| blob | b06e77f605c51befff42655e6e756bcf6a224a4b |
2 /*--------------------------------------------------------------------*/
3 /*--- The leak checker. mc_leakcheck.c ---*/
4 /*--------------------------------------------------------------------*/
6 /*
7 This file is part of MemCheck, a heavyweight Valgrind tool for
8 detecting memory errors.
10 Copyright (C) 2000-2017 Julian Seward
11 jseward@acm.org
13 This program is free software; you can redistribute it and/or
14 modify it under the terms of the GNU General Public License as
15 published by the Free Software Foundation; either version 2 of the
16 License, or (at your option) any later version.
18 This program is distributed in the hope that it will be useful, but
19 WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 General Public License for more details.
23 You should have received a copy of the GNU General Public License
24 along with this program; if not, see <http://www.gnu.org/licenses/>.
26 The GNU General Public License is contained in the file COPYING.
27 */
52 /*------------------------------------------------------------*/
53 /*--- An overview of leak checking. ---*/
54 /*------------------------------------------------------------*/
56 // Leak-checking is a directed-graph traversal problem. The graph has
57 // two kinds of nodes:
58 // - root-set nodes:
59 // - GP registers of all threads;
60 // - valid, aligned, pointer-sized data words in valid client memory,
61 // including stacks, but excluding words within client heap-allocated
62 // blocks (they are excluded so that later on we can differentiate
63 // between heap blocks that are indirectly leaked vs. directly leaked).
64 // - heap-allocated blocks. A block is a mempool chunk or a malloc chunk
65 // that doesn't contain a mempool chunk. Nb: the terms "blocks" and
66 // "chunks" are used interchangeably below.
67 //
68 // There are two kinds of edges:
69 // - start-pointers, i.e. pointers to the start of a block;
70 // - interior-pointers, i.e. pointers to the interior of a block.
71 //
72 // We use "pointers" rather than "edges" below.
73 //
74 // Root set nodes only point to blocks. Blocks only point to blocks;
75 // a block can point to itself.
76 //
77 // The aim is to traverse the graph and determine the status of each block.
78 //
79 // There are 9 distinct cases. See memcheck/docs/mc-manual.xml for details.
80 // Presenting all nine categories to the user is probably too much.
81 // Currently we do this:
82 // - definitely lost: case 3
83 // - indirectly lost: case 4, 9
84 // - possibly lost: cases 5..8
85 // - still reachable: cases 1, 2
86 //
87 // It's far from clear that this is the best possible categorisation; it's
88 // accreted over time without any central guiding principle.
90 /*------------------------------------------------------------*/
91 /*--- XXX: Thoughts for improvement. ---*/
92 /*------------------------------------------------------------*/
94 // From the user's point of view:
95 // - If they aren't using interior-pointers, they just have to fix the
96 // directly lost blocks, and the indirectly lost ones will be fixed as
97 // part of that. Any possibly lost blocks will just be due to random
98 // pointer garbage and can be ignored.
99 //
100 // - If they are using interior-pointers, the fact that they currently are not
101 // being told which ones might be directly lost vs. indirectly lost makes
102 // it hard to know where to begin.
103 //
104 // All this makes me wonder if new option is warranted:
105 // --follow-interior-pointers. By default it would be off, the leak checker
106 // wouldn't follow interior-pointers and there would only be 3 categories:
107 // R, DL, IL.
108 //
109 // If turned on, then it would show 7 categories (R, DL, IL, DR/DL, IR/IL,
110 // IR/IL/DL, IL/DL). That output is harder to understand but it's your own
111 // damn fault for using interior-pointers...
112 //
113 // ----
114 //
115 // Also, why are two blank lines printed between each loss record?
116 // [bug 197930]
117 //
118 // ----
119 //
120 // Also, --show-reachable is a bad name because it also turns on the showing
121 // of indirectly leaked blocks(!) It would be better named --show-all or
122 // --show-all-heap-blocks, because that's the end result.
123 // We now have the option --show-leak-kinds=... which allows to specify =all.
124 //
125 // ----
126 //
127 // Also, the VALGRIND_LEAK_CHECK and VALGRIND_QUICK_LEAK_CHECK aren't great
128 // names. VALGRIND_FULL_LEAK_CHECK and VALGRIND_SUMMARY_LEAK_CHECK would be
129 // better.
130 //
131 // ----
132 //
133 // Also, VALGRIND_COUNT_LEAKS and VALGRIND_COUNT_LEAK_BLOCKS aren't great as
134 // they combine direct leaks and indirect leaks into one. New, more precise
135 // ones (they'll need new names) would be good. If more categories are
136 // used, as per the --follow-interior-pointers option, they should be
137 // updated accordingly. And they should use a struct to return the values.
138 //
139 // ----
140 //
141 // Also, for this case:
142 //
143 // (4) p4 BBB ---> AAA
144 //
145 // BBB is definitely directly lost. AAA is definitely indirectly lost.
146 // Here's the relevant loss records printed for a full check (each block is
147 // 16 bytes):
148 //
149 // ==20397== 16 bytes in 1 blocks are indirectly lost in loss record 9 of 15
150 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
151 // ==20397== by 0x400521: mk (leak-cases.c:49)
152 // ==20397== by 0x400578: main (leak-cases.c:72)
153 //
154 // ==20397== 32 (16 direct, 16 indirect) bytes in 1 blocks are definitely
155 // lost in loss record 14 of 15
156 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
157 // ==20397== by 0x400521: mk (leak-cases.c:49)
158 // ==20397== by 0x400580: main (leak-cases.c:72)
159 //
160 // The first one is fine -- it describes AAA.
