Home | History | Annotate | Download | only in malloc_debug 
      1 Malloc Debug
      2 ============
      3 
      4 Malloc debug is a method of debugging native memory problems. It can help
      5 detect memory corruption, memory leaks, and use after free issues.
      6 
      7 This documentation describes how to enable this feature on versions of
      8 the Android OS, Marshmallow or older. Note: malloc debug was full of bugs
      9 and was not fully functional until KitKat, so using it on a version older
     10 than that is not guaranteed to work at all.
     11 
     12 The documentation for malloc debug on newer versions of Android is
     13 [here](README.md).
     14 
     15 On these old versions of the OS, you must be able to set system properties
     16 using the setprop command from the shell. This requires the ability to
     17 run as root on the device.
     18 
     19 When malloc debug is enabled, it works by adding a shim layer that replaces
     20 the normal allocation calls. The replaced calls are:
     21 
     22 * `malloc`
     23 * `free`
     24 * `calloc`
     25 * `realloc`
     26 * `posix_memalign`
     27 * `memalign`
     28 * `malloc_usable_size`
     29 
     30 On 32 bit systems, these two deprecated functions are also replaced:
     31 
     32 * `pvalloc`
     33 * `valloc`
     34 
     35 Any errors detected by the library are reported in the log.
     36 
     37 Controlling Malloc Debug Behavior
     38 ---------------------------------
     39 Malloc debug is controlled by a system property that takes a numeric value
     40 named libc.debug.malloc. It has only a few distinct modes that enables a
     41 set of different malloc debug checks at once.
     42 
     43 Value 1
     44 --------
     45 When enabled, this value creates a special header to all allocations
     46 that contains information about the allocation.
     47 
     48 ### Backtrace at Allocation Creation
     49 Enable capturing the backtrace of each allocation site. Only the
     50 first 16 frames of the backtrace will be captured.
     51 This option will slow down allocations by an order of magnitude, and
     52 might cause timeouts when trying to start a device.
     53 
     54 ### Track Live Allocations
     55 All of the currently live allocations will be tracked and can be retrieved
     56 by a call to get\_malloc\_leak\_info (see README\_api.md for details).
     57 
     58 Note: If multiple allocations have the same exact backtrace, then only one
     59 entry is returned in the list.
     60 
     61 Value 5
     62 -------
     63 When enabled, this value does not create a special header. It only modifies
     64 the content of allocations.
     65 
     66 Whenever an allocation is created, initialize the data with a known
     67 pattern (0xeb). This does not happen for the calloc calls.
     68 Whenever an allocation is freed, write a known pattern over the data (0xef).
     69 
     70 Value 10
     71 --------
     72 When enabled, this value creates a special header to all allocations
     73 that contains information about the allocation.
     74 
     75 This value enables everything enabled with value 1 plus these other options.
     76 
     77 ### Allocation Guards
     78 A 32 byte buffer is placed before the returned allocation (known as
     79 a front guard). This buffer is filled with the pattern (0xaa). In addition,
     80 a 32 byte buffer is placed after the data for the returned allocation (known
     81 as a rear guard). This buffer is filled with the pattern (0xbb).
     82 
     83 When the allocation is freed, both of these guards are verified to contain
     84 the expected patterns. If not, then an error message is printed to the log.
     85 
     86 ### Free Memory Tracking
     87 When a pointer is freed, do not free the memory right away, but add it to
     88 a list of freed allocations. In addition to being added to the list, the
     89 entire allocation is filled with the value 0xef, and the backtrace at
     90 the time of the free is recorded. As with the backtrace on allocation,
     91 only up to 16 frames will be recorded.
     92 
     93 When the list of freed allocations reaches 100, the oldest allocation
     94 on the list is removed and verified that it still contains the pattern 0xef.
     95 If the entire allocation is not filled with this value, an error is printed
     96 to the log.
     97 
     98 ### Log Leaks
     99 When the program completes, all of the allocations that are still live
    100 are printed to the log as leaks. This isn't very useful since it tends
    101 to display a lot of false positive because many programs do not free
    102 everything before terminating.
    103 
    104 Option 20
    105 ---------
    106 Do not use this option value, it only works on the emulator. It has not
    107 been verified, so it may or may not work.
    108 
    109 Enable on Certain Processes
    110 ---------------------------
    111 Using the special system property, libc.debug.malloc.program, will
    112 cause malloc debug to only be used on processes with that name. For example,
    113 if the property is set to ls, then only the program named ls will have malloc
    114 debug enabled.
    115 
    116 Examples
    117 ========
    118 Enable malloc debug for all allocations for all processes:
    119 
    120     adb shell stop
    121     adb shell setprop libc.debug.malloc 1
    122     adb shell start
    123 
    124 Enable malloc debug for a particular process:
    125 
    126     adb shell setprop libc.debug.malloc.program ls
    127     adb shell setprop libc.debug.malloc 10
    128     adb shell ls /data/local/tmp
    129