); 1689 } 1690 } 1691 } else { 1692 // No existing loss record matches this chunk ??? 1693 VG_(umsg)("error: no loss record found for %p[%lu]?????\n", 1694 (void *)ch->data, (SizeT)ch->szB); 1695 } 1696 } 1697 } 1698 return True; 1699 } 1700 1701 // If searched = 0, scan memory root set, pushing onto the mark stack the blocks 1702 // encountered. 1703 // Otherwise (searched != 0), scan the memory root set searching for ptr 1704 // pointing inside [searched, searched+szB[. 1705 static void scan_memory_root_set(Addr searched, SizeT szB) 1706 { 1707 Int i; 1708 Int n_seg_starts; 1709 Addr* seg_starts = VG_(get_segment_starts)( SkFileC | SkAnonC | SkShmC, 1710 &n_seg_starts ); 1711 1712 tl_assert(seg_starts && n_seg_starts > 0); 1713 1714 lc_scanned_szB = 0; 1715 lc_sig_skipped_szB = 0; 1716 1717 // VG_(am_show_nsegments)( 0, "leakcheck"); 1718 for (i = 0; i < n_seg_starts; i++) { 1719 SizeT seg_size; 1720 NSegment const* seg = VG_(am_find_nsegment)( seg_starts[i] ); 1721 tl_assert(seg); 1722 tl_assert(seg->kind == SkFileC || seg->kind == SkAnonC || 1723 seg->kind == SkShmC); 1724 1725 if (!(seg->hasR && seg->hasW)) continue; 1726 if (seg->isCH) continue; 1727 1728 // Don't poke around in device segments as this may cause 1729 // hangs. Include /dev/zero just in case someone allocated 1730 // memory by explicitly mapping /dev/zero. 1731 if (seg->kind == SkFileC 1732 && (VKI_S_ISCHR(seg->mode) || VKI_S_ISBLK(seg->mode))) { 1733 const HChar* dev_name = VG_(am_get_filename)( seg ); 1734 if (dev_name && 0 == VG_(strcmp)(dev_name, "/dev/zero")) { 1735 // Don't skip /dev/zero. 1736 } else { 1737 // Skip this device mapping. 1738 continue; 1739 } 1740 } 1741 1742 if (0) 1743 VG_(printf)("ACCEPT %2d %#lx %#lx\n", i, seg->start, seg->end); 1744 1745 // Scan the segment. We use -1 for the clique number, because this 1746 // is a root-set. 1747 seg_size = seg->end - seg->start + 1; 1748 if (VG_(clo_verbosity) > 2) { 1749 VG_(message)(Vg_DebugMsg, 1750 " Scanning root segment: %#lx..%#lx (%lu)\n", 1751 seg->start, seg->end, seg_size); 1752 } 1753 lc_scan_memory(seg->start, seg_size, /*is_prior_definite*/True, 1754 /*clique*/-1, /*cur_clique*/-1, 1755 searched, szB); 1756 } 1757 VG_(free)(seg_starts); 1758 } 1759 1760 /*------------------------------------------------------------*/ 1761 /*--- Top-level entry point. ---*/ 1762 /*------------------------------------------------------------*/ 1763 1764 void MC_(detect_memory_leaks) ( ThreadId tid, LeakCheckParams* lcp) 1765 { 1766 Int i, j; 1767 1768 tl_assert(lcp->mode != LC_Off); 1769 1770 // Verify some assertions which are used in lc_scan_memory. 1771 tl_assert((VKI_PAGE_SIZE % sizeof(Addr)) == 0); 1772 tl_assert((SM_SIZE % sizeof(Addr)) == 0); 1773 // Above two assertions are critical, while below assertion 1774 // ensures that the optimisation in the loop is done in the 1775 // correct order : the loop checks for (big) SM chunk skipping 1776 // before checking for (smaller) page skipping. 1777 tl_assert((SM_SIZE % VKI_PAGE_SIZE) == 0); 1778 1779 MC_(leak_search_gen)++; 1780 MC_(detect_memory_leaks_last_delta_mode) = lcp->deltamode; 1781 detect_memory_leaks_last_heuristics = lcp->heuristics; 1782 1783 // Get the chunks, stop if there were none. 1784 if (lc_chunks) { 1785 VG_(free)(lc_chunks); 1786 lc_chunks = NULL; 1787 } 1788 lc_chunks = find_active_chunks(&lc_n_chunks); 1789 lc_chunks_n_frees_marker = MC_(get_cmalloc_n_frees)(); 1790 if (lc_n_chunks == 0) { 1791 tl_assert(lc_chunks == NULL); 1792 if (lr_table != NULL) { 1793 // forget the previous recorded LossRecords as next leak search 1794 // can in any case just create new leaks. 1795 // Maybe it would be better to rather call print_result ? 