161 //
162 // The second one is for BBB. It's correct in that 16 bytes in 1 block are
163 // directly lost. It's also correct that 16 are indirectly lost as a result,
164 // but it means that AAA is being counted twice in the loss records. (It's
165 // not, thankfully, counted twice in the summary counts). Argh.
166 //
167 // This would be less confusing for the second one:
168 //
169 // ==20397== 16 bytes in 1 blocks are definitely lost in loss record 14
170 // of 15 (and 16 bytes in 1 block are indirectly lost as a result; they
171 // are mentioned elsewhere (if --show-reachable=yes or indirect is given
172 // in --show-leak-kinds=... !))
173 // ==20397== at 0x4C2694E: malloc (vg_replace_malloc.c:177)
174 // ==20397== by 0x400521: mk (leak-cases.c:49)
175 // ==20397== by 0x400580: main (leak-cases.c:72)
176 //
177 // But ideally we'd present the loss record for the directly lost block and
178 // then the resultant indirectly lost blocks and make it clear the
179 // dependence. Double argh.
181 /*------------------------------------------------------------*/
182 /*--- The actual algorithm. ---*/
183 /*------------------------------------------------------------*/
185 // - Find all the blocks (a.k.a. chunks) to check. Mempool chunks require
186 // some special treatment because they can be within malloc'd blocks.
187 // - Scan every word in the root set (GP registers and valid
188 // non-heap memory words).
189 // - First, we skip if it doesn't point to valid memory.
190 // - Then, we see if it points to the start or interior of a block. If
191 // so, we push the block onto the mark stack and mark it as having been
192 // reached.
193 // - Then, we process the mark stack, repeating the scanning for each block;
194 // this can push more blocks onto the mark stack. We repeat until the
195 // mark stack is empty. Each block is marked as definitely or possibly
196 // reachable, depending on whether interior-pointers were required to
197 // reach it.
198 // - At this point we know for every block if it's reachable or not.
199 // - We then push each unreached block onto the mark stack, using the block
200 // number as the "clique" number.
201 // - We process the mark stack again, this time grouping blocks into cliques
202 // in order to facilitate the directly/indirectly lost categorisation.
203 // - We group blocks by their ExeContexts and categorisation, and print them
204 // if --leak-check=full. We also print summary numbers.
205 //
206 // A note on "cliques":
207 // - A directly lost block is one with no pointers to it. An indirectly
208 // lost block is one that is pointed to by a directly or indirectly lost
209 // block.
210 // - Each directly lost block has zero or more indirectly lost blocks
211 // hanging off it. All these blocks together form a "clique". The
212 // directly lost block is called the "clique leader". The clique number
213 // is the number (in lc_chunks[]) of the clique leader.
214 // - Actually, a directly lost block may be pointed to if it's part of a
215 // cycle. In that case, there may be more than one choice for the clique
216 // leader, and the choice is arbitrary. Eg. if you have A-->B and B-->A
217 // either A or B could be the clique leader.
218 // - Cliques cannot overlap, and will be truncated to avoid this. Eg. if we
219 // have A-->C and B-->C, the two cliques will be {A,C} and {B}, or {A} and
220 // {B,C} (again the choice is arbitrary). This is because we don't want
221 // to count a block as indirectly lost more than once.
222 //
223 // A note on 'is_prior_definite':
224 // - This is a boolean used in various places that indicates if the chain
225 // up to the prior node (prior to the one being considered) is definite.
226 // - In the clique == -1 case:
227 // - if True it means that the prior node is a root-set node, or that the
228 // prior node is a block which is reachable from the root-set via
229 // start-pointers.
230 // - if False it means that the prior node is a block that is only
231 // reachable from the root-set via a path including at least one
232 // interior-pointer.
233 // - In the clique != -1 case, currently it's always True because we treat
234 // start-pointers and interior-pointers the same for direct/indirect leak
235 // checking. If we added a PossibleIndirectLeak state then this would
236 // change.
239 // Define to debug the memory-leak-detector.
240 #define VG_DEBUG_FIND_CHUNK 0
241 #define VG_DEBUG_LEAKCHECK 0
242 #define VG_DEBUG_CLIQUE 0
245 /*------------------------------------------------------------*/
246 /*--- Getting the initial chunks, and searching them. ---*/
247 /*------------------------------------------------------------*/
249 // Compare the MC_Chunks by 'data' (i.e. the address of the block).
251 {
257 }
259 #if VG_DEBUG_FIND_CHUNK
260 // Used to sanity-check the fast binary-search mechanism.
261 static
264 Int n_chunks )
266 {
267 Int i;
278 }
280 }
281 #endif
283 // Find the i such that ptr points at or inside the block described by
284 // chunks[i]. Return -1 if none found. This assumes that chunks[]
285 // has been sorted on the 'data' field.
286 static
289 Int n_chunks )
290 {
293 // VG_(printf)("find chunk for %p = ", ptr);
298 // Invariant: current unsearched space is from lo to hi, inclusive.
