summaryrefslogtreecommitdiffstats
path: root/libc/bionic/malloc_debug_qemu.cpp
blob: b3b604d86b84bbe3f9333d790418448ee472cd5c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
/*
 * Copyright (C) 2009 The Android Open Source Project
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *  * Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *  * Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Contains implementation of memory allocation routines instrumented for
 * usage in the emulator to detect memory allocation violations, such as
 * memory leaks, buffer overruns, etc.
 * Code, implemented here is intended to run in the emulated environment only,
 * and serves simply as hooks into memory allocation routines. Main job of this
 * code is to notify the emulator about memory being allocated/deallocated,
 * providing information about each allocation. The idea is that emulator will
 * keep list of currently allocated blocks, and, knowing boundaries of each
 * block it will be able to verify that ld/st access to these blocks don't step
 * over boundaries set for the user. To enforce that, each memory block
 * allocated by this code is guarded with "prefix" and "suffix" areas, so
 * every time emulator detects access to any of these guarding areas, it can be
 * considered as access violation.
 */

#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <pthread.h>
#include <unistd.h>
#include <errno.h>
#include "malloc_debug_common.h"
#include "private/bionic_macros.h"
#include "private/libc_logging.h"

/* This file should be included into the build only when
 * MALLOC_QEMU_INSTRUMENT macro is defined. */
#ifndef MALLOC_QEMU_INSTRUMENT
#error MALLOC_QEMU_INSTRUMENT is not defined.
#endif  // !MALLOC_QEMU_INSTRUMENT

/* Controls access violation test performed to make sure that we catch AVs
 * all the time they occur. See test_access_violation for more info. This macro
 * is used for internal testing purposes and should always be set to zero for
 * the production builds. */
#define TEST_ACCESS_VIOLATIONS  0

// =============================================================================
// Communication structures
// =============================================================================

/* Describes memory block allocated from the heap. This structure is passed
 * along with TRACE_DEV_REG_MALLOC event. This descriptor is used to inform
 * the emulator about new memory block being allocated from the heap. The entire
 * structure is initialized by the guest system before event is fired up. It is
 * important to remember that same structure (an exact copy, except for
 * replacing pointers with target_ulong) is also declared in the emulator's
 * sources (file memcheck/memcheck_common.h). So, every time a change is made to
 * any of these two declaration, another one must be also updated accordingly.
 */
struct MallocDesc {
    /* Pointer to the memory block actually allocated from the heap. Note that
     * this is not the pointer that is returned to the malloc's caller. Pointer
     * returned to the caller is calculated by adding value stored in this field
     * to the value stored in prefix_size field of this structure.
     */
    void*       ptr;

    /* Number of bytes requested by the malloc's caller. */
    uint32_t    requested_bytes;

    /* Byte size of the prefix data. Actual pointer returned to the malloc's
     * caller is calculated by adding value stored in this field to the value
     * stored in in the ptr field of this structure.
     */
    uint32_t    prefix_size;

    /* Byte size of the suffix data. */
    uint32_t    suffix_size;

    /* Id of the process that initialized libc instance, in which allocation
     * has occurred. This field is used by the emulator to report errors in
     * the course of TRACE_DEV_REG_MALLOC event handling. In case of an error,
     * emulator sets this field to zero (invalid value for a process ID).
     */
    uint32_t    libc_pid;

    /* Id of the process in context of which allocation has occurred.
     * Value in this field may differ from libc_pid value, if process that
     * is doing allocation has been forked from the process that initialized
     * libc instance.
     */
    uint32_t    allocator_pid;

    /* Number of access violations detected on this allocation. */
    uint32_t    av_count;
};

/* Describes memory block info queried from emulator. This structure is passed
 * along with TRACE_DEV_REG_QUERY_MALLOC event. When handling free and realloc
 * calls, it is required that we have information about memory blocks that were
 * actually allocated in previous calls to malloc, calloc, memalign, or realloc.
 * Since we don't keep this information directly in the allocated block, but
 * rather we keep it in the emulator, we need to query emulator for that
 * information with TRACE_DEV_REG_QUERY_MALLOC query. The entire structure is
 * initialized by the guest system before event is fired up. It is important to
 * remember that same structure (an exact copy, except for replacing pointers
 * with target_ulong) is also declared in the emulator's sources (file
 * memcheck/memecheck_common.h). So, every time a change is made to any of these
 * two declaration, another one must be also updated accordingly.
 */
struct MallocDescQuery {
    /* Pointer, for which information is queried. Note that this pointer doesn't
     * have to be exact pointer returned to malloc's caller, but can point
     * anywhere inside an allocated block, including guarding areas. Emulator
     * will respond with information about allocated block that contains this
     * pointer.
     */
    const void*       ptr;

    /* Id of the process that initialized libc instance, in which this query
     * is called. This field is used by the emulator to report errors in
     * the course of TRACE_DEV_REG_QUERY_MALLOC event handling. In case of an
     * error, emulator sets this field to zero (invalid value for a process ID).
     */
    uint32_t    libc_pid;

    /* Process ID in context of which query is made. */
    uint32_t    query_pid;

    /* Code of the allocation routine, in context of which query has been made:
     *  1 - free
     *  2 - realloc
     */
    uint32_t    routine;

