1 | /* |
2 | * Copyright 2017 Google Inc. |
3 | * |
4 | * Use of this source code is governed by a BSD-style license that can be |
5 | * found in the LICENSE file. |
6 | */ |
7 | |
8 | #ifndef SkMalloc_DEFINED |
9 | #define SkMalloc_DEFINED |
10 | |
11 | #include <cstddef> |
12 | #include <cstring> |
13 | |
14 | #include "include/core/SkTypes.h" |
15 | |
16 | /* |
17 | memory wrappers to be implemented by the porting layer (platform) |
18 | */ |
19 | |
20 | |
21 | /** Free memory returned by sk_malloc(). It is safe to pass null. */ |
22 | SK_API extern void sk_free(void*); |
23 | |
24 | /** |
25 | * Called internally if we run out of memory. The platform implementation must |
26 | * not return, but should either throw an exception or otherwise exit. |
27 | */ |
28 | SK_API extern void sk_out_of_memory(void); |
29 | |
30 | enum { |
31 | /** |
32 | * If this bit is set, the returned buffer must be zero-initialized. If this bit is not set |
33 | * the buffer can be uninitialized. |
34 | */ |
35 | SK_MALLOC_ZERO_INITIALIZE = 1 << 0, |
36 | |
37 | /** |
38 | * If this bit is set, the implementation must throw/crash/quit if the request cannot |
39 | * be fulfilled. If this bit is not set, then it should return nullptr on failure. |
40 | */ |
41 | SK_MALLOC_THROW = 1 << 1, |
42 | }; |
43 | /** |
44 | * Return a block of memory (at least 4-byte aligned) of at least the specified size. |
45 | * If the requested memory cannot be returned, either return nullptr or throw/exit, depending |
46 | * on the SK_MALLOC_THROW bit. If the allocation succeeds, the memory will be zero-initialized |
47 | * if the SK_MALLOC_ZERO_INITIALIZE bit was set. |
48 | * |
49 | * To free the memory, call sk_free() |
50 | */ |
51 | SK_API extern void* sk_malloc_flags(size_t size, unsigned flags); |
52 | |
53 | /** Same as standard realloc(), but this one never returns null on failure. It will throw |
54 | * an exception if it fails. |
55 | */ |
56 | SK_API extern void* sk_realloc_throw(void* buffer, size_t size); |
57 | |
58 | static inline void* sk_malloc_throw(size_t size) { |
59 | return sk_malloc_flags(size, SK_MALLOC_THROW); |
60 | } |
61 | |
62 | static inline void* sk_calloc_throw(size_t size) { |
63 | return sk_malloc_flags(size, SK_MALLOC_THROW | SK_MALLOC_ZERO_INITIALIZE); |
64 | } |
65 | |
66 | static inline void* sk_calloc_canfail(size_t size) { |
67 | #if defined(IS_FUZZING_WITH_LIBFUZZER) |
68 | // The Libfuzzer environment is very susceptible to OOM, so to avoid those |
69 | // just pretend we can't allocate more than 200kb. |
70 | if (size > 200000) { |
71 | return nullptr; |
72 | } |
73 | #endif |
74 | return sk_malloc_flags(size, SK_MALLOC_ZERO_INITIALIZE); |
75 | } |
76 | |
77 | // Performs a safe multiply count * elemSize, checking for overflow |
78 | SK_API extern void* sk_calloc_throw(size_t count, size_t elemSize); |
79 | SK_API extern void* sk_malloc_throw(size_t count, size_t elemSize); |
80 | SK_API extern void* sk_realloc_throw(void* buffer, size_t count, size_t elemSize); |
81 | |
82 | /** |
83 | * These variants return nullptr on failure |
84 | */ |
85 | static inline void* sk_malloc_canfail(size_t size) { |
86 | #if defined(IS_FUZZING_WITH_LIBFUZZER) |
87 | // The Libfuzzer environment is very susceptible to OOM, so to avoid those |
88 | // just pretend we can't allocate more than 200kb. |
89 | if (size > 200000) { |
90 | return nullptr; |
91 | } |
92 | #endif |
93 | return sk_malloc_flags(size, 0); |
94 | } |
95 | SK_API extern void* sk_malloc_canfail(size_t count, size_t elemSize); |
96 | |
97 | // bzero is safer than memset, but we can't rely on it, so... sk_bzero() |
98 | static inline void sk_bzero(void* buffer, size_t size) { |
99 | // Please c.f. sk_careful_memcpy. It's undefined behavior to call memset(null, 0, 0). |
100 | if (size) { |
101 | memset(buffer, 0, size); |
102 | } |
103 | } |
104 | |
105 | /** |
106 | * sk_careful_memcpy() is just like memcpy(), but guards against undefined behavior. |
107 | * |
108 | * It is undefined behavior to call memcpy() with null dst or src, even if len is 0. |
109 | * If an optimizer is "smart" enough, it can exploit this to do unexpected things. |
110 | * memcpy(dst, src, 0); |
111 | * if (src) { |
112 | * printf("%x\n", *src); |
113 | * } |
114 | * In this code the compiler can assume src is not null and omit the if (src) {...} check, |
115 | * unconditionally running the printf, crashing the program if src really is null. |
116 | * Of the compilers we pay attention to only GCC performs this optimization in practice. |
117 | */ |
118 | static inline void* sk_careful_memcpy(void* dst, const void* src, size_t len) { |
119 | // When we pass >0 len we had better already be passing valid pointers. |
120 | // So we just need to skip calling memcpy when len == 0. |
121 | if (len) { |
122 | memcpy(dst,src,len); |
123 | } |
124 | return dst; |
125 | } |
126 | |
127 | static inline void* sk_careful_memmove(void* dst, const void* src, size_t len) { |
128 | // When we pass >0 len we had better already be passing valid pointers. |
129 | // So we just need to skip calling memcpy when len == 0. |
130 | if (len) { |
131 | memmove(dst,src,len); |
132 | } |
133 | return dst; |
134 | } |
135 | |
136 | static inline int sk_careful_memcmp(const void* a, const void* b, size_t len) { |
137 | // When we pass >0 len we had better already be passing valid pointers. |
138 | // So we just need to skip calling memcmp when len == 0. |
139 | if (len == 0) { |
140 | return 0; // we treat zero-length buffers as "equal" |
141 | } |
142 | return memcmp(a, b, len); |
143 | } |
144 | |
145 | #endif // SkMalloc_DEFINED |
146 | |