• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2017 Google Inc.
3  *
4  * Use of this source code is governed by a BSD-style license that can be
5  * found in the LICENSE file.
6  */
7 
8 #ifndef SkMalloc_DEFINED
9 #define SkMalloc_DEFINED
10 
11 #include <cstddef>
12 #include <cstring>
13 
14 #include "SkTypes.h"
15 
16 /*
17     memory wrappers to be implemented by the porting layer (platform)
18 */
19 
20 
21 /** Free memory returned by sk_malloc(). It is safe to pass null. */
22 SK_API extern void sk_free(void*);
23 
24 /**
25  *  Called internally if we run out of memory. The platform implementation must
26  *  not return, but should either throw an exception or otherwise exit.
27  */
28 SK_API extern void sk_out_of_memory(void);
29 
30 enum {
31     /**
32      *  If this bit is set, the returned buffer must be zero-initialized. If this bit is not set
33      *  the buffer can be uninitialized.
34      */
35     SK_MALLOC_ZERO_INITIALIZE   = 1 << 0,
36 
37     /**
38      *  If this bit is set, the implementation must throw/crash/quit if the request cannot
39      *  be fulfilled. If this bit is not set, then it should return nullptr on failure.
40      */
41     SK_MALLOC_THROW             = 1 << 1,
42 };
43 /**
44  *  Return a block of memory (at least 4-byte aligned) of at least the specified size.
45  *  If the requested memory cannot be returned, either return nullptr or throw/exit, depending
46  *  on the SK_MALLOC_THROW bit. If the allocation succeeds, the memory will be zero-initialized
47  *  if the SK_MALLOC_ZERO_INITIALIZE bit was set.
48  *
49  *  To free the memory, call sk_free()
50  */
51 SK_API extern void* sk_malloc_flags(size_t size, unsigned flags);
52 
53 /** Same as standard realloc(), but this one never returns null on failure. It will throw
54  *  an exception if it fails.
55  */
56 SK_API extern void* sk_realloc_throw(void* buffer, size_t size);
57 
sk_malloc_throw(size_t size)58 static inline void* sk_malloc_throw(size_t size) {
59     return sk_malloc_flags(size, SK_MALLOC_THROW);
60 }
61 
sk_calloc_throw(size_t size)62 static inline void* sk_calloc_throw(size_t size) {
63     return sk_malloc_flags(size, SK_MALLOC_THROW | SK_MALLOC_ZERO_INITIALIZE);
64 }
65 
sk_calloc_canfail(size_t size)66 static inline void* sk_calloc_canfail(size_t size) {
67 #if defined(IS_FUZZING_WITH_LIBFUZZER)
68     // The Libfuzzer environment is very susceptible to OOM, so to avoid those
69     // just pretend we can't allocate more than 200kb.
70     if (size > 200000) {
71         return nullptr;
72     }
73 #endif
74     return sk_malloc_flags(size, SK_MALLOC_ZERO_INITIALIZE);
75 }
76 
77 // Performs a safe multiply count * elemSize, checking for overflow
78 SK_API extern void* sk_calloc_throw(size_t count, size_t elemSize);
79 SK_API extern void* sk_malloc_throw(size_t count, size_t elemSize);
80 SK_API extern void* sk_realloc_throw(void* buffer, size_t count, size_t elemSize);
81 
82 /**
83  *  These variants return nullptr on failure
84  */
sk_malloc_canfail(size_t size)85 static inline void* sk_malloc_canfail(size_t size) {
86 #if defined(IS_FUZZING_WITH_LIBFUZZER)
87     // The Libfuzzer environment is very susceptible to OOM, so to avoid those
88     // just pretend we can't allocate more than 200kb.
89     if (size > 200000) {
90         return nullptr;
91     }
92 #endif
93     return sk_malloc_flags(size, 0);
94 }
95 SK_API extern void* sk_malloc_canfail(size_t count, size_t elemSize);
96 
97 // bzero is safer than memset, but we can't rely on it, so... sk_bzero()
sk_bzero(void * buffer,size_t size)98 static inline void sk_bzero(void* buffer, size_t size) {
99     // Please c.f. sk_careful_memcpy.  It's undefined behavior to call memset(null, 0, 0).
100     if (size) {
101         memset(buffer, 0, size);
102     }
103 }
104 
105 /**
106  *  sk_careful_memcpy() is just like memcpy(), but guards against undefined behavior.
107  *
108  * It is undefined behavior to call memcpy() with null dst or src, even if len is 0.
109  * If an optimizer is "smart" enough, it can exploit this to do unexpected things.
110  *     memcpy(dst, src, 0);
111  *     if (src) {
112  *         printf("%x\n", *src);
113  *     }
114  * In this code the compiler can assume src is not null and omit the if (src) {...} check,
115  * unconditionally running the printf, crashing the program if src really is null.
116  * Of the compilers we pay attention to only GCC performs this optimization in practice.
117  */
sk_careful_memcpy(void * dst,const void * src,size_t len)118 static inline void* sk_careful_memcpy(void* dst, const void* src, size_t len) {
119     // When we pass >0 len we had better already be passing valid pointers.
120     // So we just need to skip calling memcpy when len == 0.
121     if (len) {
122         memcpy(dst,src,len);
123     }
124     return dst;
125 }
126 
127 #endif  // SkMalloc_DEFINED
128