    /* Address of memory allocation descriptor for the queried pointer.
     * Descriptor, addressed by this field is initialized by the emulator in
     * response to the query.
     */
    MallocDesc*  desc;
};

/* Describes memory block that is being freed back to the heap. This structure
 * is passed along with TRACE_DEV_REG_FREE_PTR event. The entire structure is
 * initialized by the guest system before event is fired up. It is important to
 * remember that same structure (an exact copy, except for replacing pointers
 * with target_ulong) is also declared in the emulator's sources (file
 * memcheck/memecheck_common.h). So, every time a change is made to any of these
 * two declaration, another one must be also updated accordingly.
 */
struct MallocFree {
    /* Pointer to be freed. */
    void*       ptr;

    /* Id of the process that initialized libc instance, in which this free
     * is called. This field is used by the emulator to report errors in
     * the course of TRACE_DEV_REG_FREE_PTR event handling. In case of an
     * error, emulator sets this field to zero (invalid value for a process ID).
     */
    uint32_t    libc_pid;

    /* Process ID in context of which memory is being freed. */
    uint32_t    free_pid;
};

// =============================================================================
// Communication events
// =============================================================================

/* Notifies the emulator that libc has been initialized for a process.
 * Event's value parameter is PID for the process in context of which libc has
 * been initialized.
 */
#define TRACE_DEV_REG_LIBC_INIT             1536

/* Notifies the emulator about new memory block been allocated.
 * Event's value parameter points to MallocDesc instance that contains
 * allocated block information. Note that 'libc_pid' field of the descriptor
 * is used by emulator to report failure in handling this event. In case
 * of a failure emulator will zero that field before completing this event.
 */
#define TRACE_DEV_REG_MALLOC                1537

/* Notifies the emulator about memory block being freed.
 * Event's value parameter points to MallocFree descriptor that contains
 * information about block that's being freed. Note that 'libc_pid' field
 * of the descriptor is used by emulator to report failure in handling this
 * event. In case of a failure emulator will zero that field before completing
 * this event.
 */
#define TRACE_DEV_REG_FREE_PTR              1538

/* Queries the emulator about allocated memory block information.
 * Event's value parameter points to MallocDescQuery descriptor that contains
 * query parameters. Note that 'libc_pid' field of the descriptor is used by
 * emulator to report failure in handling this event. In case of a failure
 * emulator will zero that field before completing this event.
 */
#define TRACE_DEV_REG_QUERY_MALLOC          1539

/* Queries the emulator to print a string to its stdout.
 * Event's value parameter points to a zero-terminated string to be printed.
 */
#define TRACE_DEV_REG_PRINT_USER_STR        1540

static void notify_qemu_string(const char* str);
static void qemu_log(int prio, const char* fmt, ...);
static void dump_malloc_descriptor(char* str,
                                   size_t str_buf_size,
                                   const MallocDesc* desc);

// =============================================================================
// Macros
// =============================================================================

/* Defines default size of allocation prefix.
 * Note that we make prefix area quite large in order to increase chances of
 * catching buffer overflow. */
#define DEFAULT_PREFIX_SIZE     (malloc_alignment * 4)

/* Defines default size of allocation suffix.
 * Note that we make suffix area quite large in order to increase chances of
 * catching buffer overflow. */
#define DEFAULT_SUFFIX_SIZE     (malloc_alignment * 4)

/* Debug tracing has been enabled by the emulator. */
#define DEBUG_TRACING_ENABLED   0x00000001
/* Error tracing has been enabled by the emulator. */
#define ERROR_TRACING_ENABLED   0x00000002
/* Info tracing has been enabled by the emulator. */
#define INFO_TRACING_ENABLED    0x00000004
/* All tracing flags combined. */
#define ALL_TRACING_ENABLED (DEBUG_TRACING_ENABLED |    \
                             ERROR_TRACING_ENABLED |    \
                             INFO_TRACING_ENABLED)

/* Prints a string to the emulator's stdout.
 * In early stages of system loading, logging messages to logcat
 * is not available, because ADB API has not been
 * hooked up yet. So, in order to see such messages we need to print them to
 * the emulator's stdout.
 * Parameters passed to this macro are the same as parameters for printf
 * routine.
 */
#define TR(...)                                         \
    do {                                                \
        char tr_str[4096];                              \
        snprintf(tr_str, sizeof(tr_str), __VA_ARGS__);  \
        tr_str[sizeof(tr_str) - 1] = '\0';              \
        notify_qemu_string(&tr_str[0]);                 \
    } while (0)

// =============================================================================
// Logging macros. Note that we simultaneously log messages to ADB and emulator.
// =============================================================================

/*
 * Helper macros for checking if particular trace level is enabled.
 */
#define debug_LOG_ENABLED       ((tracing_flags & DEBUG_TRACING_ENABLED) != 0)
#define error_LOG_ENABLED       ((tracing_flags & ERROR_TRACING_ENABLED) != 0)
#define info_LOG_ENABLED        ((tracing_flags & INFO_TRACING_ENABLED)  != 0)
#define tracing_enabled(type)   (type##_LOG_ENABLED)

