History log of /haiku/src/system/libroot/posix/malloc_debug/heap.cpp
Revision Date Author Comments
# 9cd6397f 12-Jun-2021 Murai Takashi <tmurai01@gmail.com>

malloc_debug: fix wrong type of arguments to formatting function

Pointed out by LGTM

Change-Id: I7130e655458500fd17b40fb163da6517022cc774
Reviewed-on: https://review.haiku-os.org/c/haiku/+/4608
Tested-by: Commit checker robot <no-reply+buildbot@haiku-os.org>
Reviewed-by: Adrien Destugues <pulkomandy@gmail.com>


# 01d5efe3 18-Sep-2021 Coldfirex <sakison@gmail.com>

Malloc_debug: Fix Wformat-security

Change-Id: I2f891fff74a003aac7774ee91f2c28d5e65a18f7
Reviewed-on: https://review.haiku-os.org/c/haiku/+/4486
Reviewed-by: Adrien Destugues <pulkomandy@gmail.com>


# 8fa441bf 13-Aug-2015 Michael Lotz <mmlr@mlotz.ch>

libroot_debug: Revert to a legacy default alignment of 8.

This reverts the legacy default alignment (in absence of max_align_t)
to 8, as it was before.


# f474606e 12-Aug-2015 Michael Lotz <mmlr@mlotz.ch>

libroot_debug: Merge guarded heap into libroot_debug.

The individual debug heap implementations are now exposed via a
structure of function pointers and a common frontend dispatches the
malloc and malloc_debug APIs through them.

The MALLOC_DEBUG environment variable can be used to select the guarded
heap by adding 'g', otherwise the debug heap is used as the default.
Consequently the separate libroot_guarded is not needed anymore and has
been removed.

To allow the use of environment variables this early, init_env_post_heap
has been added and the heap dependent atfork() moved there. This allowed
to fold the code of init_heap_post_env into init_heap so the former has
been removed.


# 74c28454 10-Apr-2015 Michael Lotz <mmlr@mlotz.ch>

malloc_debug: Remove condition that is always true.


# ec0190ad 10-Apr-2015 Michael Lotz <mmlr@mlotz.ch>

malloc_debug: Implement allocation dump on exit in guarded heap.

When enabled (using heap_debug_dump_allocations_on_exit(true) or
MALLOC_DEBUG=e) this causes a dump of all remaining allocations when
libroot_debug is unloaded. It uses terminate_after to be called as
late as possible.

When combined with alloc stack traces this makes for a nice if a bit
crude leak checker. Note that a lot of allocations usually remain
even at that stage due to statically, lazily and globally allocated
stuff from the various system libraries where it isn't necessarily
worth the overhead to free them when the program terminates anyway.


# 158e20e6 10-Apr-2015 Michael Lotz <mmlr@mlotz.ch>

malloc_debug: Implement alloc/free stack traces in guarded heap.

When configured to do so (using heap_debug_set_stack_trace_depth(depth)
or MALLOC_DEBUG=s<depth>) the guarded heap now captures stack traces on
alloc and free.

A crash due to hitting a guard page or an already freed page now dumps
these stack traces. In the case of use-after-free one can therefore see
both where the allocation was done and where it was freed.

Note that there is a hardcoded maximum stack trace depth of 50 and that
the alloc stack trace takes away space from the free stack trace which
uses up the rest of that maximum.


# abf230a9 07-Apr-2015 Michael Lotz <mmlr@mlotz.ch>

malloc_debug: Set default alignment to max_align_t if available.

For it to be available we build malloc_debug in C++11 mode when not
using GCC2. Note that max_align_t is not in the std namespace in GCC4
versions prior to GCC 4.9. The extra "using namespace std" is there to
be forward compatible once we update.


# 121655e9 04-Apr-2015 Michael Lotz <mmlr@mlotz.ch>

malloc_debug: Add default alignment option.

This allows for something similar as was implemented in 217f090 but
makes it optional and configurable.

The MALLOC_DEBUG environment variable now can take "a<size>" to set
the default alignment to the specified size. Note that not all
alignments may be supported depending on the heap implementation.


# b0e31a9c 04-Apr-2015 Michael Lotz <mmlr@mlotz.ch>

Revert "malloc_debug: align allocations".

