libc/platform/bionic/malloc.h - platform/bionic.git - Git at Google

 /*
  * Copyright (C) 2018 The Android Open Source Project
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *  * Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  *  * Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
  *    the documentation and/or other materials provided with the
  *    distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */

 #pragma once

 #include <malloc.h>
 #include <stdbool.h>
 #include <stdint.h>

 // Structures for android_mallopt.
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wnullability-completeness"
 typedef struct {
   // Pointer to the buffer allocated by a call to M_GET_MALLOC_LEAK_INFO.
   uint8_t* buffer;
   // The size of the "info" buffer.
   size_t overall_size;
   // The size of a single entry.
   size_t info_size;
   // The sum of all allocations that have been tracked. Does not include
   // any heap overhead.
   size_t total_memory;
   // The maximum number of backtrace entries.
   size_t backtrace_size;
 } android_mallopt_leak_info_t;
 #pragma clang diagnostic pop
 // Opcodes for android_mallopt.

 enum {
   // Marks the calling process as a profileable zygote child, possibly
   // initializing profiling infrastructure.
   M_INIT_ZYGOTE_CHILD_PROFILING = 1,
 #define M_INIT_ZYGOTE_CHILD_PROFILING M_INIT_ZYGOTE_CHILD_PROFILING
   M_RESET_HOOKS = 2,
 #define M_RESET_HOOKS M_RESET_HOOKS
   // Set an upper bound on the total size in bytes of all allocations made
   // using the memory allocation APIs.
   //   arg = size_t*
   //   arg_size = sizeof(size_t)
   M_SET_ALLOCATION_LIMIT_BYTES = 3,
 #define M_SET_ALLOCATION_LIMIT_BYTES M_SET_ALLOCATION_LIMIT_BYTES
   // Called after the zygote forks to indicate this is a child.
   M_SET_ZYGOTE_CHILD = 4,
 #define M_SET_ZYGOTE_CHILD M_SET_ZYGOTE_CHILD

   // Options to dump backtraces of allocations. These options only
   // work when malloc debug has been enabled.

   // Writes the backtrace information of all current allocations to a file.
   // NOTE: arg_size has to be sizeof(FILE*) because FILE is an opaque type.
   //   arg = FILE*
   //   arg_size = sizeof(FILE*)
   M_WRITE_MALLOC_LEAK_INFO_TO_FILE = 5,
 #define M_WRITE_MALLOC_LEAK_INFO_TO_FILE M_WRITE_MALLOC_LEAK_INFO_TO_FILE
   // Get information about the backtraces of all
   //   arg = android_mallopt_leak_info_t*
   //   arg_size = sizeof(android_mallopt_leak_info_t)
   M_GET_MALLOC_LEAK_INFO = 6,
 #define M_GET_MALLOC_LEAK_INFO M_GET_MALLOC_LEAK_INFO
   // Free the memory allocated and returned by M_GET_MALLOC_LEAK_INFO.
   //   arg = android_mallopt_leak_info_t*
   //   arg_size = sizeof(android_mallopt_leak_info_t)
   M_FREE_MALLOC_LEAK_INFO = 7,
 #define M_FREE_MALLOC_LEAK_INFO M_FREE_MALLOC_LEAK_INFO
   // Query whether the current process is considered to be profileable by the
   // Android platform. Result is assigned to the arg pointer's destination.
   //   arg = bool*
   //   arg_size = sizeof(bool)
   M_GET_PROCESS_PROFILEABLE = 9,
 #define M_GET_PROCESS_PROFILEABLE M_GET_PROCESS_PROFILEABLE
   // Maybe enable GWP-ASan. Set *arg to force GWP-ASan to be turned on,
   // otherwise this mallopt() will internally decide whether to sample the
   // process. The program must be single threaded at the point when the
   // android_mallopt function is called.
   //   arg = android_mallopt_gwp_asan_options_t*
   //   arg_size = sizeof(android_mallopt_gwp_asan_options_t)
   M_INITIALIZE_GWP_ASAN = 10,
 #define M_INITIALIZE_GWP_ASAN M_INITIALIZE_GWP_ASAN
   // Query whether memtag stack is enabled for this process.
   M_MEMTAG_STACK_IS_ON = 11,
 #define M_MEMTAG_STACK_IS_ON M_MEMTAG_STACK_IS_ON
   // Query whether the current process has the decay time enabled so that
   // the memory from allocations are not immediately released to the OS.
   // Result is assigned to the arg pointer's destination.
   //   arg = bool*
   //   arg_size = sizeof(bool)
   M_GET_DECAY_TIME_ENABLED = 12,
 #define M_GET_DECAY_TIME_ENABLED M_GET_DECAY_TIME_ENABLED
 };

