1 /* Copyright (c) 2003, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
8 * \brief Wrappers for C malloc code, and replacements for items that
17 #include "lib/testsupport/testsupport.h"
18 #define UTIL_MALLOC_PRIVATE
19 #include "lib/malloc/malloc.h"
20 #include "lib/cc/torint.h"
21 #include "lib/err/torerr.h"
23 #ifdef __clang_analyzer__
24 #undef MALLOC_ZERO_WORKS
27 /** Allocate a chunk of <b>size</b> bytes of memory, and return a pointer to
28 * result. On error, log and terminate the process. (Same as malloc(size),
29 * but never returns NULL.)
32 tor_malloc_(size_t size
)
36 raw_assert(size
< SIZE_T_CEILING
);
38 #ifndef MALLOC_ZERO_WORKS
39 /* Some libc mallocs don't work when size==0. Override them. */
43 #endif /* !defined(MALLOC_ZERO_WORKS) */
45 result
= raw_malloc(size
);
47 if (PREDICT_UNLIKELY(result
== NULL
)) {
49 /* If these functions die within a worker process, they won't call
50 * spawn_exit, but that's ok, since the parent will run out of memory soon
52 raw_assert_unreached_msg("Out of memory on malloc(). Dying.");
58 /** Allocate a chunk of <b>size</b> bytes of memory, fill the memory with
59 * zero bytes, and return a pointer to the result. Log and terminate
60 * the process on error. (Same as calloc(size,1), but never returns NULL.)
63 tor_malloc_zero_(size_t size
)
65 /* You may ask yourself, "wouldn't it be smart to use calloc instead of
66 * malloc+memset? Perhaps libc's calloc knows some nifty optimization trick
67 * we don't!" Indeed it does, but its optimizations are only a big win when
68 * we're allocating something very big (it knows if it just got the memory
69 * from the OS in a pre-zeroed state). We don't want to use tor_malloc_zero
70 * for big stuff, so we don't bother with calloc. */
71 void *result
= tor_malloc_(size
);
72 memset(result
, 0, size
);
76 /* The square root of SIZE_MAX + 1. If a is less than this, and b is less
77 * than this, then a*b is less than SIZE_MAX. (For example, if size_t is
78 * 32 bits, then SIZE_MAX is 0xffffffff and this value is 0x10000. If a and
79 * b are less than this, then their product is at most (65535*65535) ==
81 #define SQRT_SIZE_MAX_P1 (((size_t)1) << (sizeof(size_t)*4))
83 /** Return non-zero if and only if the product of the arguments is exact,
84 * and cannot overflow. */
86 size_mul_check(const size_t x
, const size_t y
)
88 /* This first check is equivalent to
89 (x < SQRT_SIZE_MAX_P1 && y < SQRT_SIZE_MAX_P1)
91 Rationale: if either one of x or y is >= SQRT_SIZE_MAX_P1, then it
92 will have some bit set in its most significant half.
94 return ((x
|y
) < SQRT_SIZE_MAX_P1
||
99 /** Allocate a chunk of <b>nmemb</b>*<b>size</b> bytes of memory, fill
100 * the memory with zero bytes, and return a pointer to the result.
101 * Log and terminate the process on error. (Same as
102 * calloc(<b>nmemb</b>,<b>size</b>), but never returns NULL.)
103 * The second argument (<b>size</b>) should preferably be non-zero
104 * and a compile-time constant.
107 tor_calloc_(size_t nmemb
, size_t size
)
109 raw_assert(size_mul_check(nmemb
, size
));
110 return tor_malloc_zero_((nmemb
* size
));
113 /** Change the size of the memory block pointed to by <b>ptr</b> to <b>size</b>
114 * bytes long; return the new memory block. On error, log and
115 * terminate. (Like realloc(ptr,size), but never returns NULL.)
118 tor_realloc_(void *ptr
, size_t size
)
122 raw_assert(size
< SIZE_T_CEILING
);
124 #ifndef MALLOC_ZERO_WORKS
125 /* Some libc mallocs don't work when size==0. Override them. */
129 #endif /* !defined(MALLOC_ZERO_WORKS) */
131 result
= raw_realloc(ptr
, size
);
133 if (PREDICT_UNLIKELY(result
== NULL
)) {
134 /* LCOV_EXCL_START */
135 raw_assert_unreached_msg("Out of memory on realloc(). Dying.");
142 * Try to realloc <b>ptr</b> so that it takes up sz1 * sz2 bytes. Check for
143 * overflow. Unlike other allocation functions, return NULL on overflow.
146 tor_reallocarray_(void *ptr
, size_t sz1
, size_t sz2
)
148 /* XXXX we can make this return 0, but we would need to check all the
149 * reallocarray users. */
150 raw_assert(size_mul_check(sz1
, sz2
));
152 return tor_realloc(ptr
, (sz1
* sz2
));
155 /** Return a newly allocated copy of the NUL-terminated string s. On
156 * error, log and terminate. (Like strdup(s), but never returns
160 tor_strdup_(const char *s
)
165 duplicate
= raw_strdup(s
);
167 if (PREDICT_UNLIKELY(duplicate
== NULL
)) {
168 /* LCOV_EXCL_START */
169 raw_assert_unreached_msg("Out of memory on strdup(). Dying.");
175 /** Allocate and return a new string containing the first <b>n</b>
176 * characters of <b>s</b>. If <b>s</b> is longer than <b>n</b>
177 * characters, only the first <b>n</b> are copied. The result is
178 * always NUL-terminated. (Like strndup(s,n), but never returns
182 tor_strndup_(const char *s
, size_t n
)
186 raw_assert(n
< SIZE_T_CEILING
);
187 duplicate
= tor_malloc_((n
+1));
188 /* Performance note: Ordinarily we prefer strlcpy to strncpy. But
189 * this function gets called a whole lot, and platform strncpy is
190 * much faster than strlcpy when strlen(s) is much longer than n.
192 strncpy(duplicate
, s
, n
);
197 /** Allocate a chunk of <b>len</b> bytes, with the same contents as the
198 * <b>len</b> bytes starting at <b>mem</b>. */
200 tor_memdup_(const void *mem
, size_t len
)
203 raw_assert(len
< SIZE_T_CEILING
);
205 duplicate
= tor_malloc_(len
);
206 memcpy(duplicate
, mem
, len
);
210 /** As tor_memdup(), but add an extra 0 byte at the end of the resulting
213 tor_memdup_nulterm_(const void *mem
, size_t len
)
216 raw_assert(len
< SIZE_T_CEILING
+1);
218 duplicate
= tor_malloc_(len
+1);
219 memcpy(duplicate
, mem
, len
);
220 duplicate
[len
] = '\0';
224 /** Helper for places that need to take a function pointer to the right
225 * spelling of "free()". */