/*
 * Logging helper macros.
 */
#define qemu_debug_log(format, ...)                                         \
    do {                                                                    \
        __libc_format_log(ANDROID_LOG_DEBUG, "memcheck", (format), ##__VA_ARGS__); \
        if (tracing_flags & DEBUG_TRACING_ENABLED) {                        \
            qemu_log(ANDROID_LOG_DEBUG, (format), ##__VA_ARGS__);           \
        }                                                                   \
    } while (0)

#define qemu_error_log(format, ...)                                         \
    do {                                                                    \
        __libc_format_log(ANDROID_LOG_ERROR, "memcheck", (format), ##__VA_ARGS__); \
        if (tracing_flags & ERROR_TRACING_ENABLED) {                        \
            qemu_log(ANDROID_LOG_ERROR, (format), ##__VA_ARGS__);           \
        }                                                                   \
    } while (0)

#define qemu_info_log(format, ...)                                          \
    do {                                                                    \
        __libc_format_log(ANDROID_LOG_INFO, "memcheck", (format), ##__VA_ARGS__); \
        if (tracing_flags & INFO_TRACING_ENABLED) {                         \
            qemu_log(ANDROID_LOG_INFO, (format), ##__VA_ARGS__);            \
        }                                                                   \
    } while (0)

/* Logs message dumping MallocDesc instance at the end of the message.
 * Param:
 *  type - Message type: debug, error, or info
 *  desc - MallocDesc instance to dump.
 *  fmt + rest - Formats message preceding dumped descriptor.
*/
#define log_mdesc(type, desc, fmt, ...)                                    \
    do {                                                                    \
        if (tracing_enabled(type)) {                                        \
            char log_str[4096];                                             \
            __libc_format_buffer(log_str, sizeof(log_str), fmt, ##__VA_ARGS__); \
            log_str[sizeof(log_str) - 1] = '\0';                            \
            size_t str_len = strlen(log_str);                               \
            dump_malloc_descriptor(log_str + str_len,                       \
                                   sizeof(log_str) - str_len,               \
                                   (desc));                                 \
            type##_log("%s", log_str);                                      \
        }                                                                   \
    } while (0)

// =============================================================================
// Static data
// =============================================================================

// The underlying malloc implementation to use to get memory.
static const MallocDebug* g_malloc_dispatch = NULL;

/* Emulator's magic page address.
 * This page (mapped on /dev/qemu_trace device) is used to fire up events
 * in the emulator. */
static volatile void* qtrace = NULL;

/* Cached PID of the process in context of which this libc instance
 * has been initialized. */
static uint32_t malloc_pid = 0;

/* Memory allocation alignment that is used in the malloc implementation.
 * This variable is updated by memcheck_initialize routine. */
static uint32_t malloc_alignment = 8;

/* Tracing flags. These flags control which types of logging messages are
 * enabled by the emulator. See XXX_TRACING_ENABLED for the values of flags
 * stored in this variable. This variable is updated by memcheck_initialize
 * routine. */
static uint32_t tracing_flags = 0;

// =============================================================================
// Static routines
// =============================================================================

/* Gets pointer, returned to malloc caller for the given allocation decriptor.
 * Param:
 *  desc - Allocation descriptor.
 * Return:
 *  Pointer to the allocated memory returned to the malloc caller.
 */
static inline void* mallocdesc_user_ptr(const MallocDesc* desc) {
    return static_cast<char*>(desc->ptr) + desc->prefix_size;
}

/* Gets size of memory block actually allocated from the heap for the given
 * allocation decriptor.
 * Param:
 *  desc - Allocation descriptor.
 * Return:
 *  Size of memory block actually allocated from the heap.
 */
static inline uint32_t mallocdesc_alloc_size(const MallocDesc* desc) {
    return desc->prefix_size + desc->requested_bytes + desc->suffix_size;
}

/* Gets pointer to the end of the allocated block for the given descriptor.
 * Param:
 *  desc - Descriptor for the memory block, allocated in malloc handler.
 * Return:
 *  Pointer to the end of (one byte past) the allocated block.
 */
static inline void* mallocdesc_alloc_end(const MallocDesc* desc) {
    return static_cast<char*>(desc->ptr) + mallocdesc_alloc_size(desc);
}

/* Fires up an event in the emulator.
 * Param:
 *  code - Event code (one of the TRACE_DEV_XXX).
 *  val  - Event's value parameter.
 */
static inline void notify_qemu(uint32_t code, uintptr_t val) {
    if (NULL != qtrace) {
        *(volatile uintptr_t*)((uintptr_t)qtrace + ((code - 1024) << 2)) = val;
    }
}

/* Prints a zero-terminated string to the emulator's stdout (fires up
 * TRACE_DEV_REG_PRINT_USER_STR event in the emulator).
 * Param:
 *  str - Zero-terminated string to print.
 */
static void notify_qemu_string(const char* str) {
    if (str != NULL) {
        notify_qemu(TRACE_DEV_REG_PRINT_USER_STR, reinterpret_cast<uintptr_t>(str));
    }
}

/* Fires up TRACE_DEV_REG_LIBC_INIT event in the emulator.
 * Param:
 *  pid - ID of the process that initialized libc.
 */
static void notify_qemu_libc_initialized(uint32_t pid) {
    notify_qemu(TRACE_DEV_REG_LIBC_INIT, pid);
}