This reverts commit 217f090f9e247d1d4c5644e626642c430fafe4e5.

At least for the guarded heap this completely defeats the purpose. If
software requires a certain alignment it should request it using
memalign explicitly instead of assuming it.


# 217f090f 04-Mar-2014 Adrien Destugues <pulkomandy@pulkomandy.tk>

malloc_debug: align allocations

* Align all allocations of more than 8 bytes to 8-byte.
* Avoids hitting ASSERTs in WebKit when built in debug mode (it assumes
at least 8 byte alignment)


# 1eaa9e63 16-Aug-2012 Alex Smith <alex@alex-smith.me.uk>

Compilation fix for malloc_debug.


# ae901935 24-Nov-2011 Oliver Tappe <zooey@hirschkaefer.de>

Introduce __set_errno() throughout libroot.

* add errno_private.h, which defines the __set_errno() macro with
and without tracing
* instead of setting errno manually, all libroot's code now invokes
__set_errno(), which makes it much easier to trace changes to errno
* redirect glibc's use of __set_errno() to our own version


# fff761af 16-Feb-2011 Oliver Tappe <zooey@hirschkaefer.de>

Closing #7227:
* fix debug-heap's handling of page-guarded allocations in realloc()
* let calloc() use page-guarded allocations, too, if requested


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@40533 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 3d0d4b62 15-Feb-2011 Axel Dörfler <axeld@pinc-software.de>

* Implemented a way to specify additional debug options via MALLOC_DEBUG when
using libroot_debug.so, instead of having to hardcode them in the application
via calling private heap functions.
* The following options are implemented: 'p' turns on paranoid validation,
'w' triggers periodic wall checking every 500ms ('W' does the same, but every
100ms), 'g' to use guard pages (beware, this will dramatically increase
memory usage), and 'r' which forbids reusing of memory, freed memory is never
actually freed.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@40514 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 610a2eed 01-Mar-2010 Michael Lotz <mmlr@mlotz.ch>

Made heap classes const just in case. They really already were though.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35713 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 64bf8795 15-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

Finish the implementation of heap_debug_malloc_with_guard_page() using mprotect
to make the guard page inaccessible. Thanks Ingo for the pointer!


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35488 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 386c8bad 15-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

Return an error when encountering an invalid allocation info.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35482 a95241bf-73f2-0310-859d-f6bbb57e9c96


# ac653a30 15-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

Add heap_debug_set_debugger_calls() which allows to disable debugger calls for
the heap debug panics. Instead syslog output is generated if turned off.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35481 a95241bf-73f2-0310-859d-f6bbb57e9c96


# c1502cf1 15-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

Add heap_debug_get_allocation_info() to retrieve the size of the allocation as
well as the thread allocating it. Can for example be used to verify that an
object or buffer is as large as expected.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35480 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 081ff2db 15-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

* Add heap_debug_set_memory_reuse() which allows to disable memory reuse,
keeping all returned heap memory in the 0xdeadbeef state (including the
first sizeof(void *) bytes otherwise for the free list). While wasting a lot
of memory it allows you to rely on 0xdeadbeef being always present as no
future allocation will reuse the freed memory block.
* Also added heap_debug_malloc_with_guard_page() which is intended to allocate
a memory block so it is aligned that the start of invalid memory past the
allocation is in an unmapped guard page. However the kernel backend that would
guarantee this is not yet implemented, so right now this works only by chance
if no other area happens to be allocated exactly past the created one. With a
very specific suspicion you can put that one allocation you get to good use
though. It causes a crash when accessing memory past the allocation size so
you actually get a backtrace from where the access happened instead of only
after freeing/wall checking.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35478 a95241bf-73f2-0310-859d-f6bbb57e9c96


# f6a6245c 07-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

* Adding malloc_debug.h that exposes the malloc_debug API.
* Moving some functions around, removing and adding others for the public API.

