1 //=-- lsan_common.cpp -----------------------------------------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file is a part of LeakSanitizer. 10 // Implementation of common leak checking functionality. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "lsan_common.h" 15 16 #include "sanitizer_common/sanitizer_common.h" 17 #include "sanitizer_common/sanitizer_flag_parser.h" 18 #include "sanitizer_common/sanitizer_flags.h" 19 #include "sanitizer_common/sanitizer_placement_new.h" 20 #include "sanitizer_common/sanitizer_procmaps.h" 21 #include "sanitizer_common/sanitizer_report_decorator.h" 22 #include "sanitizer_common/sanitizer_stackdepot.h" 23 #include "sanitizer_common/sanitizer_stacktrace.h" 24 #include "sanitizer_common/sanitizer_suppressions.h" 25 #include "sanitizer_common/sanitizer_thread_registry.h" 26 #include "sanitizer_common/sanitizer_tls_get_addr.h" 27 28 #if CAN_SANITIZE_LEAKS 29 30 # if SANITIZER_APPLE 31 // https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L127 32 # if SANITIZER_IOS && !SANITIZER_IOSSIM 33 # define OBJC_DATA_MASK 0x0000007ffffffff8UL 34 # else 35 # define OBJC_DATA_MASK 0x00007ffffffffff8UL 36 # endif 37 # endif 38 39 namespace __lsan { 40 41 // This mutex is used to prevent races between DoLeakCheck and IgnoreObject, and 42 // also to protect the global list of root regions. 43 static Mutex global_mutex; 44 45 void LockGlobal() SANITIZER_ACQUIRE(global_mutex) { global_mutex.Lock(); } 46 void UnlockGlobal() SANITIZER_RELEASE(global_mutex) { global_mutex.Unlock(); } 47 48 Flags lsan_flags; 49 50 void DisableCounterUnderflow() { 51 if (common_flags()->detect_leaks) { 52 Report("Unmatched call to __lsan_enable().\n"); 53 Die(); 54 } 55 } 56 57 void Flags::SetDefaults() { 58 # define LSAN_FLAG(Type, Name, DefaultValue, Description) Name = DefaultValue; 59 # include "lsan_flags.inc" 60 # undef LSAN_FLAG 61 } 62 63 void RegisterLsanFlags(FlagParser *parser, Flags *f) { 64 # define LSAN_FLAG(Type, Name, DefaultValue, Description) \ 65 RegisterFlag(parser, #Name, Description, &f->Name); 66 # include "lsan_flags.inc" 67 # undef LSAN_FLAG 68 } 69 70 # define LOG_POINTERS(...) \ 71 do { \ 72 if (flags()->log_pointers) \ 73 Report(__VA_ARGS__); \ 74 } while (0) 75 76 # define LOG_THREADS(...) \ 77 do { \ 78 if (flags()->log_threads) \ 79 Report(__VA_ARGS__); \ 80 } while (0) 81 82 class LeakSuppressionContext { 83 bool parsed = false; 84 SuppressionContext context; 85 bool suppressed_stacks_sorted = true; 86 InternalMmapVector<u32> suppressed_stacks; 87 const LoadedModule *suppress_module = nullptr; 88 89 void LazyInit(); 90 Suppression *GetSuppressionForAddr(uptr addr); 91 bool SuppressInvalid(const StackTrace &stack); 92 bool SuppressByRule(const StackTrace &stack, uptr hit_count, uptr total_size); 93 94 public: 95 LeakSuppressionContext(const char *supprression_types[], 96 int suppression_types_num) 97 : context(supprression_types, suppression_types_num) {} 98 99 bool Suppress(u32 stack_trace_id, uptr hit_count, uptr total_size); 100 101 const InternalMmapVector<u32> &GetSortedSuppressedStacks() { 102 if (!suppressed_stacks_sorted) { 103 suppressed_stacks_sorted = true; 104 SortAndDedup(suppressed_stacks); 105 } 106 return suppressed_stacks; 107 } 108 void PrintMatchedSuppressions(); 109 }; 110 111 ALIGNED(64) static char suppression_placeholder[sizeof(LeakSuppressionContext)]; 112 static LeakSuppressionContext *suppression_ctx = nullptr; 113 static const char kSuppressionLeak[] = "leak"; 114 static const char *kSuppressionTypes[] = {kSuppressionLeak}; 115 static const char kStdSuppressions[] = 116 # if SANITIZER_SUPPRESS_LEAK_ON_PTHREAD_EXIT 117 // For more details refer to the SANITIZER_SUPPRESS_LEAK_ON_PTHREAD_EXIT 118 // definition. 119 "leak:*pthread_exit*\n" 120 # endif // SANITIZER_SUPPRESS_LEAK_ON_PTHREAD_EXIT 121 # if SANITIZER_APPLE 122 // For Darwin and os_log/os_trace: https://reviews.llvm.org/D35173 123 "leak:*_os_trace*\n" 124 # endif 125 // TLS leak in some glibc versions, described in 126 // https://sourceware.org/bugzilla/show_bug.cgi?id=12650. 127 "leak:*tls_get_addr*\n"; 128 129 void InitializeSuppressions() { 130 CHECK_EQ(nullptr, suppression_ctx); 131 suppression_ctx = new (suppression_placeholder) 132 LeakSuppressionContext(kSuppressionTypes, ARRAY_SIZE(kSuppressionTypes)); 133 } 134 135 void LeakSuppressionContext::LazyInit() { 136 if (!parsed) { 137 parsed = true; 138 context.ParseFromFile(flags()->suppressions); 139 if (&__lsan_default_suppressions) 140 context.Parse(__lsan_default_suppressions()); 141 context.Parse(kStdSuppressions); 142 if (flags()->use_tls && flags()->use_ld_allocations) 143 suppress_module = GetLinker(); 144 } 145 } 146 147 Suppression *LeakSuppressionContext::GetSuppressionForAddr(uptr addr) { 148 Suppression *s = nullptr; 149 150 // Suppress by module name. 151 const char *module_name = Symbolizer::GetOrInit()->GetModuleNameForPc(addr); 152 if (!module_name) 153 module_name = "<unknown module>"; 154 if (context.Match(module_name, kSuppressionLeak, &s)) 155 return s; 156 157 // Suppress by file or function name. 158 SymbolizedStackHolder symbolized_stack( 159 Symbolizer::GetOrInit()->SymbolizePC(addr)); 160 const SymbolizedStack *frames = symbolized_stack.get(); 161 for (const SymbolizedStack *cur = frames; cur; cur = cur->next) { 162 if (context.Match(cur->info.function, kSuppressionLeak, &s) || 163 context.Match(cur->info.file, kSuppressionLeak, &s)) { 164 break; 165 } 166 } 167 return s; 168 } 169 170 static uptr GetCallerPC(const StackTrace &stack) { 171 // The top frame is our malloc/calloc/etc. The next frame is the caller. 172 if (stack.size >= 2) 173 return stack.trace[1]; 174 return 0; 175 } 176 177 # if SANITIZER_APPLE 178 // Several pointers in the Objective-C runtime (method cache and class_rw_t, 179 // for example) are tagged with additional bits we need to strip. 180 static inline void *TransformPointer(void *p) { 181 uptr ptr = reinterpret_cast<uptr>(p); 182 return reinterpret_cast<void *>(ptr & OBJC_DATA_MASK); 183 } 184 # endif 185 186 // On Linux, treats all chunks allocated from ld-linux.so as reachable, which 187 // covers dynamically allocated TLS blocks, internal dynamic loader's loaded 188 // modules accounting etc. 189 // Dynamic TLS blocks contain the TLS variables of dynamically loaded modules. 190 // They are allocated with a __libc_memalign() call in allocate_and_init() 191 // (elf/dl-tls.c). Glibc won't tell us the address ranges occupied by those 192 // blocks, but we can make sure they come from our own allocator by intercepting 193 // __libc_memalign(). On top of that, there is no easy way to reach them. Their 194 // addresses are stored in a dynamically allocated array (the DTV) which is 195 // referenced from the static TLS. Unfortunately, we can't just rely on the DTV 196 // being reachable from the static TLS, and the dynamic TLS being reachable from 197 // the DTV. This is because the initial DTV is allocated before our interception 198 // mechanism kicks in, and thus we don't recognize it as allocated memory. We 199 // can't special-case it either, since we don't know its size. 200 // Our solution is to include in the root set all allocations made from 201 // ld-linux.so (which is where allocate_and_init() is implemented). This is 202 // guaranteed to include all dynamic TLS blocks (and possibly other allocations 203 // which we don't care about). 204 // On all other platforms, this simply checks to ensure that the caller pc is 205 // valid before reporting chunks as leaked. 206 bool LeakSuppressionContext::SuppressInvalid(const StackTrace &stack) { 207 uptr caller_pc = GetCallerPC(stack); 208 // If caller_pc is unknown, this chunk may be allocated in a coroutine. Mark 209 // it as reachable, as we can't properly report its allocation stack anyway. 210 return !caller_pc || 211 (suppress_module && suppress_module->containsAddress(caller_pc)); 212 } 213 214 bool LeakSuppressionContext::SuppressByRule(const StackTrace &stack, 215 uptr hit_count, uptr total_size) { 216 for (uptr i = 0; i < stack.size; i++) { 217 Suppression *s = GetSuppressionForAddr( 218 StackTrace::GetPreviousInstructionPc(stack.trace[i])); 219 if (s) { 220 s->weight += total_size; 221 atomic_fetch_add(&s->hit_count, hit_count, memory_order_relaxed); 222 return true; 223 } 224 } 225 return false; 226 } 227 228 bool LeakSuppressionContext::Suppress(u32 stack_trace_id, uptr hit_count, 229 uptr total_size) { 230 LazyInit(); 231 StackTrace stack = StackDepotGet(stack_trace_id); 232 if (!SuppressInvalid(stack) && !SuppressByRule(stack, hit_count, total_size)) 233 return false; 234 suppressed_stacks_sorted = false; 235 suppressed_stacks.push_back(stack_trace_id); 236 return true; 237 } 238 239 static LeakSuppressionContext *GetSuppressionContext() { 240 CHECK(suppression_ctx); 241 return suppression_ctx; 242 } 243 244 void InitCommonLsan() { 245 if (common_flags()->detect_leaks) { 246 // Initialization which can fail or print warnings should only be done if 247 // LSan is actually enabled. 248 InitializeSuppressions(); 249 InitializePlatformSpecificModules(); 250 } 251 } 252 253 class Decorator : public __sanitizer::SanitizerCommonDecorator { 254 public: 255 Decorator() : SanitizerCommonDecorator() {} 256 const char *Error() { return Red(); } 257 const char *Leak() { return Blue(); } 258 }; 259 260 static inline bool MaybeUserPointer(uptr p) { 261 // Since our heap is located in mmap-ed memory, we can assume a sensible lower 262 // bound on heap addresses. 263 const uptr kMinAddress = 4 * 4096; 264 if (p < kMinAddress) 265 return false; 266 # if defined(__x86_64__) 267 // TODO: support LAM48 and 5 level page tables. 