 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wnullability-completeness"
 typedef struct {
   // The null-terminated name that the zygote is spawning. Because native
   // SpecializeCommon (where the GWP-ASan mallopt() is called from) happens
   // before argv[0] is set, we need the zygote to tell us the new app name.
   const char* program_name = nullptr;

   // An android_mallopt(M_INITIALIZE_GWP_ASAN) is always issued on process
   // startup and app startup, regardless of whether GWP-ASan is desired or not.
   // This allows the process/app's desire to be overwritten by the
   // "libc.debug.gwp_asan.*.app_default" or "libc.debug.gwp_asan.*.<name>"
   // system properties, as well as the "GWP_ASAN_*" environment variables.
   //
   // Worth noting, the "libc.debug.gwp_asan.*.app_default" sysprops *do not*
   // apply to system apps. They use the "libc.debug.gwp_asan.*.system_default"
   // sysprops.
   //
   // In recoverable mode, GWP-ASan will detect heap memory safety bugs, and bug
   // reports will be created by debuggerd, however the process will recover and
   // continue to function as if the memory safety bug wasn't detected. This
   // prevents any user-visible impact as apps and processes don't crash, and
   // probably saves us some CPU time in restarting the process.
   //
   // Process sampling enables GWP-ASan, but only a small percentage of the time
   // (~1%). This helps mitigate any recurring high-frequency problems in certain
   // processes, as it's highly likely the next restart of said process won't
   // have GWP-ASan. In addition, for system processes and system apps, this
   // allows us to mitigate system-wide memory overhead concerns, as each
   // GWP-ASan enabled process uses ~70KiB of extra memory.
   enum Mode {
     // Used by default for apps, or by those that have an explicit
     // `gwpAsanMode=default` in the manifest.
     //
     // Result:
     //  - Android 13 and before: GWP-ASan is not enabled.
     //  - Android 14 and after: Enables GWP-ASan with process sampling in
     //    recoverable mode.
     APP_MANIFEST_DEFAULT = 3,
     // This is used by apps that have `gwpAsanMode=always` in the manifest.
     //
     // Result:
     //  - Android 14 and before: Enables GWP-ASan in non-recoverable mode,
     //    without process sampling.
     //  - Android 15 and after: Enables GWP-ASan in recoverable mode, without
     //    process sampling.
     APP_MANIFEST_ALWAYS = 0,
     // This is used by apps that have `gwpAsanMode=never` in the manifest.
     //
     // Result:
     //  - GWP-ASan is not enabled, unless it's force-enabled by a system
     //    property or environment variable.
     APP_MANIFEST_NEVER = 2,
     // Used by system processes and system apps.
     //
     // Result:
     //  - Android 14 and before: Enables GWP-ASan with process sampling in
     //    non-recoverable mode.
     //  - Android 15 and after: Enables GWP-ASan with process sampling in
     //    recoverable mode.
     SYSTEM_PROCESS_OR_SYSTEM_APP = 1,
     // Next enum value = 4. Numbered non-sequentially above to preserve ABI
     // stability, but now ordered more logically.
   };

   Mode mode = APP_MANIFEST_NEVER;
 } android_mallopt_gwp_asan_options_t;
 #pragma clang diagnostic pop
 // Manipulates bionic-specific handling of memory allocation APIs such as
 // malloc. Only for use by the Android platform and APEXes.
 //
 // On success, returns true. On failure, returns false and sets errno.
 extern "C" bool android_mallopt(int opcode, void* _Nullable arg, size_t arg_size);
	/*
	* Copyright (C) 2018 The Android Open Source Project
	* All rights reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions
	* are met:
	* * Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* * Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in
	* the documentation and/or other materials provided with the
	* distribution.
	*
	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
	* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
	* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
	* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	* SUCH DAMAGE.
	*/

