Add malloc free leak detector scripts

Author: Chris Croft-White

README.md

@@ -28,6 +28,9 @@ Allows live-record to record both parent and child after `fork()` has been calle
 [**Load Debug Symbols**](load_debug_symbols/README.md)
 Loads debug symbols by parsing the relevant section addresses.
 
+[**Malloc Free Check**](malloc_free_check/README.md)
+Checks that no memory was leaked in your program by tracking calls to `malloc()` and `free()`.
+
 [**Reconstruct file**](reconstruct_file/README.md)
 Reconstructs the content of a file by analysing reads on the execution history
 of a debugged program or LiveRecorder recording.

malloc_free_check/Makefile

@@ -0,0 +1,13 @@
+memchecker: memchecker.c
+	gcc -g -o $@ $<
+
+memchecker.undo: memchecker
+	live-record -o $@ ./$<
+
+run: memchecker.undo
+	./malloc-free.py $<
+
+all: memchecker.undo
+
+clean:
+	rm *.undo *.pyc memchecker

malloc_free_check/README.md

@@ -0,0 +1,29 @@
+# Memory leak detection example
+This example implements a simple memory leak detector with the Undo Automation API.
+
+The `memchecker.c` example application has a single unmatched `malloc()` call (excluding some from before the application has actually started, including the 1KB buffer for printfs, which are detected).
+
+Using the Undo Automation API, the python scripts process the recording to find all `malloc()` and `free()` calls.  The script ignores all `malloc()` calls with matching `free()` call, and after parsing the entire recording, jumps back in time to each of the unmatched `malloc()` calls.  For each call, the scripts:
+* Output the backtrace at the time of the call.
+* Continue execution until `malloc()` returns.
+* Outputs the souce code for the calling function (if available) and locals.
+
+In the case of the example program, this is sufficient to clearly show the root cause for the deliberate leak.  Generally it should give a good hint for other recordings, and the output does clearly provide the timestamps for the `malloc()` calls to enable opening the recording and jumping directly to the leaking memory allocation to start debugging from there.
+
+These scripts can be used as a starting point to implement other kinds of analysis related to the standard allocation functions, such as producing a profile of how much memory is being used during execution.
+
+## How to run the demo
+Simply enter the directory and run:
+
+`make run`
+
+## How to use the scripts on other recordings
+Simply run the `malloc-free.py` script, passing the recording as the parameter:
+
+`./malloc-free.py <recording.undo>`
+
+## Enhancements ideas
+* Provide some way to filter out library code.
+* Add verbosity controls.
+* Support recordings without symbols (provide address for `malloc()` & `free()` at command line).
+* Automatically trace the use of leaking memory to identify the last read or write access to the memory.

malloc_free_check/malloc-free.py

@@ -0,0 +1,62 @@
+#! /usr/bin/env udb-automate
+"""
+Undo Automation command-line script for tracking calls to malloc() and free() and checking for
+leaked memory.
+
+This script only support the x86-64 architecture.
+
+Contributors: Chris Croft-White, Magne Hov
+"""
+
+import sys
+import textwrap
+
+from undo.udb_launcher import REDIRECTION_COLLECT, UdbLauncher
+
+
+def main(argv):
+    # Get the arguments from the command line.
+    try:
+        recording = argv[1]
+    except ValueError:
+        # Wrong number of arguments.
+        print(f"{sys.argv[0]} RECORDING_FILE", file=sys.stderr)
+        raise SystemExit(1)
+
+    # Prepare for launching UDB.
+    launcher = UdbLauncher()
+    # Make UDB run with our recording.
+    launcher.recording_file = recording
+    # Make UDB load the malloc_free_check_extension.py file from the current directory.
+    launcher.add_extension("malloc_free_check_extension")
+    # Finally, launch UDB!
+    # We collect the output as, in normal conditions, we don't want to show it
+    # to the user but, in case of errors, we want to display it.
+    res = launcher.run_debugger(redirect_debugger_output=REDIRECTION_COLLECT)
+
+    if res.exit_code == 0:
+        # All good as UDB exited with exit code 0 (i.e. no errors).
+        # The result_data attribute is used to pass information from the extension to this script.
+        unmatched = res.result_data["unmatched"]
+        print(f"The recording failed to free allocated memory {unmatched} time(s).")
+    else:
+        # Something went wrong! Print a useful message.
+        print(
+            textwrap.dedent(
+                f"""\
+                Error!
+                UDB exited with code {res.exit_code}.
+
+                The output was:
+
+                {res.output}
+                """
+            ),
+            file=sys.stderr,
+        )
+        # Exit this script with the same error code as UDB.
+        raise SystemExit(res.exit_code)
+
+
+if __name__ == "__main__":
+    main(sys.argv)