268 // LAM_U57 mask format 269 // * top byte: 0x81 because the format is: [0] [6-bit tag] [0] 270 // * top-1 byte: 0xff because it should be 0 271 // * top-2 byte: 0x80 because Linux uses 128 TB VMA ending at 0x7fffffffffff 272 constexpr uptr kLAM_U57Mask = 0x81ff80; 273 constexpr uptr kPointerMask = kLAM_U57Mask << 40; 274 return ((p & kPointerMask) == 0); 275 # elif defined(__mips64) 276 return ((p >> 40) == 0); 277 # elif defined(__aarch64__) 278 // TBI (Top Byte Ignore) feature of AArch64: bits [63:56] are ignored in 279 // address translation and can be used to store a tag. 280 constexpr uptr kPointerMask = 255ULL << 48; 281 // Accept up to 48 bit VMA. 282 return ((p & kPointerMask) == 0); 283 # elif defined(__loongarch_lp64) 284 // Allow 47-bit user-space VMA at current. 285 return ((p >> 47) == 0); 286 # else 287 return true; 288 # endif 289 } 290 291 // Scans the memory range, looking for byte patterns that point into allocator 292 // chunks. Marks those chunks with |tag| and adds them to |frontier|. 293 // There are two usage modes for this function: finding reachable chunks 294 // (|tag| = kReachable) and finding indirectly leaked chunks 295 // (|tag| = kIndirectlyLeaked). In the second case, there's no flood fill, 296 // so |frontier| = 0. 297 void ScanRangeForPointers(uptr begin, uptr end, Frontier *frontier, 298 const char *region_type, ChunkTag tag) { 299 CHECK(tag == kReachable || tag == kIndirectlyLeaked); 300 const uptr alignment = flags()->pointer_alignment(); 301 LOG_POINTERS("Scanning %s range %p-%p.\n", region_type, (void *)begin, 302 (void *)end); 303 uptr pp = begin; 304 if (pp % alignment) 305 pp = pp + alignment - pp % alignment; 306 for (; pp + sizeof(void *) <= end; pp += alignment) { 307 void *p = *reinterpret_cast<void **>(pp); 308 # if SANITIZER_APPLE 309 p = TransformPointer(p); 310 # endif 311 if (!MaybeUserPointer(reinterpret_cast<uptr>(p))) 312 continue; 313 uptr chunk = PointsIntoChunk(p); 314 if (!chunk) 315 continue; 316 // Pointers to self don't count. This matters when tag == kIndirectlyLeaked. 317 if (chunk == begin) 318 continue; 319 LsanMetadata m(chunk); 320 if (m.tag() == kReachable || m.tag() == kIgnored) 321 continue; 322 323 // Do this check relatively late so we can log only the interesting cases. 324 if (!flags()->use_poisoned && WordIsPoisoned(pp)) { 325 LOG_POINTERS( 326 "%p is poisoned: ignoring %p pointing into chunk %p-%p of size " 327 "%zu.\n", 328 (void *)pp, p, (void *)chunk, (void *)(chunk + m.requested_size()), 329 m.requested_size()); 330 continue; 331 } 332 333 m.set_tag(tag); 334 LOG_POINTERS("%p: found %p pointing into chunk %p-%p of size %zu.\n", 335 (void *)pp, p, (void *)chunk, 336 (void *)(chunk + m.requested_size()), m.requested_size()); 337 if (frontier) 338 frontier->push_back(chunk); 339 } 340 } 341 342 // Scans a global range for pointers 343 void ScanGlobalRange(uptr begin, uptr end, Frontier *frontier) { 344 uptr allocator_begin = 0, allocator_end = 0; 345 GetAllocatorGlobalRange(&allocator_begin, &allocator_end); 346 if (begin <= allocator_begin && allocator_begin < end) { 347 CHECK_LE(allocator_begin, allocator_end); 348 CHECK_LE(allocator_end, end); 349 if (begin < allocator_begin) 350 ScanRangeForPointers(begin, allocator_begin, frontier, "GLOBAL", 351 kReachable); 352 if (allocator_end < end) 353 ScanRangeForPointers(allocator_end, end, frontier, "GLOBAL", kReachable); 354 } else { 355 ScanRangeForPointers(begin, end, frontier, "GLOBAL", kReachable); 356 } 357 } 358 359 void ScanExtraStackRanges(const InternalMmapVector<Range> &ranges, 360 Frontier *frontier) { 361 for (uptr i = 0; i < ranges.size(); i++) { 362 ScanRangeForPointers(ranges[i].begin, ranges[i].end, frontier, "FAKE STACK", 363 kReachable); 364 } 365 } 366 367 # if SANITIZER_FUCHSIA 368 369 // Fuchsia handles all threads together with its own callback. 370 static void ProcessThreads(SuspendedThreadsList const &, Frontier *, tid_t, 371 uptr) {} 372 373 # else 374 375 # if SANITIZER_ANDROID 376 // FIXME: Move this out into *libcdep.cpp 377 extern "C" SANITIZER_WEAK_ATTRIBUTE void __libc_iterate_dynamic_tls( 378 pid_t, void (*cb)(void *, void *, uptr, void *), void *); 379 # endif 380 381 static void ProcessThreadRegistry(Frontier *frontier) { 382 InternalMmapVector<uptr> ptrs; 383 GetAdditionalThreadContextPtrsLocked(&ptrs); 384 385 for (uptr i = 0; i < ptrs.size(); ++i) { 386 void *ptr = reinterpret_cast<void *>(ptrs[i]); 387 uptr chunk = PointsIntoChunk(ptr); 388 if (!chunk) 389 continue; 390 LsanMetadata m(chunk); 391 if (!m.allocated()) 392 continue; 393 394 // Mark as reachable and add to frontier. 395 LOG_POINTERS("Treating pointer %p from ThreadContext as reachable\n", ptr); 396 m.set_tag(kReachable); 397 frontier->push_back(chunk); 398 } 399 } 400 401 // Scans thread data (stacks and TLS) for heap pointers. 