android: implement fatal_error() via async_safe_fatal()

async_safe_fatal() performs the following steps:
- logs the error message to stderr and logcat
- passes error message to debuggerd via android_set_abort_message(). debuggerd then saves the error
message in the crash report file ("tombstone")
- calls abort()

.clang-tidy

@@ -0,0 +1,2 @@
+Checks: 'bugprone-*,-bugprone-easily-swappable-parameters,-bugprone-macro-parentheses,-bugprone-too-small-loop-variable,cert-*,-cert-err33-c,clang-analyzer-*,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-diagnostic-constant-logical-operand,readability-*,-readability-function-cognitive-complexity,-readability-identifier-length,-readability-inconsistent-declaration-parameter-name,-readability-magic-numbers,-readability-named-parameter,llvm-include-order,misc-*'
+WarningsAsErrors: '*'

.github/FUNDING.yml

@@ -1 +0,0 @@
-custom: https://grapheneos.org/donate

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: daily
+    target-branch: main

.github/workflows/build-and-test.yml

@@ -0,0 +1,39 @@
+name: Build and run tests
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 2 * * *'
+
+jobs:
+  build-ubuntu-gcc:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build
+        run: make test
+  build-ubuntu-clang:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build
+        run: CC=clang CXX=clang++ make test
+  build-musl:
+    runs-on: ubuntu-latest
+    container:
+      image: alpine:latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: apk update && apk add build-base python3
+      - name: Build
+        run: make test
+  build-ubuntu-gcc-aarch64:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libgcc-s1-arm64-cross cpp-aarch64-linux-gnu
+      - name: Build
+        run: CC=aarch64-linux-gnu-gcc CXX=aarch64-linux-gnu-gcc++ make CONFIG_NATIVE=false

.gitignore

@@ -1,2 +1,2 @@
-*.o
-*.so
+out/
+out-light/

Android.bp

@@ -1,15 +1,16 @@
 common_cflags = [
+    "-pipe",
     "-O3",
     //"-flto",
     "-fPIC",
     "-fvisibility=hidden",
     //"-fno-plt",
-    "-pipe",
     "-Wall",
     "-Wextra",
     "-Wcast-align",
     "-Wcast-qual",
     "-Wwrite-strings",
+    "-Werror",
     "-DH_MALLOC_PREFIX",
     "-DZERO_ON_FREE=true",
     "-DWRITE_AFTER_FREE_CHECK=true",
@@ -21,20 +22,21 @@ common_cflags = [
     "-DCONFIG_LARGE_SIZE_CLASSES=true",
     "-DGUARD_SLABS_INTERVAL=1",
     "-DGUARD_SIZE_DIVISOR=2",
-    "-DREGION_QUARANTINE_RANDOM_LENGTH=128",
+    "-DREGION_QUARANTINE_RANDOM_LENGTH=256",
     "-DREGION_QUARANTINE_QUEUE_LENGTH=1024",
     "-DREGION_QUARANTINE_SKIP_THRESHOLD=33554432", // 32MiB
     "-DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32",
-    "-DCONFIG_CLASS_REGION_SIZE=1073741824", // 1GiB
+    "-DCONFIG_CLASS_REGION_SIZE=34359738368", // 32GiB
     "-DN_ARENA=1",
     "-DCONFIG_STATS=true",
+    "-DCONFIG_SELF_INIT=false",
 ]
 
 cc_defaults {
     name: "hardened_malloc_defaults",
     defaults: ["linux_bionic_supported"],
     cflags: common_cflags,
-    conlyflags: ["-std=c11", "-Wmissing-prototypes"],
+    conlyflags: ["-std=c17", "-Wmissing-prototypes"],
     stl: "none",
 }
 
@@ -47,13 +49,32 @@ lib_src_files = [
     "util.c",
 ]
 
-cc_library_static {
+cc_library {
     name: "libhardened_malloc",
+    ramdisk_available: true,
+    vendor_ramdisk_available: true,
+    recovery_available: true,
     defaults: ["hardened_malloc_defaults"],
     srcs: lib_src_files,
+    export_include_dirs: ["include"],
+    static_libs: ["libasync_safe"],
+    target: {
+        android: {
+            shared: {
+                enabled: false,
+            },
+            system_shared_libs: [],
+        },
+        linux_bionic: {
+            system_shared_libs: [],
+        },
+    },
     product_variables: {
         debuggable: {
             cflags: ["-DLABEL_MEMORY"],
         },
     },
+    apex_available: [
+        "com.android.runtime",
+    ],
 }

CREDITS

@@ -4,7 +4,7 @@ chacha.c is a simple conversion of chacha-merged.c to a keystream-only implement
     D. J. Bernstein
     Public domain.
 
-malloc.c open-addressed hash table (regions_grow, regions_insert, regions_find, regions_delete):
+h_malloc.c open-addressed hash table (regions_grow, regions_insert, regions_find, regions_delete):
 
     Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
     Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -25,7 +25,8 @@ malloc.c open-addressed hash table (regions_grow, regions_insert, regions_find,
 
 libdivide:
 
-    Copyright (C) 2010 ridiculous_fish
+    Copyright (C) 2010 - 2019 ridiculous_fish, <libdivide@ridiculousfish.com>
+    Copyright (C) 2016 - 2019 Kim Walisch, <kim.walisch@gmail.com>
 
     Boost Software License - Version 1.0 - August 17th, 2003
 

KERNEL_FEATURE_WISHLIST.md

@@ -16,6 +16,8 @@ Somewhat important and an easy sell:
     * also needed by jemalloc for different reasons
     * not needed if the kernel gets first class support for arbitrarily sized
       guard pages and a virtual memory quarantine feature
+    * `MREMAP_DONTUNMAP` is now available but doesn't support expanding the
+      mapping which may be an issue due to VMA merging being unreliable
 
 Fairly infeasible to land but could reduce overhead and extend coverage of
 security features to other code directly using mmap:

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2019 Daniel Micay
+Copyright © 2018-2023 GrapheneOS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -1,57 +1,60 @@
-CONFIG_NATIVE := true
-CONFIG_CXX_ALLOCATOR := true
-CONFIG_UBSAN := false
-CONFIG_SEAL_METADATA := false
-CONFIG_ZERO_ON_FREE := true
-CONFIG_WRITE_AFTER_FREE_CHECK := true
-CONFIG_SLOT_RANDOMIZE := true
-CONFIG_SLAB_CANARY := true
-CONFIG_SLAB_QUARANTINE_RANDOM_LENGTH := 1
-CONFIG_SLAB_QUARANTINE_QUEUE_LENGTH := 1
-CONFIG_EXTENDED_SIZE_CLASSES := true
-CONFIG_LARGE_SIZE_CLASSES := true
-CONFIG_GUARD_SLABS_INTERVAL := 1
-CONFIG_GUARD_SIZE_DIVISOR := 2
-CONFIG_REGION_QUARANTINE_RANDOM_LENGTH := 128
-CONFIG_REGION_QUARANTINE_QUEUE_LENGTH := 1024
-CONFIG_REGION_QUARANTINE_SKIP_THRESHOLD := 33554432 # 32MiB
-CONFIG_FREE_SLABS_QUARANTINE_RANDOM_LENGTH := 32
-CONFIG_CLASS_REGION_SIZE := 34359738368 # 32GiB
-CONFIG_N_ARENA := 4
-CONFIG_STATS := false
+VARIANT := default
+
+ifneq ($(VARIANT),)
+    CONFIG_FILE := config/$(VARIANT).mk
+    include config/$(VARIANT).mk
+endif
+
+ifeq ($(VARIANT),default)
+    SUFFIX :=
+else
+    SUFFIX := -$(VARIANT)
+endif
+
+OUT := out$(SUFFIX)
 
 define safe_flag
-$(shell $(CC) -E $1 - </dev/null >/dev/null 2>&1 && echo $1 || echo $2)
+$(shell $(CC) $(if $(filter clang%,$(CC)),-Werror=unknown-warning-option) -E $1 - </dev/null >/dev/null 2>&1 && echo $1 || echo $2)
 endef
 