/* Fires up TRACE_DEV_REG_MALLOC event in the emulator.
 * Param:
 *  desc - Pointer to MallocDesc instance containing allocated block
 *      information.
 * Return:
 *  Zero on success, or -1 on failure. Note that on failure libc_pid field of
 *  the desc parameter passed to this routine has been zeroed out by the
 *  emulator.
 */
static inline int notify_qemu_malloc(volatile MallocDesc* desc) {
    desc->libc_pid = malloc_pid;
    desc->allocator_pid = getpid();
    desc->av_count = 0;
    notify_qemu(TRACE_DEV_REG_MALLOC, reinterpret_cast<uintptr_t>(desc));

    /* Emulator reports failure by zeroing libc_pid field of the
     * descriptor. */
    return desc->libc_pid != 0 ? 0 : -1;
}

/* Fires up TRACE_DEV_REG_FREE_PTR event in the emulator.
 * Param:
 *  ptr - Pointer to the memory block that's being freed.
 * Return:
 *  Zero on success, or -1 on failure.
 */
static inline int notify_qemu_free(void* ptr_to_free) {
    volatile MallocFree free_desc;

    free_desc.ptr = ptr_to_free;
    free_desc.libc_pid = malloc_pid;
    free_desc.free_pid = getpid();
    notify_qemu(TRACE_DEV_REG_FREE_PTR, reinterpret_cast<uintptr_t>(&free_desc));

    /* Emulator reports failure by zeroing libc_pid field of the
     * descriptor. */
    return free_desc.libc_pid != 0 ? 0 : -1;
}

/* Fires up TRACE_DEV_REG_QUERY_MALLOC event in the emulator.
 * Param:
 *  ptr - Pointer to request allocation information for.
 *  desc - Pointer to MallocDesc instance that will receive allocation
 *      information.
 *  routine - Code of the allocation routine, in context of which query is made:
 *      1 - free
 *      2 - realloc
 * Return:
 *  Zero on success, or -1 on failure.
 */
static inline int query_qemu_malloc_info(const void* ptr, MallocDesc* desc, uint32_t routine) {
    volatile MallocDescQuery query;

    query.ptr = ptr;
    query.libc_pid = malloc_pid;
    query.query_pid = getpid();
    query.routine = routine;
    query.desc = desc;
    notify_qemu(TRACE_DEV_REG_QUERY_MALLOC, reinterpret_cast<uintptr_t>(&query));

    /* Emulator reports failure by zeroing libc_pid field of the
     * descriptor. */
    return query.libc_pid != 0 ? 0 : -1;
}

/* Logs a message to emulator's stdout.
 * Param:
 *  prio - Message priority (debug, info, or error)
 *  fmt + rest - Message format and parameters.
 */
static void qemu_log(int prio, const char* fmt, ...) {
    va_list ap;
    char buf[4096];
    const char* prefix;

    /* Choose message prefix depending on the priority value. */
    switch (prio) {
        case ANDROID_LOG_ERROR:
            if (!tracing_enabled(error)) {
                return;
            }
            prefix = "E";
            break;
        case ANDROID_LOG_INFO:
            if (!tracing_enabled(info)) {
                return;
            }
            prefix = "I";
            break;
        case ANDROID_LOG_DEBUG:
        default:
            if (!tracing_enabled(debug)) {
                return;
            }
            prefix = "D";
            break;
    }

    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    buf[sizeof(buf) - 1] = '\0';

    TR("%s/memcheck: %s\n", prefix, buf);
}

/* Dumps content of memory allocation descriptor to a string.
 * Param:
 *  str - String to dump descriptor to.
 *  str_buf_size - Size of string's buffer.
 *  desc - Descriptor to dump.
 */
static void dump_malloc_descriptor(char* str, size_t str_buf_size, const MallocDesc* desc) {
    if (str_buf_size) {
        snprintf(str, str_buf_size,
                 "MDesc: %p: %p <-> %p [%u + %u + %u] by pid=%03u in libc_pid=%03u",
                 mallocdesc_user_ptr(desc), desc->ptr,
                 mallocdesc_alloc_end(desc), desc->prefix_size,
                 desc->requested_bytes, desc->suffix_size, desc->allocator_pid,
                 desc->libc_pid);
        str[str_buf_size - 1] = '\0';
    }
}

#if TEST_ACCESS_VIOLATIONS
/* Causes an access violation on allocation descriptor, and verifies that
 * violation has been detected by memory checker in the emulator.
 */
static void test_access_violation(const MallocDesc* desc) {
    MallocDesc desc_chk;
    char ch;
    volatile char* prefix = (volatile char*)desc->ptr;
    volatile char* suffix = (volatile char*)mallocdesc_user_ptr(desc) +
                                            desc->requested_bytes;
    /* We're causing AV by reading from the prefix and suffix areas of the
     * allocated block. This should produce two access violations, so when we
     * get allocation descriptor from QEMU, av_counter should be bigger than
     * av_counter of the original descriptor by 2. */
    ch = *prefix;
    ch = *suffix;
    if (!query_qemu_malloc_info(mallocdesc_user_ptr(desc), &desc_chk, 2) &&
        desc_chk.av_count != (desc->av_count + 2)) {
        log_mdesc(error, &desc_chk,
                  "<libc_pid=%03u, pid=%03u>: malloc: Access violation test failed:\n"
                  "Expected violations count %u is not equal to the actually reported %u",
                  malloc_pid, getpid(), desc->av_count + 2,
                  desc_chk.av_count);
    }
}
#endif  // TEST_ACCESS_VIOLATIONS