402 static void ProcessThreads(SuspendedThreadsList const &suspended_threads, 403 Frontier *frontier, tid_t caller_tid, 404 uptr caller_sp) { 405 InternalMmapVector<uptr> registers; 406 InternalMmapVector<Range> extra_ranges; 407 for (uptr i = 0; i < suspended_threads.ThreadCount(); i++) { 408 tid_t os_id = static_cast<tid_t>(suspended_threads.GetThreadID(i)); 409 LOG_THREADS("Processing thread %llu.\n", os_id); 410 uptr stack_begin, stack_end, tls_begin, tls_end, cache_begin, cache_end; 411 DTLS *dtls; 412 bool thread_found = 413 GetThreadRangesLocked(os_id, &stack_begin, &stack_end, &tls_begin, 414 &tls_end, &cache_begin, &cache_end, &dtls); 415 if (!thread_found) { 416 // If a thread can't be found in the thread registry, it's probably in the 417 // process of destruction. Log this event and move on. 418 LOG_THREADS("Thread %llu not found in registry.\n", os_id); 419 continue; 420 } 421 uptr sp; 422 PtraceRegistersStatus have_registers = 423 suspended_threads.GetRegistersAndSP(i, ®isters, &sp); 424 if (have_registers != REGISTERS_AVAILABLE) { 425 Report("Unable to get registers from thread %llu.\n", os_id); 426 // If unable to get SP, consider the entire stack to be reachable unless 427 // GetRegistersAndSP failed with ESRCH. 428 if (have_registers == REGISTERS_UNAVAILABLE_FATAL) 429 continue; 430 sp = stack_begin; 431 } 432 if (suspended_threads.GetThreadID(i) == caller_tid) { 433 sp = caller_sp; 434 } 435 436 if (flags()->use_registers && have_registers) { 437 uptr registers_begin = reinterpret_cast<uptr>(registers.data()); 438 uptr registers_end = 439 reinterpret_cast<uptr>(registers.data() + registers.size()); 440 ScanRangeForPointers(registers_begin, registers_end, frontier, 441 "REGISTERS", kReachable); 442 } 443 444 if (flags()->use_stacks) { 445 LOG_THREADS("Stack at %p-%p (SP = %p).\n", (void *)stack_begin, 446 (void *)stack_end, (void *)sp); 447 if (sp < stack_begin || sp >= stack_end) { 448 // SP is outside the recorded stack range (e.g. the thread is running a 449 // signal handler on alternate stack, or swapcontext was used). 450 // Again, consider the entire stack range to be reachable. 451 LOG_THREADS("WARNING: stack pointer not in stack range.\n"); 452 uptr page_size = GetPageSizeCached(); 453 int skipped = 0; 454 while (stack_begin < stack_end && 455 !IsAccessibleMemoryRange(stack_begin, 1)) { 456 skipped++; 457 stack_begin += page_size; 458 } 459 LOG_THREADS("Skipped %d guard page(s) to obtain stack %p-%p.\n", 460 skipped, (void *)stack_begin, (void *)stack_end); 461 } else { 462 // Shrink the stack range to ignore out-of-scope values. 463 stack_begin = sp; 464 } 465 ScanRangeForPointers(stack_begin, stack_end, frontier, "STACK", 466 kReachable); 467 extra_ranges.clear(); 468 GetThreadExtraStackRangesLocked(os_id, &extra_ranges); 469 ScanExtraStackRanges(extra_ranges, frontier); 470 } 471 472 if (flags()->use_tls) { 473 if (tls_begin) { 474 LOG_THREADS("TLS at %p-%p.\n", (void *)tls_begin, (void *)tls_end); 475 // If the tls and cache ranges don't overlap, scan full tls range, 476 // otherwise, only scan the non-overlapping portions 477 if (cache_begin == cache_end || tls_end < cache_begin || 478 tls_begin > cache_end) { 479 ScanRangeForPointers(tls_begin, tls_end, frontier, "TLS", kReachable); 480 } else { 481 if (tls_begin < cache_begin) 482 ScanRangeForPointers(tls_begin, cache_begin, frontier, "TLS", 483 kReachable); 484 if (tls_end > cache_end) 485 ScanRangeForPointers(cache_end, tls_end, frontier, "TLS", 486 kReachable); 487 } 488 } 489 # if SANITIZER_ANDROID 490 auto *cb = +[](void *dtls_begin, void *dtls_end, uptr /*dso_idd*/, 491 void *arg) -> void { 492 ScanRangeForPointers(reinterpret_cast<uptr>(dtls_begin), 493 reinterpret_cast<uptr>(dtls_end), 494 reinterpret_cast<Frontier *>(arg), "DTLS", 495 kReachable); 496 }; 497 498 // FIXME: There might be a race-condition here (and in Bionic) if the 499 // thread is suspended in the middle of updating its DTLS. IOWs, we 500 // could scan already freed memory. (probably fine for now) 501 __libc_iterate_dynamic_tls(os_id, cb, frontier); 502 # else 503 if (dtls && !DTLSInDestruction(dtls)) { 504 ForEachDVT(dtls, [&](const DTLS::DTV &dtv, int id) { 505 uptr dtls_beg = dtv.beg; 506 uptr dtls_end = dtls_beg + dtv.size; 507 if (dtls_beg < dtls_end) { 508 LOG_THREADS("DTLS %d at %p-%p.\n", id, (void *)dtls_beg, 509 (void *)dtls_end); 510 ScanRangeForPointers(dtls_beg, dtls_end, frontier, "DTLS", 511 kReachable); 512 } 513 }); 514 } else { 515 // We are handling a thread with DTLS under destruction. Log about 516 // this and continue. 517 LOG_THREADS("Thread %llu has DTLS under destruction.\n", os_id); 518 } 519 # endif 520 } 521 } 522 523 // Add pointers reachable from ThreadContexts 524 ProcessThreadRegistry(frontier); 525 } 526 527 # endif // SANITIZER_FUCHSIA 528 529 // A map that contains [region_begin, region_end) pairs. 