-CPPFLAGS := -D_GNU_SOURCE
-SHARED_FLAGS := -O3 -flto -fPIC -fvisibility=hidden $(call safe_flag,-fno-plt) -pipe -Wall -Wextra $(call safe_flag,-Wcast-align=strict) -Wcast-qual -Wwrite-strings
+CPPFLAGS := $(CPPFLAGS) -D_GNU_SOURCE -I include
+SHARED_FLAGS := -pipe -O3 -flto -fPIC -fvisibility=hidden -fno-plt \
+    -fstack-clash-protection $(call safe_flag,-fcf-protection) -fstack-protector-strong \
+    -Wall -Wextra $(call safe_flag,-Wcast-align=strict,-Wcast-align) -Wcast-qual -Wwrite-strings \
+    -Wundef
+
+ifeq ($(CONFIG_WERROR),true)
+    SHARED_FLAGS += -Werror
+endif
 
 ifeq ($(CONFIG_NATIVE),true)
     SHARED_FLAGS += -march=native
 endif
 
-CFLAGS := -std=c11 $(SHARED_FLAGS) -Wmissing-prototypes
-CXXFLAGS := $(call safe_flag,-std=c++17,-std=c++14) $(SHARED_FLAGS)
-LDFLAGS := -Wl,--as-needed,-z,defs,-z,relro,-z,now,-z,nodlopen,-z,text
-TIDY_CHECKS := -checks=bugprone-*,-bugprone-macro-parentheses,cert-*,clang-analyzer-*,readability-*,-readability-inconsistent-declaration-parameter-name,-readability-magic-numbers,-readability-named-parameter,-bugprone-too-small-loop-variable
+ifeq ($(CONFIG_UBSAN),true)
+    SHARED_FLAGS += -fsanitize=undefined -fno-sanitize-recover=undefined
+endif
+
+CFLAGS := $(CFLAGS) -std=c17 $(SHARED_FLAGS) -Wmissing-prototypes -Wstrict-prototypes
+CXXFLAGS := $(CXXFLAGS) -std=c++17 -fsized-deallocation $(SHARED_FLAGS)
+LDFLAGS := $(LDFLAGS) -Wl,-O1,--as-needed,-z,defs,-z,relro,-z,now,-z,nodlopen,-z,text
 
 SOURCES := chacha.c h_malloc.c memory.c pages.c random.c util.c
 OBJECTS := $(SOURCES:.c=.o)
 
 ifeq ($(CONFIG_CXX_ALLOCATOR),true)
+    # make sure LTO is compatible in case CC and CXX don't match (such as clang and g++)
+    CXX := $(CC)
     LDLIBS += -lstdc++
+
     SOURCES += new.cc
     OBJECTS += new.o
 endif
 
-ifeq ($(CONFIG_UBSAN),true)
-    CFLAGS += -fsanitize=undefined
-    CXXFLAGS += -fsanitize=undefined
-endif
+OBJECTS := $(addprefix $(OUT)/,$(OBJECTS))
 
-ifeq ($(CONFIG_SEAL_METADATA),true)
-    CPPFLAGS += -DCONFIG_SEAL_METADATA
+ifeq (,$(filter $(CONFIG_SEAL_METADATA),true false))
+    $(error CONFIG_SEAL_METADATA must be true or false)
 endif
 
 ifeq (,$(filter $(CONFIG_ZERO_ON_FREE),true false))
@@ -82,7 +85,12 @@ ifeq (,$(filter $(CONFIG_STATS),true false))
     $(error CONFIG_STATS must be true or false)
 endif
 
+ifeq (,$(filter $(CONFIG_SELF_INIT),true false))
+    $(error CONFIG_SELF_INIT must be true or false)
+endif
+
 CPPFLAGS += \
+    -DCONFIG_SEAL_METADATA=$(CONFIG_SEAL_METADATA) \
     -DZERO_ON_FREE=$(CONFIG_ZERO_ON_FREE) \
     -DWRITE_AFTER_FREE_CHECK=$(CONFIG_WRITE_AFTER_FREE_CHECK) \
     -DSLOT_RANDOMIZE=$(CONFIG_SLOT_RANDOMIZE) \
@@ -99,23 +107,42 @@ CPPFLAGS += \
     -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=$(CONFIG_FREE_SLABS_QUARANTINE_RANDOM_LENGTH) \
     -DCONFIG_CLASS_REGION_SIZE=$(CONFIG_CLASS_REGION_SIZE) \
     -DN_ARENA=$(CONFIG_N_ARENA) \
-    -DCONFIG_STATS=$(CONFIG_STATS)
+    -DCONFIG_STATS=$(CONFIG_STATS) \
+    -DCONFIG_SELF_INIT=$(CONFIG_SELF_INIT)
 
-libhardened_malloc.so: $(OBJECTS)
+$(OUT)/libhardened_malloc$(SUFFIX).so: $(OBJECTS) | $(OUT)
 	$(CC) $(CFLAGS) $(LDFLAGS) -shared $^ $(LDLIBS) -o $@
 
-chacha.o: chacha.c chacha.h util.h
-h_malloc.o: h_malloc.c h_malloc.h mutex.h memory.h pages.h random.h util.h
-memory.o: memory.c memory.h util.h
-new.o: new.cc h_malloc.h util.h
-pages.o: pages.c pages.h memory.h util.h
-random.o: random.c random.h chacha.h util.h
-util.o: util.c util.h
+$(OUT):
+	mkdir -p $(OUT)
+
+$(OUT)/chacha.o: chacha.c chacha.h util.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) $(OUTPUT_OPTION) $<
+$(OUT)/h_malloc.o: h_malloc.c include/h_malloc.h mutex.h memory.h pages.h random.h util.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) $(OUTPUT_OPTION) $<
+$(OUT)/memory.o: memory.c memory.h util.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) $(OUTPUT_OPTION) $<
+$(OUT)/new.o: new.cc include/h_malloc.h util.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.cc) $(OUTPUT_OPTION) $<
+$(OUT)/pages.o: pages.c pages.h memory.h util.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) $(OUTPUT_OPTION) $<
+$(OUT)/random.o: random.c random.h chacha.h util.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) $(OUTPUT_OPTION) $<
+$(OUT)/util.o: util.c util.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) $(OUTPUT_OPTION) $<
+
+check: tidy
 
 tidy:
-	clang-tidy $(TIDY_CHECKS) $(SOURCES) -- $(CPPFLAGS)
+	clang-tidy --extra-arg=-std=c17 $(filter %.c,$(SOURCES)) -- $(CPPFLAGS)
+	clang-tidy --extra-arg=-std=c++17 $(filter %.cc,$(SOURCES)) -- $(CPPFLAGS)
 
 clean:
-	rm -f libhardened_malloc.so $(OBJECTS)
+	rm -f $(OUT)/libhardened_malloc.so $(OBJECTS)
+	$(MAKE) -C test/ clean
 
-.PHONY: clean tidy
+test: $(OUT)/libhardened_malloc$(SUFFIX).so
+	$(MAKE) -C test/
+	python3 -m unittest discover --start-directory test/
+
+.PHONY: check clean tidy test