304 // Extent of block 'mid' is [a_mid_lo .. a_mid_hi).
305 // Special-case zero-sized blocks - treat them as if they had
306 // size 1. Not doing so causes them to not cover any address
307 // range at all and so will never be identified as the target of
308 // any pointer, which causes them to be incorrectly reported as
309 // definitely leaked.
311 a_mid_hi++;
316 }
320 }
324 }
326 # if VG_DEBUG_FIND_CHUNK
328 # endif
329 // VG_(printf)("%d\n", retVal);
331 }
336 {
337 UInt n_mallocs;
340 // First we collect all the malloc chunks into an array and sort it.
341 // We do this because we want to query the chunks by interior
342 // pointers, requiring binary search.
348 }
351 // If there are no mempools (for most users, this is the case),
352 // n_mallocs and mallocs is the final result
353 // otherwise we need to do special handling for mempools.
356 // Our goal is to construct a set of chunks that includes every
357 // mempool chunk, and every malloc region that *doesn't* contain a
358 // mempool chunk.
364 // We build an array containing a Bool for each malloc chunk,
365 // indicating whether it contains any mempools.
370 // Then we loop over the mempool tables. For each chunk in each
371 // pool, we set the entry in the Bool array corresponding to the
372 // malloc chunk containing the mempool chunk.
378 // We'll need to record this chunk.
379 n_chunks++;
381 // Possibly invalidate the malloc holding the beginning of this chunk.
385 n_chunks--;
387 }
389 // Possibly invalidate the malloc holding the end of this chunk.
394 n_chunks--;
396 }
397 }
398 }
399 }
402 // Create final chunk array.
406 // Copy the mempool chunks and the non-marked malloc chunks into a
407 // combined array of chunks.
414 }
415 }
420 }
421 }
424 // Free temporaries.
430 // Sort the array so blocks are in ascending order in memory.
433 // Sanity check -- make sure they're in order.
436 }
442 }
443 }
445 /*------------------------------------------------------------*/
446 /*--- The leak detector proper. ---*/
447 /*------------------------------------------------------------*/
449 // Holds extra info about each block during leak checking.
450 typedef
455 // Heuristic with which this block was considered reachable.
456 // LchNone if state != Reachable or no heuristic needed to
457 // consider it reachable.
460 SizeT indirect_szB;
461 // If Unreached, how many bytes are unreachable from here.
462 SizeT clique;
463 // if IndirectLeak, clique leader to which it belongs.
465 }
466 LC_Extra;
468 // An array holding pointers to every chunk we're checking. Sorted by address.
469 // lc_chunks is initialised during leak search. It is kept after leak search
470 // to support printing the list of blocks belonging to a loss record.
471 // lc_chunk array can only be used validly till the next "free" operation
472 // (as a free operation potentially destroys one or more chunks).
473 // To detect lc_chunk is valid, we store the nr of frees operations done
474 // when lc_chunk was build : lc_chunks (and lc_extras) stays valid as
475 // long as no free operations has been done since lc_chunks building.
477 // How many chunks we're dealing with.
480 // This has the same number of entries as lc_chunks, and each entry
481 // in lc_chunks corresponds with the entry here (ie. lc_chunks[i] and
482 // lc_extras[i] describe the same block).
485 // chunks will be converted and merged in loss record, maintained in lr_table
486 // lr_table elements are kept from one leak_search to another to implement
487 // the "print new/changed leaks" client request
489 // Array of sorted loss record (produced during last leak search).
492 // Value of the heuristics parameter used in the current (or last) leak check.
495 // DeltaMode used the last time we called detect_memory_leaks.
496 // The recorded leak errors are output using a logic based on this delta_mode.
497 // The below avoids replicating the delta_mode in each LossRecord.
500 // Each leak search run increments the below generation counter.
501 // A used suppression during a leak search will contain this
502 // generation number.
505 // Records chunks that are currently being processed. Each element in the
506 // stack is an index into lc_chunks and lc_extras. Its size is
507 // 'lc_n_chunks' because in the worst case that's how many chunks could be
508 // pushed onto it (actually I think the maximum is lc_n_chunks-1 but let's
509 // be conservative).
511 // The index of the top element of the stack; -1 if the stack is empty, 0 if
512 // the stack has one element, 1 if it has two, etc.
515 // Keeps track of how many bytes of memory we've scanned, for printing.
516 // (Nb: We don't keep track of how many register bytes we've scanned.)
518 // Keeps track of how many bytes we have not scanned due to read errors that
519 // caused a signal such as SIGSEGV.
535 // Subset of MC_(bytes_reachable) and MC_(blocks_reachable) which
536 // are considered reachable due to the corresponding heuristic.
542 // Determines if a pointer is to a chunk. Returns the chunk number et al
543 // via call-by-reference.
544 static Bool
546 {
547 Int ch_no;
551 // Quick filter. Note: implemented with am, not with get_vabits2
552 // as ptr might be random data pointing anywhere. On 64 bit
553 // platforms, getting va bits for random data can be quite costly
554 // due to the secondary map.
564 // Ok, we've found a pointer to a chunk. Get the MC_Chunk and its
565 // LC_Extra.
580 }
581 }
582 }
584 // Push a chunk (well, just its index) onto the mark stack.
586 {
590 }
591 lc_markstack_top++;
596 }
597 }
599 // Return the index of the chunk on the top of the mark stack, or -1 if
600 // there isn't one.