530 using RootRegions = DenseMap<detail::DenseMapPair<uptr, uptr>, uptr>; 531 532 static RootRegions &GetRootRegionsLocked() { 533 global_mutex.CheckLocked(); 534 static RootRegions *regions = nullptr; 535 alignas(RootRegions) static char placeholder[sizeof(RootRegions)]; 536 if (!regions) 537 regions = new (placeholder) RootRegions(); 538 return *regions; 539 } 540 541 bool HasRootRegions() { return !GetRootRegionsLocked().empty(); } 542 543 void ScanRootRegions(Frontier *frontier, 544 const InternalMmapVectorNoCtor<Region> &mapped_regions) { 545 if (!flags()->use_root_regions) 546 return; 547 548 InternalMmapVector<Region> regions; 549 GetRootRegionsLocked().forEach([&](const auto &kv) { 550 regions.push_back({kv.first.first, kv.first.second}); 551 return true; 552 }); 553 554 InternalMmapVector<Region> intersection; 555 Intersect(mapped_regions, regions, intersection); 556 557 for (const Region &r : intersection) { 558 LOG_POINTERS("Root region intersects with mapped region at %p-%p\n", 559 (void *)r.begin, (void *)r.end); 560 ScanRangeForPointers(r.begin, r.end, frontier, "ROOT", kReachable); 561 } 562 } 563 564 // Scans root regions for heap pointers. 565 static void ProcessRootRegions(Frontier *frontier) { 566 if (!flags()->use_root_regions || !HasRootRegions()) 567 return; 568 MemoryMappingLayout proc_maps(/*cache_enabled*/ true); 569 MemoryMappedSegment segment; 570 InternalMmapVector<Region> mapped_regions; 571 while (proc_maps.Next(&segment)) 572 if (segment.IsReadable()) 573 mapped_regions.push_back({segment.start, segment.end}); 574 ScanRootRegions(frontier, mapped_regions); 575 } 576 577 static void FloodFillTag(Frontier *frontier, ChunkTag tag) { 578 while (frontier->size()) { 579 uptr next_chunk = frontier->back(); 580 frontier->pop_back(); 581 LsanMetadata m(next_chunk); 582 ScanRangeForPointers(next_chunk, next_chunk + m.requested_size(), frontier, 583 "HEAP", tag); 584 } 585 } 586 587 // ForEachChunk callback. If the chunk is marked as leaked, marks all chunks 588 // which are reachable from it as indirectly leaked. 589 static void MarkIndirectlyLeakedCb(uptr chunk, void *arg) { 590 chunk = GetUserBegin(chunk); 591 LsanMetadata m(chunk); 592 if (m.allocated() && m.tag() != kReachable) { 593 ScanRangeForPointers(chunk, chunk + m.requested_size(), 594 /* frontier */ nullptr, "HEAP", kIndirectlyLeaked); 595 } 596 } 597 598 static void IgnoredSuppressedCb(uptr chunk, void *arg) { 599 CHECK(arg); 600 chunk = GetUserBegin(chunk); 601 LsanMetadata m(chunk); 602 if (!m.allocated() || m.tag() == kIgnored) 603 return; 604 605 const InternalMmapVector<u32> &suppressed = 606 *static_cast<const InternalMmapVector<u32> *>(arg); 607 uptr idx = InternalLowerBound(suppressed, m.stack_trace_id()); 608 if (idx >= suppressed.size() || m.stack_trace_id() != suppressed[idx]) 609 return; 610 611 LOG_POINTERS("Suppressed: chunk %p-%p of size %zu.\n", (void *)chunk, 612 (void *)(chunk + m.requested_size()), m.requested_size()); 613 m.set_tag(kIgnored); 614 } 615 616 // ForEachChunk callback. If chunk is marked as ignored, adds its address to 617 // frontier. 618 static void CollectIgnoredCb(uptr chunk, void *arg) { 619 CHECK(arg); 620 chunk = GetUserBegin(chunk); 621 LsanMetadata m(chunk); 622 if (m.allocated() && m.tag() == kIgnored) { 623 LOG_POINTERS("Ignored: chunk %p-%p of size %zu.\n", (void *)chunk, 624 (void *)(chunk + m.requested_size()), m.requested_size()); 625 reinterpret_cast<Frontier *>(arg)->push_back(chunk); 626 } 627 } 628 629 // Sets the appropriate tag on each chunk. 630 static void ClassifyAllChunks(SuspendedThreadsList const &suspended_threads, 631 Frontier *frontier, tid_t caller_tid, 632 uptr caller_sp) { 633 const InternalMmapVector<u32> &suppressed_stacks = 634 GetSuppressionContext()->GetSortedSuppressedStacks(); 635 if (!suppressed_stacks.empty()) { 636 ForEachChunk(IgnoredSuppressedCb, 637 const_cast<InternalMmapVector<u32> *>(&suppressed_stacks)); 638 } 639 ForEachChunk(CollectIgnoredCb, frontier); 640 ProcessGlobalRegions(frontier); 641 ProcessThreads(suspended_threads, frontier, caller_tid, caller_sp); 642 ProcessRootRegions(frontier); 643 FloodFillTag(frontier, kReachable); 644 645 // The check here is relatively expensive, so we do this in a separate flood 646 // fill. That way we can skip the check for chunks that are reachable 647 // otherwise. 648 LOG_POINTERS("Processing platform-specific allocations.\n"); 649 ProcessPlatformSpecificAllocations(frontier); 650 FloodFillTag(frontier, kReachable); 651 652 // Iterate over leaked chunks and mark those that are reachable from other 653 // leaked chunks. 654 LOG_POINTERS("Scanning leaked chunks.\n"); 655 ForEachChunk(MarkIndirectlyLeakedCb, nullptr); 656 } 657 658 // ForEachChunk callback. Resets the tags to pre-leak-check state. 