1/* $NetBSD: malloc.c,v 1.10 2023/07/08 04:09:26 simonb Exp $ */ 2 3/* 4 * Copyright (c) 1983, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33#if defined(LIBC_SCCS) && !defined(lint) 34#if 0 35static char sccsid[] = "@(#)malloc.c 8.1 (Berkeley) 6/4/93"; 36#else 37__RCSID("$NetBSD: malloc.c,v 1.10 2023/07/08 04:09:26 simonb Exp $"); 38#endif 39#endif /* LIBC_SCCS and not lint */ 40 41/* 42 * malloc.c (Caltech) 2/21/82 43 * Chris Kingsley, kingsley@cit-20. 44 * 45 * This is a very fast storage allocator. It allocates blocks of a small 46 * number of different sizes, and keeps free lists of each size. Blocks that 47 * don't exactly fit are passed up to the next larger size. In this 48 * implementation, the available sizes are 2^n-4 (or 2^n-10) bytes long. 49 * This is designed for use in a virtual memory environment. 50 */ 51 52#include <sys/types.h> 53#if defined(DEBUG) || defined(RCHECK) 54#include <sys/uio.h> 55#endif 56 57#include <errno.h> 58#include <limits.h> 59#include <stddef.h> 60#include <stdint.h> 61#if defined(RCHECK) || defined(MSTATS) 62#include <stdio.h> 63#endif 64#include <stdlib.h> 65#include <string.h> 66#include <unistd.h> 67 68#include "reentrant.h" 69 70 71/* 72 * The overhead on a block is at least 4 bytes. When free, this space 73 * contains a pointer to the next free block, and the bottom two bits must 74 * be zero. When in use, the first byte is set to MAGIC, and the second 75 * byte is the size index. The remaining bytes are for alignment. 76 * If range checking is enabled then a second word holds the size of the 77 * requested block, less 1, rounded up to a multiple of sizeof(RMAGIC). 78 * The order of elements is critical: ov_magic must overlay the low order 79 * bits of ov_next, and ov_magic can not be a valid ov_next bit pattern. 80 */ 81union overhead { 82 union overhead *ov_next; /* when free */ 83 struct { 84 u_char ovu_magic; /* magic number */ 85 u_char ovu_index; /* bucket # */ 86#ifdef RCHECK 87 u_short ovu_rmagic; /* range magic number */ 88 u_long ovu_size; /* actual block size */ 89#endif 90 } ovu; 91#define ov_magic ovu.ovu_magic 92#define ov_index ovu.ovu_index 93#define ov_rmagic ovu.ovu_rmagic 94#define ov_size ovu.ovu_size 95}; 96 97#define MAGIC 0xef /* magic # on accounting info */ 98#ifdef RCHECK 99#define RMAGIC 0x5555 /* magic # on range info */ 100#endif 101 102#ifdef RCHECK 103#define RSLOP sizeof (u_short) 104#else 105#define RSLOP 0 106#endif 107 108/* 109 * nextf[i] is the pointer to the next free block of size 2^(i+3). The 110 * smallest allocatable block is 8 bytes. The overhead information 111 * precedes the data area returned to the user. 112 */ 113#define NBUCKETS 30 114static union overhead *nextf[NBUCKETS]; 115 116static long pagesz; /* page size */ 117static int pagebucket; /* page size bucket */ 118 119#ifdef MSTATS 120/* 121 * nmalloc[i] is the difference between the number of mallocs and frees 122 * for a given block size. 123 */ 124static u_int nmalloc[NBUCKETS]; 125#endif 126 127#ifdef _REENT 128static mutex_t malloc_mutex = MUTEX_INITIALIZER; 129#endif 130 131static void morecore(int); 132static int findbucket(union overhead *, int); 133#ifdef MSTATS 134void mstats(const char *); 135#endif 136 137#if defined(DEBUG) || defined(RCHECK) 138#define ASSERT(p) if (!(p)) botch(__STRING(p)) 139 140static void botch(const char *); 141 142/* 143 * NOTE: since this may be called while malloc_mutex is locked, stdio must not 144 * be used in this function. 