602 {
608 lc_markstack_top--;
612 }
613 }
616 {
624 }
625 }
627 // True if ptr looks like the address of a vtable, i.e. if ptr
628 // points to an array of pointers to functions.
629 // It is assumed the only caller of this function is heuristic_reachedness
630 // which must check that ptr is aligned and above page 0.
631 // Checking that ptr is above page 0 is an optimisation : it is assumed
632 // that no vtable is located in the page 0. So, all small integer values
633 // encountered during the scan will not incur the cost of calling this
634 // function.
636 {
637 // ??? If performance problem:
638 // ??? maybe implement a cache (array indexed by ptr % primenr)
639 // ??? of "I am a vtable ptr" ???
641 // ??? Maybe the debug info could (efficiently?) be used to detect vtables ?
643 // We consider ptr as a vtable ptr if it points to a table
644 // where we find only NULL pointers or pointers pointing at an
645 // executable region. We must find at least 2 non NULL pointers
646 // before considering ptr as a vtable pointer.
647 // We scan a maximum of VTABLE_MAX_CHECK words for these 2 non NULL
648 // pointers.
649 #define VTABLE_MAX_CHECK 20
653 Addr scan;
654 Addr scan_max;
656 // First verify ptr points inside a client mapped file section.
657 // ??? is a vtable always in a file mapped readable section ?
664 // Check potential function pointers, up to a maximum of VTABLE_MAX_CHECK.
666 // If ptr is near the end of seg, avoid scan_max exceeding the end of seg:
674 #if defined(VGA_ppc64be)
675 // ppc64BE uses a thunk table (function descriptors), so we have one
676 // more level of indirection to follow.
686 #endif
691 nr_fn_ptrs++;
694 }
697 }
699 // true if a is properly aligned and points to 64bits of valid memory
701 {
707 }
709 /* The below leak_search_fault_catcher is used to catch memory access
710 errors happening during leak_search. During the scan, we check
711 with aspacemgr and/or VA bits that each page or dereferenced location is
712 readable and belongs to the client. However, we still protect
713 against SIGSEGV and SIGBUS e.g. in case aspacemgr is desynchronised
714 with the real page mappings. Such a desynchronisation could happen
715 due to an aspacemgr bug. Note that if the application is using
716 mprotect(NONE), then a page can be unreadable but have addressable
717 and defined VA bits (see mc_main.c function mc_new_mem_mprotect).
718 Currently, 2 functions are dereferencing client memory during leak search:
719 heuristic_reachedness and lc_scan_memory.
720 Each such function has its own fault catcher, that will call
721 leak_search_fault_catcher with the proper 'who' and jmpbuf parameters. */
723 static
726 {
727 vki_sigset_t sigmask;
732 /* Signal handler runs with the signal masked.
733 Unmask the handled signal before longjmp-ing or return-ing.
734 Note that during leak search, we expect only SIGSEGV or SIGBUS
735 and we do not expect another occurrence until we longjmp-ed!return-ed
736 to resume the leak search. So, it is safe to unmask the signal
737 here. */
738 /* First get current mask (by passing NULL as first arg) */
740 /* Then set a new sigmask, with this signal removed from the mask. */
748 /* ??? During leak search, we are not supposed to receive any
749 other sync signal that these 2.
750 In theory, we should not call VG_(umsg) in a signal handler,
751 but better (try to) report this unexpected behaviour. */
755 }
756 }
758 // jmpbuf and fault_catcher used during heuristic_reachedness
760 static
762 {
765 heuristic_reachedness_jmpbuf);
766 }
768 // If ch is heuristically reachable via an heuristic member of heur_set,
769 // returns this heuristic.
770 // If ch cannot be considered reachable using one of these heuristics,
771 // return LchNone.
772 // This should only be called when ptr is an interior ptr to ch.
773 // The StdString/NewArray/MultipleInheritance heuristics are directly
774 // inspired from DrMemory:
775 // see http://www.burningcutlery.com/derek/docs/drmem-CGO11.pdf [section VI,C]
776 // and bug 280271.
779 UInt heur_set)
780 {
782 fault_catcher_t prev_catcher;
786 // See leak_search_fault_catcher
790 }
793 // Detects inner pointers to Std::String for layout being
794 // length capacity refcount char_array[] \0
795 // where ptr points to the beginning of the char_array.
796 // Note: we check definedness for length and capacity but
797 // not for refcount, as refcount size might be smaller than
798 // a SizeT, giving a uninitialised hole in the first 3 SizeT.
806 // ??? could check there is no null byte from ptr to ptr+length-1
807 // ??? and that there is a null byte at ptr+length.
808 // ???
809 // ??? could check that ch->allockind is MC_AllocNew ???
810 // ??? probably not a good idea, as I guess stdstring
811 // ??? allocator can be done via custom allocator
812 // ??? or even a call to malloc ????
815 }
816 }
817 }
818 }
821 // Detects inner pointers that point at 64bit offset (8 bytes) into a
822 // block following the length of the remaining as 64bit number
823 // (=total block size - 8).
824 // This is used e.g. by sqlite for tracking the total size of allocated
825 // memory.
826 // Note that on 64bit platforms, a block matching LchLength64 will
827 // also be matched by LchNewArray.