// =============================================================================
// API routines
// =============================================================================

extern "C" void* qemu_instrumented_calloc(size_t, size_t);
extern "C" void  qemu_instrumented_free(void*);
extern "C" struct mallinfo qemu_instrumented_mallinfo();
extern "C" void* qemu_instrumented_malloc(size_t);
extern "C" size_t qemu_instrumented_malloc_usable_size(const void*);
extern "C" void* qemu_instrumented_memalign(size_t, size_t);
extern "C" int qemu_instrumented_posix_memalign(void**, size_t, size_t);
extern "C" void* qemu_instrumented_pvalloc(size_t);
extern "C" void* qemu_instrumented_realloc(void*, size_t);
extern "C" void* qemu_instrumented_valloc(size_t);

/* Initializes malloc debugging instrumentation for the emulator.
 * This routine is called from malloc_init_impl routine implemented in
 * bionic/libc/bionic/malloc_debug_common.c when malloc debugging gets
 * initialized for a process. The way malloc debugging implementation is
 * done, it is guaranteed that this routine will be called just once per
 * process.
 * Return:
 *  0 on success, or -1 on failure.
*/
extern "C" bool malloc_debug_initialize(HashTable*, const MallocDebug* malloc_dispatch) {
    g_malloc_dispatch = malloc_dispatch;

    /* We will be using emulator's magic page to report memory allocation
     * activities. In essence, what magic page does, it translates writes to
     * the memory mapped spaces into writes to an I/O port that emulator
     * "listens to" on the other end. Note that until we open and map that
     * device, logging to emulator's stdout will not be available. */
    int fd = open("/dev/qemu_trace", O_RDWR);
    if (fd < 0) {
        error_log("Unable to open /dev/qemu_trace");
        return false;
    } else {
        qtrace = mmap(NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        close(fd);

        if (qtrace == MAP_FAILED) {
            qtrace = NULL;
            error_log("Unable to mmap /dev/qemu_trace");
            return false;
        }
    }

    /* Cache pid of the process this library has been initialized for. */
    malloc_pid = getpid();
    return true;
}

/* Completes malloc debugging instrumentation for the emulator.
 * Note that this routine is called after successful return from
 * malloc_debug_initialize, which means that connection to the emulator via
 * "magic page" has been established.
 * Param:
 *  alignment - Alignment requirement set for memiry allocations.
 *  memcheck_param - Emulator's -memcheck option parameters. This string
 *      contains abbreviation for guest events that are enabled for tracing.
 * Return:
 *  0 on success, or -1 on failure.
*/
extern "C" int memcheck_initialize(int alignment, const char* memcheck_param) {
    malloc_alignment = alignment;

    /* Parse -memcheck parameter for the guest tracing flags. */
    while (*memcheck_param != '\0') {
        switch (*memcheck_param) {
            case 'a':
                // Enable all messages from the guest.
                tracing_flags |= ALL_TRACING_ENABLED;
                break;
            case 'd':
                // Enable debug messages from the guest.
                tracing_flags |= DEBUG_TRACING_ENABLED;
                break;
            case 'e':
                // Enable error messages from the guest.
                tracing_flags |= ERROR_TRACING_ENABLED;
                break;
            case 'i':
                // Enable info messages from the guest.
                tracing_flags |= INFO_TRACING_ENABLED;
                break;
            default:
                break;
        }
        if (tracing_flags == ALL_TRACING_ENABLED) {
            break;
        }
        memcheck_param++;
    }

    notify_qemu_libc_initialized(malloc_pid);

    qemu_debug_log("Instrumented for pid=%03u: malloc=%p, free=%p, calloc=%p, realloc=%p, memalign=%p",
              malloc_pid, qemu_instrumented_malloc, qemu_instrumented_free,
              qemu_instrumented_calloc, qemu_instrumented_realloc,
              qemu_instrumented_memalign);

    return 0;
}

/* This routine serves as entry point for 'malloc'.
 * Primary responsibility of this routine is to allocate requested number of
 * bytes (plus prefix, and suffix guards), and report allocation to the
 * emulator.
 */
extern "C" void* qemu_instrumented_malloc(size_t bytes) {
    MallocDesc desc;

    /* Initialize block descriptor and allocate memory. Note that malloc
     * returns a valid pointer on zero allocation. Lets mimic this behavior. */
    desc.prefix_size = DEFAULT_PREFIX_SIZE;
    desc.requested_bytes = bytes;
    desc.suffix_size = DEFAULT_SUFFIX_SIZE;
    size_t size = mallocdesc_alloc_size(&desc);
    if (size < bytes) { // Overflow
        qemu_error_log("<libc_pid=%03u, pid=%03u> malloc: malloc(%zu) overflow caused failure.",
                       malloc_pid, getpid(), bytes);
        errno = ENOMEM;
        return NULL;
    }
    desc.ptr = g_malloc_dispatch->malloc(size);
    if (desc.ptr == NULL) {
        qemu_error_log("<libc_pid=%03u, pid=%03u> malloc(%zu): malloc(%zu) failed.",
                       malloc_pid, getpid(), bytes, size);
        return NULL;
    }

