Loading .gitignore +2 −0 Original line number Diff line number Diff line Loading @@ -171,6 +171,8 @@ uptime-*.json /src/lib/libtor-ctime-testing.a /src/lib/libtor-err.a /src/lib/libtor-err-testing.a /src/lib/libtor-malloc.a /src/lib/libtor-malloc-testing.a /src/lib/libtor-tls.a /src/lib/libtor-tls-testing.a /src/lib/libtor-trace.a Loading Makefile.am +2 −0 Original line number Diff line number Diff line Loading @@ -40,6 +40,7 @@ endif # "Common" libraries used to link tor's utility code. TOR_UTIL_LIBS = \ src/common/libor.a \ src/lib/libtor-malloc.a \ src/lib/libtor-err.a \ src/lib/libtor-ctime.a Loading @@ -47,6 +48,7 @@ TOR_UTIL_LIBS = \ # and tests) TOR_UTIL_TESTING_LIBS = \ src/common/libor-testing.a \ src/lib/libtor-malloc-testing.a \ src/lib/libtor-err-testing.a \ src/lib/libtor-ctime-testing.a Loading src/common/util.c +0 −210 Original line number Diff line number Diff line Loading 
@@ -95,219 +95,10 @@ #include <sys/prctl.h> #endif #ifdef __clang_analyzer__ #undef MALLOC_ZERO_WORKS #endif /* ===== * Memory management * ===== */ /** Allocate a chunk of <b>size</b> bytes of memory, and return a pointer to * result. On error, log and terminate the process. (Same as malloc(size), * but never returns NULL.) */ void * tor_malloc_(size_t size) { void *result; raw_assert(size < SIZE_T_CEILING); #ifndef MALLOC_ZERO_WORKS /* Some libc mallocs don't work when size==0. Override them. */ if (size==0) { size=1; } #endif /* !defined(MALLOC_ZERO_WORKS) */ result = raw_malloc(size); if (PREDICT_UNLIKELY(result == NULL)) { /* LCOV_EXCL_START */ /* If these functions die within a worker process, they won't call * spawn_exit, but that's ok, since the parent will run out of memory soon * anyway. */ raw_assert_unreached_msg("Out of memory on malloc(). Dying."); /* LCOV_EXCL_STOP */ } return result; } /** Allocate a chunk of <b>size</b> bytes of memory, fill the memory with * zero bytes, and return a pointer to the result. Log and terminate * the process on error. (Same as calloc(size,1), but never returns NULL.) */ void * tor_malloc_zero_(size_t size) { /* You may ask yourself, "wouldn't it be smart to use calloc instead of * malloc+memset? Perhaps libc's calloc knows some nifty optimization trick * we don't!" Indeed it does, but its optimizations are only a big win when * we're allocating something very big (it knows if it just got the memory * from the OS in a pre-zeroed state). We don't want to use tor_malloc_zero * for big stuff, so we don't bother with calloc. */ void *result = tor_malloc_(size); memset(result, 0, size); return result; } /* The square root of SIZE_MAX + 1. If a is less than this, and b is less * than this, then a*b is less than SIZE_MAX. (For example, if size_t is * 32 bits, then SIZE_MAX is 0xffffffff and this value is 0x10000. If a and * b are less than this, then their product is at most (65535*65535) == * 0xfffe0001. 
*/ #define SQRT_SIZE_MAX_P1 (((size_t)1) << (sizeof(size_t)*4)) /** Return non-zero if and only if the product of the arguments is exact, * and cannot overflow. */ int size_mul_check(const size_t x, const size_t y) { /* This first check is equivalent to (x < SQRT_SIZE_MAX_P1 && y < SQRT_SIZE_MAX_P1) Rationale: if either one of x or y is >= SQRT_SIZE_MAX_P1, then it will have some bit set in its most significant half. */ return ((x|y) < SQRT_SIZE_MAX_P1 || y == 0 || x <= SIZE_MAX / y); } /** Allocate a chunk of <b>nmemb</b>*<b>size</b> bytes of memory, fill * the memory with zero bytes, and return a pointer to the result. * Log and terminate the process on error. (Same as * calloc(<b>nmemb</b>,<b>size</b>), but never returns NULL.) * The second argument (<b>size</b>) should preferably be non-zero * and a compile-time constant. */ void * tor_calloc_(size_t nmemb, size_t size) { raw_assert(size_mul_check(nmemb, size)); return tor_malloc_zero_((nmemb * size)); } /** Change the size of the memory block pointed to by <b>ptr</b> to <b>size</b> * bytes long; return the new memory block. On error, log and * terminate. (Like realloc(ptr,size), but never returns NULL.) */ void * tor_realloc_(void *ptr, size_t size) { void *result; raw_assert(size < SIZE_T_CEILING); #ifndef MALLOC_ZERO_WORKS /* Some libc mallocs don't work when size==0. Override them. */ if (size==0) { size=1; } #endif /* !defined(MALLOC_ZERO_WORKS) */ result = raw_realloc(ptr, size); if (PREDICT_UNLIKELY(result == NULL)) { /* LCOV_EXCL_START */ raw_assert_unreached_msg("Out of memory on realloc(). Dying."); /* LCOV_EXCL_STOP */ } return result; } /** * Try to realloc <b>ptr</b> so that it takes up sz1 * sz2 bytes. Check for * overflow. Unlike other allocation functions, return NULL on overflow. */ void * tor_reallocarray_(void *ptr, size_t sz1, size_t sz2) { /* XXXX we can make this return 0, but we would need to check all the * reallocarray users. 
*/ raw_assert(size_mul_check(sz1, sz2)); return tor_realloc(ptr, (sz1 * sz2)); } /** Return a newly allocated copy of the NUL-terminated string s. On * error, log and terminate. (Like strdup(s), but never returns * NULL.) */ char * tor_strdup_(const char *s) { char *duplicate; raw_assert(s); duplicate = raw_strdup(s); if (PREDICT_UNLIKELY(duplicate == NULL)) { /* LCOV_EXCL_START */ raw_assert_unreached_msg("Out of memory on strdup(). Dying."); /* LCOV_EXCL_STOP */ } return duplicate; } /** Allocate and return a new string containing the first <b>n</b> * characters of <b>s</b>. If <b>s</b> is longer than <b>n</b> * characters, only the first <b>n</b> are copied. The result is * always NUL-terminated. (Like strndup(s,n), but never returns * NULL.) */ char * tor_strndup_(const char *s, size_t n) { char *duplicate; raw_assert(s); raw_assert(n < SIZE_T_CEILING); duplicate = tor_malloc_((n+1)); /* Performance note: Ordinarily we prefer strlcpy to strncpy. But * this function gets called a whole lot, and platform strncpy is * much faster than strlcpy when strlen(s) is much longer than n. */ strncpy(duplicate, s, n); duplicate[n]='\0'; return duplicate; } /** Allocate a chunk of <b>len</b> bytes, with the same contents as the * <b>len</b> bytes starting at <b>mem</b>. */ void * tor_memdup_(const void *mem, size_t len) { char *duplicate; raw_assert(len < SIZE_T_CEILING); raw_assert(mem); duplicate = tor_malloc_(len); memcpy(duplicate, mem, len); return duplicate; } /** As tor_memdup(), but add an extra 0 byte at the end of the resulting * memory. */ void * tor_memdup_nulterm_(const void *mem, size_t len) { char *duplicate; raw_assert(len < SIZE_T_CEILING+1); raw_assert(mem); duplicate = tor_malloc_(len+1); memcpy(duplicate, mem, len); duplicate[len] = '\0'; return duplicate; } /** Helper for places that need to take a function pointer to the right * spelling of "free()". 
*/ void tor_free_(void *mem) { tor_free(mem); } DISABLE_GCC_WARNING(aggregate-return) /** Call the platform malloc info function, and dump the results to the log at * level <b>severity</b>. If no such function exists, do nothing. */ Loading Loading @@ -5252,4 +5043,3 @@ tor_ntohll(uint64_t a) { return tor_htonll(a); } src/common/util.h +1 −70 Original line number Diff line number Diff line Loading @@ -23,6 +23,7 @@ #include <sys/stat.h> #endif #include "lib/err/torerr.h" #include "lib/malloc/util_malloc.h" #include "common/util_bug.h" #ifndef O_BINARY Loading 
@@ -35,79 +36,11 @@ #define O_NOFOLLOW 0 #endif /* Memory management */ void *tor_malloc_(size_t size) ATTR_MALLOC; void *tor_malloc_zero_(size_t size) ATTR_MALLOC; void *tor_calloc_(size_t nmemb, size_t size) ATTR_MALLOC; void *tor_realloc_(void *ptr, size_t size); void *tor_reallocarray_(void *ptr, size_t size1, size_t size2); char *tor_strdup_(const char *s) ATTR_MALLOC ATTR_NONNULL((1)); char *tor_strndup_(const char *s, size_t n) ATTR_MALLOC ATTR_NONNULL((1)); void *tor_memdup_(const void *mem, size_t len) ATTR_MALLOC ATTR_NONNULL((1)); void *tor_memdup_nulterm_(const void *mem, size_t len) ATTR_MALLOC ATTR_NONNULL((1)); void tor_free_(void *mem); uint64_t tor_htonll(uint64_t a); uint64_t tor_ntohll(uint64_t a); /** Release memory allocated by tor_malloc, tor_realloc, tor_strdup, * etc. Unlike the free() function, the tor_free() macro sets the * pointer value to NULL after freeing it. * * This is a macro. If you need a function pointer to release memory from * tor_malloc(), use tor_free_(). * * Note that this macro takes the address of the pointer it is going to * free and clear. If that pointer is stored with a nonstandard * alignment (eg because of a "packed" pragma) it is not correct to use * tor_free(). 
*/ #ifdef __GNUC__ #define tor_free(p) STMT_BEGIN \ typeof(&(p)) tor_free__tmpvar = &(p); \ raw_free(*tor_free__tmpvar); \ *tor_free__tmpvar=NULL; \ STMT_END #else #define tor_free(p) STMT_BEGIN \ raw_free(p); \ (p)=NULL; \ STMT_END #endif #define tor_malloc(size) tor_malloc_(size) #define tor_malloc_zero(size) tor_malloc_zero_(size) #define tor_calloc(nmemb,size) tor_calloc_(nmemb, size) #define tor_realloc(ptr, size) tor_realloc_(ptr, size) #define tor_reallocarray(ptr, sz1, sz2) \ tor_reallocarray_((ptr), (sz1), (sz2)) #define tor_strdup(s) tor_strdup_(s) #define tor_strndup(s, n) tor_strndup_(s, n) #define tor_memdup(s, n) tor_memdup_(s, n) #define tor_memdup_nulterm(s, n) tor_memdup_nulterm_(s, n) /* Aliases for the underlying system malloc/realloc/free. Only use * them to indicate "I really want the underlying system function, I know * what I'm doing." */ #define raw_malloc malloc #define raw_realloc realloc #define raw_free free #define raw_strdup strdup void tor_log_mallinfo(int severity); /* Helper macro: free a variable of type 'typename' using freefn, and * set the variable to NULL. */ #define FREE_AND_NULL(typename, freefn, var) \ do { \ /* only evaluate (var) once. */ \ typename **tmp__free__ptr ## freefn = &(var); \ freefn(*tmp__free__ptr ## freefn); \ (*tmp__free__ptr ## freefn) = NULL; \ } while (0) /** Macro: yield a pointer to the field at position <b>off</b> within the * structure <b>st</b>. Example: * <pre> Loading Loading @@ -538,8 +471,6 @@ STATIC int format_helper_exit_status(unsigned char child_state, #endif /* defined(UTIL_PRIVATE) */ int size_mul_check(const size_t x, const size_t y); #define ARRAY_LENGTH(x) ((sizeof(x)) / sizeof(x[0])) #endif /* !defined(TOR_UTIL_H) */ src/include.am +1 −0 Original line number Diff line number Diff line Loading 
@@ -5,6 +5,7 @@ include src/lib/ctime/include.am include src/lib/compress/include.am include src/lib/crypt_ops/include.am include src/lib/include.libdonna.am include src/lib/malloc/include.am include src/lib/testsupport/include.am include src/lib/tls/include.am include src/lib/trace/include.am Loading Loading
.gitignore +2 −0 Original line number Diff line number Diff line Loading @@ -171,6 +171,8 @@ uptime-*.json /src/lib/libtor-ctime-testing.a /src/lib/libtor-err.a /src/lib/libtor-err-testing.a /src/lib/libtor-malloc.a /src/lib/libtor-malloc-testing.a /src/lib/libtor-tls.a /src/lib/libtor-tls-testing.a /src/lib/libtor-trace.a Loading
Makefile.am +2 −0 Original line number Diff line number Diff line Loading @@ -40,6 +40,7 @@ endif # "Common" libraries used to link tor's utility code. TOR_UTIL_LIBS = \ src/common/libor.a \ src/lib/libtor-malloc.a \ src/lib/libtor-err.a \ src/lib/libtor-ctime.a Loading @@ -47,6 +48,7 @@ TOR_UTIL_LIBS = \ # and tests) TOR_UTIL_TESTING_LIBS = \ src/common/libor-testing.a \ src/lib/libtor-malloc-testing.a \ src/lib/libtor-err-testing.a \ src/lib/libtor-ctime-testing.a Loading
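Review bot: The position of the added `src/lib/libtor-malloc.a` entry in TOR_UTIL_LIBS deserves a comment, because the list is a sequence of static archives and the linker resolves them in order: the allocator body removed from util.c in this same commit calls `raw_assert()` and `raw_assert_unreached_msg()`, which presumably live in `libtor-err.a`, so libtor-malloc has to stay ahead of libtor-err exactly as placed here. A line such as `# Link order matters (static archives): list each library before the ones it depends on.` above the list would keep a later reorder from turning into undefined-reference errors. The same ordering constraint applies to the `src/lib/libtor-malloc-testing.a` entry in TOR_UTIL_TESTING_LIBS in the second hunk.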
src/common/util.c +0 −210 Original line number Diff line number Diff line Loading 
@@ -95,219 +95,10 @@ #include <sys/prctl.h> #endif #ifdef __clang_analyzer__ #undef MALLOC_ZERO_WORKS #endif /* ===== * Memory management * ===== */ /** Allocate a chunk of <b>size</b> bytes of memory, and return a pointer to * result. On error, log and terminate the process. (Same as malloc(size), * but never returns NULL.) */ void * tor_malloc_(size_t size) { void *result; raw_assert(size < SIZE_T_CEILING); #ifndef MALLOC_ZERO_WORKS /* Some libc mallocs don't work when size==0. Override them. */ if (size==0) { size=1; } #endif /* !defined(MALLOC_ZERO_WORKS) */ result = raw_malloc(size); if (PREDICT_UNLIKELY(result == NULL)) { /* LCOV_EXCL_START */ /* If these functions die within a worker process, they won't call * spawn_exit, but that's ok, since the parent will run out of memory soon * anyway. */ raw_assert_unreached_msg("Out of memory on malloc(). Dying."); /* LCOV_EXCL_STOP */ } return result; } /** Allocate a chunk of <b>size</b> bytes of memory, fill the memory with * zero bytes, and return a pointer to the result. Log and terminate * the process on error. (Same as calloc(size,1), but never returns NULL.) */ void * tor_malloc_zero_(size_t size) { /* You may ask yourself, "wouldn't it be smart to use calloc instead of * malloc+memset? Perhaps libc's calloc knows some nifty optimization trick * we don't!" Indeed it does, but its optimizations are only a big win when * we're allocating something very big (it knows if it just got the memory * from the OS in a pre-zeroed state). We don't want to use tor_malloc_zero * for big stuff, so we don't bother with calloc. */ void *result = tor_malloc_(size); memset(result, 0, size); return result; } /* The square root of SIZE_MAX + 1. If a is less than this, and b is less * than this, then a*b is less than SIZE_MAX. (For example, if size_t is * 32 bits, then SIZE_MAX is 0xffffffff and this value is 0x10000. If a and * b are less than this, then their product is at most (65535*65535) == * 0xfffe0001. 
*/ #define SQRT_SIZE_MAX_P1 (((size_t)1) << (sizeof(size_t)*4)) /** Return non-zero if and only if the product of the arguments is exact, * and cannot overflow. */ int size_mul_check(const size_t x, const size_t y) { /* This first check is equivalent to (x < SQRT_SIZE_MAX_P1 && y < SQRT_SIZE_MAX_P1) Rationale: if either one of x or y is >= SQRT_SIZE_MAX_P1, then it will have some bit set in its most significant half. */ return ((x|y) < SQRT_SIZE_MAX_P1 || y == 0 || x <= SIZE_MAX / y); } /** Allocate a chunk of <b>nmemb</b>*<b>size</b> bytes of memory, fill * the memory with zero bytes, and return a pointer to the result. * Log and terminate the process on error. (Same as * calloc(<b>nmemb</b>,<b>size</b>), but never returns NULL.) * The second argument (<b>size</b>) should preferably be non-zero * and a compile-time constant. */ void * tor_calloc_(size_t nmemb, size_t size) { raw_assert(size_mul_check(nmemb, size)); return tor_malloc_zero_((nmemb * size)); } /** Change the size of the memory block pointed to by <b>ptr</b> to <b>size</b> * bytes long; return the new memory block. On error, log and * terminate. (Like realloc(ptr,size), but never returns NULL.) */ void * tor_realloc_(void *ptr, size_t size) { void *result; raw_assert(size < SIZE_T_CEILING); #ifndef MALLOC_ZERO_WORKS /* Some libc mallocs don't work when size==0. Override them. */ if (size==0) { size=1; } #endif /* !defined(MALLOC_ZERO_WORKS) */ result = raw_realloc(ptr, size); if (PREDICT_UNLIKELY(result == NULL)) { /* LCOV_EXCL_START */ raw_assert_unreached_msg("Out of memory on realloc(). Dying."); /* LCOV_EXCL_STOP */ } return result; } /** * Try to realloc <b>ptr</b> so that it takes up sz1 * sz2 bytes. Check for * overflow. Unlike other allocation functions, return NULL on overflow. */ void * tor_reallocarray_(void *ptr, size_t sz1, size_t sz2) { /* XXXX we can make this return 0, but we would need to check all the * reallocarray users. 
*/ raw_assert(size_mul_check(sz1, sz2)); return tor_realloc(ptr, (sz1 * sz2)); } /** Return a newly allocated copy of the NUL-terminated string s. On * error, log and terminate. (Like strdup(s), but never returns * NULL.) */ char * tor_strdup_(const char *s) { char *duplicate; raw_assert(s); duplicate = raw_strdup(s); if (PREDICT_UNLIKELY(duplicate == NULL)) { /* LCOV_EXCL_START */ raw_assert_unreached_msg("Out of memory on strdup(). Dying."); /* LCOV_EXCL_STOP */ } return duplicate; } /** Allocate and return a new string containing the first <b>n</b> * characters of <b>s</b>. If <b>s</b> is longer than <b>n</b> * characters, only the first <b>n</b> are copied. The result is * always NUL-terminated. (Like strndup(s,n), but never returns * NULL.) */ char * tor_strndup_(const char *s, size_t n) { char *duplicate; raw_assert(s); raw_assert(n < SIZE_T_CEILING); duplicate = tor_malloc_((n+1)); /* Performance note: Ordinarily we prefer strlcpy to strncpy. But * this function gets called a whole lot, and platform strncpy is * much faster than strlcpy when strlen(s) is much longer than n. */ strncpy(duplicate, s, n); duplicate[n]='\0'; return duplicate; } /** Allocate a chunk of <b>len</b> bytes, with the same contents as the * <b>len</b> bytes starting at <b>mem</b>. */ void * tor_memdup_(const void *mem, size_t len) { char *duplicate; raw_assert(len < SIZE_T_CEILING); raw_assert(mem); duplicate = tor_malloc_(len); memcpy(duplicate, mem, len); return duplicate; } /** As tor_memdup(), but add an extra 0 byte at the end of the resulting * memory. */ void * tor_memdup_nulterm_(const void *mem, size_t len) { char *duplicate; raw_assert(len < SIZE_T_CEILING+1); raw_assert(mem); duplicate = tor_malloc_(len+1); memcpy(duplicate, mem, len); duplicate[len] = '\0'; return duplicate; } /** Helper for places that need to take a function pointer to the right * spelling of "free()". 
*/ void tor_free_(void *mem) { tor_free(mem); } DISABLE_GCC_WARNING(aggregate-return) /** Call the platform malloc info function, and dump the results to the log at * level <b>severity</b>. If no such function exists, do nothing. */ Loading Loading @@ -5252,4 +5043,3 @@ tor_ntohll(uint64_t a) { return tor_htonll(a); }
src/common/util.h +1 −70 Original line number Diff line number Diff line Loading @@ -23,6 +23,7 @@ #include <sys/stat.h> #endif #include "lib/err/torerr.h" #include "lib/malloc/util_malloc.h" #include "common/util_bug.h" #ifndef O_BINARY Loading 
@@ -35,79 +36,11 @@ #define O_NOFOLLOW 0 #endif /* Memory management */ void *tor_malloc_(size_t size) ATTR_MALLOC; void *tor_malloc_zero_(size_t size) ATTR_MALLOC; void *tor_calloc_(size_t nmemb, size_t size) ATTR_MALLOC; void *tor_realloc_(void *ptr, size_t size); void *tor_reallocarray_(void *ptr, size_t size1, size_t size2); char *tor_strdup_(const char *s) ATTR_MALLOC ATTR_NONNULL((1)); char *tor_strndup_(const char *s, size_t n) ATTR_MALLOC ATTR_NONNULL((1)); void *tor_memdup_(const void *mem, size_t len) ATTR_MALLOC ATTR_NONNULL((1)); void *tor_memdup_nulterm_(const void *mem, size_t len) ATTR_MALLOC ATTR_NONNULL((1)); void tor_free_(void *mem); uint64_t tor_htonll(uint64_t a); uint64_t tor_ntohll(uint64_t a); /** Release memory allocated by tor_malloc, tor_realloc, tor_strdup, * etc. Unlike the free() function, the tor_free() macro sets the * pointer value to NULL after freeing it. * * This is a macro. If you need a function pointer to release memory from * tor_malloc(), use tor_free_(). * * Note that this macro takes the address of the pointer it is going to * free and clear. If that pointer is stored with a nonstandard * alignment (eg because of a "packed" pragma) it is not correct to use * tor_free(). 
*/ #ifdef __GNUC__ #define tor_free(p) STMT_BEGIN \ typeof(&(p)) tor_free__tmpvar = &(p); \ raw_free(*tor_free__tmpvar); \ *tor_free__tmpvar=NULL; \ STMT_END #else #define tor_free(p) STMT_BEGIN \ raw_free(p); \ (p)=NULL; \ STMT_END #endif #define tor_malloc(size) tor_malloc_(size) #define tor_malloc_zero(size) tor_malloc_zero_(size) #define tor_calloc(nmemb,size) tor_calloc_(nmemb, size) #define tor_realloc(ptr, size) tor_realloc_(ptr, size) #define tor_reallocarray(ptr, sz1, sz2) \ tor_reallocarray_((ptr), (sz1), (sz2)) #define tor_strdup(s) tor_strdup_(s) #define tor_strndup(s, n) tor_strndup_(s, n) #define tor_memdup(s, n) tor_memdup_(s, n) #define tor_memdup_nulterm(s, n) tor_memdup_nulterm_(s, n) /* Aliases for the underlying system malloc/realloc/free. Only use * them to indicate "I really want the underlying system function, I know * what I'm doing." */ #define raw_malloc malloc #define raw_realloc realloc #define raw_free free #define raw_strdup strdup void tor_log_mallinfo(int severity); /* Helper macro: free a variable of type 'typename' using freefn, and * set the variable to NULL. */ #define FREE_AND_NULL(typename, freefn, var) \ do { \ /* only evaluate (var) once. */ \ typename **tmp__free__ptr ## freefn = &(var); \ freefn(*tmp__free__ptr ## freefn); \ (*tmp__free__ptr ## freefn) = NULL; \ } while (0) /** Macro: yield a pointer to the field at position <b>off</b> within the * structure <b>st</b>. Example: * <pre> Loading Loading @@ -538,8 +471,6 @@ STATIC int format_helper_exit_status(unsigned char child_state, #endif /* defined(UTIL_PRIVATE) */ int size_mul_check(const size_t x, const size_t y); #define ARRAY_LENGTH(x) ((sizeof(x)) / sizeof(x[0])) #endif /* !defined(TOR_UTIL_H) */
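Review bot: The new `#include "lib/malloc/util_malloc.h"` is now the only replacement for everything deleted in the `@@ -35,79 +36,11 @@` hunk, and at least one of those declarations has no definition moving with it: the prototype `void tor_log_mallinfo(int severity);` is removed here, while the `tor_log_mallinfo` definition appears to remain in util.c (its doc comment is still trailing context after the deleted block in the util.c section). Unless util_malloc.h declares it, which is not visible on this page, util.c compiles that function without a prior prototype and other units lose the declaration; the same question applies to `FREE_AND_NULL`, the `raw_malloc`/`raw_realloc`/`raw_free`/`raw_strdup` aliases, and `size_mul_check()`, whose prototype goes away in the `@@ -538,8 +471,6 @@` hunk. Worth confirming util_malloc.h exports each of these, or keeping the `tor_log_mallinfo` prototype in util.h next to the `ARRAY_LENGTH` macro that stays behind.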
src/include.am +1 −0 Original line number Diff line number Diff line Loading @@ -5,6 +5,7 @@ include src/lib/ctime/include.am include src/lib/compress/include.am include src/lib/crypt_ops/include.am include src/lib/include.libdonna.am include src/lib/malloc/include.am include src/lib/testsupport/include.am include src/lib/tls/include.am include src/lib/trace/include.am Loading