659 static void ResetTagsCb(uptr chunk, void *arg) { 660 (void)arg; 661 chunk = GetUserBegin(chunk); 662 LsanMetadata m(chunk); 663 if (m.allocated() && m.tag() != kIgnored) 664 m.set_tag(kDirectlyLeaked); 665 } 666 667 // ForEachChunk callback. Aggregates information about unreachable chunks into 668 // a LeakReport. 669 static void CollectLeaksCb(uptr chunk, void *arg) { 670 CHECK(arg); 671 LeakedChunks *leaks = reinterpret_cast<LeakedChunks *>(arg); 672 chunk = GetUserBegin(chunk); 673 LsanMetadata m(chunk); 674 if (!m.allocated()) 675 return; 676 if (m.tag() == kDirectlyLeaked || m.tag() == kIndirectlyLeaked) 677 leaks->push_back({chunk, m.stack_trace_id(), m.requested_size(), m.tag()}); 678 } 679 680 void LeakSuppressionContext::PrintMatchedSuppressions() { 681 InternalMmapVector<Suppression *> matched; 682 context.GetMatched(&matched); 683 if (!matched.size()) 684 return; 685 const char *line = "-----------------------------------------------------"; 686 Printf("%s\n", line); 687 Printf("Suppressions used:\n"); 688 Printf(" count bytes template\n"); 689 for (uptr i = 0; i < matched.size(); i++) { 690 Printf("%7zu %10zu %s\n", 691 static_cast<uptr>(atomic_load_relaxed(&matched[i]->hit_count)), 692 matched[i]->weight, matched[i]->templ); 693 } 694 Printf("%s\n\n", line); 695 } 696 697 # if SANITIZER_FUCHSIA 698 699 // Fuchsia provides a libc interface that guarantees all threads are 700 // covered, and SuspendedThreadList is never really used. 701 static void ReportUnsuspendedThreads(const SuspendedThreadsList &) {} 702 703 # else // !SANITIZER_FUCHSIA 704 705 static void ReportUnsuspendedThreads( 706 const SuspendedThreadsList &suspended_threads) { 707 InternalMmapVector<tid_t> threads(suspended_threads.ThreadCount()); 708 for (uptr i = 0; i < suspended_threads.ThreadCount(); ++i) 709 threads[i] = suspended_threads.GetThreadID(i); 710 711 Sort(threads.data(), threads.size()); 712 713 InternalMmapVector<tid_t> unsuspended; 714 GetRunningThreadsLocked(&unsuspended); 715 716 for (auto os_id : unsuspended) { 717 uptr i = InternalLowerBound(threads, os_id); 718 if (i >= threads.size() || threads[i] != os_id) 719 Report( 720 "Running thread %zu was not suspended. False leaks are possible.\n", 721 os_id); 722 } 723 } 724 725 # endif // !SANITIZER_FUCHSIA 726 727 static void CheckForLeaksCallback(const SuspendedThreadsList &suspended_threads, 728 void *arg) { 729 CheckForLeaksParam *param = reinterpret_cast<CheckForLeaksParam *>(arg); 730 CHECK(param); 731 CHECK(!param->success); 732 ReportUnsuspendedThreads(suspended_threads); 733 ClassifyAllChunks(suspended_threads, ¶m->frontier, param->caller_tid, 734 param->caller_sp); 735 ForEachChunk(CollectLeaksCb, ¶m->leaks); 736 // Clean up for subsequent leak checks. This assumes we did not overwrite any 737 // kIgnored tags. 738 ForEachChunk(ResetTagsCb, nullptr); 739 param->success = true; 740 } 741 742 static bool PrintResults(LeakReport &report) { 743 uptr unsuppressed_count = report.UnsuppressedLeakCount(); 744 if (unsuppressed_count) { 745 Decorator d; 746 Printf( 747 "\n" 748 "=================================================================" 749 "\n"); 750 Printf("%s", d.Error()); 751 Report("ERROR: LeakSanitizer: detected memory leaks\n"); 752 Printf("%s", d.Default()); 753 report.ReportTopLeaks(flags()->max_leaks); 754 } 755 if (common_flags()->print_suppressions) 756 GetSuppressionContext()->PrintMatchedSuppressions(); 757 if (unsuppressed_count > 0) { 758 report.PrintSummary(); 759 return true; 760 } 761 return false; 762 } 763 764 static bool CheckForLeaks() { 765 if (&__lsan_is_turned_off && __lsan_is_turned_off()) { 766 VReport(1, "LeakSanitizer is disabled"); 767 return false; 768 } 769 VReport(1, "LeakSanitizer: checking for leaks"); 770 // Inside LockStuffAndStopTheWorld we can't run symbolizer, so we can't match 771 // suppressions. However if a stack id was previously suppressed, it should be 772 // suppressed in future checks as well. 773 for (int i = 0;; ++i) { 774 EnsureMainThreadIDIsCorrect(); 775 CheckForLeaksParam param; 776 // Capture calling thread's stack pointer early, to avoid false negatives. 777 // Old frame with dead pointers might be overlapped by new frame inside 778 // CheckForLeaks which does not use bytes with pointers before the 779 // threads are suspended and stack pointers captured. 780 param.caller_tid = GetTid(); 781 param.caller_sp = reinterpret_cast<uptr>(__builtin_frame_address(0)); 782 LockStuffAndStopTheWorld(CheckForLeaksCallback, ¶m); 783 if (!param.success) { 784 Report("LeakSanitizer has encountered a fatal error.\n"); 785 Report( 786 "HINT: For debugging, try setting environment variable " 787 "LSAN_OPTIONS=verbosity=1:log_threads=1\n"); 788 Report( 789 "HINT: LeakSanitizer does not work under ptrace (strace, gdb, " 790 "etc)\n"); 791 Die(); 792 } 793 LeakReport leak_report; 794 leak_report.AddLeakedChunks(param.leaks); 795 796 // No new suppressions stacks, so rerun will not help and we can report. 