834 }
835 }
836 }
839 // Detects inner pointers at second word of new[] array, following
840 // a plausible nr of elements.
841 // Such inner pointers are used for arrays of elements
842 // having a destructor, as the delete[] of the array must know
843 // how many elements to destroy.
844 //
845 // We have a strange/wrong case for 'ptr = new MyClass[0];' :
846 // For such a case, the returned ptr points just outside the
847 // allocated chunk. This chunk is then seen as a definite
848 // leak by Valgrind, as it is not considered an interior pointer.
849 // It is the c++ equivalent of bug 99923 (malloc(0) wrongly considered
850 // as definitely leaked). See the trick in find_chunk_for handling
851 // 0-sized block. This trick does not work for 'new MyClass[0]'
852 // because a chunk "word-sized" is allocated to store the (0) nr
853 // of elements.
858 // ??? could check that ch->allockind is MC_AllocNewVec ???
861 }
862 }
863 }
866 // Detect inner pointer used for multiple inheritance.
867 // Assumption is that the vtable pointers are before the object.
870 Addr first_addr;
871 Addr inner_addr;
873 // Avoid the call to is_vtable_addr when the addr is not
874 // aligned or points in the page0, as it is unlikely
875 // a vtable is located in this page. This last optimisation
876 // avoids to call aligned_ptr_above_page0_is_vtable_addr
877 // for all small integers.
878 // Note: we could possibly also avoid calling this function
879 // for small negative integers, as no vtable should be located
880 // in the last page.
890 // ??? could check that ch->allockind is MC_AllocNew ???
893 }
894 }
895 }
896 }
900 }
903 // If 'ptr' is pointing to a heap-allocated block which hasn't been seen
904 // before, push it onto the mark stack.
905 static void
907 {
908 Int ch_no;
918 // If block was considered reachable via an heuristic, and it is now
919 // directly reachable via ptr, clear the heuristic field.
922 }
924 // Possibly upgrade the state, ie. one of:
925 // - Unreached --> Possible
926 // - Unreached --> Reachable
927 // - Possible --> Reachable
932 ex->heuristic
934 detect_memory_leaks_last_heuristics);
937 else
943 // 'ptr' points to the start of the block or is to be considered as
944 // pointing to the start of the block, and the prior node is
945 // definite, which means that this block is definitely reachable.
948 // State has changed to Reachable so (re)scan the block to make
949 // sure any blocks it points to are correctly marked.
953 // Either 'ptr' is a interior-pointer, or the prior node isn't definite,
954 // which means that we can only mark this block as possibly reachable.
957 // State has changed to Possible so (re)scan the block to make
958 // sure any blocks it points to are correctly marked.
960 }
961 }
963 static void
965 {
967 }
969 // If ptr is pointing to a heap-allocated block which hasn't been seen
970 // before, push it onto the mark stack. Clique is the index of the
971 // clique leader.
972 static void
974 {
975 Int ch_no;
984 // If it's not Unreached, it's already been handled so ignore it.
985 // If ch_no==clique, it's the clique leader, which means this is a cyclic
986 // structure; again ignore it because it's already been handled.
988 // Note that, unlike reachable blocks, we currently don't distinguish
989 // between start-pointers and interior-pointers here. We probably
990 // should, though.
993 // Add the block to the clique, and add its size to the
994 // clique-leader's indirect size. Also, if the new block was
995 // itself a clique leader, it isn't any more, so add its
996 // indirect_szB to the new clique leader.
1001 else
1004 }
1010 }
1011 }
1013 static void
1016 {
1019 else
1021 }
1025 static
1027 {
1030 lc_scan_memory_jmpbuf);
1031 }
1033 // lc_scan_memory has 2 modes:
1034 //
1035 // 1. Leak check mode (searched == 0).
1036 // -----------------------------------
1037 // Scan a block of memory between [start, start+len). This range may
1038 // be bogus, inaccessible, or otherwise strange; we deal with it. For each
1039 // valid aligned word we assume it's a pointer to a chunk a push the chunk
1040 // onto the mark stack if so.
1041 // clique is the "highest level clique" in which indirectly leaked blocks have
1042 // to be collected. cur_clique is the current "lower" level clique through which
1043 // the memory to be scanned has been found.
1044 // Example: in the below tree if A is leaked, the top level clique will
1045 // be A, while lower level cliques will be B and C.
1046 /*
1047 A
1048 / \
1049 B C
1050 / \ / \
1051 D E F G
1052 */
1053 // Proper handling of top and lowest level clique allows block_list of a loss
1054 // record to describe the hierarchy of indirectly leaked blocks.
1055 //
1056 // 2. Search ptr mode (searched != 0).
1057 // -----------------------------------
1058 // In this mode, searches for pointers to a specific address range
1059 // In such a case, lc_scan_memory just scans [start..start+len[ for pointers
1060 // to searched and outputs the places where searched is found.
1061 // It does not recursively scans the found memory.
1062 static void
1066 {
1067 /* memory scan is based on the assumption that valid pointers are aligned
1068 on a multiple of sizeof(Addr). So, we can (and must) skip the begin and
1069 end portions of the block if they are not aligned on sizeof(Addr):
1070 These cannot be a valid pointer, and calls to MC_(is_valid_aligned_word)
1071 will assert for a non aligned address. */
1072 #if defined(VGA_s390x)
1073 // Define ptr as volatile, as on this platform, the value of ptr
1074 // is read in code executed via a longjmp.