malloc_free_check/malloc_free_check_extension.py

@@ -0,0 +1,134 @@
+"""
+Undo Automation extension module for tracking calls to malloc() and free() and checking for
+leaked memory.
+
+This script only support the x86-64 architecture.
+
+Contributors: Chris Croft-White, Magne Hov
+"""
+
+import collections
+import re
+
+import gdb
+
+from undodb.debugger_extensions import udb
+from undodb.debugger_extensions.debugger_io import redirect_to_launcher_output
+
+
+def leak_check():
+    """
+    Implements breakpoints and stops on all calls to malloc() and free(), capturing the
+    timestamp, size and returned pointer for malloc(), then confirms the address pointer is later
+    seen in a free() call.
+
+    If a subsequent free() is not seen, then at the end of execution, output the timestamp and
+    details of the memory which was never freed.
+    """
+    # Set a breakpoint for the specified function.
+    gdb.Breakpoint("malloc")
+    gdb.Breakpoint("free")
+
+    # Declare allocations dictionary structure.
+    allocations = collections.OrderedDict()
+
+    # Do "continue" until we have gone through the whole recording, potentially
+    # hitting the breakpoints several times.
+    end_of_time = udb.get_event_log_extent().end
+    while True:
+        gdb.execute("continue")
+
+        # Rather than having the check directly in the while condition we have
+        # it here as we don't want to print the backtrace when we hit the end of
+        # the recording but only when we stop at a breakpoint.
+        if udb.time.get().bbcount >= end_of_time:
+            break
+
+        # Use the $PC output to get the symbol and idenfity whether execution has stopped
+        # at a malloc() or free() call.
+        mypc = format(gdb.parse_and_eval("$pc"))
+        if re.search("malloc", mypc):
+            # In malloc(), set a FinishBreakpoint to capture the pointer returned later.
+            mfbp = gdb.FinishBreakpoint()
+
+            # For now, capture the timestamp and size of memory requested.
+            time = udb.time.get()
+            size = gdb.parse_and_eval("$rdi")
+
+            gdb.execute("continue")
+
+            # Should stop at the finish breakpoint, so capture the pointer.
+            addr = mfbp.return_value
+
+            if addr:
+                # Store details in the dictionary.
+                allocations[format(addr)] = time, size
+            else:
+                print(f"-- INFO: Malloc called for {size} byte(s) but null returned.")
+
+            print(f"{time}: malloc() called: {size} byte(s) allocated at {addr}.")
+
+        elif re.search("free", mypc):
+            # In free(), get the pointer address.
+            addr = gdb.parse_and_eval("$rdi")
+
+            time = udb.time.get()
+
+            # Delete entry from the dictionary as this memory was released.
+            if addr > 0:
+                if allocations[hex(int(format(addr)))]:
+                    del allocations[hex(int(format(addr)))]
+                else:
+                    print("--- INFO: Free called with unknown address")
+            else:
+                print("--- INFO: Free called with null address")
+
+            #with redirect_to_launcher_output():
+            print(f"{time}: free() called for {int(addr):#x}")
+
+
+    # If Allocations has any entries remaining, they were not released.
+    with redirect_to_launcher_output():
+        print ()
+        print (f"{len(allocations)} unmatched memory allocation(s):")
+        print ()
+
+        total = 0
+
+        # Increase the amount of source from default (10) to 16 lines for more context.
+        gdb.execute("set listsize 16")
+        for addr in allocations:
+            time, size = allocations[addr]
+            total += size
+            print("===============================================================================")
+            print(f"{time}: {size} bytes was allocated at {addr}, but never freed.")
+            print("===============================================================================")
+            udb.time.goto(time)
+            print("Backtrace:")
+            gdb.execute("backtrace")
+            print()
+            print("Source (if available):")
+            gdb.execute("finish")
+            gdb.execute("list")
+            print()
+            print("Locals (after malloc returns):")
+            gdb.execute("info locals")
+            print()
+            print()
+        print("===============================================================================")
+        print(f"  In total, {total} byte(s) were allocated and not released")
+        print()
+
+    return len(allocations)
+
+
+# UDB will automatically load the modules passed to UdbLauncher.add_extension and, if present,
+# automatically execute any function (with no arguments) called "run".
+def run():
+    # Needed to allow GDB to fixup breakpoints properly after glibc has been loaded
+    gdb.Breakpoint("main")
+
+    unmatched = leak_check()
+
+    # Pass the number of time we hit the breakpoint back to the outer script.
+    udb.result_data["unmatched"] = unmatched

malloc_free_check/memchecker.c

@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int
+main(void)
+{
+    int i;
+
+    for (i = 1; i < 20; ++i)
+    {
+        int *addr = (int *)malloc(10 * sizeof(int));
+        printf("Address allocated: %p\n", addr);
+
+        if (!(i % 10 == 0))
+        {
+            printf("Address freed: %p\n", addr);
+            free(addr);
+        }
+    }
+}