1796 // (at least when leak decreases are requested) 1797 // This will then output all LossRecords with a size decreasing to 0 1798 VG_(OSetGen_Destroy) (lr_table); 1799 lr_table = NULL; 1800 } 1801 if (VG_(clo_verbosity) >= 1 && !VG_(clo_xml)) { 1802 VG_(umsg)("All heap blocks were freed -- no leaks are possible\n"); 1803 VG_(umsg)("\n"); 1804 } 1805 return; 1806 } 1807 1808 // Sort the array so blocks are in ascending order in memory. 1809 VG_(ssort)(lc_chunks, lc_n_chunks, sizeof(VgHashNode*), compare_MC_Chunks); 1810 1811 // Sanity check -- make sure they're in order. 1812 for (i = 0; i < lc_n_chunks-1; i++) { 1813 tl_assert( lc_chunks[i]->data <= lc_chunks[i+1]->data); 1814 } 1815 1816 // Sanity check -- make sure they don't overlap. The one exception is that 1817 // we allow a MALLOCLIKE block to sit entirely within a malloc() block. 1818 // This is for bug 100628. If this occurs, we ignore the malloc() block 1819 // for leak-checking purposes. This is a hack and probably should be done 1820 // better, but at least it's consistent with mempools (which are treated 1821 // like this in find_active_chunks). Mempools have a separate VgHashTable 1822 // for mempool chunks, but if custom-allocated blocks are put in a separate 1823 // table from normal heap blocks it makes free-mismatch checking more 1824 // difficult. 1825 // 1826 // If this check fails, it probably means that the application 1827 // has done something stupid with VALGRIND_MALLOCLIKE_BLOCK client 1828 // requests, eg. has made overlapping requests (which are 1829 // nonsensical), or used VALGRIND_MALLOCLIKE_BLOCK for stack locations; 1830 // again nonsensical. 1831 // 1832 for (i = 0; i < lc_n_chunks-1; i++) { 1833 MC_Chunk* ch1 = lc_chunks[i]; 1834 MC_Chunk* ch2 = lc_chunks[i+1]; 1835 1836 Addr start1 = ch1->data; 1837 Addr start2 = ch2->data; 1838 Addr end1 = ch1->data + ch1->szB - 1; 1839 Addr end2 = ch2->data + ch2->szB - 1; 1840 Bool isCustom1 = ch1->allockind == MC_AllocCustom; 1841 Bool isCustom2 = ch2->allockind == MC_AllocCustom; 1842 1843 if (end1 < start2) { 1844 // Normal case - no overlap. 1845 1846 // We used to allow exact duplicates, I'm not sure why. --njn 1847 //} else if (start1 == start2 && end1 == end2) { 1848 // Degenerate case: exact duplicates. 1849 1850 } else if (start1 >= start2 && end1 <= end2 && isCustom1 && !isCustom2) { 1851 // Block i is MALLOCLIKE and entirely within block i+1. 1852 // Remove block i+1. 1853 for (j = i+1; j < lc_n_chunks-1; j++) { 1854 lc_chunks[j] = lc_chunks[j+1]; 1855 } 1856 lc_n_chunks--; 1857 1858 } else if (start2 >= start1 && end2 <= end1 && isCustom2 && !isCustom1) { 1859 // Block i+1 is MALLOCLIKE and entirely within block i. 1860 // Remove block i. 1861 for (j = i; j < lc_n_chunks-1; j++) { 1862 lc_chunks[j] = lc_chunks[j+1]; 1863 } 1864 lc_n_chunks--; 1865 1866 } else { 1867 VG_(umsg)("Block 0x%lx..0x%lx overlaps with block 0x%lx..0x%lx\n", 1868 start1, end1, start2, end2); 1869 VG_(umsg)("Blocks allocation contexts:\n"), 1870 VG_(pp_ExeContext)( MC_(allocated_at)(ch1)); 1871 VG_(umsg)("\n"), 1872 VG_(pp_ExeContext)( MC_(allocated_at)(ch2)); 1873 VG_(umsg)("This is usually caused by using VALGRIND_MALLOCLIKE_BLOCK"); 1874 VG_(umsg)("in an inappropriate way.\n"); 1875 tl_assert (0); 1876 } 1877 } 1878 1879 // Initialise lc_extras. 1880 if (lc_extras) { 1881 VG_(free)(lc_extras); 1882 lc_extras = NULL; 1883 } 1884 lc_extras = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(LC_Extra) ); 1885 for (i = 0; i < lc_n_chunks; i++) { 1886 lc_extras[i].state = Unreached; 1887 lc_extras[i].pending = False; 1888 lc_extras[i].heuristic = LchNone; 1889 lc_extras[i].IorC.indirect_szB = 0; 1890 } 1891 1892 // Initialise lc_markstack. 1893 lc_markstack = VG_(malloc)( "mc.dml.2", lc_n_chunks * sizeof(Int) ); 1894 for (i = 0; i < lc_n_chunks; i++) { 1895 lc_markstack[i] = -1; 1896 } 1897 lc_markstack_top = -1; 1898 1899 // Verbosity. 