1075 volatile
1076 #endif
1079 fault_catcher_t prev_catcher;
1086 /* Optimisation: the loop below will check for each begin
1087 of SM chunk if the chunk is fully unaddressable. The idea is to
1088 skip efficiently such fully unaddressable SM chunks.
1089 So, we preferably start the loop on a chunk boundary.
1090 If the chunk is not fully unaddressable, we might be in
1091 an unaddressable page. Again, the idea is to skip efficiently
1092 such unaddressable page : this is the "else" part.
1093 We use an "else" so that two consecutive fully unaddressable
1094 SM chunks will be skipped efficiently: first one is skipped
1095 by this piece of code. The next SM chunk will be skipped inside
1096 the loop. */
1098 // Skip an invalid SM chunk till the beginning of the next SM Chunk.
1101 // else we are in a (at least partially) valid SM chunk.
1102 // We might be in the middle of an unreadable page.
1103 // Do a cheap check to see if it's valid;
1104 // if not, skip onto the next page.
1106 }
1107 /* The above optimisation and below loop is based on some relationships
1108 between VKI_PAGE_SIZE, SM_SIZE and sizeof(Addr) which are asserted in
1109 MC_(detect_memory_leaks). */
1111 // See leak_search_fault_catcher
1113 // Catch read error ...
1114 # if defined(VGA_s390x)
1115 // For a SIGSEGV, s390 delivers the page address of the bad address.
1116 // For a SIGBUS, old s390 kernels deliver a NULL address.
1117 // bad_scanned_addr can thus not be used.
1118 // So, on this platform, we always skip a full page from ptr.
1119 // The below implies to mark ptr as volatile, as we read the value
1120 // after a longjmp to here.
1123 # else
1124 // On other platforms, just skip one Addr.
1129 #endif
1130 }
1132 Addr addr;
1134 // Skip invalid chunks.
1139 }
1140 }
1142 // Look to see if this page seems reasonable.
1147 }
1148 }
1152 // If the below read fails, we will longjmp to the loop begin.
1154 // If we get here, the scanned word is in valid memory. Now
1155 // let's see if its contents point to a chunk.
1159 // The found addr is 'live', so use cur_ep to describe it.
1164 Int ch_no;
1171 Int h;
1177 }
1178 }
1179 // Verify the loop above has properly scanned all
1180 // heuristics. If the below fails, it probably means the
1181 // LeakCheckHeuristic enum is not in sync anymore with the
1182 // above loop and/or with N_LEAK_CHECK_HEURISTICS.
1184 }
1185 }
1186 }
1189 }
1192 }
1194 }
1197 }
1200 // Process the mark stack until empty.
1202 {
1204 Bool is_prior_definite;
1209 // See comment about 'is_prior_definite' at the top to understand this.
1215 }
1216 }
1219 {
1223 // Compare on states first because that's fast.
1226 // Ok, the states are equal. Now compare the locations, which is slower.
1230 // Different locations. Ordering is arbitrary, just use the ec pointer.
1234 }
1237 {
1243 // First compare by sizes.
1246 // If size are equal, compare by states.
1249 // If they're still equal here, it doesn't matter that much, but we keep
1250 // comparing other things so that regtests are as deterministic as
1251 // possible. So: compare num_blocks.
1254 // Finally, compare ExeContext addresses... older ones are likely to have
1255 // lower addresses.
1259 }
1261 // allocates or reallocates lr_array, and set its elements to the loss records
1262 // contains in lr_table.
1269 // (re-)create the array of pointers to the loss records.
1270 // lr_array is kept to allow producing the block list from gdbserver.
1278 }
1281 }
1288 {
1289 // Rules for printing:
1290 // - We don't show suppressed loss records ever (and that's controlled
1291 // within the error manager).
1292 // - We show non-suppressed loss records that are specified in
1293 // --show-leak-kinds=... if --leak-check=yes.
1295 Bool delta_considered;
1302 delta_considered
1313 delta_considered
1318 }
1322 // We don't count a leaks as errors with lcp->mode==LC_Summary.
1323 // Otherwise you can get high error counts with few or no error
1324 // messages, which can be confusing. Otherwise, we count as errors
1325 // the leak kinds requested by --errors-for-leak-kinds=...
1328 }
1330 //
1331 // Types and functions for xtree leak report.
1332 //
1336 /* Sizes and delta sizes for a loss record output in an xtree.
1337 As the output format can only show positive values, we need values for
1338 the increase and decrease cases. */
1339 typedef
1342 ULong indirect_szB;
1343 ULong num_blocks;
1346 typedef
1351 }
1354 typedef
1359 typedef
1365 {
1367 }
1369 {
1378 }
1379 }
1381 {
1382 XT_Leak xtl;
1393 else
1398 else
1404 else
1409 }
1412 {
1414 }
1416 {
1425 // print szB. We add indirect_szB to have the Unreachable showing
1426 // the total bytes loss, including indirect loss. This is similar
1427 // to the textual and xml reports.