    // Fire up event in the emulator.
    if (notify_qemu_malloc(&desc)) {
        log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: malloc: notify_malloc failed for ",
                  malloc_pid, getpid());
        g_malloc_dispatch->free(desc.ptr);
        errno = ENOMEM;
        return NULL;
    } else {
#if TEST_ACCESS_VIOLATIONS
        test_access_violation(&desc);
#endif  // TEST_ACCESS_VIOLATIONS
        log_mdesc(info, &desc, "+++ <libc_pid=%03u, pid=%03u> malloc(%zu) -> ",
                  malloc_pid, getpid(), bytes);
        return mallocdesc_user_ptr(&desc);
    }
}

/* This routine serves as entry point for 'malloc'.
 * Primary responsibility of this routine is to free requested memory, and
 * report free block to the emulator.
 */
extern "C" void qemu_instrumented_free(void* mem) {
    MallocDesc desc;

    if (mem == NULL) {
        // Just let go NULL free
        g_malloc_dispatch->free(mem);
        return;
    }

    // Query emulator for the freeing block information.
    if (query_qemu_malloc_info(mem, &desc, 1)) {
        error_log("<libc_pid=%03u, pid=%03u>: free(%p) query_info failed.",
                  malloc_pid, getpid(), mem);
        return;
    }

#if TEST_ACCESS_VIOLATIONS
    test_access_violation(&desc);
#endif  // TEST_ACCESS_VIOLATIONS

    /* Make sure that pointer that's being freed matches what we expect
     * for this memory block. Note that this violation should be already
     * caught in the emulator. */
    if (mem != mallocdesc_user_ptr(&desc)) {
        log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: free(%p) is invalid for ",
                  malloc_pid, getpid(), mem);
        return;
    }

    // Fire up event in the emulator and free block that was actually allocated.
    if (notify_qemu_free(mem)) {
        log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: free(%p) notify_free failed for ",
                  malloc_pid, getpid(), mem);
    } else {
        log_mdesc(info, &desc, "--- <libc_pid=%03u, pid=%03u> free(%p) -> ",
                  malloc_pid, getpid(), mem);
        g_malloc_dispatch->free(desc.ptr);
    }
}

/* This routine serves as entry point for 'calloc'.
 * This routine behaves similarly to qemu_instrumented_malloc.
 */
extern "C" void* qemu_instrumented_calloc(size_t n_elements, size_t elem_size) {
    if (n_elements == 0 || elem_size == 0) {
        // Just let go zero bytes allocation.
        qemu_info_log("::: <libc_pid=%03u, pid=%03u>: Zero calloc redir to malloc",
                      malloc_pid, getpid());
        return qemu_instrumented_malloc(0);
    }

    // Fail on overflow - just to be safe even though this code runs only
    // within the debugging C library, not the production one.
    if (n_elements && SIZE_MAX / n_elements < elem_size) {
        qemu_error_log("<libc_pid=%03u, pid=%03u> calloc: calloc(%zu, %zu) overflow caused failure.",
                       malloc_pid, getpid(), n_elements, elem_size);
        errno = ENOMEM;
        return NULL;
    }

    MallocDesc desc;

    /* Calculating prefix size. The trick here is to make sure that
     * first element (returned to the caller) is properly aligned. */
    if (DEFAULT_PREFIX_SIZE >= elem_size) {
        /* If default alignment is bigger than element size, we will
         * set our prefix size to the default alignment size. */
        desc.prefix_size = DEFAULT_PREFIX_SIZE;
        /* For the suffix we will use whatever bytes remain from the prefix
         * allocation size, aligned to the size of an element, plus the usual
         * default suffix size. */
        desc.suffix_size = (DEFAULT_PREFIX_SIZE % elem_size) +
                           DEFAULT_SUFFIX_SIZE;
    } else {
        /* Make sure that prefix, and suffix sizes is at least elem_size,
         * and first element returned to the caller is properly aligned. */
        desc.prefix_size = elem_size + DEFAULT_PREFIX_SIZE - 1;
        desc.prefix_size &= ~(malloc_alignment - 1);
        desc.suffix_size = DEFAULT_SUFFIX_SIZE;
    }
    desc.requested_bytes = n_elements * elem_size;
    size_t total_size = desc.requested_bytes + desc.prefix_size + desc.suffix_size;
    if (total_size < desc.requested_bytes) { // Overflow
        qemu_error_log("<libc_pid=%03u, pid=%03u> calloc: calloc(%zu, %zu) overflow caused failure.",
                       malloc_pid, getpid(), n_elements, elem_size);
        errno = ENOMEM;
        return NULL;
    }
    size_t total_elements = total_size / elem_size;
    total_size %= elem_size;
    if (total_size != 0) {
        // Add extra to the suffix area.
        total_elements++;
        desc.suffix_size += (elem_size - total_size);
    }
    desc.ptr = g_malloc_dispatch->calloc(total_elements, elem_size);
    if (desc.ptr == NULL) {
        error_log("<libc_pid=%03u, pid=%03u> calloc: calloc(%zu(%zu), %zu) (prx=%u, sfx=%u) failed.",
                   malloc_pid, getpid(), n_elements, total_elements, elem_size,
                   desc.prefix_size, desc.suffix_size);
        return NULL;
    }

    if (notify_qemu_malloc(&desc)) {
        log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: calloc(%zu(%zu), %zu): notify_malloc failed for ",
                  malloc_pid, getpid(), n_elements, total_elements, elem_size);
        g_malloc_dispatch->free(desc.ptr);
        errno = ENOMEM;
        return NULL;
    } else {
#if TEST_ACCESS_VIOLATIONS
        test_access_violation(&desc);
#endif  // TEST_ACCESS_VIOLATIONS
        log_mdesc(info, &desc, "### <libc_pid=%03u, pid=%03u> calloc(%zu(%zu), %zu) -> ",
                  malloc_pid, getpid(), n_elements, total_elements, elem_size);
        return mallocdesc_user_ptr(&desc);
    }
}