README.md

@@ -1,5 +1,30 @@
 # Hardened malloc
 
+* [Introduction](#introduction)
+* [Dependencies](#dependencies)
+* [Testing](#testing)
+    * [Individual Applications](#individual-applications)
+    * [Automated Test Framework](#automated-test-framework)
+* [Compatibility](#compatibility)
+* [OS integration](#os-integration)
+    * [Android-based operating systems](#android-based-operating-systems)
+    * [Traditional Linux-based operating systems](#traditional-linux-based-operating-systems)
+* [Configuration](#configuration)
+* [Core design](#core-design)
+* [Security properties](#security-properties)
+* [Randomness](#randomness)
+* [Size classes](#size-classes)
+* [Scalability](#scalability)
+    * [Small (slab) allocations](#small-slab-allocations)
+        * [Thread caching (or lack thereof)](#thread-caching-or-lack-thereof)
+    * [Large allocations](#large-allocations)
+* [Memory tagging](#memory-tagging)
+* [API extensions](#api-extensions)
+* [Stats](#stats)
+* [System calls](#system-calls)
+
+## Introduction
+
 This is a security-focused general purpose memory allocator providing the
 malloc API along with various extensions. It provides substantial hardening
 against heap corruption vulnerabilities. The security-focused design also leads
@@ -7,7 +32,7 @@ to much less metadata overhead and memory waste from fragmentation than a more
 traditional allocator design. It aims to provide decent overall performance
 with a focus on long-term performance and memory usage rather than allocator
 micro-benchmarks. It offers scalability via a configurable number of entirely
-independently arenas, with the internal locking within arenas further divided
+independent arenas, with the internal locking within arenas further divided
 up per size class.
 
 This project currently supports Bionic (Android), musl and glibc. It may
@@ -20,17 +45,17 @@ and can cover the same use cases.
 This allocator is intended as a successor to a previous implementation based on
 extending OpenBSD malloc with various additional security features. It's still
 heavily based on the OpenBSD malloc design, albeit not on the existing code
-other than reusing the hash table implementation for the time being. The main
-differences in the design are that it is solely focused on hardening rather
-than finding bugs, uses finer-grained size classes along with slab sizes going
-beyond 4k to reduce internal fragmentation, doesn't rely on the kernel having
-fine-grained mmap randomization and only targets 64-bit to make aggressive use
-of the large address space.  There are lots of smaller differences in the
-implementation approach. It incorporates the previous extensions made to
-OpenBSD malloc including adding padding to allocations for canaries (distinct
-from the current OpenBSD malloc canaries), write-after-free detection tied to
-the existing clearing on free, queues alongside the existing randomized arrays
-for quarantining allocations and proper double-free detection for quarantined
+other than reusing the hash table implementation. The main differences in the
+design are that it's solely focused on hardening rather than finding bugs, uses
+finer-grained size classes along with slab sizes going beyond 4k to reduce
+internal fragmentation, doesn't rely on the kernel having fine-grained mmap
+randomization and only targets 64-bit to make aggressive use of the large
+address space. There are lots of smaller differences in the implementation
+approach. It incorporates the previous extensions made to OpenBSD malloc
+including adding padding to allocations for canaries (distinct from the current
+OpenBSD malloc canaries), write-after-free detection tied to the existing
+clearing on free, queues alongside the existing randomized arrays for
+quarantining allocations and proper double-free detection for quarantined
 allocations. The per-size-class memory regions with their own random bases were
 loosely inspired by the size and type-based partitioning in PartitionAlloc. The
 planned changes to OpenBSD malloc ended up being too extensive and invasive so
@@ -40,11 +65,14 @@ used instead as this allocator fundamentally doesn't support that environment.
 
 ## Dependencies
 
-Debian stable determines the most ancient set of supported dependencies:
+Debian stable (currently Debian 12) determines the most ancient set of
+supported dependencies:
 
-* glibc 2.24
-* Linux 4.9
-* Clang 3.8 or GCC 6.3
+* glibc 2.36
+* Linux 6.1
+* Clang 14.0.6 or GCC 12.2.0
+
+For Android, the Linux GKI 5.10, 5.15 and 6.1 branches are supported.
 
 However, using more recent releases is highly recommended. Older versions of
 the dependencies may be compatible at the moment but are not tested and will
@@ -54,18 +82,20 @@ For external malloc replacement with musl, musl 1.1.20 is required. However,
 there will be custom integration offering better performance in the future
 along with other hardening for the C standard library implementation.
 
-For Android, only current generation Android Open Source Project branches will
-be supported, which currently means pie-qpr2-release.
+For Android, only the current generation, actively developed maintenance branch of the Android
+Open Source Project will be supported, which currently means `android13-qpr2-release`.
 
 ## Testing
 
+### Individual Applications
+
 The `preload.sh` script can be used for testing with dynamically linked
 executables using glibc or musl:
 
     ./preload.sh krita --new-image RGBA,U8,500,500
 
 It can be necessary to substantially increase the `vm.max_map_count` sysctl to
-accomodate the large number of mappings caused by guard slabs and large
+accommodate the large number of mappings caused by guard slabs and large
 allocation guard regions. The number of mappings can also be drastically
 reduced via a significant increase to `CONFIG_GUARD_SLABS_INTERVAL` but the
 feature has a low performance and memory usage cost so that isn't recommended.
@@ -78,6 +108,79 @@ this allocator offers across different size classes. The intention is that this
 will be offered as part of hardened variants of the Bionic and musl C standard
 libraries.
 
+### Automated Test Framework
+
+A collection of simple, automated tests are provided and can be run with the
+make command as follows:
+
+    make test
+
+## Compatibility
+
+OpenSSH 8.1 or higher is required to allow the mprotect `PROT_READ|PROT_WRITE`
+system calls in the seccomp-bpf filter rather than killing the process.
+
+## OS integration
+
+### Android-based operating systems
+
+On GrapheneOS, hardened\_malloc is integrated into the standard C library as
+the standard malloc implementation. Other Android-based operating systems can
+reuse [the integration
+code](https://github.com/GrapheneOS/platform_bionic/commit/20160b81611d6f2acd9ab59241bebeac7cf1d71c)
+to provide it. If desired, jemalloc can be left as a runtime configuration
+option by only conditionally using hardened\_malloc to give users the choice
+between performance and security. However, this reduces security for threat
+models where persistent state is untrusted, i.e. verified boot and attestation
+(see the [attestation sister project](https://attestation.app/about)).
+
+Make sure to raise `vm.max_map_count` substantially too to accommodate the very
+large number of guard pages created by hardened\_malloc. This can be done in
+`init.rc` (`system/core/rootdir/init.rc`) near the other virtual memory
+configuration:
+
+    write /proc/sys/vm/max_map_count 1048576
+
+This is unnecessary if you set `CONFIG_GUARD_SLABS_INTERVAL` to a very large
+value in the build configuration.
+
+### Traditional Linux-based operating systems
+
+On traditional Linux-based operating systems, hardened\_malloc can either be
+integrated into the libc implementation as a replacement for the standard
+malloc implementation or loaded as a dynamic library. Rather than rebuilding
+each executable to be linked against it, it can be added as a preloaded
+library to `/etc/ld.so.preload`. For example, with `libhardened_malloc.so`
+installed to `/usr/local/lib/libhardened_malloc.so`, add that full path as a
+line to the `/etc/ld.so.preload` configuration file:
+
+    /usr/local/lib/libhardened_malloc.so
+
+The format of this configuration file is a whitespace-separated list, so it's
+good practice to put each library on a separate line.
+
+Using the `LD_PRELOAD` environment variable to load it on a case-by-case basis
+will not work when `AT_SECURE` is set such as with setuid binaries. It's also
+generally not a recommended approach for production usage. The recommendation
+is to enable it globally and make exceptions for performance critical cases by
+running the application in a container / namespace without it enabled.
+
+Make sure to raise `vm.max_map_count` substantially too to accommodate the very
+large number of guard pages created by hardened\_malloc. As an example, in
+`/etc/sysctl.d/hardened_malloc.conf`:
+
+    vm.max_map_count = 1048576
+
+This is unnecessary if you set `CONFIG_GUARD_SLABS_INTERVAL` to a very large
+value in the build configuration.
+
+On arm64, make sure your kernel is configured to use 4k pages since we haven't
+yet added support for 16k and 64k pages. The kernel also has to be configured
+to use 4 level page tables for the full 48 bit address space instead of only
+having a 39 bit address space for the default hardened\_malloc configuration.
+It's possible to reduce the class region size substantially to make a 39 bit
+address space workable but the defaults won't work.
+
 ## Configuration
 
 You can set some configuration options at compile-time via arguments to the
@@ -90,8 +193,45 @@ between portability, performance, memory usage or security. The core design
 choices are not configurable and the allocator remains very security-focused
 even with all the optional features disabled.
 