145 */ 146static void 147botch(const char *s) 148{ 149 struct iovec iov[3]; 150 151 iov[0].iov_base = __UNCONST("\nassertion botched: "); 152 iov[0].iov_len = 20; 153 iov[1].iov_base = __UNCONST(s); 154 iov[1].iov_len = strlen(s); 155 iov[2].iov_base = __UNCONST("\n"); 156 iov[2].iov_len = 1; 157 158 /* 159 * This place deserves a word of warning: a cancellation point will 160 * occur when executing writev(), and we might be still owning 161 * malloc_mutex. At this point we need to disable cancellation 162 * until `after' abort() because i) establishing a cancellation handler 163 * might, depending on the implementation, result in another malloc() 164 * to be executed, and ii) it is really not desirable to let execution 165 * continue. `Fix me.' 166 * 167 * Note that holding mutex_lock during abort() is safe. 168 */ 169 170 (void)writev(STDERR_FILENO, iov, 3); 171 abort(); 172} 173#else 174#define ASSERT(p) ((void)sizeof((long)(p))) 175#endif 176 177void * 178malloc(size_t nbytes) 179{ 180 union overhead *op; 181 int bucket; 182 long n; 183 unsigned amt; 184 185 mutex_lock(&malloc_mutex); 186 187 /* 188 * First time malloc is called, setup page size and 189 * align break pointer so all data will be page aligned. 190 */ 191 if (pagesz == 0) { 192 pagesz = n = getpagesize(); 193 ASSERT(pagesz > 0); 194 op = (union overhead *)(void *)sbrk(0); 195 n = n - sizeof (*op) - ((long)op & (n - 1)); 196 if (n < 0) 197 n += pagesz; 198 if (n) { 199 if (sbrk((int)n) == (void *)-1) { 200 mutex_unlock(&malloc_mutex); 201 return (NULL); 202 } 203 } 204 bucket = 0; 205 amt = 8; 206 while (pagesz > amt) { 207 amt <<= 1; 208 bucket++; 209 } 210 pagebucket = bucket; 211 } 212 /* 213 * Convert amount of memory requested into closest block size 214 * stored in hash buckets which satisfies request. 215 * Account for space used per block for accounting. 216 */ 217 if (nbytes <= (n = pagesz - sizeof (*op) - RSLOP)) { 218#ifndef RCHECK 219 amt = 8; /* size of first bucket */ 220 bucket = 0; 221#else 222 amt = 16; /* size of first bucket */ 223 bucket = 1; 224#endif 225 n = -((long)sizeof (*op) + RSLOP); 226 } else { 227 amt = (unsigned)pagesz; 228 bucket = pagebucket; 229 } 230 while (nbytes > amt + n) { 231 amt <<= 1; 232 if (amt == 0) 233 return (NULL); 234 bucket++; 235 } 236 /* 237 * If nothing in hash bucket right now, 238 * request more memory from the system. 239 */ 240 if ((op = nextf[bucket]) == NULL) { 241 morecore(bucket); 242 if ((op = nextf[bucket]) == NULL) { 243 mutex_unlock(&malloc_mutex); 244 return (NULL); 245 } 246 } 247 /* remove from linked list */ 248 nextf[bucket] = op->ov_next; 249 op->ov_magic = MAGIC; 250 op->ov_index = bucket; 251#ifdef MSTATS 252 nmalloc[bucket]++; 253#endif 254 mutex_unlock(&malloc_mutex); 255#ifdef RCHECK 256 /* 257 * Record allocated size of block and 258 * bound space with magic numbers. 259 */ 260 op->ov_size = (nbytes + RSLOP - 1) & ~(RSLOP - 1); 261 op->ov_rmagic = RMAGIC; 262 *(u_short *)((caddr_t)(op + 1) + op->ov_size) = RMAGIC; 263#endif 264 return ((void *)(op + 1)); 265} 266 267/* 268 * Allocate more memory to the indicated bucket. 269 */ 270static void 271morecore(int bucket) 272{ 273 union overhead *op; 274 long sz; /* size of desired block */ 275 long amt; /* amount to allocate */ 276 long nblks; /* how many blocks we get */ 277 278 /* 279 * sbrk_size <= 0 only for big, FLUFFY, requests (about 280 * 2^30 bytes on a VAX, I think) or for a negative arg. 281 */ 282 sz = 1 << (bucket + 3); 283#ifdef DEBUG 284 ASSERT(sz > 0); 285#else 286 if (sz <= 0) 287 return; 288#endif 289 if (sz < pagesz) { 290 amt = pagesz; 291 nblks = amt / sz; 292 } else { 293 amt = sz + pagesz; 294 nblks = 1; 295 } 296 op = (union overhead *)(void *)sbrk((int)amt); 297 /* no more room! */ 298 if ((long)op == -1) 299 return; 300 /* 301 * Add new memory allocated to that on 302 * free list for this hash bucket. 