scudo: Support free_sized and free_aligned_sized from C23

Signed-off-by: Justin King <jcking@google.com>

Author: jcking

compiler-rt/lib/scudo/standalone/chunk.h

@@ -56,7 +56,7 @@ enum Origin : u8 {
   Malloc = 0,
   New = 1,
   NewArray = 2,
-  Memalign = 3,
+  AlignedAlloc = 3,
 };
 
 enum State : u8 { Available = 0, Allocated = 1, Quarantined = 2 };

compiler-rt/lib/scudo/standalone/combined.h

@@ -170,6 +170,12 @@ class Allocator {
       Primary.Options.set(OptionBit::DeallocTypeMismatch);
     if (getFlags()->delete_size_mismatch)
       Primary.Options.set(OptionBit::DeleteSizeMismatch);
+    if (getFlags()->free_size_mismatch)
+      Primary.Options.set(OptionBit::FreeSizeMismatch);
+    if (getFlags()->free_alignment_mismatch)
+      Primary.Options.set(OptionBit::FreeAlignmentMismatch);
+    if (getFlags()->delete_alignment_mismatch)
+      Primary.Options.set(OptionBit::DeleteAlignmentMismatch);
     if (allocatorSupportsMemoryTagging<AllocatorConfig>() &&
         systemSupportsMemoryTagging())
       Primary.Options.set(OptionBit::UseMemoryTagging);
@@ -433,7 +439,8 @@ class Allocator {
   }
 
   NOINLINE void deallocate(void *Ptr, Chunk::Origin Origin, uptr DeleteSize = 0,
-                           UNUSED uptr Alignment = MinAlignment) {
+                           bool HasDeleteSize = false, uptr DeleteAlignment = 0,
+                           bool HasDeleteAlignment = false) {
     if (UNLIKELY(!Ptr))
       return;
 
@@ -456,6 +463,9 @@ class Allocator {
     }
 #endif // GWP_ASAN_HOOKS
 
+    if (UNLIKELY(HasDeleteAlignment && !isPowerOfTwo(DeleteAlignment)))
+      reportAlignmentNotPowerOfTwo(DeleteAlignment);
+
     if (UNLIKELY(!isAligned(reinterpret_cast<uptr>(Ptr), MinAlignment)))
       reportMisalignedPointer(AllocatorAction::Deallocating, Ptr);
 
@@ -470,20 +480,35 @@ class Allocator {
 
     const Options Options = Primary.Options.load();
     if (Options.get(OptionBit::DeallocTypeMismatch)) {
-      if (UNLIKELY(Header.OriginOrWasZeroed != Origin)) {
-        // With the exception of memalign'd chunks, that can be still be free'd.
-        if (Header.OriginOrWasZeroed != Chunk::Origin::Memalign ||
-            Origin != Chunk::Origin::Malloc)
-          reportDeallocTypeMismatch(AllocatorAction::Deallocating, Ptr,
-                                    Header.OriginOrWasZeroed, Origin);
-      }
+      if (UNLIKELY(isOriginMismatch(
+              static_cast<Chunk::Origin>(Header.OriginOrWasZeroed), Origin,
+              HasDeleteSize)))
+        reportDeallocTypeMismatch(AllocatorAction::Deallocating, Ptr,
+                                  Header.OriginOrWasZeroed, Origin);
     }
 
