eal: annotate allocation functions

shemminger · david-marchand · commit 80da7efbb4c4 · 2024-10-10T18:56:56.000+02:00
The allocation functions take a alignment argument that
can be useful to hint the compiler optimizer.
This is supported by GCC and Clang but only useful with GCC
because Clang gives warning if alignment is 0.

Newer versions of GCC have a malloc attribute that can be used to find
mismatches between allocation and free; the typical problem caught is a
pointer allocated with rte_malloc() that is then incorrectly freed using
free().
The name of the DPDK wrapper macros for these attributes are chosen to
be similar to what GLIBC is using in cdefs.h.

Note: The rte_free function prototype was moved ahead of the allocation
functions since the dealloc attribute now refers to it.

Signed-off-by: Stephen Hemminger &lt;stephen@networkplumber.org&gt;
Reviewed-by: Morten Brørup &lt;mb@smartsharesystems.com&gt;
Acked-by: Chengwen Feng &lt;fengchengwen@huawei.com&gt;
Acked-by: Anatoly Burakov &lt;anatoly.burakov@intel.com&gt;
Acked-by: Wathsala Vithanage &lt;wathsala.vithanage@arm.com&gt;
Acked-by: Konstantin Ananyev &lt;konstantin.ananyev@huawei.com&gt;
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
@@ -82,6 +82,14 @@ New Features
 
   The new statistics are useful for debugging and profiling.
 
+* **Hardened rte_malloc and related functions.**
+
+  Added function attributes to ``rte_malloc`` and similar functions
+  that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+  Examples: calling ``free`` on pointer that was allocated with ``rte_malloc``
+  (and vice versa); freeing the same pointer twice in the same routine;
+  freeing an object that was not created by allocation; etc.
+
 * **Added cryptodev queue pair reset support.**
 
   A new API ``rte_cryptodev_queue_pair_reset`` is added
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
@@ -228,6 +228,40 @@ typedef uint16_t unaligned_uint16_t;
 #define __rte_alloc_size(...)
 #endif
 
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ *
+ * Note: not enabled on Clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(argno) \
+	__attribute__((alloc_align(argno)))
+#else
+#define __rte_alloc_align(argno)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ */
+#if defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_malloc __attribute__((__malloc__))
+#else
+#define __rte_malloc
+#endif
+
+/**
+ * With recent GCC versions also able to track that proper
+ * deallocator function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_dealloc(dealloc, argno) \
+	__attribute__((malloc(dealloc, argno)))
+#else
+#define __rte_dealloc(dealloc, argno)
+#endif
+
 #define RTE_PRIORITY_LOG 101
 #define RTE_PRIORITY_BUS 110
 #define RTE_PRIORITY_CLASS 120
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,26 @@ struct rte_malloc_socket_stats {
 	size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
 };
 
+/**
+ * Functions that expect return value to be freed with rte_free()
+ */
+#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ *   The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
 /**
  * This function allocates memory from the huge-page area of memory. The memory
  * is not cleared. In NUMA systems, the memory allocated resides on the same
@@ -54,7 +74,8 @@ struct rte_malloc_socket_stats {
  */
 void *
 rte_malloc(const char *type, size_t size, unsigned align)
-	__rte_alloc_size(2);
+	__rte_alloc_size(2) __rte_alloc_align(3)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * Allocate zeroed memory from the heap.
@@ -81,7 +102,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
  */
 void *
 rte_zmalloc(const char *type, size_t size, unsigned align)
-	__rte_alloc_size(2);
+	__rte_alloc_size(2) __rte_alloc_align(3)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +130,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
  */
 void *
 rte_calloc(const char *type, size_t num, size_t size, unsigned align)
-	__rte_alloc_size(2, 3);
+	__rte_alloc_size(2, 3)	__rte_alloc_align(4)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +155,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
  */
 void *
 rte_realloc(void *ptr, size_t size, unsigned int align)
-	__rte_alloc_size(2);
+	__rte_alloc_size(2) __rte_alloc_align(3)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * Replacement function for realloc(), using huge-page memory. Reserved area
@@ -158,7 +182,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
  */
 void *
 rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
-	__rte_alloc_size(2);
+	__rte_alloc_size(2) __rte_alloc_align(3)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +210,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
  */
 void *
 rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
-	__rte_alloc_size(2);
+	__rte_alloc_size(2) __rte_alloc_align(3)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * Allocate zeroed memory from the heap.
@@ -214,7 +240,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
  */
 void *
 rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
-	__rte_alloc_size(2);
+	__rte_alloc_size(2) __rte_alloc_align(3)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,22 +270,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
  */
 void *
 rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
-	__rte_alloc_size(2, 3);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- *   The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+	__rte_alloc_size(2, 3)	__rte_alloc_align(4)
+	__rte_malloc __rte_dealloc_free;
 
 /**
  * If malloc debug is enabled, check a memory block for header