303 */ 304 nextf[bucket] = op; 305 while (--nblks > 0) { 306 op->ov_next = 307 (union overhead *)(void *)((caddr_t)(void *)op+(size_t)sz); 308 op = op->ov_next; 309 } 310} 311 312void 313free(void *cp) 314{ 315 long size; 316 union overhead *op; 317 318 if (cp == NULL) 319 return; 320 op = (union overhead *)(void *)((caddr_t)cp - sizeof (union overhead)); 321#ifdef DEBUG 322 ASSERT(op->ov_magic == MAGIC); /* make sure it was in use */ 323#else 324 if (op->ov_magic != MAGIC) 325 return; /* sanity */ 326#endif 327#ifdef RCHECK 328 ASSERT(op->ov_rmagic == RMAGIC); 329 ASSERT(*(u_short *)((caddr_t)(op + 1) + op->ov_size) == RMAGIC); 330#endif 331 size = op->ov_index; 332 ASSERT(size < NBUCKETS); 333 mutex_lock(&malloc_mutex); 334 op->ov_next = nextf[(unsigned int)size];/* also clobbers ov_magic */ 335 nextf[(unsigned int)size] = op; 336#ifdef MSTATS 337 nmalloc[(size_t)size]--; 338#endif 339 mutex_unlock(&malloc_mutex); 340} 341 342/* 343 * When a program attempts "storage compaction" as mentioned in the 344 * old malloc man page, it realloc's an already freed block. Usually 345 * this is the last block it freed; occasionally it might be farther 346 * back. We have to search all the free lists for the block in order 347 * to determine its bucket: 1st we make one pass thru the lists 348 * checking only the first block in each; if that fails we search 349 * ``__realloc_srchlen'' blocks in each list for a match (the variable 350 * is extern so the caller can modify it). If that fails we just copy 351 * however many bytes was given to realloc() and hope it's not huge. 352 */ 353int __realloc_srchlen = 4; /* 4 should be plenty, -1 =>'s whole list */ 354 355void * 356realloc(void *cp, size_t nbytes) 357{ 358 u_long onb; 359 long i; 360 union overhead *op; 361 char *res; 362 int was_alloced = 0; 363 364 if (cp == NULL) 365 return (malloc(nbytes)); 366 if (nbytes == 0) { 367 free (cp); 368 return (NULL); 369 } 370 op = (union overhead *)(void *)((caddr_t)cp - sizeof (union overhead)); 371 mutex_lock(&malloc_mutex); 372 if (op->ov_magic == MAGIC) { 373 was_alloced++; 374 i = op->ov_index; 375 } else { 376 /* 377 * Already free, doing "compaction". 378 * 379 * Search for the old block of memory on the 380 * free list. First, check the most common 381 * case (last element free'd), then (this failing) 382 * the last ``__realloc_srchlen'' items free'd. 383 * If all lookups fail, then assume the size of 384 * the memory block being realloc'd is the 385 * largest possible (so that all "nbytes" of new 386 * memory are copied into). Note that this could cause 387 * a memory fault if the old area was tiny, and the moon 388 * is gibbous. However, that is very unlikely. 389 */ 390 if ((i = findbucket(op, 1)) < 0 && 391 (i = findbucket(op, __realloc_srchlen)) < 0) 392 i = NBUCKETS; 393 } 394 onb = (u_long)1 << (u_long)(i + 3); 395 if (onb < pagesz) 396 onb -= sizeof (*op) + RSLOP; 397 else 398 onb += pagesz - sizeof (*op) - RSLOP; 399 /* avoid the copy if same size block */ 400 if (was_alloced) { 401 if (i) { 402 i = (long)1 << (long)(i + 2); 403 if (i < pagesz) 404 i -= sizeof (*op) + RSLOP; 405 else 406 i += pagesz - sizeof (*op) - RSLOP; 407 } 408 if (nbytes <= onb && nbytes > i) { 409#ifdef RCHECK 410 op->ov_size = (nbytes + RSLOP - 1) & ~(RSLOP - 1); 411 *(u_short *)((caddr_t)(op + 1) + op->ov_size) = RMAGIC; 412#endif 413 mutex_unlock(&malloc_mutex); 414 return (cp); 415 416 } 417#ifndef _REENT 418 else 419 free(cp); 420#endif 421 } 422 mutex_unlock(&malloc_mutex); 423 if ((res = malloc(nbytes)) == NULL) { 424#ifdef _REENT 425 free(cp); 426#endif 427 return (NULL); 428 } 429#ifndef _REENT 430 if (cp != res) /* common optimization if "compacting" */ 431 (void)memmove(res, cp, (size_t)((nbytes < onb) ? nbytes : onb)); 432#else 433 (void)memmove(res, cp, (size_t)((nbytes < onb) ? nbytes : onb)); 434 free(cp); 435#endif 436 return (res); 437} 438 439/* 440 * Search ``srchlen'' elements of each free list for a block whose 441 * header starts at ``freep''. If srchlen is -1 search the whole list. 442 * Return bucket number, or -1 if not found. 