+The configuration system supports a configuration template system with two
+standard presets: the default configuration (`config/default.mk`) and a light
+configuration (`config/light.mk`). Packagers are strongly encouraged to ship
+both the standard `default` and `light` configuration. You can choose the
+configuration to build using `make VARIANT=light` where `make VARIANT=default`
+is the same as `make`. Non-default configuration templates will build a library
+with the suffix `-variant` such as `libhardened_malloc-light.so` and will use
+an `out-variant` directory instead of `out` for the build.
+
+The `default` configuration template has all normal optional security features
+enabled (just not the niche `CONFIG_SEAL_METADATA`) and is quite aggressive in
+terms of sacrificing performance and memory usage for security. The `light`
+configuration template disables the slab quarantines, write after free check,
+slot randomization and raises the guard slab interval from 1 to 8 but leaves
+zero-on-free and slab canaries enabled. The `light` configuration has solid
+performance and memory usage while still being far more secure than mainstream
+allocators with much better security properties. Disabling zero-on-free would
+gain more performance but doesn't make much difference for small allocations
+without also disabling slab canaries. Slab canaries slightly raise memory use
+and slightly slow down performance but are quite important to mitigate small
+overflows and C string overflows. Disabling slab canaries is not recommended
+in most cases since it would no longer be a strict upgrade over traditional
+allocators with headers on allocations and basic consistency checks for them.
+
+For reduced memory usage at the expense of performance (this will also reduce
+the size of the empty slab caches and quarantines, saving a lot of memory,
+since those are currently based on the size of the largest size class):
+
+    make \
+    N_ARENA=1 \
+    CONFIG_EXTENDED_SIZE_CLASSES=false
+
 The following boolean configuration options are available:
 
+* `CONFIG_WERROR`: `true` (default) or `false` to control whether compiler
+  warnings are treated as errors. This is highly recommended, but it can be
+  disabled to avoid patching the Makefile if a compiler version not tested by
+  the project is being used and has warnings. Investigating these warnings is
+  still recommended and the intention is to always be free of any warnings.
 * `CONFIG_NATIVE`: `true` (default) or `false` to control whether the code is
   optimized for the detected CPU on the host. If this is disabled, setting up a
   custom `-march` higher than the baseline architecture is highly recommended
@@ -104,12 +244,15 @@ The following boolean configuration options are available:
   allocations are zeroed on free, to mitigate use-after-free and uninitialized
   use vulnerabilities along with purging lots of potentially sensitive data
   from the process as soon as possible. This has a performance cost scaling to
-  the size of the allocation, which is usually acceptable.
+  the size of the allocation, which is usually acceptable. This is not relevant
+  to large allocations because the pages are given back to the kernel.
 * `CONFIG_WRITE_AFTER_FREE_CHECK`: `true` (default) or `false` to control
-  sanity checking that new allocations contain zeroed memory. This can detect
-  writes caused by a write-after-free vulnerability and mixes well with the
-  features for making memory reuse randomized / delayed. This has a performance
-  cost scaling to the size of the allocation, which is usually acceptable.
+  sanity checking that new small allocations contain zeroed memory. This can
+  detect writes caused by a write-after-free vulnerability and mixes well with
+  the features for making memory reuse randomized / delayed. This has a
+  performance cost scaling to the size of the allocation, which is usually
+  acceptable. This is not relevant to large allocations because they're always
+  a fresh memory mapping from the kernel.
 * `CONFIG_SLOT_RANDOMIZE`: `true` (default) or `false` to randomize selection
   of free slots within slabs. This has a measurable performance cost and isn't
   one of the important security features, but the cost has been deemed more
@@ -126,84 +269,112 @@ The following boolean configuration options are available:
 * `CONFIG_SEAL_METADATA`: `true` or `false` (default) to control whether Memory
   Protection Keys are used to disable access to all writable allocator state
   outside of the memory allocator code. It's currently disabled by default due
-  to being extremely experimental and a significant performance cost for this
-  use case on current generation hardware, which may become drastically lower
-  in the future. Whether or not this feature is enabled, the metadata is all
-  contained within an isolated memory region with high entropy random guard
-  regions around it.
+  to a significant performance cost for this use case on current generation
+  hardware, which may become drastically lower in the future. Whether or not
+  this feature is enabled, the metadata is all contained within an isolated
+  memory region with high entropy random guard regions around it.
 
-The following integer configuration options are available. Proper sanity checks
-for the chosen values are not written yet, so use them at your own peril:
+The following integer configuration options are available:
 
 * `CONFIG_SLAB_QUARANTINE_RANDOM_LENGTH`: `1` (default) to control the number
   of slots in the random array used to randomize reuse for small memory
-  allocations. This sets the length for the largest size class (currently
-  16384) and the quarantine length for smaller size classes is scaled to match
-  the total memory of the quarantined allocations (1 becomes 1024 for 16 byte
-  allocations).
+  allocations. This sets the length for the largest size class (either 16kiB
+  or 128kiB based on `CONFIG_EXTENDED_SIZE_CLASSES`) and the quarantine length
+  for smaller size classes is scaled to match the total memory of the
+  quarantined allocations (1 becomes 1024 for 16 byte allocations with 16kiB
+  as the largest size class, or 8192 with 128kiB as the largest).
 * `CONFIG_SLAB_QUARANTINE_QUEUE_LENGTH`: `1` (default) to control the number of
   slots in the queue used to delay reuse for small memory allocations. This
-  sets the length for the largest size class (currently 16384) and the
-  quarantine length for smaller size classes is scaled to match the total
-  memory of the quarantined allocations (1 becomes 1024 for 16 byte
-  allocations).
+  sets the length for the largest size class (either 16kiB or 128kiB based on
+  `CONFIG_EXTENDED_SIZE_CLASSES`) and the quarantine length for smaller size
+  classes is scaled to match the total memory of the quarantined allocations (1
+  becomes 1024 for 16 byte allocations with 16kiB as the largest size class, or
+  8192 with 128kiB as the largest).
 * `CONFIG_GUARD_SLABS_INTERVAL`: `1` (default) to control the number of slabs
-  before a slab is skipped and left as an unused memory protected guard slab
+  before a slab is skipped and left as an unused memory protected guard slab.
+  The default of `1` leaves a guard slab between every slab. This feature does
+  not have a *direct* performance cost, but it makes the address space usage
+  sparser which can indirectly hurt performance. The kernel also needs to track
+  a lot more memory mappings, which uses a bit of extra memory and slows down
+  memory mapping and memory protection changes in the process. The kernel uses
+  O(log n) algorithms for this and system calls are already fairly slow anyway,
+  so having many extra mappings doesn't usually add up to a significant cost.
 * `CONFIG_GUARD_SIZE_DIVISOR`: `2` (default) to control the maximum size of the
   guard regions placed on both sides of large memory allocations, relative to
-  the usable size of the memory allocation
-* `CONFIG_REGION_QUARANTINE_RANDOM_LENGTH`: `128` (default) to control the
+  the usable size of the memory allocation.
+* `CONFIG_REGION_QUARANTINE_RANDOM_LENGTH`: `256` (default) to control the
   number of slots in the random array used to randomize region reuse for large
-  memory allocations
+  memory allocations.
 * `CONFIG_REGION_QUARANTINE_QUEUE_LENGTH`: `1024` (default) to control the
   number of slots in the queue used to delay region reuse for large memory
-  allocations
+  allocations.
 * `CONFIG_REGION_QUARANTINE_SKIP_THRESHOLD`: `33554432` (default) to control
-  the size threshold where large allocations will not be quarantined
+  the size threshold where large allocations will not be quarantined.
 * `CONFIG_FREE_SLABS_QUARANTINE_RANDOM_LENGTH`: `32` (default) to control the
-  number of slots in the random array used to randomize free slab reuse
+  number of slots in the random array used to randomize free slab reuse.
 * `CONFIG_CLASS_REGION_SIZE`: `34359738368` (default) to control the size of
-  the size class regions
-* `CONFIG_N_ARENA`: `1` (default) to control the number of arenas
+  the size class regions.
+* `CONFIG_N_ARENA`: `4` (default) to control the number of arenas
 * `CONFIG_STATS`: `false` (default) to control whether stats on allocation /
-  deallocation count and active allocations are tracked. This is currently only
-  exposed via the mallinfo APIs on Android.
+  deallocation count and active allocations are tracked. See the [section on
+  stats](#stats) for more details.
 * `CONFIG_EXTENDED_SIZE_CLASSES`: `true` (default) to control whether small
-  size class go up to 64k instead of the minimum requirement for avoiding
-  memory waste of 16k. The option to extend it even further will be offered in
-  the future when better support for larger slab allocations is added.
+  size class go up to 128kiB instead of the minimum requirement for avoiding
+  memory waste of 16kiB. The option to extend it even further will be offered
+  in the future when better support for larger slab allocations is added. See
+  the [section on size classes](#size-classes) below for details.
 * `CONFIG_LARGE_SIZE_CLASSES`: `true` (default) to control whether large
   allocations use the slab allocation size class scheme instead of page size
-  granularity (see the section on size classes below)
+  granularity. See the [section on size classes](#size-classes) below for
+  details.
 