     const uptr Size = getSize(Ptr, &Header);
-    if (DeleteSize && Options.get(OptionBit::DeleteSizeMismatch)) {
+    if ((Origin == Chunk::Origin::New || Origin == Chunk::Origin::NewArray) &&
+        HasDeleteSize && Options.get(OptionBit::DeleteSizeMismatch)) {
       if (UNLIKELY(DeleteSize != Size))
         reportDeleteSizeMismatch(Ptr, DeleteSize, Size);
     }
+    if ((Origin == Chunk::Origin::New || Origin == Chunk::Origin::NewArray) &&
+        HasDeleteAlignment && Options.get(OptionBit::DeleteAlignmentMismatch)) {
+      if (UNLIKELY(!isAligned(reinterpret_cast<uptr>(Ptr), DeleteAlignment)))
+        reportDeleteAlignmentMismatch(Ptr, DeleteAlignment);
+    }
+    if ((Origin == Chunk::Origin::Malloc ||
+         Origin == Chunk::Origin::AlignedAlloc) &&
+        HasDeleteSize && Options.get(OptionBit::FreeSizeMismatch)) {
+      if (UNLIKELY(DeleteSize != Size))
+        reportFreeSizeMismatch(Ptr, DeleteSize, Size);
+    }
+    if (Origin == Chunk::Origin::AlignedAlloc && HasDeleteAlignment &&
+        Options.get(OptionBit::FreeAlignmentMismatch)) {
+      if (UNLIKELY(!isAligned(reinterpret_cast<uptr>(Ptr), DeleteAlignment)))
+        reportFreeAlignmentMismatch(Ptr, DeleteAlignment);
+    }
 
     quarantineOrDeallocateChunk(Options, TaggedPtr, &Header, Size);
   }
@@ -520,7 +545,7 @@ class Allocator {
     void *OldTaggedPtr = OldPtr;
     OldPtr = getHeaderTaggedPointer(OldPtr);
 
-    if (UNLIKELY(!isAligned(reinterpret_cast<uptr>(OldPtr), MinAlignment)))
+    if (UNLIKELY(!isAligned(reinterpret_cast<uptr>(OldPtr), Alignment)))
       reportMisalignedPointer(AllocatorAction::Reallocating, OldPtr);
 
     Chunk::UnpackedHeader Header;
@@ -529,11 +554,14 @@ class Allocator {
     if (UNLIKELY(Header.State != Chunk::State::Allocated))
       reportInvalidChunkState(AllocatorAction::Reallocating, OldPtr);
 
-    // Pointer has to be allocated with a malloc-type function. Some
-    // applications think that it is OK to realloc a memalign'ed pointer, which
-    // will trigger this check. It really isn't.
     if (Options.get(OptionBit::DeallocTypeMismatch)) {
-      if (UNLIKELY(Header.OriginOrWasZeroed != Chunk::Origin::Malloc))
+      // There is no language prohibiting the use of realloc with
+      // aligned_alloc/posix_memalign/memalign and etc. However there is no
+      // guarantee that the allocator being used with malloc is the same as
+      // operator new. There is also no guarantee that they share the same
+      // minimum alignment guarantees. So we reject these.
+      if (UNLIKELY(Header.OriginOrWasZeroed == Chunk::Origin::New ||
+                   Header.OriginOrWasZeroed == Chunk::Origin::NewArray))
         reportDeallocTypeMismatch(AllocatorAction::Reallocating, OldPtr,
                                   Header.OriginOrWasZeroed,
                                   Chunk::Origin::Malloc);
@@ -1746,6 +1774,18 @@ class Allocator {
     return (Bytes - sizeof(AllocationRingBuffer)) /
            sizeof(typename AllocationRingBuffer::Entry);
   }
+
+  static bool isOriginMismatch(Chunk::Origin Alloc, Chunk::Origin Dealloc,
+                               bool HasDeleteSize) {
+    if (Alloc == Dealloc) {
+      return false;
+    }
+    if (Alloc == Chunk::Origin::AlignedAlloc &&
+        Dealloc == Chunk::Origin::Malloc && !HasDeleteSize) {
+      return false;
+    }
+    return true;
+  }
 };
 
 } // namespace scudo

compiler-rt/lib/scudo/standalone/flags.inc

@@ -24,7 +24,7 @@ SCUDO_FLAG(int, quarantine_max_chunk_size, 0,
            "Size (in bytes) up to which chunks will be quarantined (if lower "
            "than or equal to).")
 
-SCUDO_FLAG(bool, dealloc_type_mismatch, false,
+SCUDO_FLAG(bool, dealloc_type_mismatch, !SCUDO_ANDROID,
            "Terminate on a type mismatch in allocation-deallocation functions, "
            "eg: malloc/delete, new/free, new/delete[], etc.")
 
