Malloc debug is a method of debugging native memory problems. It can help detect memory corruption, memory leaks, and use after free issues.
Currently, malloc debug requires root to enable. When it is enabled, it works by adding a shim layer that replaces the normal allocation calls. The replaced calls are:
On 32 bit systems, these two deprecated functions are also replaced:
Any errors detected by the library are reported in the log.
Malloc debug is controlled by individual options. Each option can be enabled individually, or in a group of other options. Every single option can be combined with every other option.
Enables a small buffer placed before the allocated data. This is an attempt to find memory corruption occuring to a region before the original allocation. On first allocation, this front guard is written with a specific pattern (0xaa). When the allocation is freed, the guard is checked to verify it has not been modified. If any part of the front guard is modified, an error will be reported in the log indicating what bytes changed.
If the backtrace option is also enabled, then any error message will include the backtrace of the allocation site.
If SIZE_BYTES is present, it indicates the number of bytes in the guard. The default is 32 bytes, the max bytes is 16384. SIZE_BYTES will be padded so that it is a multiple of 8 bytes on 32 bit systems and 16 bytes on 64 bit systems to make sure that the allocation returned is aligned properly.
This option adds a special header to all allocations that contains the guard and information about the original allocation.
Example error:
Enables a small buffer placed after the allocated data. This is an attempt to find memory corruption occuring to a region after the original allocation. On first allocation, this rear guard is written with a specific pattern (0xbb). When the allocation is freed, the guard is checked to verify it has not been modified. If any part of the rear guard is modified, an error will be reported in the log indicating what bytes changed.
If SIZE_BYTES is present, it indicates the number of bytes in the guard. The default is 32 bytes, the max bytes is 16384.
This option adds a special header to all allocations that contains information about the original allocation.
Example error:
Enables both a front guard and a rear guard on all allocations.
If SIZE_BYTES is present, it indicates the number of bytes in both guards. The default is 32 bytes, the max bytes is 16384.
Enable capturing the backtrace of each allocation site. This option will slow down allocations by an order of magnitude. If the system runs too slowly with this option enabled, decreasing the maximum number of frames captured will speed the allocations up.
Note that any backtrace frames that occur within the malloc backtrace library itself are not recorded.
If MAX_FRAMES is present, it indicates the maximum number of frames to capture in a backtrace. The default is 16 frames, the maximumum value this can be set to is 256.
This option adds a special header to all allocations that contains the backtrace and information about the original allocation.
Enable capturing the backtrace of each allocation site. If the backtrace capture is toggled when the process receives the signal SIGRTMAX - 19 (which is 45 on most Android devices). When this option is used alone, backtrace capture starts out disabled until the signal is received. If both this option and the backtrace option are set, then backtrace capture is enabled until the signal is received.
If MAX_FRAMES is present, it indicates the maximum number of frames to capture in a backtrace. The default is 16 frames, the maximumum value this can be set to is 256.
This option adds a special header to all allocations that contains the backtrace and information about the original allocation.
Any allocation routine, other than calloc, will result in the allocation being filled with the value 0xeb. When doing a realloc to a larger size, the bytes above the original usable size will be set to 0xeb.
If MAX_FILLED_BYTES is present, it will only fill up to the specified number of bytes in the allocation. The default is to fill the entire allocation.
When an allocation is freed, fill it with 0xef.
If MAX_FILLED_BYTES is present, it will only fill up to the specified number of bytes in the allocation. The default is to fill the entire allocation.
This enables both the fill_on_alloc option and the fill_on_free option.
If MAX_FILLED_BYTES is present, it will only fill up to the specified number of bytes in the allocation. The default is to fill the entire allocation.
Add an extra amount to allocate for every allocation.
If XX is present, it is the number of bytes to expand the allocation by. The default is 16 bytes, the max bytes is 16384.
When a pointer is freed, do not free the memory right away, but add it to a list of freed allocations. In addition to being added to the list, the entire allocation is filled with the value 0xef, and the backtrace at the time of the free is recorded. The backtrace recording is completely separate from the backtrace option, and happens automatically if this option is enabled. By default, a maximum of 16 frames will be recorded, but this value can be changed using the free_track_backtrace_num_frames option. It can also be completely disabled by setting the option to zero. See the full description of this option below.
When the list is full, an allocation is removed from the list and is checked to make sure that none of the contents have been modified since being placed on the list. When the program terminates, all of the allocations left on the list are verified.
If ALLOCATION_COUNT is present, it indicates the total number of allocations in the list. The default is to record 100 freed allocations, the max allocations to record is 16384.
This option adds a special header to all allocations that contains information about the original allocation.
Example error:
In addition, there is another type of error message that can occur if an allocation has a special header applied, and the header is corrupted before the verification occurs. This is the error message that will be found in the log:
This option only has meaning if free_track is set. It indicates how many backtrace frames to capture when an allocation is freed.
If MAX_FRAMES is present, it indicates the number of frames to capture. If the value is set to zero, then no backtrace will be captured when the allocation is freed. The default is to record 16 frames, the max number of frames to to record is 256.
Track all live allocations. When the program terminates, all of the live allocations will be dumped to the log. If the backtrace option was enabled, then the log will include the backtrace of the leaked allocations. This option is not useful when enabled globally because a lot of programs do not free everything before the program terminates.
This option adds a special header to all allocations that contains information about the original allocation.
Example leak error found in the log:
There are a few other error messages that might appear in the log.
This indicates that code is attempting to free an already freed pointer. The name in parenthesis indicates that the application called the function free with the bad pointer.
For example, this message:
Would indicate that the application called the realloc function with an already freed pointer.
This indicates that a function (malloc_usable_size) was called with a pointer that is either not allocated memory, or that the memory of the pointer has been corrupted.
As with the other error message, the function in parenthesis is the function that was called with the bad pointer.
Enable backtrace tracking of all allocation for all processes:
Enable backtrace tracking for a specific process (ls):
Enable backtrace tracking for the zygote and zygote based processes:
Enable multiple options (backtrace and guards):
Enable malloc debug when multiple processes have the same name. This method can be used to enable malloc debug for only a very specific process if multiple processes have the same name.
Note: The double quotes in the adb shell command are necessary. Otherwise, the setprop command will fail since the backtrace guards options will look like two arguments instead of one.