1432 // print indirect_szB, only for reachedness having such values)
1437 // print num_blocks
1441 }
1445 }
1446 }
1448 /* The short event name is made of 2 or 3 or 4 letters:
1449 an optional delta indication: i = increase d = decrease
1450 a loss kind: R = Reachable P = Possibly I = Indirectly D = Definitely
1451 an optional i to indicate this loss record has indirectly lost bytes
1452 B = Bytes or Bk = Blocks.
1453 Note that indirectly lost bytes/blocks can thus be counted in 2
1454 loss records: the loss records for their "own" allocation stack trace,
1455 and the loss record of the 'main' Definitely or Possibly loss record
1456 in the indirectly lost count for these loss records. */
1458 ////// XT_Value szB
1464 ////// XT_Value indirect_szB
1465 // no RIB
1466 // no PIB
1467 // no IIB
1470 ////// XT_Value num_blocks
1476 ////// XT_Increase szB
1482 ////// XT_Increase indirect_szB
1483 // no iRIB
1484 // no iPIB
1485 // no iIIB
1488 ////// XT_Increase num_blocks
1495 ////// XT_Decrease szB
1501 ////// XT_Decrease indirect_szB
1502 // no dRIB
1503 // no dPIB
1504 // no dIIB
1507 ////// XT_Decrease num_blocks
1514 {
1517 Bool is_suppressed;
1518 /* old_* variables are used to report delta in summary. */
1540 }
1543 // Create the lr_table, which holds the loss records.
1544 // If the lr_table already exists, it means it contains
1545 // loss_records from the previous leak search. The old_*
1546 // values in these records are used to implement the
1547 // leak check delta mode
1548 lr_table =
1550 cmp_LossRecordKey_LossRecord,
1554 // If we have loss records from a previous search, reset values to have
1555 // proper printing of the deltas between previous search and this search.
1559 // remove from lr_table the old loss_records with 0 bytes found
1563 // move the leak sizes to old_* and zero the current sizes
1564 // for next leak search
1571 }
1572 }
1573 // lr_array now contains "invalid" loss records => free it.
1574 // lr_array will be re-created below with the kept and new loss records.
1578 // Convert the chunks into loss records, merging them where appropriate.
1583 LossRecordKey lrkey;
1594 }
1598 // We found an existing loss record matching this chunk. Update the
1599 // loss record's details in-situ. This is safe because we don't
1600 // change the elements used as the OSet key.
1606 // No existing loss record matches this chunk. Create a new loss
1607 // record, initialise it from the chunk, and insert it into lr_table.
1613 else
1620 }
1621 }
1623 // (re-)create the array of pointers to the (new) loss records.
1627 // Sort the array by loss record sizes.
1629 cmp_LossRecords);
1631 // Zero totals.
1638 // If there is a maximum nr of loss records we can output, then first
1639 // compute from where the output scan has to start.
1640 // By default, start from the first loss record. Compute a higher
1641 // value if there is a maximum to respect. We need to print the last
1642 // records, as the one with the biggest sizes are more interesting.
1650 // Do not use get_printing_rules results for is_suppressed, as we
1651 // only want to check if the record would be suppressed.
1652 is_suppressed =
1657 nr_printable_records++;
1660 }
1661 }
1662 }
1674 // Print the loss records (in size order) and collect summary stats.
1679 is_suppressed =
1683 count_as_error );
1709 }
1710 }
1715 XT_Leak_events,
1720 }
1725 # define DBY(new,old) \
1726 MC_(snprintf_delta) (d_bytes, sizeof(d_bytes), (new), (old), \
1727 lcp->deltamode)
1728 # define DBL(new,old) \
1729 MC_(snprintf_delta) (d_blocks, sizeof(d_blocks), (new), (old), \
1730 lcp->deltamode)
1759 }
1783 else
1786 }
1793 else
1796 }
1798 #undef DBL
1799 #undef DBY
1800 }
1801 }
1803 // print recursively all indirectly leaked blocks collected in clique.
1804 // Printing stops when *remaining reaches 0.
1806 {
1807 Int ind;
1818 LossRecordKey ind_lrkey;
1819 UInt lr_i;
1837 }
1838 }
1839 }
1842 UInt loss_record_nr_to,
1843 UInt max_blocks,
1844 UInt heuristics)
1845 {
1846 UInt loss_record_nr;
1849 Bool lr_printed;
1855 }
1860 }
1873 loss_record_nr++) {
1877 /* If user asks to print a specific loss record, we print
1878 the block details, even if no block will be shown for this lr.
1879 If user asks to print a range of lr, we only print lr details
1880 when at least one block is shown. */
1882 /* (+1 on loss_record_nr as user numbering for loss records
1883 starts at 1). */
1886 }
1888 // Match the chunks with loss records.
1893 LossRecordKey lrkey;
1899 // We found an existing loss record matching this chunk.
1900 // If this is the loss record we are looking for, output the
1901 // pointer.
1907 }
1913 else
1916 remaining--;
1918 // We can print the clique in all states, except Reachable.
1919 // In Unreached state, lc_chunk[i] is the clique leader.
1920 // In IndirectLeak, lc_chunk[i] might have been a clique
1921 // leader which was later collected in another clique.
1922 // For Possible, lc_chunk[i] might be the top of a clique
1923 // or an intermediate clique.
1925 }
1926 }
1928 // No existing loss record matches this chunk ???
1931 }
1932 }
1933 }
1935 }
1937 // If searched = 0, scan memory root set, pushing onto the mark stack the blocks
1938 // encountered.