443 */ 444static int 445findbucket(union overhead *freep, int srchlen) 446{ 447 union overhead *p; 448 int i, j; 449 450 for (i = 0; i < NBUCKETS; i++) { 451 j = 0; 452 for (p = nextf[i]; p && j != srchlen; p = p->ov_next) { 453 if (p == freep) 454 return (i); 455 j++; 456 } 457 } 458 return (-1); 459} 460 461#ifdef MSTATS 462/* 463 * mstats - print out statistics about malloc 464 * 465 * Prints two lines of numbers, one showing the length of the free list 466 * for each size category, the second showing the number of mallocs - 467 * frees for each size category. 468 */ 469void 470mstats(const char *s) 471{ 472 int i, j; 473 union overhead *p; 474 int totfree = 0, 475 totused = 0; 476 477 fprintf(stderr, "Memory allocation statistics %s\nfree:\t", s); 478 for (i = 0; i < NBUCKETS; i++) { 479 for (j = 0, p = nextf[i]; p; p = p->ov_next, j++) 480 ; 481 fprintf(stderr, " %d", j); 482 totfree += j * (1 << (i + 3)); 483 } 484 fprintf(stderr, "\nused:\t"); 485 for (i = 0; i < NBUCKETS; i++) { 486 fprintf(stderr, " %d", nmalloc[i]); 487 totused += nmalloc[i] * (1 << (i + 3)); 488 } 489 fprintf(stderr, "\n\tTotal in use: %d, total free: %d\n", 490 totused, totfree); 491} 492#endif 493 494/* 495 * Additional front ends: 496 * - aligned_alloc (C11) 497 * - calloc(n,m) = malloc(n*m) without overflow 498 * - posix_memalign (POSIX) 499 * 500 * These must all be in the same compilation unit as malloc, realloc, 501 * and free (or -lbsdmalloc must be surrounded by -Wl,--whole-archive 502 * -lbsdmalloc -Wl,--no-whole-archive) in order to override the libc 503 * built-in malloc implementation. 504 * 505 * Allocations of size n, up to and including the page size, are 506 * already aligned by malloc on multiples of n. Larger alignment is 507 * not supported. 508 */ 509 510static long __constfunc 511cachedpagesize(void) 512{ 513 long n; 514 515 /* XXX atomic_load_relaxed, but that's not defined in userland atm */ 516 if (__predict_false((n = pagesz) == 0)) { 517 mutex_lock(&malloc_mutex); 518 if ((n = pagesz) == 0) 519 n = pagesz = getpagesize(); 520 mutex_unlock(&malloc_mutex); 521 } 522 523 return n; 524} 525 526void * 527aligned_alloc(size_t alignment, size_t size) 528{ 529 char *p; 530 531 if (alignment == 0 || 532 (alignment & (alignment - 1)) != 0 || 533 alignment > cachedpagesize()) { 534 errno = EINVAL; 535 return NULL; 536 } 537 p = malloc(size < alignment ? alignment : size); 538 if (__predict_false(p == NULL)) 539 ASSERT((uintptr_t)p % alignment == 0); 540 return p; 541} 542 543void * 544calloc(size_t nmemb, size_t size) 545{ 546 void *p; 547 size_t n; 548 549 if (__builtin_mul_overflow(nmemb, size, &n)) { 550 errno = ENOMEM; 551 return NULL; 552 } 553 p = malloc(n); 554 if (__predict_false(p == NULL)) 555 return NULL; 556 memset(p, 0, n); 557 return p; 558} 559 560int 561posix_memalign(void **memptr, size_t alignment, size_t size) 562{ 563 char *p; 564 565 if (alignment < sizeof(void *) || 566 (alignment & (alignment - 1)) != 0 || 567 alignment > cachedpagesize()) 568 return EINVAL; 569 p = malloc(size < alignment ? alignment : size); 570 if (__predict_false(p == NULL)) 571 return ENOMEM; 572 ASSERT((uintptr_t)p % alignment == 0); 573 *memptr = p; 574 return 0; 575} 576 577/* 578 * libc hooks required by fork 579 */ 580 581#include "../libc/include/extern.h" 582 583void 584_malloc_prefork(void) 585{ 586 587 mutex_lock(&malloc_mutex); 588} 589 590void 591_malloc_postfork(void) 592{ 593 594 mutex_unlock(&malloc_mutex); 595} 596 597void 598_malloc_postfork_child(void) 599{ 600 601 mutex_unlock(&malloc_mutex); 602} 603