/* This routine serves as entry point for 'realloc'.
 * This routine behaves similarly to qemu_instrumented_free +
 * qemu_instrumented_malloc. Note that this modifies behavior of "shrinking" an
 * allocation, but overall it doesn't seem to matter, as caller of realloc
 * should not expect that pointer returned after shrinking will remain the same.
 */
extern "C" void* qemu_instrumented_realloc(void* mem, size_t bytes) {
    if (mem == NULL) {
        // Nothing to realloc. just do regular malloc.
        qemu_info_log("::: <libc_pid=%03u, pid=%03u>: realloc(%p, %zu) redir to malloc",
                      malloc_pid, getpid(), mem, bytes);
        return qemu_instrumented_malloc(bytes);
    }

    if (bytes == 0) {
        // This is a "free" condition.
        qemu_info_log("::: <libc_pid=%03u, pid=%03u>: realloc(%p, %zu) redir to free and malloc",
                      malloc_pid, getpid(), mem, bytes);
        qemu_instrumented_free(mem);

        // This is what realloc does for a "free" realloc.
        return NULL;
    }

    // Query emulator for the reallocating block information.
    MallocDesc cur_desc;
    if (query_qemu_malloc_info(mem, &cur_desc, 2)) {
        // Note that this violation should be already caught in the emulator.
        error_log("<libc_pid=%03u, pid=%03u>: realloc(%p, %zu) query_info failed.",
                  malloc_pid, getpid(), mem, bytes);
        errno = ENOMEM;
        return NULL;
    }

#if TEST_ACCESS_VIOLATIONS
    test_access_violation(&cur_desc);
#endif  // TEST_ACCESS_VIOLATIONS

    /* Make sure that reallocating pointer value is what we would expect
     * for this memory block. Note that this violation should be already caught
     * in the emulator.*/
    if (mem != mallocdesc_user_ptr(&cur_desc)) {
        log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu) is invalid for ",
                  malloc_pid, getpid(), mem, bytes);
        errno = ENOMEM;
        return NULL;
    }

    /* TODO: We're a bit inefficient here, always allocating new block from
     * the heap. If this realloc shrinks current buffer, we can just do the
     * shrinking "in place", adjusting suffix_size in the allocation descriptor
     * for this block that is stored in the emulator. */

    // Initialize descriptor for the new block.
    MallocDesc new_desc;
    new_desc.prefix_size = DEFAULT_PREFIX_SIZE;
    new_desc.requested_bytes = bytes;
    new_desc.suffix_size = DEFAULT_SUFFIX_SIZE;
    size_t new_size = mallocdesc_alloc_size(&new_desc);
    if (new_size < bytes) { // Overflow
        qemu_error_log("<libc_pid=%03u, pid=%03u>: realloc(%p, %zu): malloc(%zu) failed due to overflow",
                       malloc_pid, getpid(), mem, bytes, new_size);
        errno = ENOMEM;
        return NULL;
    }
    new_desc.ptr = g_malloc_dispatch->malloc(new_size);
    if (new_desc.ptr == NULL) {
        log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu): malloc(%zu) failed on ",
                  malloc_pid, getpid(), mem, bytes, new_size);
        return NULL;
    }
    void* new_mem = mallocdesc_user_ptr(&new_desc);

    // Copy user data from old block to the new one.
    size_t to_copy = bytes < cur_desc.requested_bytes ? bytes : cur_desc.requested_bytes;
    if (to_copy != 0) {
        memcpy(new_mem, mallocdesc_user_ptr(&cur_desc), to_copy);
    }

    // Register new block with emulator.
    if (notify_qemu_malloc(&new_desc)) {
        log_mdesc(error, &new_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu) notify_malloc failed -> ",
                  malloc_pid, getpid(), mem, bytes);
        log_mdesc(error, &cur_desc, "                                                                <- ");
        g_malloc_dispatch->free(new_desc.ptr);
        errno = ENOMEM;
        return NULL;
    }

#if TEST_ACCESS_VIOLATIONS
    test_access_violation(&new_desc);
#endif  // TEST_ACCESS_VIOLATIONS