1939 // Otherwise (searched != 0), scan the memory root set searching for ptr
1940 // pointing inside [searched, searched+szB[.
1942 {
1943 Int i;
1944 Int n_seg_starts;
1953 // VG_(am_show_nsegments)( 0, "leakcheck");
1955 SizeT seg_size;
1964 // Don't poke around in device segments as this may cause
1965 // hangs. Include /dev/zero just in case someone allocated
1966 // memory by explicitly mapping /dev/zero.
1971 // Don't skip /dev/zero.
1973 // Skip this device mapping.
1975 }
1976 }
1981 // Scan the segment. We use -1 for the clique number, because this
1982 // is a root-set.
1988 }
1992 }
1994 }
1997 {
2009 }
2010 }
2013 }
2015 /*------------------------------------------------------------*/
2016 /*--- Top-level entry point. ---*/
2017 /*------------------------------------------------------------*/
2020 {
2025 // Verify some assertions which are used in lc_scan_memory.
2028 // Above two assertions are critical, while below assertion
2029 // ensures that the optimisation in the loop is done in the
2030 // correct order : the loop checks for (big) SM chunk skipping
2031 // before checking for (smaller) page skipping.
2038 // Get the chunks, stop if there were none.
2042 }
2048 // forget the previous recorded LossRecords as next leak search
2049 // can in any case just create new leaks.
2050 // Maybe it would be better to rather call print_result ?
2051 // (at least when leak decreases are requested)
2052 // This will then output all LossRecords with a size decreasing to 0
2055 }
2059 }
2061 }
2063 // Sanity check -- make sure they don't overlap. One exception is that
2064 // we allow a MALLOCLIKE block to sit entirely within a malloc() block.
2065 // This is for bug 100628. If this occurs, we ignore the malloc() block
2066 // for leak-checking purposes. This is a hack and probably should be done
2067 // better, but at least it's consistent with mempools (which are treated
2068 // like this in find_active_chunks). Mempools have a separate VgHashTable
2069 // for mempool chunks, but if custom-allocated blocks are put in a separate
2070 // table from normal heap blocks it makes free-mismatch checking more
2071 // difficult.
2072 // Another exception: Metapool memory blocks overlap by definition. The meta-
2073 // block is allocated (by a custom allocator), and chunks of that block are
2074 // allocated again for use by the application: Not an error.
2075 //
2076 // If this check fails, it probably means that the application
2077 // has done something stupid with VALGRIND_MALLOCLIKE_BLOCK client
2078 // requests, eg. has made overlapping requests (which are
2079 // nonsensical), or used VALGRIND_MALLOCLIKE_BLOCK for stack locations;
2080 // again nonsensical.
2081 //
2094 // Normal case - no overlap.
2096 // We used to allow exact duplicates, I'm not sure why. --njn
2097 //} else if (start1 == start2 && end1 == end2) {
2098 // Degenerate case: exact duplicates.
2101 // Block i is MALLOCLIKE and entirely within block i+1.
2102 // Remove block i+1.
2105 }
2106 lc_n_chunks--;
2109 // Block i+1 is MALLOCLIKE and entirely within block i.
2110 // Remove block i.
2113 }
2114 lc_n_chunks--;
2117 // Overlap is allowed ONLY when one of the two candicates is a block
2118 // from a memory pool that has the metapool attribute set.
2119 // All other mixtures trigger the error + assert.
2128 }
2129 }
2135 }
2136 }
2138 // If one of the blocks is a meta block, the other must be entirely
2139 // within that meta block, or something is really wrong with the custom
2140 // allocator.
2145 }
2146 }
2158 }
2159 }
2160 }
2162 // Initialise lc_extras.
2166 }
2173 }
2175 // Initialise lc_markstack.
2179 }
2182 // Verbosity.
2185 lc_n_chunks );
2186 }
2188 // Scan the memory root-set, pushing onto the mark stack any blocks
2189 // pointed to.
2192 // Scan GP registers for chunk pointers.
2195 // Process the pushed blocks. After this, every block that is reachable
2196 // from the root-set has been traced.
2203 lc_sig_skipped_szB);
2205 }
2207 // Trace all the leaked blocks to determine which are directly leaked and
2208 // which are indirectly leaked. For each Unreached block, push it onto
2209 // the mark stack, and find all the as-yet-Unreached blocks reachable
2210 // from it. These form a clique and are marked IndirectLeak, and their
2211 // size is added to the clique leader's indirect size. If one of the
2212 // found blocks was itself a clique leader (from a previous clique), then
2213 // the cliques are merged.
2228 // Push this Unreached block onto the stack and process it.
2234 }
2235 }
2241 // lc_chunks, lc_extras, lr_array and lr_table are kept (needed if user
2242 // calls MC_(print_block_list)). lr_table also used for delta leak reporting
2243 // between this leak search and the next leak search.
2244 }
2248 static void
2250 {
2257 else
2261 searched_wpa);
2262 }
2263 }
2266 {
2268 Int n_chunks;
2269 Int i;
2273 else
2279 // Scan memory root-set, searching for ptr pointing in address[szB]
2282 // Scan active malloc-ed chunks
2288 }
2291 // Scan GP registers for pointers to address range.
2296 }
2298 /*--------------------------------------------------------------------*/
2299 /*--- end ---*/
2300 /*--------------------------------------------------------------------*/