 There will be more control over enabled features in the future along with
 control over fairly arbitrarily chosen values like the size of empty slab
 caches (making them smaller improves security and reduces memory usage while
 larger caches can substantially improves performance).
 
-## Basic design
+## Core design
 
-The current design is very simple and will become a bit more sophisticated as
-the basic features are completed and the implementation is hardened and
-optimized. The allocator is exclusive to 64-bit platforms in order to take full
-advantage of the abundant address space without being constrained by needing to
-keep the design compatible with 32-bit.
+The core design of the allocator is very simple / minimalist. The allocator is
+exclusive to 64-bit platforms in order to take full advantage of the abundant
+address space without being constrained by needing to keep the design
+compatible with 32-bit.
+
+The mutable allocator state is entirely located within a dedicated metadata
+region, and the allocator is designed around this approach for both small
+(slab) allocations and large allocations. This provides reliable, deterministic
+protections against invalid free including double frees, and protects metadata
+from attackers. Traditional allocator exploitation techniques do not work with
+the hardened\_malloc implementation.
 
 Small allocations are always located in a large memory region reserved for slab
-allocations. It can be determined that an allocation is one of the small size
-classes from the address range. Each small size class has a separate reserved
-region within the larger region, and the size of a small allocation can simply
-be determined from the range. Each small size class has a separate out-of-line
-metadata array outside of the overall allocation region, with the index of the
-metadata struct within the array mapping to the index of the slab within the
-dedicated size class region. Slabs are a multiple of the page size and are
-page aligned. The entire small size class region starts out memory protected
-and becomes readable / writable as it gets allocated, with idle slabs beyond
-the cache limit having their pages dropped and the memory protected again.
+allocations. On free, it can be determined that an allocation is one of the
+small size classes from the address range. If arenas are enabled, the arena is
+also determined from the address range as each arena has a dedicated sub-region
+in the slab allocation region. Arenas provide totally independent slab
+allocators with their own allocator state and no coordination between them.
+Once the base region is determined (simply the slab allocation region as a
+whole without any arenas enabled), the size class is determined from the
+address range too, since it's divided up into a sub-region for each size class.
+There's a top level slab allocation region, divided up into arenas, with each
+of those divided up into size class regions. The size class regions each have a
+random base within a large guard region. Once the size class is determined, the
+slab size is known, and the index of the slab is calculated and used to obtain
+the slab metadata for the slab from the slab metadata array. Finally, the index
+of the slot within the slab provides the index of the bit tracking the slot in
+the bitmap. Every slab allocation slot has a dedicated bit in a bitmap tracking
+whether it's free, along with a separate bitmap for tracking allocations in the
+quarantine. The slab metadata entries in the array have intrusive lists
+threaded through them to track partial slabs (partially filled, and these are
+the first choice for allocation), empty slabs (limited amount of cached free
+memory) and free slabs (purged / memory protected).
 
 Large allocations are tracked via a global hash table mapping their address to
-their size and guard size. They're simply memory mappings and get mapped on
-allocation and then unmapped on free.
+their size and random guard size. They're simply memory mappings and get mapped
+on allocation and then unmapped on free. Large allocations are the only dynamic
+memory mappings made by the allocator, since the address space for allocator
+state (including both small / large allocation metadata) and slab allocations
+is statically reserved.
 
 This allocator is aimed at production usage, not aiding with finding and fixing
 memory corruption bugs for software development. It does find many latent bugs
@@ -268,6 +439,7 @@ was a bit less important and if a core goal was finding latent bugs.
 * Slab allocations are zeroed on free
 * Detection of write-after-free for slab allocations by verifying zero filling
   is intact at allocation time
+* Delayed free via a combination of FIFO and randomization for slab allocations
 * Large allocations are purged and memory protected on free with the memory
   mapping kept reserved in a quarantine to detect use-after-free
     * The quarantine is primarily based on a FIFO ring buffer, with the oldest
@@ -278,7 +450,6 @@ was a bit less important and if a core goal was finding latent bugs.
       of the quarantine
 * Memory in fresh allocations is consistently zeroed due to it either being
   fresh pages or zeroed on free after previous usage
-* Delayed free via a combination of FIFO and randomization for slab allocations
 * Random canaries placed after each slab allocation to *absorb*
   and then later detect overflows/underflows
     * High entropy per-slab random values
@@ -287,8 +458,9 @@ was a bit less important and if a core goal was finding latent bugs.
   size class regions interspersed with guard pages
 * Zero size allocations are a dedicated size class with the entire region
   remaining non-readable and non-writable
-* Extension for retrieving the size of allocations with fallback
-  to a sentinel for pointers not managed by the allocator
+* Extension for retrieving the size of allocations with fallback to a sentinel
+  for pointers not managed by the allocator [in-progress, full implementation
+  needs to be ported from the previous OpenBSD malloc-based allocator]
     * Can also return accurate values for pointers *within* small allocations
     * The same applies to pointers within the first page of large allocations,
       otherwise it currently has to return a sentinel
@@ -313,23 +485,24 @@ was a bit less important and if a core goal was finding latent bugs.
 