	#pragma once

	#include <malloc.h>
	#include <stdbool.h>
	#include <stdint.h>

	// Structures for android_mallopt.
	#pragma clang diagnostic push
	#pragma clang diagnostic ignored "-Wnullability-completeness"
	typedef struct {
	// Pointer to the buffer allocated by a call to M_GET_MALLOC_LEAK_INFO.
	uint8_t* buffer;
	// The size of the "info" buffer.
	size_t overall_size;
	// The size of a single entry.
	size_t info_size;
	// The sum of all allocations that have been tracked. Does not include
	// any heap overhead.
	size_t total_memory;
	// The maximum number of backtrace entries.
	size_t backtrace_size;
	} android_mallopt_leak_info_t;
	#pragma clang diagnostic pop
	// Opcodes for android_mallopt.

	enum {
	// Marks the calling process as a profileable zygote child, possibly
	// initializing profiling infrastructure.
	M_INIT_ZYGOTE_CHILD_PROFILING = 1,
	#define M_INIT_ZYGOTE_CHILD_PROFILING M_INIT_ZYGOTE_CHILD_PROFILING
	M_RESET_HOOKS = 2,
	#define M_RESET_HOOKS M_RESET_HOOKS
	// Set an upper bound on the total size in bytes of all allocations made
	// using the memory allocation APIs.
	// arg = size_t*
	// arg_size = sizeof(size_t)
	M_SET_ALLOCATION_LIMIT_BYTES = 3,
	#define M_SET_ALLOCATION_LIMIT_BYTES M_SET_ALLOCATION_LIMIT_BYTES
	// Called after the zygote forks to indicate this is a child.
	M_SET_ZYGOTE_CHILD = 4,
	#define M_SET_ZYGOTE_CHILD M_SET_ZYGOTE_CHILD

	// Options to dump backtraces of allocations. These options only
	// work when malloc debug has been enabled.

	// Writes the backtrace information of all current allocations to a file.
	// NOTE: arg_size has to be sizeof(FILE*) because FILE is an opaque type.
	// arg = FILE*
	// arg_size = sizeof(FILE*)
	M_WRITE_MALLOC_LEAK_INFO_TO_FILE = 5,
	#define M_WRITE_MALLOC_LEAK_INFO_TO_FILE M_WRITE_MALLOC_LEAK_INFO_TO_FILE
	// Get information about the backtraces of all
	// arg = android_mallopt_leak_info_t*
	// arg_size = sizeof(android_mallopt_leak_info_t)
	M_GET_MALLOC_LEAK_INFO = 6,
	#define M_GET_MALLOC_LEAK_INFO M_GET_MALLOC_LEAK_INFO
	// Free the memory allocated and returned by M_GET_MALLOC_LEAK_INFO.
	// arg = android_mallopt_leak_info_t*
	// arg_size = sizeof(android_mallopt_leak_info_t)
	M_FREE_MALLOC_LEAK_INFO = 7,
	#define M_FREE_MALLOC_LEAK_INFO M_FREE_MALLOC_LEAK_INFO
	// Query whether the current process is considered to be profileable by the
	// Android platform. Result is assigned to the arg pointer's destination.
	// arg = bool*
	// arg_size = sizeof(bool)
	M_GET_PROCESS_PROFILEABLE = 9,
	#define M_GET_PROCESS_PROFILEABLE M_GET_PROCESS_PROFILEABLE
	// Maybe enable GWP-ASan. Set *arg to force GWP-ASan to be turned on,
	// otherwise this mallopt() will internally decide whether to sample the
	// process. The program must be single threaded at the point when the
	// android_mallopt function is called.
	// arg = android_mallopt_gwp_asan_options_t*
	// arg_size = sizeof(android_mallopt_gwp_asan_options_t)
	M_INITIALIZE_GWP_ASAN = 10,
	#define M_INITIALIZE_GWP_ASAN M_INITIALIZE_GWP_ASAN
	// Query whether memtag stack is enabled for this process.
	M_MEMTAG_STACK_IS_ON = 11,
	#define M_MEMTAG_STACK_IS_ON M_MEMTAG_STACK_IS_ON
	// Query whether the current process has the decay time enabled so that
	// the memory from allocations are not immediately released to the OS.
	// Result is assigned to the arg pointer's destination.
	// arg = bool*
	// arg_size = sizeof(bool)
	M_GET_DECAY_TIME_ENABLED = 12,
	#define M_GET_DECAY_TIME_ENABLED M_GET_DECAY_TIME_ENABLED
	};

