pvalloc is guaranteed to round up the allocation size to the page
size, so applications can assume that the memory region is larger
than the passed-in argument. The alloc_size attribute cannot express
that.
The test case is based on a suggestion from Jakub Jelinek.
This fixes commit 9bf8e29ca1 ("malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)").
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
As discussed previously on libc-alpha [1], this patch follows up the idea
and adds both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limits
the maximum requested allocation size to PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with the gcc expected size defined by the default
-Walloc-size-larger-than warning value, which warns for allocations larger
than PTRDIFF_MAX. It also aligns with gcc expectations regarding libc and
expected size, such as described in PR#67999 [2] and the previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtime checks that limit the maximum requested
allocation size do apply to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
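An added example, not code from glibc or from the commits above, that models the request checks those commits describe: the PTRDIFF_MAX limit in checked_request2size, the __builtin_mul_overflow check in calloc, and the __builtin_add_overflow page round-up in pvalloc, followed by a direct check of the observable malloc behaviour. The layout constants (SIZE_SZ, MALLOC_ALIGN_MASK, MINSIZE) are constructed stand-ins, not glibc's real values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for glibc's target-dependent layout constants.  */
#define SIZE_SZ           sizeof (size_t)
#define MALLOC_ALIGN_MASK (2 * SIZE_SZ - 1)
#define MINSIZE           (4 * SIZE_SZ)

/* Model of checked_request2size after the change: a request above PTRDIFF_MAX
   is rejected with ENOMEM before padding, so the arithmetic cannot wrap.  */
static bool checked_request2size_model (size_t req, size_t *sz)
{
  if (req > PTRDIFF_MAX) { errno = ENOMEM; return false; }
  size_t padded = req + SIZE_SZ + MALLOC_ALIGN_MASK;
  *sz = padded < MINSIZE ? MINSIZE : (padded & ~MALLOC_ALIGN_MASK);
  return true;
}

/* calloc-style front end: __builtin_mul_overflow first, then the limit.  */
static bool calloc_request_model (size_t n, size_t elem, size_t *sz)
{
  size_t bytes;
  if (__builtin_mul_overflow (n, elem, &bytes)) { errno = ENOMEM; return false; }
  return checked_request2size_model (bytes, sz);
}

/* pvalloc-style front end: the page round-up uses __builtin_add_overflow so
   a request near SIZE_MAX cannot wrap to a small size and pass the limit.  */
static bool pvalloc_request_model (size_t bytes, size_t pagesize, size_t *sz)
{
  size_t rounded;
  if (__builtin_add_overflow (bytes, pagesize - 1, &rounded)) { errno = ENOMEM; return false; }
  rounded &= ~(pagesize - 1);
  return checked_request2size_model (rounded, sz);
}

/* Observable behaviour the commit introduces: malloc of more than PTRDIFF_MAX
   bytes fails with ENOMEM.  volatile hides the constant from the compiler.  */
static int malloc_rejects_past_ptrdiff_max (void)
{
  volatile size_t req = (size_t) PTRDIFF_MAX + 1;
  errno = 0;
  void *p = malloc (req);
  if (p != NULL) { free (p); return 0; }
  return errno == ENOMEM;
}
```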
After the removal of __malloc_initialize_hook, newly compiled
Emacs binaries are no longer able to use these interfaces.
malloc_get_state is only used during the Emacs build process,
so we provide a stub implementation only. Existing Emacs binaries
will not call this stub function, but still reference the symbol.
The rewritten tst-mallocstate test constructs a dumped heap
which should approximate what existing Emacs binaries pass
to glibc malloc.
__malloc_initialize_hook is interposed by application code, so
the usual approach to define a compatibility symbol does not work.
This commit adds a new mechanism based on #pragma GCC poison in
<stdc-predef.h>.
mallopt appropriately.
* malloc/malloc.h: Define M_PERTURB.
* malloc/malloc.c (perturb_byte): New variable.
(alloc_perturb, free_perturb): New macros.
(_int_malloc): Before returning, overwrite the memory if this is
requested.
(_int_free): Overwrite freed memory if requested.
(mALLOPt): Handle M_PERTURB.
* test-skeleton.c: Add call to mallopt with M_PERTURB command.
* misc/sys/cdefs.h (__attribute_warn_unused_result__): Define.
* stdlib/stdlib.h: Make realloc with
__attribute_warn_unused_result__ instead of __wur.
* malloc/malloc.h: Add __wur and __attribute_warn_unused_result__
markers as in <stdlib.h>.
2002-01-18 Wolfram Gloger <wg@malloc.de>
* malloc/malloc.c: Rewrite, adapted from Doug Lea's malloc-2.7.0.c.
* malloc/malloc.h: Likewise.
* malloc/arena.c: New file.
* malloc/hooks.c: New file.
* malloc/tst-mallocstate.c: New file.
* malloc/Makefile: Add new testcase tst-mallocstate.
Add arena.c and hooks.c to distribute. Fix commented CPPFLAGS.
2002-01-28 Ulrich Drepper <drepper@redhat.com>
* stdlib/msort.c: Remove last patch. The optimization violates the
same rule which qsort.c had problems with.
2002-01-27 Paul Eggert <eggert@twinsun.com>
* stdlib/qsort.c (_quicksort): Do not apply the comparison function
to a pivot element that lies outside the array to be sorted, as
ISO C99 requires that the comparison function be called only with
addresses of array elements [PR libc/2880].
2001-07-06 Paul Eggert <eggert@twinsun.com>
* manual/argp.texi: Remove ignored LGPL copyright notice; it's
not appropriate for documentation anyway.
* manual/libc-texinfo.sh: "Library General Public License" ->
"Lesser General Public License".
2001-07-06 Andreas Jaeger <aj@suse.de>
* All files under GPL/LGPL version 2: Place under LGPL version
2.1.
2000-10-07 Ulrich Drepper <drepper@redhat.com>
* include/features.h (__STDC_ISO_10646__): Set to correct date.
Patch by Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>.
2000-10-06 Jes Sorensen <jes@linuxcare.com>
* sysdeps/ia64/fpu/fraiseexcpt.c (feraiseexcept): Implement
overflow generation by adding DBL_MAX to DBL_MAX instead of
setting the bits manually in the fpsr and generating the exception
with kill() if necessary.
(feraiseexcept): Implement underflow by dividing DBL_MIN by
DBL_MIN - similar to the overflow change described above.
2000-08-27 H.J. Lu <hjl@gnu.org>
* sysdeps/unix/sysv/linux/ia64/clone.S: Make it a dummy as clone
is not supported under Linux/ia64, use clone2.
2000-10-06 Jakub Jelinek <jakub@redhat.com>
* malloc/malloc.h (__THROW): Define to nothing if not gcc.
* misc/sys/cdefs.h (__THROW): Likewise.
1999-12-19 Andreas Jaeger <aj@suse.de>
* sysdeps/generic/libc-start.c: Remove declaration of
__libc_open. Move declaration of __libc_fcntl to ...
* include/fcntl.h: ...here.
* include/unistd.h: Move __libc_open and __libc_open64 to ...
* include/fcntl.h: ...here.
* malloc/malloc.h (__attribute_malloc__): Only define if hasn't
happened yet.
* malloc/Versions: __libc_freeres was exported with glibc 2.1.3,
rename label.
* misc/sys/cdefs.h: Define __attribute_malloc__ according to
available gcc version.
* string/string.h: Mark strdup, __strdup, and strndup with
__attribute_malloc__.
* stdlib/stdlib.h: Make malloc, calloc, realloc, and valloc with
__attribute_malloc__.
* malloc/malloc.h: Make malloc, calloc, realloc, valloc, pvalloc,
__morecore, and __default_morecore with __attribute_malloc__.
Provide default definition for __attribute_malloc__.
* libio/stdio.h: Make tempnam with __attribute_malloc__.