 The current implementation of random number generation for randomization-based
 mitigations is based on generating a keystream from a stream cipher (ChaCha8)
-in small chunks. A separate CSPRNG is used for each small size class, large
-allocations, etc. in order to fit into the existing fine-grained locking model
-without needing to waste memory per thread by having the CSPRNG state in Thread
-Local Storage. Similarly, it's protected via the same approach taken for the
-rest of the metadata. The stream cipher is regularly reseeded from the OS to
-provide backtracking and prediction resistance with a negligible cost. The
-reseed interval simply needs to be adjusted to the point that it stops
-registering as having any significant performance impact. The performance
-impact on recent Linux kernels is primarily from the high cost of system calls
-and locking since the implementation is quite efficient (ChaCha20), especially
-for just generating the key and nonce for another stream cipher (ChaCha8).
+in small chunks. Separate CSPRNGs are used for each small size class in each
+arena, large allocations and initialization in order to fit into the
+fine-grained locking model without needing to waste memory per thread by
+having the CSPRNG state in Thread Local Storage. Similarly, it's protected via
+the same approach taken for the rest of the metadata. The stream cipher is
+regularly reseeded from the OS to provide backtracking and prediction
+resistance with a negligible cost. The reseed interval simply needs to be
+adjusted to the point that it stops registering as having any significant
+performance impact. The performance impact on recent Linux kernels is
+primarily from the high cost of system calls and locking since the
+implementation is quite efficient (ChaCha20), especially for just generating
+the key and nonce for another stream cipher (ChaCha8).
 
 ChaCha8 is a great fit because it's extremely fast across platforms without
 relying on hardware support or complex platform-specific code. The security
 margins of ChaCha20 would be completely overkill for the use case. Using
 ChaCha8 avoids needing to resort to a non-cryptographically secure PRNG or
-something without a lot of scrunity. The current implementation is simply the
+something without a lot of scrutiny. The current implementation is simply the
 reference implementation of ChaCha8 converted into a pure keystream by ripping
 out the XOR of the message into the keystream.
 
@@ -423,10 +596,10 @@ retaining the isolation.
 
 | size class | worst case internal fragmentation | slab slots | slab size | internal fragmentation for slabs |
 | - | - | - | - | - |
-| 20480 | 20.0% | 2 | 40960 | 0.0% |
-| 24576 | 16.66% | 2 | 49152 | 0.0% |
-| 28672 | 14.28% | 2 | 57344 | 0.0% |
-| 32768 | 12.5% | 2 | 65536 | 0.0% |
+| 20480 | 20.0% | 1 | 20480 | 0.0% |
+| 24576 | 16.66% | 1 | 24576 | 0.0% |
+| 28672 | 14.28% | 1 | 28672 | 0.0% |
+| 32768 | 12.5% | 1 | 32768 | 0.0% |
 | 40960 | 20.0% | 1 | 40960 | 0.0% |
 | 49152 | 16.66% | 1 | 49152 | 0.0% |
 | 57344 | 14.28% | 1 | 57344 | 0.0% |
@@ -461,7 +634,7 @@ to finding the per-size-class metadata. The part that's still open to different
 design choices is how arenas are assigned to threads. One approach is
 statically assigning arenas via round-robin like the standard jemalloc
 implementation, or statically assigning to a random arena which is essentially
-the current implementation.  Another option is dynamic load balancing via a
+the current implementation. Another option is dynamic load balancing via a
 heuristic like `sched_getcpu` for per-CPU arenas, which would offer better
 performance than randomly choosing an arena each time while being more
 predictable for an attacker. There are actually some security benefits from
@@ -472,7 +645,7 @@ varying usage of size classes.
 When there's substantial allocation or deallocation pressure, the allocator
 does end up calling into the kernel to purge / protect unused slabs by
 replacing them with fresh `PROT_NONE` regions along with unprotecting slabs
-when partially filled and cached empty slabs are depleted.  There will be
+when partially filled and cached empty slabs are depleted. There will be
 configuration over the amount of cached empty slabs, but it's not entirely a
 performance vs. memory trade-off since memory protecting unused slabs is a nice
 opportunistic boost to security. However, it's not really part of the core
@@ -549,7 +722,7 @@ freeing as there would be if the kernel supported these features directly.
 ## Memory tagging
 
 Integrating extensive support for ARMv8.5 memory tagging is planned and this
-section will be expanded cover the details on the chosen design. The approach
+section will be expanded to cover the details on the chosen design. The approach
 for slab allocations is currently covered, but it can also be used for the
 allocator metadata region and large allocations.
 
@@ -587,38 +760,38 @@ reuse after a certain number of allocation cycles. Similarly to the initial tag
 generation, tag values for adjacent allocations will be skipped by incrementing
 past them.
 
-For example, consider this slab of allocations that are not yet used with 16
+For example, consider this slab of allocations that are not yet used with 15
 representing the tag for free memory. For the sake of simplicity, there will be
 no quarantine or other slabs for this example:
 
-    | 16 | 16 | 16 | 16 | 16 | 16 |
+    | 15 | 15 | 15 | 15 | 15 | 15 |
 
 Three slots are randomly chosen for allocations, with random tags assigned (2,
-15, 7) since these slots haven't ever been used and don't have saved values:
+7, 14) since these slots haven't ever been used and don't have saved values:
 
-    | 16 | 2  | 16 | 15 |  7 | 16 |
+    | 15 | 2  | 15 | 7  | 14 | 15 |
 
 The 2nd allocation slot is freed, and is set back to the tag for free memory
-(16), but with the previous tag value stored in the freed space:
+(15), but with the previous tag value stored in the freed space:
 
-    | 16 | 16 | 16 | 7  | 15 | 16 |
+    | 15 | 15 | 15 | 7  | 14 | 15 |
 
 The first slot is allocated for the first time, receiving the random value 3:
 
-    | 3  | 16 | 16 | 7  | 15 | 16 |
+    | 3  | 15 | 15 | 7  | 14 | 15 |
 
 The 2nd slot is randomly chosen again, so the previous tag (2) is retrieved and
 incremented to 3 as part of the use-after-free mitigation. An adjacent
 allocation already uses the tag 3, so the tag is further incremented to 4 (it
 would be incremented to 5 if one of the adjacent tags was 4):
 
-    | 3  | 4  | 16 | 7  | 15 | 16 |
+    | 3  | 4  | 15 | 7  | 14 | 15 |
 
-The last slot is randomly chosen for the next alocation, and is assigned the
-random value 15. However, it's placed next to an allocation with the tag 15 so
+The last slot is randomly chosen for the next allocation, and is assigned the
+random value 14. However, it's placed next to an allocation with the tag 14 so
 the tag is incremented and wraps around to 0:
 
-    | 3  | 4  | 16 | 7  | 15 | 0 |
+    | 3  | 4  | 15 | 7  | 14 | 0  |
 
 ## API extensions
 
@@ -647,6 +820,183 @@ this implementation, it retrieves an upper bound on the size for small memory
 allocations based on calculating the size class region. This function is safe
 to use from signal handlers already.
 