@@ -49,3 +49,18 @@ SCUDO_FLAG(int, release_to_os_interval_ms, 5000,
 SCUDO_FLAG(int, allocation_ring_buffer_size, 32768,
            "Entries to keep in the allocation ring buffer for scudo. "
            "Values less or equal to zero disable the buffer.")
+
+SCUDO_FLAG(bool, delete_alignment_mismatch, true,
+           "Terminate on an alignment mismatch between a aligned-delete and "
+           "the actual "
+           "alignment of a chunk (as provided to new/new[]).")
+
+SCUDO_FLAG(bool, free_size_mismatch, true,
+           "Terminate on a size mismatch between a free_sized and the actual "
+           "size of a chunk (as provided to malloc/calloc/realloc).")
+
+SCUDO_FLAG(bool, free_alignment_mismatch, true,
+           "Terminate on an alignment mismatch between a free_aligned_sized "
+           "and the actual "
+           "alignment of a chunk (as provided to "
+           "aligned_alloc/posix_memalign/memalign).")

compiler-rt/lib/scudo/standalone/options.h

@@ -25,6 +25,9 @@ enum class OptionBit {
   UseOddEvenTags,
   UseMemoryTagging,
   AddLargeAllocationSlack,
+  DeleteAlignmentMismatch,
+  FreeSizeMismatch,
+  FreeAlignmentMismatch,
 };
 
 struct Options {

compiler-rt/lib/scudo/standalone/report.cpp

@@ -142,13 +142,55 @@ void NORETURN reportMisalignedPointer(AllocatorAction Action, const void *Ptr) {
                 stringifyAction(Action), Ptr);
 }
 
+static const char *stringifyAllocOrigin(Chunk::Origin AllocOrigin) {
+  switch (AllocOrigin) {
+  case Chunk::Origin::Malloc:
+    return "malloc";
+  case Chunk::Origin::New:
+    return "operator new";
+  case Chunk::Origin::NewArray:
+    return "operator new []";
+  case Chunk::Origin::AlignedAlloc:
+    return "aligned_alloc";
+  }
+  return "<invalid origin>";
+}
+
+static const char *stringifyDeallocOrigin(AllocatorAction Action,
+                                          Chunk::Origin AllocOrigin,
+                                          Chunk::Origin DeallocOrigin) {
+  switch (DeallocOrigin) {
+  case Chunk::Origin::Malloc:
+    if (AllocOrigin == Chunk::Origin::AlignedAlloc) {
+      if (Action == AllocatorAction::Reallocating)
+        return "realloc";
+      return "free_sized";
+    }
+    return "free";
+  case Chunk::Origin::New:
+    return "operator delete";
+  case Chunk::Origin::NewArray:
+    return "operator delete []";
+  case Chunk::Origin::AlignedAlloc:
+    if (AllocOrigin == Chunk::Origin::Malloc) {
+      return "free_aligned_sized";
+    }
+    return "free";
+  }
+  return "<invalid origin>";
+}
+
 // The deallocation function used is at odds with the one used to allocate the
 // chunk (eg: new[]/delete or malloc/delete, and so on).
 void NORETURN reportDeallocTypeMismatch(AllocatorAction Action, const void *Ptr,
                                         u8 TypeA, u8 TypeB) {
   ScopedErrorReport Report;
-  Report.append("allocation type mismatch when %s address %p (%d vs %d)\n",
-                stringifyAction(Action), Ptr, TypeA, TypeB);
+  Report.append("allocation type mismatch when %s address %p (%s vs %s)\n",
+                stringifyAction(Action), Ptr,
+                stringifyAllocOrigin(static_cast<Chunk::Origin>(TypeA)),
+                stringifyDeallocOrigin(Action,
+                                       static_cast<Chunk::Origin>(TypeA),
+                                       static_cast<Chunk::Origin>(TypeB)));
 }
 