	#pragma clang diagnostic push
	#pragma clang diagnostic ignored "-Wnullability-completeness"
	typedef struct {
	// The null-terminated name that the zygote is spawning. Because native
	// SpecializeCommon (where the GWP-ASan mallopt() is called from) happens
	// before argv[0] is set, we need the zygote to tell us the new app name.
	const char* program_name = nullptr;

	// An android_mallopt(M_INITIALIZE_GWP_ASAN) is always issued on process
	// startup and app startup, regardless of whether GWP-ASan is desired or not.
	// This allows the process/app's desire to be overwritten by the
	// "libc.debug.gwp_asan..app_default" or "libc.debug.gwp_asan..<name>"
	// system properties, as well as the "GWP_ASAN_*" environment variables.
	//
	// Worth noting, the "libc.debug.gwp_asan..app_default" sysprops do not*
	// apply to system apps. They use the "libc.debug.gwp_asan.*.system_default"
	// sysprops.
	//
	// In recoverable mode, GWP-ASan will detect heap memory safety bugs, and bug
	// reports will be created by debuggerd, however the process will recover and
	// continue to function as if the memory safety bug wasn't detected. This
	// prevents any user-visible impact as apps and processes don't crash, and
	// probably saves us some CPU time in restarting the process.
	//
	// Process sampling enables GWP-ASan, but only a small percentage of the time
	// (~1%). This helps mitigate any recurring high-frequency problems in certain
	// processes, as it's highly likely the next restart of said process won't
	// have GWP-ASan. In addition, for system processes and system apps, this
	// allows us to mitigate system-wide memory overhead concerns, as each
	// GWP-ASan enabled process uses ~70KiB of extra memory.
	enum Mode {
	// Used by default for apps, or by those that have an explicit
	// `gwpAsanMode=default` in the manifest.
	//
	// Result:
	// - Android 13 and before: GWP-ASan is not enabled.
	// - Android 14 and after: Enables GWP-ASan with process sampling in
	// recoverable mode.
	APP_MANIFEST_DEFAULT = 3,
	// This is used by apps that have `gwpAsanMode=always` in the manifest.
	//
	// Result:
	// - Android 14 and before: Enables GWP-ASan in non-recoverable mode,
	// without process sampling.
	// - Android 15 and after: Enables GWP-ASan in recoverable mode, without
	// process sampling.
	APP_MANIFEST_ALWAYS = 0,
	// This is used by apps that have `gwpAsanMode=never` in the manifest.
	//
	// Result:
	// - GWP-ASan is not enabled, unless it's force-enabled by a system
	// property or environment variable.
	APP_MANIFEST_NEVER = 2,
	// Used by system processes and system apps.
	//
	// Result:
	// - Android 14 and before: Enables GWP-ASan with process sampling in
	// non-recoverable mode.
	// - Android 15 and after: Enables GWP-ASan with process sampling in
	// recoverable mode.
	SYSTEM_PROCESS_OR_SYSTEM_APP = 1,
	// Next enum value = 4. Numbered non-sequentially above to preserve ABI
	// stability, but now ordered more logically.
	};

	Mode mode = APP_MANIFEST_NEVER;
	} android_mallopt_gwp_asan_options_t;
	#pragma clang diagnostic pop
	// Manipulates bionic-specific handling of memory allocation APIs such as
	// malloc. Only for use by the Android platform and APEXes.
	//
	// On success, returns true. On failure, returns false and sets errno.
	extern "C" bool android_mallopt(int opcode, void* _Nullable arg, size_t arg_size);