+## Stats
+
+If stats are enabled, hardened\_malloc keeps tracks allocator statistics in
+order to provide implementations of `mallinfo` and `malloc_info`.
+
+On Android, `mallinfo` is used for [mallinfo-based garbage collection
+triggering](https://developer.android.com/preview/features#mallinfo) so
+hardened\_malloc enables `CONFIG_STATS` by default. The `malloc_info`
+implementation on Android is the standard one in Bionic, with the information
+provided to Bionic via Android's internal extended `mallinfo` API with support
+for arenas and size class bins. This means the `malloc_info` output is fully
+compatible, including still having `jemalloc-1` as the version of the data
+format to retain compatibility with existing tooling.
+
+On non-Android Linux, `mallinfo` has zeroed fields even with `CONFIG_STATS`
+enabled because glibc `mallinfo` is inherently broken. It defines the fields as
+`int` instead of `size_t`, resulting in undefined signed overflows. It also
+misuses the fields and provides a strange, idiosyncratic set of values rather
+than following the SVID/XPG `mallinfo` definition. The `malloc_info` function
+is still provided, with a similar format as what Android uses, with tweaks for
+hardened\_malloc and the version set to `hardened_malloc-1`. The data format
+may be changed in the future.
+
+As an example, consider the following program from the hardened\_malloc tests:
+
+```c
+#include <pthread.h>
+
+#include <malloc.h>
+
+__attribute__((optimize(0)))
+void leak_memory(void) {
+    (void)malloc(1024 * 1024 * 1024);
+    (void)malloc(16);
+    (void)malloc(32);
+    (void)malloc(4096);
+}
+
+void *do_work(void *p) {
+    leak_memory();
+    return NULL;
+}
+
+int main(void) {
+    pthread_t thread[4];
+    for (int i = 0; i < 4; i++) {
+        pthread_create(&thread[i], NULL, do_work, NULL);
+    }
+    for (int i = 0; i < 4; i++) {
+        pthread_join(thread[i], NULL);
+    }
+
+    malloc_info(0, stdout);
+}
+```
+
+This produces the following output when piped through `xmllint --format -`:
+
+```xml
+<?xml version="1.0"?>
+<malloc version="hardened_malloc-1">
+  <heap nr="0">
+    <bin nr="2" size="32">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>32</allocated>
+    </bin>
+    <bin nr="3" size="48">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>48</allocated>
+    </bin>
+    <bin nr="13" size="320">
+      <nmalloc>4</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>20480</slab_allocated>
+      <allocated>1280</allocated>
+    </bin>
+    <bin nr="29" size="5120">
+      <nmalloc>2</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>40960</slab_allocated>
+      <allocated>10240</allocated>
+    </bin>
+    <bin nr="45" size="81920">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>81920</slab_allocated>
+      <allocated>81920</allocated>
+    </bin>
+  </heap>
+  <heap nr="1">
+    <bin nr="2" size="32">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>32</allocated>
+    </bin>
+    <bin nr="3" size="48">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>48</allocated>
+    </bin>
+    <bin nr="29" size="5120">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>40960</slab_allocated>
+      <allocated>5120</allocated>
+    </bin>
+  </heap>
+  <heap nr="2">
+    <bin nr="2" size="32">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>32</allocated>
+    </bin>
+    <bin nr="3" size="48">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>48</allocated>
+    </bin>
+    <bin nr="29" size="5120">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>40960</slab_allocated>
+      <allocated>5120</allocated>
+    </bin>
+  </heap>
+  <heap nr="3">
+    <bin nr="2" size="32">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>32</allocated>
+    </bin>
+    <bin nr="3" size="48">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>4096</slab_allocated>
+      <allocated>48</allocated>
+    </bin>
+    <bin nr="29" size="5120">
+      <nmalloc>1</nmalloc>
+      <ndalloc>0</ndalloc>
+      <slab_allocated>40960</slab_allocated>
+      <allocated>5120</allocated>
+    </bin>
+  </heap>
+  <heap nr="4">
+    <allocated_large>4294967296</allocated_large>
+  </heap>
+</malloc>
+```
+
+The heap entries correspond to the arenas. Unlike jemalloc, hardened\_malloc
+doesn't handle large allocations within the arenas, so it presents those in the
+`malloc_info` statistics as a separate arena dedicated to large allocations.
+For example, with 4 arenas enabled, there will be a 5th arena in the statistics
+for the large allocations.
+
+The `nmalloc` / `ndalloc` fields are 64-bit integers tracking allocation and
+deallocation count. These are defined as wrapping on overflow, per the jemalloc
+implementation.
+
+See the [section on size classes](#size-classes) to map the size class bin
+number to the corresponding size class. The bin index begins at 0, mapping to
+the 0 byte size class, followed by 1 for the 16 bytes, 2 for 32 bytes, etc. and
+large allocations are treated as one group.
+
+When stats aren't enabled, the `malloc_info` output will be an empty `malloc`
+element.
+
 ## System calls
 
 This is intended to aid with creating system call whitelists via seccomp-bpf
@@ -665,6 +1015,7 @@ System calls used by all build configurations:
 * `mremap(old, old_size, new_size, MREMAP_MAYMOVE|MREMAP_FIXED, new)`
 * `munmap`
 * `write(STDERR_FILENO, buf, len)` (before aborting due to memory corruption)
+* `madvise(ptr, size, MADV_DONTNEED)`
 
 The main distinction from a typical malloc implementation is the use of
 getrandom. A common compatibility issue is that existing system call whitelists
@@ -677,7 +1028,6 @@ Additional system calls when `CONFIG_SEAL_METADATA=true` is set:
 * `pkey_alloc`
 * `pkey_mprotect` instead of `mprotect` with an additional `pkey` parameter,
   but otherwise the same (regular `mprotect` is never called)
-* `uname` (to detect old buggy kernel versions)
 
 Additional system calls for Android builds with `LABEL_MEMORY`:
 

config/default.mk

@@ -0,0 +1,23 @@
+CONFIG_WERROR := true
+CONFIG_NATIVE := true
+CONFIG_CXX_ALLOCATOR := true
+CONFIG_UBSAN := false
+CONFIG_SEAL_METADATA := false
+CONFIG_ZERO_ON_FREE := true
+CONFIG_WRITE_AFTER_FREE_CHECK := true
+CONFIG_SLOT_RANDOMIZE := true
+CONFIG_SLAB_CANARY := true
+CONFIG_SLAB_QUARANTINE_RANDOM_LENGTH := 1
+CONFIG_SLAB_QUARANTINE_QUEUE_LENGTH := 1
+CONFIG_EXTENDED_SIZE_CLASSES := true
+CONFIG_LARGE_SIZE_CLASSES := true
+CONFIG_GUARD_SLABS_INTERVAL := 1
+CONFIG_GUARD_SIZE_DIVISOR := 2
+CONFIG_REGION_QUARANTINE_RANDOM_LENGTH := 256
+CONFIG_REGION_QUARANTINE_QUEUE_LENGTH := 1024
+CONFIG_REGION_QUARANTINE_SKIP_THRESHOLD := 33554432 # 32MiB
+CONFIG_FREE_SLABS_QUARANTINE_RANDOM_LENGTH := 32
+CONFIG_CLASS_REGION_SIZE := 34359738368 # 32GiB
+CONFIG_N_ARENA := 4
+CONFIG_STATS := false
+CONFIG_SELF_INIT := true

config/light.mk

@@ -0,0 +1,23 @@
+CONFIG_WERROR := true
+CONFIG_NATIVE := true
+CONFIG_CXX_ALLOCATOR := true
+CONFIG_UBSAN := false
+CONFIG_SEAL_METADATA := false
+CONFIG_ZERO_ON_FREE := true
+CONFIG_WRITE_AFTER_FREE_CHECK := false
+CONFIG_SLOT_RANDOMIZE := false
+CONFIG_SLAB_CANARY := true
+CONFIG_SLAB_QUARANTINE_RANDOM_LENGTH := 0
+CONFIG_SLAB_QUARANTINE_QUEUE_LENGTH := 0
+CONFIG_EXTENDED_SIZE_CLASSES := true
+CONFIG_LARGE_SIZE_CLASSES := true
+CONFIG_GUARD_SLABS_INTERVAL := 8
+CONFIG_GUARD_SIZE_DIVISOR := 2
+CONFIG_REGION_QUARANTINE_RANDOM_LENGTH := 256
+CONFIG_REGION_QUARANTINE_QUEUE_LENGTH := 1024
+CONFIG_REGION_QUARANTINE_SKIP_THRESHOLD := 33554432 # 32MiB
+CONFIG_FREE_SLABS_QUARANTINE_RANDOM_LENGTH := 32
+CONFIG_CLASS_REGION_SIZE := 34359738368 # 32GiB
+CONFIG_N_ARENA := 4
+CONFIG_STATS := false
+CONFIG_SELF_INIT := true

include/h_malloc.h

@@ -5,7 +5,9 @@
 
 #include <malloc.h>
 
-__BEGIN_DECLS
+#ifdef __cplusplus
+extern "C" {
+#endif
 
 #ifndef H_MALLOC_PREFIX
 #define h_malloc malloc
@@ -21,6 +23,7 @@ __BEGIN_DECLS
 #define h_malloc_trim malloc_trim
 #define h_malloc_stats malloc_stats
 #define h_mallinfo mallinfo
+#define h_mallinfo2 mallinfo2
 #define h_malloc_info malloc_info
 
