1Malloc Hooks 2============ 3 4Malloc hooks allows a program to intercept all allocation/free calls that 5happen during execution. It is only available in Android P and newer versions 6of the OS. 7 8There are two ways to enable these hooks, set a special system 9property, or set a special environment variable and run your app/program. 10 11When malloc hooks is enabled, it works by adding a shim layer that replaces 12the normal allocation calls. The replaced calls are: 13 14* `malloc` 15* `free` 16* `calloc` 17* `realloc` 18* `posix_memalign` 19* `memalign` 20* `aligned_alloc` 21* `malloc_usable_size` 22 23On 32 bit systems, these two deprecated functions are also replaced: 24 25* `pvalloc` 26* `valloc` 27 28These four hooks are defined in malloc.h: 29 30 void* (*volatile __malloc_hook)(size_t, const void*); 31 void* (*volatile __realloc_hook)(void*, size_t, const void*); 32 void (*volatile __free_hook)(void*, const void*); 33 void* (*volatile __memalign_hook)(size_t, size_t, const void*); 34 35When malloc is called and \_\_malloc\_hook has been set, then the hook 36function is called instead. 37 38When realloc is called and \_\_realloc\_hook has been set, then the hook 39function is called instead. 40 41When free is called and \_\_free\_hook has been set, then the hook 42function is called instead. 43 44When memalign is called and \_\_memalign\_hook has been set, then the hook 45function is called instead. 46 47For posix\_memalign, if \_\_memalign\_hook has been set, then the hook is 48called, but only if alignment is a power of 2. 49 50For aligned\_alloc, if \_\_memalign\_hook has been set, then the hook is 51called, but only if alignment is a power of 2. 52 53For calloc, if \_\_malloc\_hook has been set, then the hook function is 54called, then the allocated memory is set to zero. 55 56For the two deprecated functions pvalloc and valloc, if \_\_memalign\_hook 57has been set, then the hook is called with an appropriate alignment value. 58 59There is no hook for malloc\_usable\_size as of now. 60 61These hooks can be set at any time, but there is no thread safety, so 62the caller must guarantee that it does not depend on allocations/frees 63occurring at the same time. 64 65Implementation Details 66====================== 67When malloc hooks is enabled, then the hook pointers are set to 68the current default allocation functions. It is expected that if an 69app does intercept the allocation/free calls, it will eventually call 70the original hook function to do allocations. If the app does not do this, 71it runs the risk of crashing whenever a malloc\_usable\_size call is made. 72 73Example Implementation 74====================== 75Below is a simple implementation intercepting only malloc/calloc calls. 76 77 void* new_malloc_hook(size_t bytes, const char* arg) { 78 return orig_malloc_hook(bytes, arg); 79 } 80 81 void orig_malloc_hook = __malloc_hook; 82 __malloc_hook = new_malloc_hook; 83 84Enabling Examples 85================= 86 87### For platform developers 88 89Enable the hooks for all processes: 90 91 adb shell stop 92 adb shell setprop libc.debug.hooks.enable 1 93 adb shell start 94 95Enable malloc hooks using an environment variable: 96 97 adb shell 98 # export LIBC_HOOKS_ENABLE=1 99 # ls 100 101Any process spawned from this shell will run with malloc hooks enabled. 102 103### For app developers 104 105Enable malloc hooks for a specific program/application: 106 107 adb shell setprop wrap.<APP> '"LIBC_HOOKS_ENABLE=1"' 108 109For example, to enable malloc hooks for the google search box: 110 111 adb shell setprop wrap.com.google.android.googlequicksearchbox '"LIBC_HOOKS_ENABLE=1 logwrapper"' 112 adb shell am force-stop com.google.android.googlequicksearchbox 113 114NOTE: On pre-O versions of the Android OS, property names had a length limit 115of 32. This meant that to create a wrap property with the name of the app, it 116was necessary to truncate the name to fit. On O, property names can be 117an order of magnitude larger, so there should be no need to truncate the name 118at all. 119