/src/libunistring/lib/malloca.c
1 | | /* Safe automatic memory allocation. |
2 | | Copyright (C) 2003, 2006-2007, 2009-2024 Free Software Foundation, Inc. |
3 | | Written by Bruno Haible <bruno@clisp.org>, 2003, 2018. |
4 | | |
5 | | This file is free software: you can redistribute it and/or modify |
6 | | it under the terms of the GNU Lesser General Public License as |
7 | | published by the Free Software Foundation; either version 2.1 of the |
8 | | License, or (at your option) any later version. |
9 | | |
10 | | This file is distributed in the hope that it will be useful, |
11 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | | GNU Lesser General Public License for more details. |
14 | | |
15 | | You should have received a copy of the GNU Lesser General Public License |
16 | | along with this program. If not, see <https://www.gnu.org/licenses/>. */ |
17 | | |
18 | | #define _GL_USE_STDLIB_ALLOC 1 |
19 | | #include <config.h> |
20 | | |
21 | | /* Specification. */ |
22 | | #include "malloca.h" |
23 | | |
24 | | #include <stdckdint.h> |
25 | | #if defined __CHERI_PURE_CAPABILITY__ |
26 | | # include <cheri.h> |
27 | | #endif |
28 | | |
29 | | #include "idx.h" |
30 | | |
31 | | /* The speed critical point in this file is freea() applied to an alloca() |
32 | | result: it must be fast, to match the speed of alloca(). The speed of |
33 | | mmalloca() and freea() in the other case is not critical, because they |
34 | | are only invoked for big memory sizes. |
35 | | Here we use a bit in the address as an indicator, an idea by Ondřej Bílka. |
36 | | malloca() can return three types of pointers: |
37 | | - Pointers ≡ 0 mod 2*sa_alignment_max come from stack allocation. |
38 | | - Pointers ≡ sa_alignment_max mod 2*sa_alignment_max come from heap |
39 | | allocation. |
40 | | - NULL comes from a failed heap allocation. */ |
41 | | |
42 | | #if defined __CHERI_PURE_CAPABILITY__ |
43 | | /* Type for holding the original malloc() result. */ |
44 | | typedef uintptr_t small_t; |
45 | | #else |
46 | | /* Type for holding very small pointer differences. */ |
47 | | typedef unsigned char small_t; |
48 | | /* Verify that it is wide enough. */ |
49 | | static_assert (2 * sa_alignment_max - 1 <= (small_t) -1); |
50 | | #endif |
51 | | |
/* Heap-allocating fallback for malloca() when N is too large for the stack.
   Returns a pointer P with P ≡ sa_alignment_max mod 2*sa_alignment_max, so
   that freea() can tell it apart from an alloca() result, or NULL when the
   size computation would overflow or malloc() fails.  The small_t word just
   below P records what freea() needs to recover the original malloc()
   result: the offset from it on ordinary targets, the full address on
   CHERI.  The caller releases the memory with freea(), never with free()
   directly.  */
void *
mmalloca (size_t n)
{
#if HAVE_ALLOCA
  /* Room for the bookkeeping word plus the worst-case padding needed to
     reach an address ≡ sa_alignment_max mod 2*sa_alignment_max.  */
  uintptr_t align2_mask = 2 * sa_alignment_max - 1;
  int extra = sizeof (small_t) + align2_mask;

  idx_t total;
  if (ckd_add (&total, n, extra) || xalloc_oversized (total, 1))
    /* Out of memory: the padded size overflows or is unreasonably large.  */
    return NULL;

  char *base = (char *) malloc (total);
  if (base == NULL)
    /* Out of memory.  */
    return NULL;

  uintptr_t ubase = (uintptr_t) base;
  /* ckd_add rather than a plain '+': avoids signed integer overflow on
     theoretical platforms where UINTPTR_MAX <= INT_MAX.  */
  uintptr_t ubase_plus;
  ckd_add (&ubase_plus, ubase, sizeof (small_t) + sa_alignment_max - 1);
  /* Round down to a multiple of 2*sa_alignment_max, then step up by
     sa_alignment_max; OFFSET is the distance from BASE to that address.  */
  idx_t offset = (ubase_plus - ubase_plus % (2 * sa_alignment_max)
                  + sa_alignment_max - ubase);
  char *result = base + offset;
  /* Here result >= base + sizeof (small_t),
     and result <= base + sizeof (small_t) + 2 * sa_alignment_max - 1,
     hence result + n <= base + total.
     So, the memory range [result, result+n) lies in the allocated memory
     range [base, base + total).  */
  small_t *header = (small_t *) result;
# if defined __CHERI_PURE_CAPABILITY__
  /* The header keeps the original capability; the returned capability's
     bounds are narrowed to the header word plus the N requested bytes.  */
  header[-1] = ubase;
  result = (char *) cheri_bounds_set (result - sizeof (small_t),
                                      sizeof (small_t) + n)
           + sizeof (small_t);
# else
  header[-1] = offset;
# endif
  /* result ≡ sa_alignment_max mod 2*sa_alignment_max.  */
  return result;
#else
  /* Without alloca() there is no stack case to distinguish from, so a plain
     malloc() suffices.  When MALLOC_0_IS_NONNULL is not set, request at
     least one byte so that a NULL result unambiguously means failure.  */
# if !MALLOC_0_IS_NONNULL
  if (n == 0)
    n = 1;
# endif
  return malloc (n);
#endif
}
103 | | |
104 | | #if HAVE_ALLOCA |
/* Release memory obtained from malloca().  Fast path: a pointer that is
   ≡ 0 mod 2*sa_alignment_max came from alloca() and nothing is done (NULL
   falls into this case, so freea (NULL) is a no-op).  A pointer
   ≡ sa_alignment_max mod 2*sa_alignment_max came from mmalloca(); the
   small_t word stored just below it is used to recover the original
   malloc() result, which is then free()d.  A pointer with any bit below
   sa_alignment_max set was never produced by malloca() and aborts.  */
void
freea (void *p)
{
  uintptr_t addr = (uintptr_t) p;

  /* Argument check.  Only the low address bits are validated; the header
     word read below is trusted as written by mmalloca().  A misaligned
     pointer is a caller bug, so abort rather than hand it to free().  */
  if ((addr & (sa_alignment_max - 1)) != 0)
    abort ();

  /* Bit sa_alignment_max clear: alloca() result or NULL, nothing to do.  */
  if ((addr & sa_alignment_max) == 0)
    return;

  /* Non-NULL result of mmalloca(): recover the malloc() pointer.  */
  small_t *header = (small_t *) p;
# if defined __CHERI_PURE_CAPABILITY__
  /* The header holds the original malloc() capability itself.  */
  void *original = (void *) header[-1];
# else
  /* The header holds the offset from the malloc() result to P.  */
  void *original = (char *) p - header[-1];
# endif
  free (original);
}
128 | | #endif |
129 | | |
130 | | /* |
131 | | * Hey Emacs! |
132 | | * Local Variables: |
133 | | * coding: utf-8 |
134 | | * End: |
135 | | */ |