 // The size specified to the delete operator does not match the one that was
@@ -161,6 +203,26 @@ void NORETURN reportDeleteSizeMismatch(const void *Ptr, uptr Size,
       Size, ExpectedSize);
 }
 
+void NORETURN reportDeleteAlignmentMismatch(const void *Ptr, uptr Alignment) {
+  ScopedErrorReport Report;
+  Report.append("invalid aligned delete when deallocating address %p (%zu)\n",
+                Ptr, Alignment);
+}
+
+void NORETURN reportFreeSizeMismatch(const void *Ptr, uptr Size,
+                                     uptr ExpectedSize) {
+  ScopedErrorReport Report;
+  Report.append(
+      "invalid sized free when deallocating address %p (%zu vs %zu)\n", Ptr,
+      Size, ExpectedSize);
+}
+
+void NORETURN reportFreeAlignmentMismatch(const void *Ptr, uptr Alignment) {
+  ScopedErrorReport Report;
+  Report.append("invalid aligned free when deallocating address %p (%zu)\n",
+                Ptr, Alignment);
+}
+
 void NORETURN reportAlignmentNotPowerOfTwo(uptr Alignment) {
   ScopedErrorReport Report;
   Report.append(

compiler-rt/lib/scudo/standalone/report.h

@@ -47,6 +47,10 @@ void NORETURN reportDeallocTypeMismatch(AllocatorAction Action, const void *Ptr,
                                         u8 TypeA, u8 TypeB);
 void NORETURN reportDeleteSizeMismatch(const void *Ptr, uptr Size,
                                        uptr ExpectedSize);
+void NORETURN reportDeleteAlignmentMismatch(const void *Ptr, uptr Alignment);
+void NORETURN reportFreeSizeMismatch(const void *Ptr, uptr Size,
+                                     uptr ExpectedSize);
+void NORETURN reportFreeAlignmentMismatch(const void *Ptr, uptr Alignment);
 
 // C wrappers errors.
 void NORETURN reportAlignmentNotPowerOfTwo(uptr Alignment);

compiler-rt/lib/scudo/standalone/tests/combined_test.cpp

@@ -327,7 +327,7 @@ void ScudoCombinedTest<Config>::BasicTest(scudo::uptr SizeLog) {
       EXPECT_LE(Size, Allocator->getUsableSize(P));
       memset(P, 0xaa, Size);
       checkMemoryTaggingMaybe(Allocator, P, Size, Align);
-      Allocator->deallocate(P, Origin, Size);
+      Allocator->deallocate(P, Origin, Size, true);
     }
   }
 
@@ -374,7 +374,7 @@ SCUDO_TYPED_TEST(ScudoCombinedTest, ZeroContents) {
       for (scudo::uptr I = 0; I < Size; I++)
         ASSERT_EQ((reinterpret_cast<char *>(P))[I], '\0');
       memset(P, 0xaa, Size);
-      Allocator->deallocate(P, Origin, Size);
+      Allocator->deallocate(P, Origin, Size, true);
     }
   }
 }
@@ -392,7 +392,7 @@ SCUDO_TYPED_TEST(ScudoCombinedTest, ZeroFill) {
       for (scudo::uptr I = 0; I < Size; I++)
         ASSERT_EQ((reinterpret_cast<char *>(P))[I], '\0');
       memset(P, 0xaa, Size);
-      Allocator->deallocate(P, Origin, Size);
+      Allocator->deallocate(P, Origin, Size, true);
     }
   }
 }
@@ -709,7 +709,7 @@ SCUDO_TYPED_TEST(ScudoCombinedTest, ThreadedCombined) {
 
       while (!V.empty()) {
         auto Pair = V.back();
-        Allocator->deallocate(Pair.first, Origin, Pair.second);
+        Allocator->deallocate(Pair.first, Origin, Pair.second, true);
         V.pop_back();
       }
     });
@@ -782,26 +782,26 @@ TEST(ScudoCombinedDeathTest, DeathCombined) {
   EXPECT_NE(P, nullptr);
 