1900 if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) { 1901 VG_(umsg)( "Searching for pointers to %'d not-freed blocks\n", 1902 lc_n_chunks ); 1903 } 1904 1905 // Scan the memory root-set, pushing onto the mark stack any blocks 1906 // pointed to. 1907 scan_memory_root_set(/*searched*/0, 0); 1908 1909 // Scan GP registers for chunk pointers. 1910 VG_(apply_to_GP_regs)(lc_push_if_a_chunk_ptr_register); 1911 1912 // Process the pushed blocks. After this, every block that is reachable 1913 // from the root-set has been traced. 1914 lc_process_markstack(/*clique*/-1); 1915 1916 if (VG_(clo_verbosity) > 1 && !VG_(clo_xml)) { 1917 VG_(umsg)("Checked %'lu bytes\n", lc_scanned_szB); 1918 if (lc_sig_skipped_szB > 0) 1919 VG_(umsg)("Skipped %'lu bytes due to read errors\n", 1920 lc_sig_skipped_szB); 1921 VG_(umsg)( "\n" ); 1922 } 1923 1924 // Trace all the leaked blocks to determine which are directly leaked and 1925 // which are indirectly leaked. For each Unreached block, push it onto 1926 // the mark stack, and find all the as-yet-Unreached blocks reachable 1927 // from it. These form a clique and are marked IndirectLeak, and their 1928 // size is added to the clique leader's indirect size. If one of the 1929 // found blocks was itself a clique leader (from a previous clique), then 1930 // the cliques are merged. 1931 for (i = 0; i < lc_n_chunks; i++) { 1932 MC_Chunk* ch = lc_chunks[i]; 1933 LC_Extra* ex = &(lc_extras[i]); 1934 1935 if (VG_DEBUG_CLIQUE) 1936 VG_(printf)("cliques: %d at %#lx -> Loss state %d\n", 1937 i, ch->data, ex->state); 1938 1939 tl_assert(lc_markstack_top == -1); 1940 1941 if (ex->state == Unreached) { 1942 if (VG_DEBUG_CLIQUE) 1943 VG_(printf)("%d: gathering clique %#lx\n", i, ch->data); 1944 1945 // Push this Unreached block onto the stack and process it. 1946 lc_push(i, ch); 1947 lc_process_markstack(/*clique*/i); 1948 1949 tl_assert(lc_markstack_top == -1); 1950 tl_assert(ex->state == Unreached); 1951 } 1952 } 1953 1954 print_results( tid, lcp); 1955 1956 VG_(free) ( lc_markstack ); 1957 lc_markstack = NULL; 1958 // lc_chunks, lc_extras, lr_array and lr_table are kept (needed if user 1959 // calls MC_(print_block_list)). lr_table also used for delta leak reporting 1960 // between this leak search and the next leak search. 1961 } 1962 1963 static Addr searched_wpa; 1964 static SizeT searched_szB; 1965 static void 1966 search_address_in_GP_reg(ThreadId tid, const HChar* regname, Addr addr_in_reg) 1967 { 1968 if (addr_in_reg >= searched_wpa 1969 && addr_in_reg < searched_wpa + searched_szB) { 1970 if (addr_in_reg == searched_wpa) 1971 VG_(umsg) 1972 ("tid %u register %s pointing at %#lx\n", 1973 tid, regname, searched_wpa); 1974 else 1975 VG_(umsg) 1976 ("tid %u register %s interior pointing %lu bytes inside %#lx\n", 1977 tid, regname, (long unsigned) addr_in_reg - searched_wpa, 1978 searched_wpa); 1979 } 1980 } 1981 1982 void MC_(who_points_at) ( Addr address, SizeT szB) 1983 { 1984 MC_Chunk** chunks; 1985 Int n_chunks; 1986 Int i; 1987 1988 if (szB == 1) 1989 VG_(umsg) ("Searching for pointers to %#lx\n", address); 1990 else 1991 VG_(umsg) ("Searching for pointers pointing in %lu bytes from %#lx\n", 1992 szB, address); 1993 1994 chunks = find_active_chunks(&n_chunks); 1995 1996 // Scan memory root-set, searching for ptr pointing in address[szB] 1997 scan_memory_root_set(address, szB); 1998 1999 // Scan active malloc-ed chunks 2000 for (i = 0; i < n_chunks; i++) { 2001 lc_scan_memory(chunks[i]->data, chunks[i]->szB, 2002 /*is_prior_definite*/True, 2003 /*clique*/-1, /*cur_clique*/-1, 2004 address, szB); 2005 } 2006 VG_(free) ( chunks ); 2007 2008 // Scan GP registers for pointers to address range. 2009 searched_wpa = address; 2010 searched_szB = szB; 2011 VG_(apply_to_GP_regs)(search_address_in_GP_reg); 2012 2013 } 2014 2015 /*--------------------------------------------------------------------*/ 2016 /*--- end ---*/ 2017 /*--------------------------------------------------------------------*/ 2018 2019