797 if (!leak_report.ApplySuppressions()) 798 return PrintResults(leak_report); 799 800 // No indirect leaks to report, so we are done here. 801 if (!leak_report.IndirectUnsuppressedLeakCount()) 802 return PrintResults(leak_report); 803 804 if (i >= 8) { 805 Report("WARNING: LeakSanitizer gave up on indirect leaks suppression.\n"); 806 return PrintResults(leak_report); 807 } 808 809 // We found a new previously unseen suppressed call stack. Rerun to make 810 // sure it does not hold indirect leaks. 811 VReport(1, "Rerun with %zu suppressed stacks.", 812 GetSuppressionContext()->GetSortedSuppressedStacks().size()); 813 } 814 } 815 816 static bool has_reported_leaks = false; 817 bool HasReportedLeaks() { return has_reported_leaks; } 818 819 void DoLeakCheck() { 820 Lock l(&global_mutex); 821 static bool already_done; 822 if (already_done) 823 return; 824 already_done = true; 825 has_reported_leaks = CheckForLeaks(); 826 if (has_reported_leaks) 827 HandleLeaks(); 828 } 829 830 static int DoRecoverableLeakCheck() { 831 Lock l(&global_mutex); 832 bool have_leaks = CheckForLeaks(); 833 return have_leaks ? 1 : 0; 834 } 835 836 void DoRecoverableLeakCheckVoid() { DoRecoverableLeakCheck(); } 837 838 ///// LeakReport implementation. ///// 839 840 // A hard limit on the number of distinct leaks, to avoid quadratic complexity 841 // in LeakReport::AddLeakedChunk(). We don't expect to ever see this many leaks 842 // in real-world applications. 843 // FIXME: Get rid of this limit by moving logic into DedupLeaks. 844 const uptr kMaxLeaksConsidered = 5000; 845 846 void LeakReport::AddLeakedChunks(const LeakedChunks &chunks) { 847 for (const LeakedChunk &leak : chunks) { 848 uptr chunk = leak.chunk; 849 u32 stack_trace_id = leak.stack_trace_id; 850 uptr leaked_size = leak.leaked_size; 851 ChunkTag tag = leak.tag; 852 CHECK(tag == kDirectlyLeaked || tag == kIndirectlyLeaked); 853 854 if (u32 resolution = flags()->resolution) { 855 StackTrace stack = StackDepotGet(stack_trace_id); 856 stack.size = Min(stack.size, resolution); 857 stack_trace_id = StackDepotPut(stack); 858 } 859 860 bool is_directly_leaked = (tag == kDirectlyLeaked); 861 uptr i; 862 for (i = 0; i < leaks_.size(); i++) { 863 if (leaks_[i].stack_trace_id == stack_trace_id && 864 leaks_[i].is_directly_leaked == is_directly_leaked) { 865 leaks_[i].hit_count++; 866 leaks_[i].total_size += leaked_size; 867 break; 868 } 869 } 870 if (i == leaks_.size()) { 871 if (leaks_.size() == kMaxLeaksConsidered) 872 return; 873 Leak leak = {next_id_++, /* hit_count */ 1, 874 leaked_size, stack_trace_id, 875 is_directly_leaked, /* is_suppressed */ false}; 876 leaks_.push_back(leak); 877 } 878 if (flags()->report_objects) { 879 LeakedObject obj = {leaks_[i].id, GetUserAddr(chunk), leaked_size}; 880 leaked_objects_.push_back(obj); 881 } 882 } 883 } 884 885 static bool LeakComparator(const Leak &leak1, const Leak &leak2) { 886 if (leak1.is_directly_leaked == leak2.is_directly_leaked) 887 return leak1.total_size > leak2.total_size; 888 else 889 return leak1.is_directly_leaked; 890 } 891 892 void LeakReport::ReportTopLeaks(uptr num_leaks_to_report) { 893 CHECK(leaks_.size() <= kMaxLeaksConsidered); 894 Printf("\n"); 895 if (leaks_.size() == kMaxLeaksConsidered) 896 Printf( 897 "Too many leaks! Only the first %zu leaks encountered will be " 898 "reported.\n", 899 kMaxLeaksConsidered); 900 901 uptr unsuppressed_count = UnsuppressedLeakCount(); 902 if (num_leaks_to_report > 0 && num_leaks_to_report < unsuppressed_count) 903 Printf("The %zu top leak(s):\n", num_leaks_to_report); 904 Sort(leaks_.data(), leaks_.size(), &LeakComparator); 905 uptr leaks_reported = 0; 906 for (uptr i = 0; i < leaks_.size(); i++) { 907 if (leaks_[i].is_suppressed) 908 continue; 909 PrintReportForLeak(i); 910 leaks_reported++; 911 if (leaks_reported == num_leaks_to_report) 912 break; 913 } 914 if (leaks_reported < unsuppressed_count) { 915 uptr remaining = unsuppressed_count - leaks_reported; 916 Printf("Omitting %zu more leak(s).\n", remaining); 917 } 918 } 919 920 void LeakReport::PrintReportForLeak(uptr index) { 921 Decorator d; 922 Printf("%s", d.Leak()); 923 Printf("%s leak of %zu byte(s) in %zu object(s) allocated from:\n", 924 leaks_[index].is_directly_leaked ? "Direct" : "Indirect", 925 leaks_[index].total_size, leaks_[index].hit_count); 926 Printf("%s", d.Default()); 927 928 CHECK(leaks_[index].stack_trace_id); 929 StackDepotGet(leaks_[index].stack_trace_id).Print(); 930 931 if (flags()->report_objects) { 932 Printf("Objects leaked above:\n"); 933 PrintLeakedObjectsForLeak(index); 934 Printf("\n"); 935 } 936 } 937 938 void LeakReport::PrintLeakedObjectsForLeak(uptr index) { 939 u32 leak_id = leaks_[index].id; 940 for (uptr j = 0; j < leaked_objects_.size(); j++) { 