   // Invalid sized deallocation.
-  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size + 8U), "");
+  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size + 8U, true), "");
 
   // Misaligned pointer. Potentially unused if EXPECT_DEATH isn't available.
   UNUSED void *MisalignedP =
       reinterpret_cast<void *>(reinterpret_cast<scudo::uptr>(P) | 1U);
-  EXPECT_DEATH(Allocator->deallocate(MisalignedP, Origin, Size), "");
-  EXPECT_DEATH(Allocator->reallocate(MisalignedP, Size * 2U), "");
+  EXPECT_DEATH(Allocator->deallocate(MisalignedP, Origin, Size, true), "");
+  EXPECT_DEATH(Allocator->reallocate(MisalignedP, Size * 2U, true), "");
 
   // Header corruption.
   scudo::u64 *H =
       reinterpret_cast<scudo::u64 *>(scudo::Chunk::getAtomicHeader(P));
   *H ^= 0x42U;
-  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size), "");
+  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size, true), "");
   *H ^= 0x420042U;
-  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size), "");
+  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size, true), "");
   *H ^= 0x420000U;
 
   // Invalid chunk state.
-  Allocator->deallocate(P, Origin, Size);
-  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size), "");
+  Allocator->deallocate(P, Origin, Size, true);
+  EXPECT_DEATH(Allocator->deallocate(P, Origin, Size, true), "");
   EXPECT_DEATH(Allocator->reallocate(P, Size * 2U), "");
   EXPECT_DEATH(Allocator->getUsableSize(P), "");
 }
@@ -908,13 +908,13 @@ SCUDO_TYPED_TEST(ScudoCombinedTest, DisableMemInit) {
       memset(Ptrs[I], 0xaa, Size);
     }
     for (unsigned I = 0; I != Ptrs.size(); ++I)
-      Allocator->deallocate(Ptrs[I], Origin, Size);
+      Allocator->deallocate(Ptrs[I], Origin, Size, true);
     for (unsigned I = 0; I != Ptrs.size(); ++I) {
       Ptrs[I] = Allocator->allocate(Size - 8, Origin);
       memset(Ptrs[I], 0xbb, Size - 8);
     }
     for (unsigned I = 0; I != Ptrs.size(); ++I)
-      Allocator->deallocate(Ptrs[I], Origin, Size - 8);
+      Allocator->deallocate(Ptrs[I], Origin, Size - 8, true);
     for (unsigned I = 0; I != Ptrs.size(); ++I) {
       Ptrs[I] = Allocator->allocate(Size, Origin, 1U << MinAlignLog, true);
       for (scudo::uptr J = 0; J < Size; ++J)

compiler-rt/lib/scudo/standalone/tests/scudo_unit_test.h

@@ -58,4 +58,14 @@ using Test = ::testing::Test;
 #define SCUDO_NO_TEST_MAIN
 #endif
 
+// Match Android's default configuration, which disables Scudo's mismatch
+// allocation check, as it is being triggered by some third party code.
+#if SCUDO_ANDROID
+#define DEALLOC_TYPE_MISMATCH "false"
+#define SKIP_ON_ANDROID(T) DISABLED_##T
+#else
+#define DEALLOC_TYPE_MISMATCH "true"
+#define SKIP_ON_ANDROID(T) T
+#endif
+
 extern bool UseQuarantine;

compiler-rt/lib/scudo/standalone/tests/scudo_unit_test_main.cpp

@@ -9,14 +9,6 @@
 #include "memtag.h"
 #include "tests/scudo_unit_test.h"
 
-// Match Android's default configuration, which disables Scudo's mismatch
-// allocation check, as it is being triggered by some third party code.
-#if SCUDO_ANDROID
-#define DEALLOC_TYPE_MISMATCH "false"
-#else
-#define DEALLOC_TYPE_MISMATCH "true"
-#endif
-
 static void EnableMemoryTaggingIfSupported() {
   if (!scudo::archSupportsMemoryTagging())
     return;