#
1.296 |
|
30-Mar-2024 |
miod |
In _malloc_init(), round up the region being mprotected RW to the malloc page size, rather than relying upon mprotect to round up to the actual mmu page size.
This repairs malloc operation on systems where the malloc page size (1 << _MAX_PAGE_SHIFT) is larger than the mmu page size.
ok otto@
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.295 |
|
19-Dec-2023 |
otto |
A small cleanup of malloc_bytes(), getting rid of a goto and a tiny bit of optimization; ok tb@ asou@
|
#
1.294 |
|
04-Dec-2023 |
otto |
Save backtraces to show in leak dump. Depth of backtrace set by malloc option D (aka 1), 2, 3 or 4. No performance impact if not used. ok asou@
|
#
1.293 |
|
04-Nov-2023 |
otto |
KNF plus fixed a few signed vs unsigned compares (that were actually not real problems)
|
#
1.292 |
|
26-Oct-2023 |
otto |
A few micro-optimizations; ok asou@
|
#
1.291 |
|
22-Oct-2023 |
otto |
When option D is active, store callers for all chunks; this avoids the 0x0 call sites for leak reports. Also display more info on detected write of free chunks: print the info about where the chunk was allocated, and for the preceding chunk as well. ok asou@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.290 |
|
09-Sep-2023 |
asou |
Print warning message when not allocated memory in putleakinfo().
ok otto.
|
#
1.289 |
|
30-Jun-2023 |
otto |
Recommit "Allow to ask for deeper callers for leak reports using malloc options"
Now only enabled for platforms where it's known to work and written as an inline function instead of a macro.
|
#
1.288 |
|
23-Jun-2023 |
otto |
Revert previous, not all platforms allow compiling __builtin_return_address(a) with a != 0.
|
#
1.287 |
|
22-Jun-2023 |
otto |
Allow to ask for deeper callers for leak reports using malloc options. ok deraadt@
|
#
1.286 |
|
07-Jun-2023 |
aoyama |
Add portable version and m88k-specific version lb() function, because unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New option 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok stefan@ armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New option 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures"). Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.294 |
|
04-Dec-2023 |
otto |
Save backtraces to show in leak dump. Depth of backtrace set by malloc option D (aka 1), 2, 3 or 4. No performance impact if not used. ok asou@
|
#
1.293 |
|
04-Nov-2023 |
otto |
KNF plus fixed a few signed vs unsigned compares (that were actually not real problems)
|
#
1.292 |
|
26-Oct-2023 |
otto |
A few micro-optimizations; ok asou@
|
#
1.291 |
|
22-Oct-2023 |
otto |
When option D is active, store callers for all chunks; this avoids the 0x0 call sites for leak reports. Also display more info on detected write of free chunks: print the info about where the chunk was allocated, and for the preceding chunk as well. ok asou@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.290 |
|
09-Sep-2023 |
asou |
Print warning message when not allocated memory in putleakinfo().
ok otto.
|
#
1.289 |
|
30-Jun-2023 |
otto |
Recommit "Allow to ask for deeper callers for leak reports using malloc options"
Now only enabled for platforms where it's known to work and written as an inline function instead of a macro.
|
#
1.288 |
|
23-Jun-2023 |
otto |
Revert previous, not all platforms allow compiling __builtin_return_address(a) with a != 0.
|
#
1.287 |
|
22-Jun-2023 |
otto |
Allow to ask for deeper callers for leak reports using malloc options. ok deraadt@
|
#
1.286 |
|
07-Jun-2023 |
aoyama |
Add portable version and m88k-specific version lb() function, because unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.293 |
|
04-Nov-2023 |
otto |
KNF plus fixed a few signed vs unsigned compares (that were actually not real problems)
|
#
1.292 |
|
26-Oct-2023 |
otto |
A few micro-optimizations; ok asou@
|
#
1.291 |
|
22-Oct-2023 |
otto |
When option D is active, store callers for all chunks; this avoids the 0x0 call sites for leak reports. Also display more info on detected write of free chunks: print the info about where the chunk was allocated, and for the preceding chunk as well. ok asou@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.290 |
|
09-Sep-2023 |
asou |
Print warning message when not allocated memory in putleakinfo().
ok otto.
|
#
1.289 |
|
30-Jun-2023 |
otto |
Recommit "Allow to ask for deeper callers for leak reports using malloc options"
Now only enabled for platforms where it's known to work and written as an inline function instead of a macro.
|
#
1.288 |
|
23-Jun-2023 |
otto |
Revert previous, not all platforms allow compiling __builtin_return_address(a) with a != 0.
|
#
1.287 |
|
22-Jun-2023 |
otto |
Allow to ask for deeper callers for leak reports using malloc options. ok deraadt@
|
#
1.286 |
|
07-Jun-2023 |
aoyama |
Add portable version and m88k-specific version lb() function, because unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
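The size classes listed in the r1.278 entry above follow a pattern of four equally spaced sizes per doubling with a minimum step of 16. The following added C example (not OpenBSD's find_bucket() or bin_of(); all function names and the sample object sizes are assumptions) reproduces that list and compares how many differently sized objects end up sharing a chunk size under each scheme.

```c
#include <stddef.h>
#include <stdio.h>

#define MIN_CHUNK 16u    /* smallest chunk size in the commit's list */
#define MAX_CHUNK 2048u  /* largest listed chunk size for 4k pages */

typedef size_t (*bucket_fn)(size_t);

/* Largest power of two <= v (v >= 1); portable loop, no compiler builtin. */
static size_t pow2_floor(size_t v)
{
	size_t p = 1;

	while (v >>= 1)
		p <<= 1;
	return p;
}

static size_t round_up(size_t v, size_t step)
{
	return (v + step - 1) / step * step;
}

/* Previous scheme: power-of-two chunk sizes. */
size_t pow2_bucket(size_t req)
{
	size_t sz = MIN_CHUNK;

	while (sz < req)
		sz <<= 1;
	return sz;
}

/* Fine-grained scheme: four sizes per doubling, step never below 16. */
size_t fine_bucket(size_t req)
{
	size_t step;

	if (req <= MIN_CHUNK)
		return MIN_CHUNK;
	step = pow2_floor(req - 1) / 4;
	if (step < MIN_CHUNK)
		step = MIN_CHUNK;
	return round_up(req, step);
}

/* Malloc option S (cache size 0): strict multiples of 16. */
size_t strict_bucket(size_t req)
{
	return req <= MIN_CHUNK ? MIN_CHUNK : round_up(req, MIN_CHUNK);
}

/* Number of distinct chunk sizes a scheme yields for requests 1..MAX_CHUNK. */
unsigned count_buckets(bucket_fn f)
{
	unsigned n = 0;
	size_t req, last = 0;

	for (req = 1; req <= MAX_CHUNK; req++) {
		if (f(req) != last) {
			last = f(req);
			n++;
		}
	}
	return n;
}

/* Number of distinct chunk sizes a set of object sizes is spread over. */
unsigned distinct_buckets(bucket_fn f, const size_t *sizes, size_t n)
{
	unsigned distinct = 0;
	size_t i, j;

	for (i = 0; i < n; i++) {
		for (j = 0; j < i; j++)
			if (f(sizes[j]) == f(sizes[i]))
				break;
		if (j == i)
			distinct++;
	}
	return distinct;
}

/* Constructed sizes standing in for seven differently typed objects. */
static const size_t sample[] = { 72, 88, 100, 120, 260, 300, 310 };
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
	size_t req, last = 0;

	printf("fine-grained sizes:");
	for (req = 1; req <= MAX_CHUNK; req++) {
		if (fine_bucket(req) != last) {
			last = fine_bucket(req);
			printf(" %zu", last);
		}
	}
	printf("\nbuckets up to %u: pow2=%u fine=%u strict=%u\n", MAX_CHUNK,
	    count_buckets(pow2_bucket), count_buckets(fine_bucket),
	    count_buckets(strict_bucket));
	printf("sample objects share: pow2=%u fine=%u strict=%u buckets\n",
	    distinct_buckets(pow2_bucket, sample, NSAMPLE),
	    distinct_buckets(fine_bucket, sample, NSAMPLE),
	    distinct_buckets(strict_bucket, sample, NSAMPLE));
	return 0;
}
```

The fewer objects of different sizes share a chunk size, the less likely an erroneously freed chunk is recycled for an allocation of a different kind, which is the re-use problem the entry describes.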
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.292 |
|
26-Oct-2023 |
otto |
A few micro-optimizations; ok asou@
|
#
1.291 |
|
22-Oct-2023 |
otto |
When option D is active, store callers for all chunks; this avoids the 0x0 call sites for leak reports. Also display more info on detected write of free chunks: print the info about where the chunk was allocated, and for the preceding chunk as well. ok asou@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.290 |
|
09-Sep-2023 |
asou |
Print warning message when not allocated memory in putleakinfo().
ok otto.
|
#
1.289 |
|
30-Jun-2023 |
otto |
Recommit "Allow to ask for deeper callers for leak reports using malloc options"
Now only enabled for platforms where it's known to work and written as an inline function instead of a macro.
|
#
1.288 |
|
23-Jun-2023 |
otto |
Revert previous, not all platforms allow compiling __builtin_return_address(a) with a != 0.
|
#
1.287 |
|
22-Jun-2023 |
otto |
Allow to ask for deeper callers for leak reports using malloc options. ok deraadt@
|
#
1.286 |
|
07-Jun-2023 |
aoyama |
Add portable version and m88k-specific version lb() function, because unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that an (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.291 |
|
22-Oct-2023 |
otto |
When option D is active, store callers for all chunks; this avoids the 0x0 call sites for leak reports. Also display more info on detected write of free chunks: print the info about where the chunk was allocated, and for the preceding chunk as well. ok asou@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.290 |
|
09-Sep-2023 |
asou |
Print warning message when not allocated memory in putleakinfo().
ok otto.
|
#
1.289 |
|
30-Jun-2023 |
otto |
Recommit "Allow to ask for deeper callers for leak reports using malloc options"
Now only enabled for platforms where it's known to work and written as inline functions instead of a macro.
|
#
1.288 |
|
23-Jun-2023 |
otto |
Revert previous, not all platforms allow compiling __builtin_return_address(a) with a != 0.
|
#
1.287 |
|
22-Jun-2023 |
otto |
Allow to ask for deeper callers for leak reports using malloc options. ok deraadt@
|
#
1.286 |
|
07-Jun-2023 |
aoyama |
Add portable version and m88k-specific version lb() function, because unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance; it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.290 |
|
09-Sep-2023 |
asou |
Print warning message when not allocated memory in putleakinfo().
ok otto.
|
#
1.289 |
|
30-Jun-2023 |
otto |
Recommit "Allow to ask for deeper callers for leak reports using malloc options"
Now only enabled for platforms where it's known to work and written as an inline function instead of a macro.
|
#
1.288 |
|
23-Jun-2023 |
otto |
Revert previous, not all platforms allow compiling __builtin_return_address(a) with a != 0.
|
#
1.287 |
|
22-Jun-2023 |
otto |
Allow to ask for deeper callers for leak reports using malloc options. ok deraadt@
|
#
1.286 |
|
07-Jun-2023 |
aoyama |
Add portable version and m88k-specific version lb() function, because unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance; it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
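The layout revision 1.112 describes (options made read-only with mprotect after initialisation, data mmap'd between PROT_NONE guard pages, set up the way revision 1.243 describes: three pages mapped with no access and the middle one made read/write), as an added C example that is not OpenBSD's malloc.c. The `demo_*` names and the two-field options struct are hypothetical; the child-process probe is there only so the resulting faults can be observed without killing the caller.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Hypothetical stand-in for the allocator's runtime options. */
struct demo_options {
	int junk;		/* fill freed memory with junk */
	int guard_pages;	/* guard pages after large allocations */
};

static size_t
demo_pagesize(void)
{
	return (size_t)sysconf(_SC_PAGESIZE);
}

/*
 * Reserve three pages PROT_NONE and open up only the middle one, so the
 * data sits at a kernel-chosen address with an inaccessible page on
 * either side. Returns the middle page, or NULL on failure.
 */
static void *
demo_map_guarded(void)
{
	size_t psz = demo_pagesize();
	char *base;

	base = mmap(NULL, 3 * psz, PROT_NONE, MAP_ANON | MAP_PRIVATE, -1, 0);
	if (base == MAP_FAILED)
		return NULL;
	if (mprotect(base + psz, psz, PROT_READ | PROT_WRITE) == -1) {
		munmap(base, 3 * psz);
		return NULL;
	}
	return base + psz;
}

/* Write the options once, then drop write permission on their page. */
static struct demo_options *
demo_options_init(int junk, int guard_pages)
{
	struct demo_options *o = demo_map_guarded();

	if (o == NULL)
		return NULL;
	o->junk = junk;
	o->guard_pages = guard_pages;
	if (mprotect(o, demo_pagesize(), PROT_READ) == -1)
		return NULL;
	return o;
}

/*
 * Try to store one byte at addr in a child process and return the
 * signal that killed the child (0 if the store went through, -1 on
 * fork/wait failure). The parent never touches addr itself.
 */
static int
demo_write_signal(volatile char *addr)
{
	int status;
	pid_t pid = fork();

	if (pid == -1)
		return -1;
	if (pid == 0) {
		*addr = 1;
		_exit(0);
	}
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int
main(void)
{
	struct demo_options *o = demo_options_init(1, 1);

	if (o == NULL)
		return 1;
	printf("write to options page: signal %d\n",
	    demo_write_signal((volatile char *)o));
	printf("write to guard below:  signal %d\n",
	    demo_write_signal((volatile char *)o - 1));
	return 0;
}
```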
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.289 |
|
30-Jun-2023 |
otto |
Recommit "Allow to ask for deeper callers for leak reports using malloc options"
Now only enabled for platforms where it's known to work and written as an inline function instead of a macro.
|
#
1.288 |
|
23-Jun-2023 |
otto |
Revert previous, not all platforms allow compiling __builtin_return_address(a) with a != 0.
|
#
1.287 |
|
22-Jun-2023 |
otto |
Allow to ask for deeper callers for leak reports using malloc options. ok deraadt@
|
#
1.286 |
|
07-Jun-2023 |
aoyama |
Add portable version and m88k-specific version lb() function, because unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
#
1.285 |
|
04-Jun-2023 |
otto |
More thorough write-after-free checks.
On free, chunks (the pieces of a page used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk.
With this, we can detect write-after-free when a chunk is recycled, not just when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
#
1.284 |
|
27-May-2023 |
otto |
Remove malloc interposition, a workaround that was once needed for emacs ok guenther@
|
#
1.283 |
|
10-May-2023 |
otto |
As mmap(2) is no longer a LOCK syscall, do away with the extra unlock-lock dance it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation- specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.282 |
|
21-Apr-2023 |
jsg |
remove duplicate include ok otto@
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.281 |
|
16-Apr-2023 |
otto |
Dump (leak) info using utrace(2) and compile the code always in except for bootblocks. This way we have built-in leak detection always (if enabled by malloc flags). See man pages for details.
|
#
1.280 |
|
05-Apr-2023 |
otto |
Introduce variation in location of junked bytes; ok tb@
|
#
1.279 |
|
01-Apr-2023 |
otto |
Check all chunks in the delayed free list for write-after-free. Should catch more of them and closer (in time) to the WAF. ok tb@
|
#
1.278 |
|
25-Mar-2023 |
otto |
Change malloc chunk sizes to be fine grained.
The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.
This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use less buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).
If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.
ok tb@
|
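The size classes listed in revision 1.278, as an added example that is not OpenBSD's find_bucket() or bin_of(): a rounding rule reconstructed from the size list in the commit message (four classes per power of two, never finer than 16 bytes), compared with the earlier power-of-two classes and the strict multiple-of-16 classes of option S. All function names are hypothetical, and the rule is only checked against the 24 sizes given for 4k pages.

```c
#include <stddef.h>
#include <stdio.h>

#define MIN_CHUNK 16
#define MAX_CHUNK 2048

typedef size_t (*bucket_fn)(size_t);

/* Chunk sizes quoted in the commit message (4k-page platforms). */
static const size_t commit_sizes[] = {
	16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256,
	320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048
};
#define NSIZES (sizeof(commit_sizes) / sizeof(commit_sizes[0]))

/* floor(log2(x)) for x > 0; returns 0 for x == 0. */
static unsigned lb(size_t x)
{
	unsigned b = 0;

	while (x >>= 1)
		b++;
	return b;
}

/* Earlier scheme: smallest power of two >= sz, at least MIN_CHUNK. */
static size_t pow2_bucket(size_t sz)
{
	size_t p = MIN_CHUNK;

	if (sz == 0 || sz > MAX_CHUNK)
		return 0;
	while (p < sz)
		p <<= 1;
	return p;
}

/* Reconstructed fine-grained rule: step is a quarter of the enclosing
 * power-of-two range, clamped to at least 16 bytes. */
static size_t fine_bucket(size_t sz)
{
	unsigned b;
	size_t step;

	if (sz == 0 || sz > MAX_CHUNK)
		return 0;
	b = lb(sz - 1);
	step = b > 6 ? (size_t)1 << (b - 2) : MIN_CHUNK;
	return (sz + step - 1) & ~(step - 1);
}

/* Option S as described: strict multiples of 16. */
static size_t strict_bucket(size_t sz)
{
	if (sz == 0 || sz > MAX_CHUNK)
		return 0;
	return (sz + MIN_CHUNK - 1) & ~(size_t)(MIN_CHUNK - 1);
}

/* Number of distinct size classes a scheme produces for 1..MAX_CHUNK. */
static size_t count_buckets(bucket_fn fn)
{
	size_t sz, prev = 0, n = 0;

	for (sz = 1; sz <= MAX_CHUNK; sz++) {
		if (fn(sz) != prev) {
			prev = fn(sz);
			n++;
		}
	}
	return n;
}

/* 1 if fine_bucket() yields exactly the commit's list, in order. */
static int matches_commit_list(void)
{
	size_t sz, prev = 0, n = 0;

	for (sz = 1; sz <= MAX_CHUNK; sz++) {
		size_t b = fine_bucket(sz);

		if (b == prev)
			continue;
		if (n >= NSIZES || commit_sizes[n] != b)
			return 0;
		prev = b;
		n++;
	}
	return n == NSIZES;
}

int main(void)
{
	/* Constructed sample request sizes. */
	static const size_t req[] = { 72, 120, 200, 250, 600, 1000 };
	size_t i;

	printf("%6s %6s %6s %6s\n", "req", "pow2", "fine", "strict");
	for (i = 0; i < sizeof(req) / sizeof(req[0]); i++)
		printf("%6zu %6zu %6zu %6zu\n", req[i], pow2_bucket(req[i]),
		    fine_bucket(req[i]), strict_bucket(req[i]));
	printf("classes: pow2=%zu fine=%zu strict=%zu, list match=%d\n",
	    count_buckets(pow2_bucket), count_buckets(fine_bucket),
	    count_buckets(strict_bucket), matches_commit_list());
	return 0;
}
```

Requests of 72 and 120 bytes share the 128-byte class under power-of-two sizing but land in separate classes (80 and 128) under the finer scheme, which is the separation the commit message argues for.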
Revision tags: OPENBSD_7_3_BASE
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocating a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.277 |
|
27-Feb-2023 |
otto |
There is no reason to-be-cleared chunks cannot participate in delayed freeing; ok tb@
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmapp()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with reacallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this make calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.276 |
|
27-Dec-2022 |
otto |
Change the way malloc_init() works so that the main data structures can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.
Tested by many
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this make calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.275 |
|
14-Oct-2022 |
deraadt |
put the malloc_readonly struct into the "openbsd.mutable" section, so that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.274 |
|
30-Jun-2022 |
guenther |
To figure out whether a large allocation can be grown into the following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job. - When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure - extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code Remove unused variables Silence some warnings lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.273 |
|
26-Feb-2022 |
otto |
Currently malloc caches a number of free'ed regions up to 128k in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.
Tested by many in snaps; ok deraadt@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this make calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recaloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocation of the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job. - When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure - extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD: > Fix a very rare error condition: The code to free VM back to the kernel > as done after a quasi-recursive call to free() had modified what we > thought we knew about the last chunk of pages. > This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr, > then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code Remove unused variables Silence some warnings lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.272 |
|
19-Sep-2021 |
tb |
Switch two calls from memset() to explicit_bzero()
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way. - Delayed free of a small chunk checks the corresponding way. - Pages ending up in the cache are validated upon unmapping or re-use. In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name - Start with a full page of struct region_info's - Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked - freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page - document posix_memalign() does not play nice with reacallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and - use internal meta-data to do more consistency checking (especially with option C) - use cheap free if possible ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size). 2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating. 3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile - redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.271 |
|
23-Jul-2021 |
otto |
Make MALLOC_STATS compile again; noted by Omar Polo and Joe Nelson
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name - Start with a full page of struct region_info's - Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked - freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page - document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and - use internal meta-data to do more consistency checking (especially with option C) - use cheap free if possible ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size). 2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating. 3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile - redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault. - Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.270 |
|
09-Apr-2021 |
otto |
An extra internal consistency check and a missing stats adjustment. ok tb@
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.269 |
|
09-Mar-2021 |
otto |
Change the implementation of the malloc cache to keep lists of regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use. In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.268 |
|
25-Feb-2021 |
otto |
- Make use of the fact that we know how the chunks are aligned, and write 8 bytes at a time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New option 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.267 |
|
23-Nov-2020 |
otto |
mapalign() only handles allocations >= a page; problem found by and ok semarie@
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.266 |
|
12-Oct-2020 |
deraadt |
make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.265 |
|
09-Oct-2020 |
otto |
As noted by tb@ previous commit only removed an unused function. So redo previous commit properly: Use random value for canary bytes; ok tb@.
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.264 |
|
06-Oct-2020 |
otto |
Use random value for canary bytes; ok tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok stefan@ armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.263 |
|
06-Sep-2020 |
otto |
For page-sized and larger allocations do not put the pages we're shaving off into the cache but unmap them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this make calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.262 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok stefan@ armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault. - Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New option 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job. - When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure - extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.261 |
|
23-May-2019 |
otto |
Only override size of chunk if we're not given the actual length. Fixes malloc_conceal...freezero with malloc options C and/or G.
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this make calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.260 |
|
10-May-2019 |
otto |
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code Remove unused variables Silence some warnings lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.259 |
|
10-Jan-2019 |
otto |
Move default number of pools in the multi-threaded case to 8. Various tests by me and others indicate that it is the optimum.
|
#
1.258 |
|
10-Jan-2019 |
otto |
Make the "not my pool" searching loop a tiny bit smarter, while making the number of pools variable. Do not document the malloc conf settings atm, don't know yet if they will stay. Thanks to all the testers. ok deraadt@
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation- specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.257 |
|
10-Dec-2018 |
otto |
Improve speed for the multi-threaded case by reducing lock contention. tested by many; ok florian@
|
#
1.256 |
|
09-Dec-2018 |
florian |
style; OK otto
|
#
1.255 |
|
27-Nov-2018 |
otto |
Refactor "find the right pool" code into a function. ok djm@ tb@
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.254 |
|
21-Nov-2018 |
otto |
Introducing malloc_usable_size() was a mistake. While some other libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line between malloc managed memory and application managed memory and exposes some of the internal workings of malloc. If an application relies on that, it is likely to break using another implementation of malloc. If you want usable size x, just allocate x bytes. ok deraadt@ and other devs
|
#
1.253 |
|
19-Nov-2018 |
guenther |
Fix compilation on alpha, where DEF_WEAK() really must be paired with PROTO_NORMAL(). Problem noted by deraadt@
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this make calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocation of the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation- specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.252 |
|
18-Nov-2018 |
otto |
Implement malloc_usable_size(); ok millert@ deraadt@ and jmc@ for the man page
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.251 |
|
06-Nov-2018 |
otto |
Use the new vm.malloc_conf sysctl; ok millert@ deraadt@
|
#
1.250 |
|
05-Nov-2018 |
otto |
Implement C11's aligned_alloc(3). ok guenther@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.249 |
|
07-Apr-2018 |
otto |
sys/uio.h is not used anymore
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation- specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.248 |
|
30-Mar-2018 |
otto |
fix MALLOC_STATS; spotted by and ok semarie@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.247 |
|
06-Mar-2018 |
deraadt |
use _ALIGN() which is uhm a bit OpenBSD-specific, but it means we don't need to use sys/param.h at all, guess which one i believe is greater namespace pollution ok otto
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New option 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on realloc's return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD: > Fix a very rare error condition: The code to free VM back to the kernel > as done after a quasi-recursive call to free() had modified what we > thought we knew about the last chunk of pages. > This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr, > then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code Remove unused variables Silence some warnings lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.246 |
|
05-Mar-2018 |
deraadt |
Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok guenther kettenis
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name - Start with a full page of struct region_info's - Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked - freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who also came up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page - document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and - use internal meta-data to do more consistency checking (especially with option C) - use cheap free if possible ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size). 2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating. 3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile - redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay. 1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'. 2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately. ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault. - Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New option 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.245 |
|
07-Feb-2018 |
otto |
use consistent style for for loop in unmap(), no functional change
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.244 |
|
30-Jan-2018 |
otto |
keep in sync with ld.so malloc.c
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places)
sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.243 |
|
28-Jan-2018 |
otto |
- An error in the multithreaded case could print the wrong function name
- Start with a full page of struct region_info's
- Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/ unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid spitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code Remove unused variables Silence some warnings lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.242 |
|
26-Jan-2018 |
otto |
- do not junk pages returned by free_bytes(), all freed chunks are already junked
- freezero(): only clear requested size
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least).
All POSIX libc api now there (to P1003.1c/D10)
(more md stuff is needed for other libc/arch/*)
(setlogin is no longer a special syscall)
Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS).
Doc some re-entrant routines
Add libc_r to intro(3)
dig() uses some libc srcs and an extra -I was needed there.
Add more md stuff to libc_r.
Update includes for the pthreads api
Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|
#
1.241 |
|
18-Jan-2018 |
otto |
Zap the rotor, it was a wrong idea. Cluebat applied by kshe who came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in the measurement noise.
|
#
1.240 |
|
18-Jan-2018 |
otto |
Move to ffs(3) for bitmask scanning. I played with this earlier, but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
|
#
1.239 |
|
08-Jan-2018 |
otto |
optimization and some cleanup; mostly from kshe (except the unmap() part)
|
#
1.238 |
|
01-Jan-2018 |
otto |
Only init chunk_info once, plus some moving of code to group related functions.
|
#
1.237 |
|
27-Dec-2017 |
otto |
step one in avoiding unnecessary init of chunk_info; some cleanup; tested by sthen@ on a ports build
|
#
1.236 |
|
02-Nov-2017 |
otto |
's' should include 'f'; from Jacqueline Jolicoeur
|
#
1.235 |
|
19-Oct-2017 |
jsing |
Restore a return that was inadvertently removed from freezero() in r1.234, which results in an internal double free when internal functions are not in use.
ok otto@
|
#
1.234 |
|
05-Oct-2017 |
otto |
do not return f() where f is a void function; loop var type fix
|
#
1.233 |
|
05-Oct-2017 |
otto |
Use dprintf instead of snprintf/write
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.232 |
|
23-Sep-2017 |
otto |
Make delayed free non-optional and make F do an extensive double free check. ok tb@ tedu@
|
#
1.231 |
|
12-Sep-2017 |
otto |
mapalign returns MAP_FAILED for failure; from George Koehler
|
#
1.230 |
|
11-Sep-2017 |
otto |
check double free before canary for chunks; ok millert@
|
#
1.229 |
|
20-Aug-2017 |
otto |
two MALLOC_STATS only tweaks; one from David CARLIER, the other found by clang
|
#
1.228 |
|
10-Jul-2017 |
otto |
one more instance of the previous commit; also initialize ->offset to a definite value in the size == 0 case
|
#
1.227 |
|
07-Jul-2017 |
otto |
Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
#
1.226 |
|
19-Jun-2017 |
dlg |
port the RBT code to userland by making it part of libc.
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with annotations for symbol visibility. changes to one should be reflected in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into the kernel and build subr_tree.c itself now.
mild enthusiasm from many ok guenther@
|
#
1.225 |
|
13-May-2017 |
otto |
- fix bug wrt posix_memalign(3) of blocks between half a page and a page
- document posix_memalign() does not play nice with recallocarray(3) and freezero(3)
|
#
1.224 |
|
22-Apr-2017 |
otto |
For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code.
|
#
1.223 |
|
18-Apr-2017 |
otto |
don't forget to fill in canary bytes for posix_memalign(3); reported by and ok jeremy@
|
#
1.222 |
|
17-Apr-2017 |
otto |
whitespace fixes
|
#
1.221 |
|
13-Apr-2017 |
otto |
allow clearing less than allocated and document freezero(3) better
|
#
1.220 |
|
10-Apr-2017 |
otto |
Introducing freezero(3) a version of free that guarantees the process no longer has access to the content of a memory object. It does this by either clearing (if the object memory remains cached) or by calling munmap(2). ok millert@, deraadt@, guenther@
|
#
1.219 |
|
06-Apr-2017 |
otto |
first print size in meta-data then supplied arg size when an inconsistency is detected wrt recallocarray()
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.218 |
|
28-Mar-2017 |
otto |
small cleanup & optimization; ok deraadt@ millert@
|
#
1.217 |
|
24-Mar-2017 |
otto |
add a helper function to print all pools #ifdef MALLOC_STATS from David CARLIER
|
#
1.216 |
|
24-Mar-2017 |
otto |
move recallocarray to malloc.c and
- use internal meta-data to do more consistency checking (especially with option C)
- use cheap free if possible
ok deraadt@
|
#
1.215 |
|
15-Feb-2017 |
jsg |
Add a NULL test to wrterror() to avoid a NULL deref when called from a free() error path.
ok otto@
|
#
1.214 |
|
02-Feb-2017 |
otto |
fix a comment and rm some dead code as a result of the previous diff
|
#
1.213 |
|
01-Feb-2017 |
otto |
Let realloc handle and produce moved pointers for allocations between half a page and a page. ok jmatthew@ tb@
|
#
1.212 |
|
21-Jan-2017 |
otto |
1. When shrinking a chunk allocation, compare the size of the current allocation to the size of the new allocation (instead of the requested size).
2. Previously realloc takes the easy way and always reallocates if C is active. This commit fixes by carefully updating the recorded requested size in all cases, and writing the canary bytes in the proper location after reallocating.
3. Introduce defines to test if MALLOC_MOVE should be done and to compute the new value.
|
#
1.211 |
|
04-Nov-2016 |
otto |
MALLOC_STATS tweaks, by default not compiled in
|
#
1.210 |
|
03-Nov-2016 |
otto |
small tweak to also check canaries if F is in effect
|
#
1.209 |
|
31-Oct-2016 |
otto |
remove some old option letters and also make P non-settable. It has been the default for ages, and I see no valid reason to be able to disable it. ok natano@
|
#
1.208 |
|
28-Oct-2016 |
otto |
Pages in the malloc cache are either reused quickly or unmapped quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
|
#
1.207 |
|
22-Oct-2016 |
otto |
- fix MALLOC_STATS compile
- redundant cast is redundant
|
#
1.206 |
|
21-Oct-2016 |
otto |
fix some void * arithmetic by casting
|
#
1.205 |
|
21-Oct-2016 |
otto |
and recommit with fixed GC
|
#
1.204 |
|
20-Oct-2016 |
otto |
backout for now; flag combination GC is not ok
|
#
1.203 |
|
20-Oct-2016 |
otto |
Also place canaries in > page sized objects (if C is in effect); ok tb@
|
#
1.202 |
|
15-Oct-2016 |
guenther |
Wrap _malloc_init() so internal calls go directly
prodded by otto@ ok kettenis@ otto@
|
#
1.201 |
|
14-Oct-2016 |
otto |
0xd0 -> 0xdb; ok deraadt@ millert@ tedu@
|
#
1.200 |
|
12-Oct-2016 |
otto |
optimize canary code a bit by storing offset of sizes table instead of recomputing it all the time
|
#
1.199 |
|
07-Oct-2016 |
otto |
stray tab
|
#
1.198 |
|
07-Oct-2016 |
otto |
Better implementation of chunk canaries: store size in chunk meta data instead of chunk itself; does not change actual allocated size; ok tedu@
|
#
1.197 |
|
21-Sep-2016 |
guenther |
Delete casts to off_t and size_t that are implied by assignments or prototypes. Ditto for some of the char* and void* casts too.
verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@
|
#
1.196 |
|
18-Sep-2016 |
otto |
move page junking to unmap(), right before we stick the region in the cache; ok tedu@
|
#
1.195 |
|
01-Sep-2016 |
otto |
Less lock contention by using more pools for multi-threaded programs. tested by many (thanks!) ok tedu, guenther@
|
#
1.194 |
|
01-Sep-2016 |
tedu |
black magic for sparc page size can go
|
#
1.193 |
|
17-Aug-2016 |
otto |
wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.192 |
|
06-Jul-2016 |
otto |
J/j is a three valued option, document and fix code to actually support that with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
|
#
1.191 |
|
30-Jun-2016 |
otto |
adapt S option: add C, rm F (not relevant with 0 cache and disables chunk rnd), rm P: is default
|
#
1.190 |
|
28-Jun-2016 |
tb |
Back out previous; otto saw a potential race that could lead to a double unmap and I experienced a much more unstable firefox.
discussed with otto on icb
|
#
1.189 |
|
27-Jun-2016 |
tedu |
defer munmap to after unlocking malloc. this can (unfortunately) be an expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
|
#
1.188 |
|
12-Apr-2016 |
otto |
two times a define to an inline function, from Michael McConville; ok djm@
|
#
1.187 |
|
09-Apr-2016 |
otto |
tweak MALLOC_STATS printing (switched off by default), prodded by Michael McConville
|
#
1.186 |
|
09-Apr-2016 |
otto |
redundant memset(3), from Michael McConville, ok armani@
|
#
1.185 |
|
17-Mar-2016 |
mmcc |
properly guard to macros
ok otto@
|
#
1.184 |
|
14-Mar-2016 |
otto |
small step towards multiple pools: move two globals into the struct dir_info ok @stefan armani@
|
#
1.183 |
|
13-Mar-2016 |
guenther |
environ and __progname are not declared in a public header; declare them in libc's hidden/stdlib.h instead of in each .c file that needs one
ok deraadt@ gsoares@ mpi@
|
#
1.182 |
|
25-Feb-2016 |
deraadt |
refactor option letter parsing into a subfunction, to increase clarity about which options are turned on/off by 's' and 'S' ok tedu
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.181 |
|
26-Jan-2016 |
otto |
Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
|
#
1.180 |
|
06-Jan-2016 |
tedu |
Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway. ok tb tdeval
|
#
1.179 |
|
30-Dec-2015 |
tedu |
another case where bad things would happen after wrterror
|
#
1.178 |
|
30-Dec-2015 |
tedu |
if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
|
#
1.177 |
|
09-Dec-2015 |
tedu |
Integrate two patches originally from Daniel Micay.
1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
ok deraadt tb
|
#
1.176 |
|
13-Sep-2015 |
guenther |
For now, permit overriding of the malloc family, to make emacs happy
|
#
1.175 |
|
13-Sep-2015 |
guenther |
Wrap <stdlib.h> so that calls go direct and the symbols not in the C standard are all weak. Apply __{BEGIN,END}_HIDDEN_DECLS to gdtoa{,imp}.h, hiding the arch-specific __strtorx, __ULtox_D2A, __strtorQ, __ULtoQ_D2A symbols.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.174 |
|
06-Apr-2015 |
tedu |
improve realloc. when expanding a region, actually use the free page cache instead of simply zapping it. this can save many syscalls in a program that repeatedly grows and shrinks a buffer, as observed in the wild.
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.173 |
|
16-Jan-2015 |
deraadt |
Move to the <limits.h> universe. review by millert, binary checking process with doug, concept with guenther
|
#
1.172 |
|
05-Jan-2015 |
tedu |
rename kern enter/exit macros to malloc enter/leave to better reflect what's going on.
|
#
1.171 |
|
18-Aug-2014 |
tedu |
a small tweak to improve malloc in multithreaded programs. we don't need to hold the malloc lock across mmap syscalls in all cases. dropping it allows another thread to access the existing chunk cache if necessary. could be improved to be a bit more aggressive, but i've been testing this simple diff for some time now with good results.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.170 |
|
09-Jul-2014 |
tedu |
reduce obvious dependency on global g_pool by moving to local aliases ok otto
|
#
1.169 |
|
27-Jun-2014 |
deraadt |
extra evil spaces snuck in over the last while
|
#
1.168 |
|
27-Jun-2014 |
otto |
Move to a smaller rbytes buffer and skip a random part. Not to improve the random stream itself (it doesn't), but to introduce noise in the arc4random calling pattern. Thanks to matthew@ who pointed out bias in a previous diff, ok deraadt@ matthew@
|
#
1.167 |
|
02-Jun-2014 |
otto |
move random bytes buffer to be part of mmaped pages; ok tedu@
|
#
1.166 |
|
26-May-2014 |
otto |
move all stats collecting under MALLOC_STATS; ok krw@
|
#
1.165 |
|
21-May-2014 |
otto |
fix MALLOC_STATS (not compiled in by default); ok tedu@
|
#
1.164 |
|
18-May-2014 |
tedu |
factor out a bit of the chunk index code and use it to make sure that a freed chunk is actually freeable immediately. catch more errors. hints/ok otto
|
#
1.163 |
|
12-May-2014 |
tedu |
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
|
#
1.162 |
|
10-May-2014 |
otto |
fix MALLOC_STATS code that was broken in rev 1.159, not compiled in by default
|
#
1.161 |
|
08-May-2014 |
deraadt |
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel ok guenther schwarze
|
#
1.160 |
|
07-May-2014 |
halex |
comment style fix
ok crickets@
|
#
1.159 |
|
01-May-2014 |
tedu |
nibbles aren't enough random, use bytes. does a better job of picking a free chunk at random and may allow to increase delayed chunk array. ok otto
|
#
1.158 |
|
23-Apr-2014 |
tedu |
remove Z option and default to something halfway to J. we always junk small chunks now, and the first part of pages, but only after free. J still does the old thing. j disables everything. Consider experimental as we evaluate performance in the real world. ok otto
|
#
1.157 |
|
23-Apr-2014 |
espie |
explain a bit more what's going on for stupid me. okay otto@
|
#
1.156 |
|
23-Apr-2014 |
otto |
Better, cleaner hash function that computes the same on be and le archs. Should improve sparc64 and other be archs. ok matthew@ miod@
|
#
1.155 |
|
22-Apr-2014 |
tedu |
change mallocarray to reallocarray. useful in a few more situations. malloc can, as always, be emulated via realloc(NULL). ok deraadt
|
#
1.154 |
|
21-Apr-2014 |
deraadt |
Introducing: void *mallocarray(size_t nmemb, size_t size); Like calloc(), except without the cleared-memory guarantee ok beck guenther, discussed for more than a year...
|
#
1.153 |
|
14-Apr-2014 |
otto |
print pid in error messages; ok reyk@
|
#
1.152 |
|
03-Apr-2014 |
schwarze |
Update Copyright notice; ok otto@ beck@ deraadt@. This is merely a by-product of figuring out the amount of phk@ code contained herein; i'm not planning to hack on this file.
|
#
1.151 |
|
25-Mar-2014 |
beck |
Poul-Henning Kamp informed me he is all right with this licensing change.
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.150 |
|
12-Nov-2013 |
deraadt |
avoid arithmetic on void * ok guenther otto
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.149 |
|
22-Dec-2012 |
otto |
Fix bug in random offset introduced in rev 1.143; random range was expanded, but not enough due to precedence error. Spotted by Thorsten Glaser.
|
#
1.148 |
|
02-Nov-2012 |
djm |
Add a new malloc option 'U' => "Free unmap" that does the guarding/unmapping of freed allocations without disabling chunk randomisation like the "Freeguard" ('F') option does. Make security 'S' option use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging use-after-free, but chunk randomisation offers better defence against "heap feng shui" style attacks that depend on carefully constructing a particular heap layout so we should leave this enabled when requesting security options.
|
#
1.147 |
|
13-Sep-2012 |
pirofti |
Fix precedence bug (& has lower precedence than !=).
Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks!
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.146 |
|
09-Jul-2012 |
deraadt |
use PAGE_SHIFT instead of PGSHIFT, in preparation for future param.h symbol reduction. ok guenther
|
#
1.145 |
|
26-Jun-2012 |
tedu |
after a talk with ariane, use MAP_FIXED for mquery to avoid the cost of scanning for free space if the hint isn't available. also, on further inspection, this will prevent pmap_prefer from "improving" our hint.
|
#
1.144 |
|
22-Jun-2012 |
tedu |
two changes which should improve realloc. first, fix zapcacheregion to clear out the entire requested area, not just a perfect fit. second, use mquery to check for room to avoid getting an address we don't like and having to send it back.
|
#
1.143 |
|
20-Jun-2012 |
tedu |
two small fixes to free page cache. first, we need two nibbles of random in order to span the entire cache. second, on free use the same offset to put things in the cache instead of always starting at zero. ok otto
|
#
1.142 |
|
18-Jun-2012 |
matthew |
Support larger-than-page-alignment requests in posix_memalign() by overallocating and then releasing unneeded memory pages.
ok otto
|
#
1.141 |
|
29-Feb-2012 |
otto |
- Test for the retrieved page address not being NULL. This turns free((void*)1) into a bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with hint 0 never returns NULL.
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.140 |
|
06-Oct-2011 |
otto |
Make struct chunk_info a variable sized struct, wasting less space for meta data by only allocating space actually needed for the bitmap (modulo alignment requirements). ok deraadt@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.139 |
|
12-Jul-2011 |
otto |
on malloc flag S, set cache size to 0; will catch even more use-after-free bugs; ok krw@ dlg@ pirofti@
|
#
1.138 |
|
20-Jun-2011 |
tedu |
as man page states, lower case undoes upper case. add support for little s, no security, for consistency. use of this option is discouraged. :) ok deraadt guenther millert
|
#
1.137 |
|
20-May-2011 |
otto |
save errno dance in wrterror() and malloc_dump(); prompted by and ok deraadt@
|
#
1.136 |
|
18-May-2011 |
otto |
introduce symbolic constant for initial number of regions
|
#
1.135 |
|
18-May-2011 |
otto |
zap regions_bits and rework MALLOC_MAXSHIFT a bit; ok djm@
|
#
1.134 |
|
12-May-2011 |
otto |
Avoid fp computations for stats, this makes calling malloc_dump() safe in more cases.
|
#
1.133 |
|
12-May-2011 |
otto |
fix comment, the bitmap is an array of u_short now
|
#
1.132 |
|
12-May-2011 |
otto |
Introduce leak detection code for MALLOC_STATS
|
#
1.131 |
|
08-May-2011 |
otto |
Move MALLOC_STATS code to bottom of file, so the real stuff is more at the top.
|
#
1.130 |
|
05-May-2011 |
otto |
Up until now, malloc scanned the bits of the chunk bitmap from position zero, skipping a random number of free slots and then picking the next free one. This slowed things down, especially if the number of full slots increases.
This changes the scanning to start at a random position in the bitmap and then taking the first available free slot, wrapping if the end of the bitmap is reached. Of course we'll still scan more if the bitmap becomes more full, but the extra iterations skipping free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented by a few random bits every time a chunk is needed (with a small optimization if only one free slot is left).
Thanks to the testers!
|
#
1.129 |
|
30-Apr-2011 |
otto |
Now that we use an array of u_short for the chunk bitmap change a few 1UL to 1U.
|
#
1.128 |
|
30-Apr-2011 |
otto |
More efficient scanning for free chunks while not losing any randomization; thanks to all testers.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.127 |
|
16-Dec-2010 |
dhill |
avoid pointer arithmetic on void *
tested for a while by me.
ok otto@
|
#
1.126 |
|
21-Oct-2010 |
otto |
print the pointer value that caused the error (if available); ok deraadt@ nicm@ (on an earlier version)
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.125 |
|
18-May-2010 |
tedu |
add posix_madvise, posix_memalign, strndup, and strnlen. mostly from brad and millert, with hints from guenther, jmc, and otto I think. ok previous.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.124 |
|
13-Jan-2010 |
otto |
New options 'S', as a shorthand for the options most suitable as an extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@
|
#
1.123 |
|
16-Dec-2009 |
otto |
save calls to arc4random() by using a nibble at a time; not because arc4random() is slow, but it induces getpid() calls; also saves a bit on stirring efforts
|
#
1.122 |
|
07-Dec-2009 |
miod |
Make userland malloc use __LDPGSZ granularity on mips, regardless of the actual kernel page size.
|
#
1.121 |
|
27-Nov-2009 |
otto |
Switch the chunk_info lists to doubly-linked lists and use the queue macros for them. Avoids walking the lists and greatly enhances speed of freeing chunks in reverse or random order at the cost of a little space. Suggested by Fabien Romano and Jonathan Armani; ok djm@
|
#
1.120 |
|
27-Nov-2009 |
otto |
Don't forget to fill region from the cache with junk if needed in one case; from Fabien Romano and Jonathan Armani
|
#
1.119 |
|
27-Nov-2009 |
otto |
No need to clear a mmapped region; from Fabien Romano and Jonathan Armani
|
#
1.118 |
|
02-Nov-2009 |
todd |
permit -DMALLOC_STATS to compile again noticed by Jonathan Armani & Fabien Romano ugh+ok otto@
|
#
1.117 |
|
20-Oct-2009 |
pirofti |
Check mmap return value against MAP_FAILED not NULL.
Okay deraadt@, otto@.
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.116 |
|
08-Jun-2009 |
deraadt |
quieten compiler by converting pointers to uintptr_t before truncating them to u_int32_t to do integer math with (in a situation where that is legit) ok otto millert
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.115 |
|
03-Jan-2009 |
djm |
reintroduce extra malloc protections, but avoiding the use of PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the sparc architecture; ok otto@ tested on my reanimated ss20
|
#
1.114 |
|
31-Dec-2008 |
deraadt |
PAGE_SIZE is not a valid symbol to use in that way. In particular, on sparc, it expands to something that just plain does not work, because the page size can be variable. Sorry we didn't spot this before. Backing it all out to allow sparc to build; please find a different way to fix it.
|
#
1.113 |
|
30-Dec-2008 |
djm |
Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security.
requested by deraadt@ grumbling ok otto@
|
#
1.112 |
|
29-Dec-2008 |
djm |
extra paranoia for malloc(3):
Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar ok otto
|
#
1.111 |
|
15-Dec-2008 |
otto |
shave off more bytes than you expect by declaring a few const local arrays as static const
|
#
1.110 |
|
20-Nov-2008 |
otto |
move allocations between half a page and a page as close to the end of the page as possible (i.e. make malloc option P a default). ok art@ millert@ krw@
|
#
1.109 |
|
20-Nov-2008 |
otto |
Reduce the leeway malloc allows when moving allocations to the end of a page to 0. P default will be changed in a separate commit. ok millert@ art@ krw@
|
#
1.108 |
|
13-Nov-2008 |
otto |
To allow for easier playing with more strict settings introduce a separate symbolic constant for the leeway we allow when moving allocations towards the end of a page. No functional change.
|
#
1.107 |
|
12-Nov-2008 |
otto |
avoid a few strlen calls for constant strings; prompted by tg; ok djm@
|
#
1.106 |
|
06-Nov-2008 |
otto |
if the freeprot flag (F) is set, do not do delayed frees for chunks (might catch errors closer to the trouble spot) and junk fill pages just before reuse instead of immediate (we can't access the page anyway) since we set PROT_NONE in the F case. ok djm@
|
#
1.105 |
|
02-Nov-2008 |
otto |
remove distinction between warnings and errors, ok deraadt@ djm@
|
#
1.104 |
|
29-Oct-2008 |
otto |
if MALLOC_STATS is defined, record how many "cheap reallocs" were tried and how many actually succeeded.
|
#
1.103 |
|
20-Oct-2008 |
otto |
oops, assign errno the right way. caught by david running regress tests
|
#
1.102 |
|
03-Oct-2008 |
otto |
reduce rbyte cache to 512 bytes, no measurable slowdown (even in the threaded case) but much smaller working set; prompted by and ok deraadt@
|
#
1.101 |
|
03-Oct-2008 |
otto |
save and restore errno on success. while it is not strictly needed for non-syscalls, there's just too much code not doing the right thing on error paths; prompted by and ok deraadt@
|
#
1.100 |
|
03-Oct-2008 |
otto |
when increasing the size of a larger than a page allocation try mapping the region next to the existing one first; there's a pretty high chance there's a hole there we can use; ok deraadt@ tedu@
|
#
1.99 |
|
03-Oct-2008 |
otto |
avoid splitting up regions when purging stuff from the cache, it puts too much pressure on the amaps. ok tedu@ deraadt@
|
#
1.98 |
|
25-Aug-2008 |
otto |
Make all combinations of G, P, J and zero-fill work with as little effort as possible in most cases; ok djm@
|
#
1.97 |
|
23-Aug-2008 |
djm |
unbreak MALLOC_OPTIONS=G that I broke in my last commit; slightly kludgey solution for until otto fixes it properly; ok otto@
|
#
1.96 |
|
23-Aug-2008 |
djm |
fix calloc() for MALLOC_OPTIONS=J case: SOME_JUNK was being filled into the freshly mmaped pages disrupting their pure zeroness; ok otto@ deraadt@
|
#
1.95 |
|
22-Aug-2008 |
otto |
make sure we always map and unmap multiples of MALLOC_PAGESIZE; case spotted by beck, one by me; ok deraadt@ beck@
|
#
1.94 |
|
22-Aug-2008 |
otto |
Smarter implementation of calloc(3), which uses the fact that mmap(2) returns zero filled pages; remember to replace this function as well if you provide your own malloc implementation; ok djm@ deraadt@
|
#
1.93 |
|
07-Aug-2008 |
otto |
small cleanup of error/warning strings
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.92 |
|
28-Jul-2008 |
otto |
Almost complete rewrite of malloc, to have a more efficient data structure of tracking pages returned by mmap(). Lots of testing by lots of people, thanks to you all. ok djm@ (for a slightly earlier version) deraadt@
|
#
1.91 |
|
13-Jun-2008 |
otto |
remove _MALLOC_LOCK_INIT; major bump; ok deraadt@
|
#
1.90 |
|
19-May-2008 |
otto |
remove recalloc(3); it is buggy and impossible to repair without big costs; ok jmc@ for the man page bits; ok millert@ deraadt@
|
#
1.89 |
|
13-Apr-2008 |
djm |
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.88 |
|
20-Feb-2008 |
otto |
use pgfree pool like other code does to reserve free list slots. prevents a few "cannot free mem because i need mem to free mem" scenarios (one found by weingart@). ok weingart@ millert@ miod@
|
#
1.87 |
|
03-Sep-2007 |
millert |
add recalloc(3)
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.86 |
|
12-Feb-2007 |
otto |
get cheaper random bytes, less waste and no getpid() calls, which are done by arc4random(); ok millert@ deraadt@
|
#
1.85 |
|
19-Dec-2006 |
otto |
a failed mmap returns MAP_FAILED, not NULL. found while exercising pax in low-mem conditions; ok dim@
|
#
1.84 |
|
24-Oct-2006 |
tedu |
respond to ben hawkes's ruxcon presentation. create special allocators for pginfo and pgfree structs instead of imalloc. this keeps them separated from application memory. for chunks, to prevent deterministic reuse, keep a small array and swizzle the to be freed chunk with a random previously freed chunk. this last bit only for chunks because keeping arbitrarily large regions of pages around may cause out of memory issues (and pages are, to some extent, returned in random order). all changes enabled by default. thanks to ben for pointing out these issues. ok tech@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.83 |
|
14-May-2006 |
otto |
Fix the second malloc_ulimit regression: maintaining the free list requires memory; try to make sure we have it. If all fails, leak instead of crash. Test case originally found by cloder@, fix tested by many.
|
#
1.82 |
|
24-Apr-2006 |
otto |
Do not leave a hole in the directory list if allocation of the region succeeds, but allocation of a required page dir failed. This can happen if we're really close to ulimit after allocating the region of the size requested. See malloc_ulimit1 regress test. Tested by many; thanks.
|
#
1.81 |
|
18-Apr-2006 |
otto |
delint; original from deraadt@ with fixes from tdeval@ and me; tested by quite a few developers. ok deraadt@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.80 |
|
14-Feb-2006 |
espie |
quick path for free(0) `looks to be safe' millert, okay tedu.
|
#
1.79 |
|
10-Oct-2005 |
espie |
Remove a few warnings. Those were not apparent thanks to a bug in gcc 2.95.
Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br> Thanks.
|
#
1.78 |
|
05-Oct-2005 |
deraadt |
further knf and cleaning; ok tdeval
|
#
1.77 |
|
05-Oct-2005 |
deraadt |
first KNF (no binary diffs)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.76 |
|
08-Aug-2005 |
espie |
zap remaining rcsid.
Kill old files that are no longer compiled.
okay theo
|
#
1.75 |
|
07-Jul-2005 |
tdeval |
Fix the unmapping of freed pages, leaving just 64k worth of cache pages. Prodded by art@ and fgsch@, ok deraadt@
|
#
1.74 |
|
07-Jun-2005 |
tedu |
adding pointer protection to 'G' was too heavyweight. Since malloc guard should be generally usable, split this out into option 'P'. ok deraadt
|
#
1.73 |
|
24-May-2005 |
tedu |
handle sizeof(void *) allocations specially when using malloc guard. they get a whole page and go right at the end of it. ok deraadt tdeval
|
#
1.72 |
|
31-Mar-2005 |
tdeval |
MMAP(2) malloc, here we go again.
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.71 |
|
11-Aug-2004 |
tdeval |
Back out to brk(2) version.
The mmap(2) code is cool and it has already uncovered some bugs in other code. But some issues remain on some archs, and we can't afford that for production.
Don't worry, it will be back soon... I'll make sure of it...
|
#
1.70 |
|
05-Aug-2004 |
tdeval |
- Remove the userland data limit check. It's mmap(2)'s job.
- When malloc_abort==0 (MALLOC_OPTIONS=a), don't abort in wrterror().
fine deraadt@
|
#
1.69 |
|
04-Aug-2004 |
tdeval |
Missing check for NULL.
|
#
1.68 |
|
01-Aug-2004 |
tdeval |
After a long gestation period, here comes our custom version of malloc(3) using mmap(2) instead of sbrk(2). To make a long story short, using mmap(2) in malloc(3) allows us to draw all the benefits from our mmap(2)'s randomization feature, closing the effort we did for returning memory blocks from random addresses.
Tested for a long time by many, thanks to them. Go for it ! deraadt@
|
#
1.67 |
|
12-Apr-2004 |
tdeval |
Clean up malloc_active state when aborting. This allows for safe abort handling, without tripping into false recursivity problems.
Ok tedu@, deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.66 |
|
19-Feb-2004 |
tdeval |
Sanity fix. reviewed by deraadt@, tedu@
|
#
1.65 |
|
19-Nov-2003 |
tedu |
only whine about recursion once, so we don't get into problems with loops.
|
#
1.64 |
|
16-Oct-2003 |
tedu |
by popular demand, malloc guard pages. insert an unreadable/unwriteable page after each page size allocation to detect overrun. this is somewhat electric fence like, while attempting to be mostly usable in production. also, use tdeval's chunk randomization code. enabled with the G option. ok deraadt and co.
|
#
1.63 |
|
15-Oct-2003 |
tedu |
abort on errors by default. workaround so running out of memory isn't actually an error, A still applies full effect. suggested by phk. ok deraadt@ tdeval@
|
#
1.62 |
|
02-Oct-2003 |
tedu |
two minor fixes. set errno on recursive calls. ENOMEM suggested by marc@. lock before setting malloc_func, not after. ok cloder@ deraadt@
|
#
1.61 |
|
30-Sep-2003 |
tedu |
full stop. reverse course. remove all periods, so as to be aligned with error messages elsewhere. requested ok deraadt@ henning@
|
#
1.60 |
|
27-Sep-2003 |
tedu |
remove register. end all sentences with periods. ok deraadt@ henning@ millert@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.59 |
|
04-Aug-2003 |
jfb |
ansify function arguments
ok tdeval@
|
#
1.58 |
|
19-Jul-2003 |
tdeval |
- just warn in case of mmap/brk failure
- extend_pgdir and malloc_make_chunks return int, not void*
ok tedu@
|
#
1.57 |
|
13-Jul-2003 |
otto |
Fix two cases where malloc() returns NULL but does not set errno to ENOMEM. ok tdeval@ henning@ millert@
|
#
1.56 |
|
14-May-2003 |
tdeval |
Unbreak 64-bit archs...
|
#
1.55 |
|
14-May-2003 |
tdeval |
Pointer cleaning. ok ian@, tedu@, krw@
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
14-Jan-2003 |
millert |
Add sanity check to prevent int oflow for very large allocations. Also fix a signed vs. unsigned issue while I am at it. Found by Jim Geovedi. OK deraadt@
|
#
1.53 |
|
27-Nov-2002 |
tdeval |
Honour malloc_junk ('J') with realloc(3), and fix page_dir shrink update.
|
#
1.52 |
|
25-Nov-2002 |
cloder |
Warn if atexit(3) fails. Change some tabs to spaces. Use STDERR_FILENO instead of 2.
OK millert@
|
#
1.51 |
|
05-Nov-2002 |
marc |
thread safe libc -- 2nd try. OK miod@, millert@ Thanks to miod@ for m68k and vax fixes
|
#
1.50 |
|
03-Nov-2002 |
marc |
back out previous patch.. there are still some vax/m68k issues
|
#
1.49 |
|
03-Nov-2002 |
marc |
libc changes for thread safety. Tested on: alpha (millert@), i386 (marc@), m68k (millert@ and miod@), powerpc (drahn@ and dhartmei@), sparc (millert@ and marc@), sparc64 (marc@), and vax (millert@ and miod@). Thanks to millert@, miod@, and mickey@ for fixes along the way.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.48 |
|
27-May-2002 |
deraadt |
unsigned vs unsigned int
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.47 |
|
16-Feb-2002 |
millert |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
1.46 |
|
23-Jan-2002 |
fgsch |
THREAD_UNLOCK() on error before returning; millert@ ok.
|
#
1.45 |
|
05-Dec-2001 |
tdeval |
correct an alignment mis-conception for malloc(0) returned regions. OK deraadt@
|
#
1.44 |
|
01-Nov-2001 |
mickey |
remove dangling spaces and tabs
|
#
1.43 |
|
30-Oct-2001 |
tdeval |
mprotect allocations sized at 0 bytes. This will cause a fault for access to such, permitting them to be discovered, instead of exploited as the ssh crc insertion detector was. Idea by theo, written by tdeval.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.42 |
|
11-May-2001 |
art |
-1 -> MAP_FAILED
|
#
1.41 |
|
10-May-2001 |
art |
Use madvise(MADV_FREE) to allow the 'h' option. (the code was already there, just not enabled).
|
Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE OPENBSD_2_9_BASE
|
#
1.40 |
|
10-Apr-2000 |
deraadt |
missing THREAD_UNLOCK; netch@segfault.kiev.ua
|
#
1.39 |
|
01-Mar-2000 |
deraadt |
typo fix; halogen@nol.net
|
#
1.38 |
|
10-Nov-1999 |
millert |
calloc() needs to be separate from malloc in case a user wants to have their own malloc() implementation.
|
#
1.37 |
|
09-Nov-1999 |
millert |
Move calloc() into malloc.c and only zero out the area if malloc() didn't do so for us. By default, malloc() zeros out the space it allocates but the programmer cannot rely on this as it is implementation-specific (and configurable via /etc/malloc.conf)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.36 |
|
16-Sep-1999 |
deraadt |
use writev() where possible
|
Revision tags: OPENBSD_2_5_BASE
|
#
1.35 |
|
03-Feb-1999 |
d |
wrong ret type for write define (millert@)
|
#
1.34 |
|
01-Feb-1999 |
d |
malloc can't use write() if it fails very early, so use the unwrapped syscall _thread_sys_write() if we are threaded
|
#
1.33 |
|
20-Nov-1998 |
d |
Add thread-safety to libc, so that libc_r will build (on i386 at least). All POSIX libc api now there (to P1003.1c/D10) (more md stuff is needed for other libc/arch/*) (setlogin is no longer a special syscall) Add -pthread option to gcc (that makes it use -lc_r and -D_POSIX_THREADS). Doc some re-entrant routines Add libc_r to intro(3) dig() uses some libc srcs and an extra -I was needed there. Add more md stuff to libc_r. Update includes for the pthreads api Update libc_r TODO
|
Revision tags: OPENBSD_2_4_BASE
|
#
1.32 |
|
06-Aug-1998 |
millert |
Don't enumerate every arch in the #if since all OpenBSD platforms use the same values for malloc_pageshift and malloc_minsize except for sparc
|
#
1.31 |
|
28-Jun-1998 |
rahnds |
Oh fun, mucking about with files used on all archs.
This is one of many places in the source that have #if defined("list all architectures") Is there some possible way to eliminate, reduce these or at least have a file that describes all occurrences so that when a new port is done this could be addressed. like the recent hppa port, does it need to take a look at this????
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.30 |
|
02-Jan-1998 |
deraadt |
make mmap() return void *, add MAP_FAILED
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.29 |
|
23-Aug-1997 |
pefo |
Change realloc(foo,0) to behave like malloc(0). Both now return a pointer to an object of size zero. This will allow testing on reallocs return value to determine if the operation was successful or not.
|
#
1.28 |
|
22-Aug-1997 |
deraadt |
malloc_init() should try to not modify errno
|
#
1.27 |
|
02-Jul-1997 |
millert |
Use MALLOC_EXTRA_SANITY consistently (EXTRA_SANITY was used in many places) sizeof *pt -> sizeof *px (point to same type of struct but looked wrong).
|
#
1.26 |
|
31-May-1997 |
tholo |
Make it possible to not output warnings (errors causing aborts are always output).
|
#
1.25 |
|
31-May-1997 |
tholo |
Add x/X option to behave like X11 xmalloc; from FreeBSD
Reduce diffs wrt. FreeBSD some
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.24 |
|
30-Apr-1997 |
tholo |
Be more careful with mixing types
|
#
1.23 |
|
05-Apr-1997 |
tholo |
Check for overflow; from FreeBSD
|
#
1.22 |
|
11-Feb-1997 |
niklas |
if we were set[ug]id an uninitialized ptr bit us
|
#
1.21 |
|
09-Feb-1997 |
tholo |
Make this 64-bit safe again
|
#
1.20 |
|
05-Jan-1997 |
tholo |
Integrate latest malloc(3) from FreeBSD
|
#
1.19 |
|
24-Nov-1996 |
niklas |
more 64bit fixes
|
#
1.18 |
|
23-Nov-1996 |
niklas |
64 bit clean
|
#
1.17 |
|
22-Nov-1996 |
kstailey |
removed plus sign from start of line
|
Revision tags: OPENBSD_2_0_BASE
|
#
1.16 |
|
26-Sep-1996 |
tholo |
Make sure we don't dereference stray pointer when running suid or sgid
|
#
1.15 |
|
26-Sep-1996 |
tholo |
Restore check for suid / sgid
|
#
1.14 |
|
26-Sep-1996 |
tholo |
Latest changes from FreeBSD
|
#
1.13 |
|
19-Sep-1996 |
tholo |
From FreeBSD:
> Fix a very rare error condition: The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.
|
#
1.12 |
|
16-Sep-1996 |
tholo |
Avoid pulling in stdio
|
#
1.11 |
|
15-Sep-1996 |
tholo |
Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend
|
#
1.10 |
|
11-Sep-1996 |
deraadt |
only support MALLOC_OPTIONS for non-setuid
|
#
1.9 |
|
06-Sep-1996 |
tholo |
asm -> __asm, clean lint(1) warnings
|
#
1.8 |
|
21-Aug-1996 |
tholo |
Move cfree(3) weak symbol into a separate file
|
#
1.7 |
|
20-Aug-1996 |
tholo |
Make the binding cfree() -> free() weak if possible
|
#
1.6 |
|
20-Aug-1996 |
downsj |
Remove ANSI function declarations and add a cfree() stub function.
|
#
1.5 |
|
19-Aug-1996 |
tholo |
Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly
|
#
1.4 |
|
02-Aug-1996 |
tholo |
malloc(3) implementation from FreeBSD; uses mmap(2) to get memory
|
#
1.3 |
|
25-Mar-1996 |
tholo |
Add prototypes for internal functions
Change inline to __inline
|
#
1.2 |
|
29-Jan-1996 |
deraadt |
realloc(ptr, 0) does not free; from seebs@taniemarie.solon.com; netbsd pr#1806
|
#
1.1 |
|
18-Oct-1995 |
deraadt |
branches: 1.1.1; Initial revision
|