941 if (leaked_objects_[j].leak_id == leak_id) 942 Printf("%p (%zu bytes)\n", (void *)leaked_objects_[j].addr, 943 leaked_objects_[j].size); 944 } 945 } 946 947 void LeakReport::PrintSummary() { 948 CHECK(leaks_.size() <= kMaxLeaksConsidered); 949 uptr bytes = 0, allocations = 0; 950 for (uptr i = 0; i < leaks_.size(); i++) { 951 if (leaks_[i].is_suppressed) 952 continue; 953 bytes += leaks_[i].total_size; 954 allocations += leaks_[i].hit_count; 955 } 956 InternalScopedString summary; 957 summary.AppendF("%zu byte(s) leaked in %zu allocation(s).", bytes, 958 allocations); 959 ReportErrorSummary(summary.data()); 960 } 961 962 uptr LeakReport::ApplySuppressions() { 963 LeakSuppressionContext *suppressions = GetSuppressionContext(); 964 uptr new_suppressions = 0; 965 for (uptr i = 0; i < leaks_.size(); i++) { 966 if (suppressions->Suppress(leaks_[i].stack_trace_id, leaks_[i].hit_count, 967 leaks_[i].total_size)) { 968 leaks_[i].is_suppressed = true; 969 ++new_suppressions; 970 } 971 } 972 return new_suppressions; 973 } 974 975 uptr LeakReport::UnsuppressedLeakCount() { 976 uptr result = 0; 977 for (uptr i = 0; i < leaks_.size(); i++) 978 if (!leaks_[i].is_suppressed) 979 result++; 980 return result; 981 } 982 983 uptr LeakReport::IndirectUnsuppressedLeakCount() { 984 uptr result = 0; 985 for (uptr i = 0; i < leaks_.size(); i++) 986 if (!leaks_[i].is_suppressed && !leaks_[i].is_directly_leaked) 987 result++; 988 return result; 989 } 990 991 } // namespace __lsan 992 #else // CAN_SANITIZE_LEAKS 993 namespace __lsan { 994 void InitCommonLsan() {} 995 void DoLeakCheck() {} 996 void DoRecoverableLeakCheckVoid() {} 997 void DisableInThisThread() {} 998 void EnableInThisThread() {} 999 } // namespace __lsan 1000 #endif // CAN_SANITIZE_LEAKS 1001 1002 using namespace __lsan; 1003 1004 extern "C" { 1005 SANITIZER_INTERFACE_ATTRIBUTE 1006 void __lsan_ignore_object(const void *p) { 1007 #if CAN_SANITIZE_LEAKS 1008 if (!common_flags()->detect_leaks) 1009 return; 1010 // Cannot use PointsIntoChunk or LsanMetadata here, since the allocator is not 1011 // locked. 1012 Lock l(&global_mutex); 1013 IgnoreObjectResult res = IgnoreObject(p); 1014 if (res == kIgnoreObjectInvalid) 1015 VReport(1, "__lsan_ignore_object(): no heap object found at %p\n", p); 1016 if (res == kIgnoreObjectAlreadyIgnored) 1017 VReport(1, 1018 "__lsan_ignore_object(): " 1019 "heap object at %p is already being ignored\n", 1020 p); 1021 if (res == kIgnoreObjectSuccess) 1022 VReport(1, "__lsan_ignore_object(): ignoring heap object at %p\n", p); 1023 #endif // CAN_SANITIZE_LEAKS 1024 } 1025 1026 SANITIZER_INTERFACE_ATTRIBUTE 1027 void __lsan_register_root_region(const void *begin, uptr size) { 1028 #if CAN_SANITIZE_LEAKS 1029 VReport(1, "Registered root region at %p of size %zu\n", begin, size); 1030 uptr b = reinterpret_cast<uptr>(begin); 1031 uptr e = b + size; 1032 CHECK_LT(b, e); 1033 1034 Lock l(&global_mutex); 1035 ++GetRootRegionsLocked()[{b, e}]; 1036 #endif // CAN_SANITIZE_LEAKS 1037 } 1038 1039 SANITIZER_INTERFACE_ATTRIBUTE 1040 void __lsan_unregister_root_region(const void *begin, uptr size) { 1041 #if CAN_SANITIZE_LEAKS 1042 uptr b = reinterpret_cast<uptr>(begin); 1043 uptr e = b + size; 1044 CHECK_LT(b, e); 1045 VReport(1, "Unregistered root region at %p of size %zu\n", begin, size); 1046 1047 { 1048 Lock l(&global_mutex); 1049 if (auto *f = GetRootRegionsLocked().find({b, e})) { 1050 if (--(f->second) == 0) 1051 GetRootRegionsLocked().erase(f); 1052 return; 1053 } 1054 } 1055 Report( 1056 "__lsan_unregister_root_region(): region at %p of size %zu has not " 1057 "been registered.\n", 1058 begin, size); 1059 Die(); 1060 #endif // CAN_SANITIZE_LEAKS 1061 } 1062 1063 SANITIZER_INTERFACE_ATTRIBUTE 1064 void __lsan_disable() { 1065 #if CAN_SANITIZE_LEAKS 1066 __lsan::DisableInThisThread(); 1067 #endif 1068 } 1069 1070 SANITIZER_INTERFACE_ATTRIBUTE 1071 void __lsan_enable() { 1072 #if CAN_SANITIZE_LEAKS 1073 __lsan::EnableInThisThread(); 1074 #endif 1075 } 1076 1077 SANITIZER_INTERFACE_ATTRIBUTE 1078 void __lsan_do_leak_check() { 1079 #if CAN_SANITIZE_LEAKS 1080 if (common_flags()->detect_leaks) 1081 __lsan::DoLeakCheck(); 1082 #endif // CAN_SANITIZE_LEAKS 1083 } 1084 1085 SANITIZER_INTERFACE_ATTRIBUTE 1086 int __lsan_do_recoverable_leak_check() { 1087 #if CAN_SANITIZE_LEAKS 1088 if (common_flags()->detect_leaks) 1089 return __lsan::DoRecoverableLeakCheck(); 1090 #endif // CAN_SANITIZE_LEAKS 1091 return 0; 1092 } 1093 1094 SANITIZER_INTERFACE_WEAK_DEF(const char *, __lsan_default_options, void) { 1095 return ""; 1096 } 1097 1098 #if !SANITIZER_SUPPORTS_WEAK_HOOKS 1099 SANITIZER_INTERFACE_WEAK_DEF(int, __lsan_is_turned_off, void) { 1100 return 0; 1101 } 1102 1103 SANITIZER_INTERFACE_WEAK_DEF(const char *, __lsan_default_suppressions, void) { 1104 return ""; 1105 } 1106 #endif 1107 } // extern "C" 1108