    // Free old block.
    if (notify_qemu_free(mem)) {
        log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: realloc(%p, %zu): notify_free failed for ",
                  malloc_pid, getpid(), mem, bytes);
        /* Since we registered new decriptor with the emulator, we need
         * to unregister it before freeing newly allocated block. */
        notify_qemu_free(mallocdesc_user_ptr(&new_desc));
        g_malloc_dispatch->free(new_desc.ptr);
        errno = ENOMEM;
        return NULL;
    }
    g_malloc_dispatch->free(cur_desc.ptr);

    log_mdesc(info, &new_desc, "=== <libc_pid=%03u, pid=%03u>: realloc(%p, %zu) -> ",
              malloc_pid, getpid(), mem, bytes);
    log_mdesc(info, &cur_desc, "                                               <- ");

    return new_mem;
}

/* This routine serves as entry point for 'memalign'.
 * This routine behaves similarly to qemu_instrumented_malloc.
 */
extern "C" void* qemu_instrumented_memalign(size_t alignment, size_t bytes) {
    MallocDesc desc;

    if (bytes == 0) {
        // Just let go zero bytes allocation.
        qemu_info_log("::: <libc_pid=%03u, pid=%03u>: memalign(%zx, %zu) redir to malloc",
                 malloc_pid, getpid(), alignment, bytes);
        return qemu_instrumented_malloc(0);
    }

    // Prefix size for aligned allocation must be equal to the alignment used
    // for allocation in order to ensure proper alignment of the returned
    // pointer. in case that alignment requirement is greater than prefix
    // size.
    if (alignment < DEFAULT_PREFIX_SIZE) {
        alignment = DEFAULT_PREFIX_SIZE;
    } else if (!powerof2(alignment)) {
        alignment = BIONIC_ROUND_UP_POWER_OF_2(alignment);
    }
    desc.prefix_size = alignment;
    desc.requested_bytes = bytes;
    desc.suffix_size = DEFAULT_SUFFIX_SIZE;
    size_t size = mallocdesc_alloc_size(&desc);
    if (size < bytes) { // Overflow
        qemu_error_log("<libc_pid=%03u, pid=%03u> memalign(%zx, %zu): malloc(%zu) failed due to overflow.",
                       malloc_pid, getpid(), alignment, bytes, size);

        return NULL;
    }
    desc.ptr = g_malloc_dispatch->memalign(desc.prefix_size, size);
    if (desc.ptr == NULL) {
        error_log("<libc_pid=%03u, pid=%03u> memalign(%zx, %zu): malloc(%zu) failed.",
                  malloc_pid, getpid(), alignment, bytes, size);
        return NULL;
    }
    if (notify_qemu_malloc(&desc)) {
        log_mdesc(error, &desc, "<libc_pid=%03u, pid=%03u>: memalign(%zx, %zu): notify_malloc failed for ",
                  malloc_pid, getpid(), alignment, bytes);
        g_malloc_dispatch->free(desc.ptr);
        return NULL;
    }

#if TEST_ACCESS_VIOLATIONS
    test_access_violation(&desc);
#endif  // TEST_ACCESS_VIOLATIONS

    log_mdesc(info, &desc, "@@@ <libc_pid=%03u, pid=%03u> memalign(%zx, %zu) -> ",
              malloc_pid, getpid(), alignment, bytes);
    return mallocdesc_user_ptr(&desc);
}

extern "C" size_t qemu_instrumented_malloc_usable_size(const void* mem) {
    MallocDesc cur_desc;

    // Query emulator for the reallocating block information.
    if (query_qemu_malloc_info(mem, &cur_desc, 2)) {
        // Note that this violation should be already caught in the emulator.
        error_log("<libc_pid=%03u, pid=%03u>: malloc_usable_size(%p) query_info failed.",
                  malloc_pid, getpid(), mem);
        return 0;
    }

    /* Make sure that reallocating pointer value is what we would expect
     * for this memory block. Note that this violation should be already caught
     * in the emulator.*/
    if (mem != mallocdesc_user_ptr(&cur_desc)) {
        log_mdesc(error, &cur_desc, "<libc_pid=%03u, pid=%03u>: malloc_usable_size(%p) is invalid for ",
                  malloc_pid, getpid(), mem);
        return 0;
    }

    /* during instrumentation, we can't really report anything more than requested_bytes */
    return cur_desc.requested_bytes;
}

extern "C" struct mallinfo qemu_instrumented_mallinfo() {
  return g_malloc_dispatch->mallinfo();
}

extern "C" int qemu_instrumented_posix_memalign(void** memptr, size_t alignment, size_t size) {
  if ((alignment & (alignment - 1)) != 0) {
    qemu_error_log("<libc_pid=%03u, pid=%03u> posix_memalign(%p, %zu, %zu): invalid alignment.",
                   malloc_pid, getpid(), memptr, alignment, size);
    return EINVAL;
  }
  int saved_errno = errno;
  *memptr = qemu_instrumented_memalign(alignment, size);
  errno = saved_errno;
  return (*memptr != NULL) ? 0 : ENOMEM;
}

extern "C" void* qemu_instrumented_pvalloc(size_t bytes) {
  size_t pagesize = getpagesize();
  size_t size = BIONIC_ALIGN(bytes, pagesize);
  if (size < bytes) { // Overflow
    qemu_error_log("<libc_pid=%03u, pid=%03u> pvalloc(%zu): overflow (%zu).",
                   malloc_pid, getpid(), bytes, size);
    return NULL;
  }
  return qemu_instrumented_memalign(pagesize, size);
}

extern "C" void* qemu_instrumented_valloc(size_t size) {
  return qemu_instrumented_memalign(getpagesize(), size);
}