I've written a blog post at haiku-os.org to go as documentation for this
introducing the API and the other helpful bits.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35431 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 60fb713d 07-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

Must only advance by step sizes, otherwise we may end up with misaligned pages
again.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35426 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 160abe26 06-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

Sync two locking changes from kernel heap. This just moves the page locking into
the contiguous page allocation function and unlocks a bin locker a bit earlier.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35424 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 638a24fa 06-Feb-2010 Michael Lotz <mmlr@mlotz.ch>

* Separate the raw page wise allocation and allocations from bins.
* Make the contiguous page allocation capable of aligning the allocation
and make it more clever by checking up front if there's a chance of getting
enough pages at all, by giving up earlier if the page count can't be fit
anymore, and in the alignment case by only checking the pages which have a
valid alignment.
* If the alignment requirement is > B_PAGE_SIZE we now use page allocation
directly, because the bins aren't necessarily aligned on their size past
B_PAGE_SIZE anymore.
* When doing aligned bin allocation, calculate the aligned size up front and
choose the right heap for the allocation.
* Also when doing aligned bin allocations we not only need to round up the size
but also ensure that the bin we choose is aligned at all.
* Moved adding leak check info into its own function.

Fixes various misalignment problems when working with alignments > B_PAGE_SIZE
or when using alignments < allocation size. Also the directly aligned page
allocations now only use up as many pages as actually required instead of
allocating based on the rounded up to align size.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@35422 a95241bf-73f2-0310-859d-f6bbb57e9c96


# ee7ec205 22-Oct-2009 Michael Lotz <mmlr@mlotz.ch>

Account for single page allocations. They aren't used anywhere right now because
the bin sizes ensure that when hitting this case it always allocates multiple
pages. This makes it more flexible for other use cases though.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@33726 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 6bb41327 21-Oct-2009 Michael Lotz <mmlr@mlotz.ch>

The allocation size wasn't updated on an area based realloc that would still
fit into the existing area. In that case further reallocs could then assume the
wrong previous size and then not copy enough from the original buffer, leading
to lost bytes at the end of the new buffer.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@33724 a95241bf-73f2-0310-859d-f6bbb57e9c96


# b501a038 17-Oct-2009 Michael Lotz <mmlr@mlotz.ch>

anevilyak+korli+mmlr:
* Check for overflows in memory allocation. If someone happened to (erroneously)
try to allocate a negative amount of memory we could overflow and crash
because of the sizes getting messed up.
* Review and update the alignment logic which was a bit broken for the huge
allocation case (reaching the area threshold). Also assert the results so
next time this will be easier to spot.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@33638 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 3bb69a82 12-Oct-2009 Michael Lotz <mmlr@mlotz.ch>

* Use mutex and rw_lock and the proper AutoLockers as in the kernel version, as
these interfaces are now available.
* Don't be quite so paranoid by default, the checks that are on by default
should be enough to detect most memory corruptions.

This makes the debug heap way more usable, so much that you can even use it as
your normal everyday heap without noticing much performance impact (it has quite
a bit of additional memory overhead though).


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@33544 a95241bf-73f2-0310-859d-f6bbb57e9c96


# aad5c042 05-Sep-2009 Michael Lotz <mmlr@mlotz.ch>

Add valloc() and posix_memalign() to malloc debug heap.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@32954 a95241bf-73f2-0310-859d-f6bbb57e9c96


# a7123731 05-Sep-2009 Michael Lotz <mmlr@mlotz.ch>

Apply fix of r32951 to malloc debug heap as well.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@32953 a95241bf-73f2-0310-859d-f6bbb57e9c96


# 185fd1c5 01-Sep-2009 Michael Lotz <mmlr@mlotz.ch>

Ported over the kernel heap to libroot to make use of its validation
capabilities to aid in debugging memory corruption issues.

It does:
* Initialize memory to 0xcc to help turn up use of uninitialized memory
* Set freed memory to 0xdeadbeef to help find accesses of freed memory
* Use the paranoid heap validation to turn up many cases of memory corruption
* Use a simplistic wall check to turn up memory overwrites past allocations
* Take extra steps to validate freed addresses to turn up misaligned frees

It has an interface to en-/disable paranoid validation and to start/stop regular
wall checking. Both are currently just enabled. At a later stage a debug version
of libroot could be used by an application and the checks enabled at will. Note
that due to the paranoid validation and the suboptimal locking this allocator
will perform horribly. Still to find memory corruption issues in the system or
also in your applications it can be helpful to build your installation with it
turned on. To enable it you currently need to edit the Jamfile to sub-include
the malloc_debug instead of the malloc directory.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@32894 a95241bf-73f2-0310-859d-f6bbb57e9c96