 #define h_memalign memalign
@@ -30,7 +33,12 @@ __BEGIN_DECLS
 #define h_malloc_get_state malloc_get_state
 #define h_malloc_set_state malloc_set_state
 
-#define h_iterate iterate
+#define h_mallinfo_narenas mallinfo_narenas
+#define h_mallinfo_nbins mallinfo_nbins
+#define h_mallinfo_arena_info mallinfo_arena_info
+#define h_mallinfo_bin_info mallinfo_bin_info
+
+#define h_malloc_iterate malloc_iterate
 #define h_malloc_disable malloc_disable
 #define h_malloc_enable malloc_enable
 
@@ -40,9 +48,10 @@ __BEGIN_DECLS
 #endif
 
 // C standard
-void *h_malloc(size_t size);
-void *h_calloc(size_t nmemb, size_t size);
-void *h_realloc(void *ptr, size_t size);
+__attribute__((malloc)) __attribute__((alloc_size(1))) void *h_malloc(size_t size);
+__attribute__((malloc)) __attribute__((alloc_size(1, 2))) void *h_calloc(size_t nmemb, size_t size);
+__attribute__((alloc_size(2))) void *h_realloc(void *ptr, size_t size);
+__attribute__((malloc)) __attribute__((alloc_size(2))) __attribute__((alloc_align(1)))
 void *h_aligned_alloc(size_t alignment, size_t size);
 void h_free(void *ptr);
 
@@ -68,10 +77,11 @@ int h_malloc_info(int options, FILE *fp);
 #endif
 
 // obsolete glibc extensions
+__attribute__((malloc)) __attribute__((alloc_size(2))) __attribute__((alloc_align(1)))
 void *h_memalign(size_t alignment, size_t size);
 #ifndef __ANDROID__
-void *h_valloc(size_t size);
-void *h_pvalloc(size_t size);
+__attribute__((malloc)) __attribute__((alloc_size(1))) void *h_valloc(size_t size);
+__attribute__((malloc)) void *h_pvalloc(size_t size);
 #endif
 #ifdef __GLIBC__
 void h_cfree(void *ptr) __THROW;
@@ -81,11 +91,11 @@ int h_malloc_set_state(void *state);
 
 // Android extensions
 #ifdef __ANDROID__
-size_t __mallinfo_narenas(void);
-size_t __mallinfo_nbins(void);
-struct mallinfo __mallinfo_arena_info(size_t arena);
-struct mallinfo __mallinfo_bin_info(size_t arena, size_t bin);
-int h_iterate(uintptr_t base, size_t size, void (*callback)(uintptr_t ptr, size_t size, void *arg),
+size_t h_mallinfo_narenas(void);
+size_t h_mallinfo_nbins(void);
+struct mallinfo h_mallinfo_arena_info(size_t arena);
+struct mallinfo h_mallinfo_bin_info(size_t arena, size_t bin);
+int h_malloc_iterate(uintptr_t base, size_t size, void (*callback)(uintptr_t ptr, size_t size, void *arg),
               void *arg);
 void h_malloc_disable(void);
 void h_malloc_enable(void);
@@ -94,10 +104,10 @@ void h_malloc_enable(void);
 // hardened_malloc extensions
 
 // return an upper bound on object size for any pointer based on malloc metadata
-size_t h_malloc_object_size(void *ptr);
+size_t h_malloc_object_size(const void *ptr);
 
 // similar to malloc_object_size, but avoiding locking so the results are much more limited
-size_t h_malloc_object_size_fast(void *ptr);
+size_t h_malloc_object_size_fast(const void *ptr);
 
 // The free function with an extra parameter for passing the size requested at
 // allocation time.
@@ -111,6 +121,8 @@ size_t h_malloc_object_size_fast(void *ptr);
 // passed size matches the allocated size.
 void h_free_sized(void *ptr, size_t expected_size);
 
-__END_DECLS
+#ifdef __cplusplus
+}
+#endif
 
 #endif

memory.c

@@ -1,7 +1,10 @@
 #include <errno.h>
 
 #include <sys/mman.h>
+
+#ifdef LABEL_MEMORY
 #include <sys/prctl.h>
+#endif
 
 #ifndef PR_SET_VMA
 #define PR_SET_VMA 0x53564d41
@@ -25,30 +28,28 @@ void *memory_map(size_t size) {
     return p;
 }
 
-int memory_map_fixed(void *ptr, size_t size) {
+bool memory_map_fixed(void *ptr, size_t size) {
     void *p = mmap(ptr, size, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1, 0);
-    if (unlikely(p == MAP_FAILED)) {
-        if (errno != ENOMEM) {
-            fatal_error("non-ENOMEM MAP_FIXED mmap failure");
-        }
-        return 1;
+    bool ret = p == MAP_FAILED;
+    if (unlikely(ret) && errno != ENOMEM) {
+        fatal_error("non-ENOMEM MAP_FIXED mmap failure");
     }
-    return 0;
+    return ret;
 }
 
-int memory_unmap(void *ptr, size_t size) {
-    int ret = munmap(ptr, size);
+bool memory_unmap(void *ptr, size_t size) {
+    bool ret = munmap(ptr, size);
     if (unlikely(ret) && errno != ENOMEM) {
         fatal_error("non-ENOMEM munmap failure");
     }
     return ret;
 }
 
-static int memory_protect_prot(void *ptr, size_t size, int prot, UNUSED int pkey) {
+static bool memory_protect_prot(void *ptr, size_t size, int prot, UNUSED int pkey) {
 #ifdef USE_PKEY
-    int ret = pkey_mprotect(ptr, size, prot, pkey);
+    bool ret = pkey_mprotect(ptr, size, prot, pkey);
 #else
-    int ret = mprotect(ptr, size, prot);
+    bool ret = mprotect(ptr, size, prot);
 #endif
     if (unlikely(ret) && errno != ENOMEM) {
         fatal_error("non-ENOMEM mprotect failure");
@@ -56,42 +57,50 @@ static int memory_protect_prot(void *ptr, size_t size, int prot, UNUSED int pkey
     return ret;
 }
 
-int memory_protect_ro(void *ptr, size_t size) {
+bool memory_protect_ro(void *ptr, size_t size) {
     return memory_protect_prot(ptr, size, PROT_READ, -1);
 }
 
-int memory_protect_rw(void *ptr, size_t size) {
+bool memory_protect_rw(void *ptr, size_t size) {
     return memory_protect_prot(ptr, size, PROT_READ|PROT_WRITE, -1);
 }
 
-int memory_protect_rw_metadata(void *ptr, size_t size) {
+bool memory_protect_rw_metadata(void *ptr, size_t size) {
     return memory_protect_prot(ptr, size, PROT_READ|PROT_WRITE, get_metadata_key());
 }
 
-int memory_remap(void *old, size_t old_size, size_t new_size) {
+#ifdef HAVE_COMPATIBLE_MREMAP
+bool memory_remap(void *old, size_t old_size, size_t new_size) {
     void *ptr = mremap(old, old_size, new_size, 0);
-    if (unlikely(ptr == MAP_FAILED)) {
-        if (errno != ENOMEM) {
-            fatal_error("non-ENOMEM mremap failure");
-        }
-        return 1;
+    bool ret = ptr == MAP_FAILED;
+    if (unlikely(ret) && errno != ENOMEM) {
+        fatal_error("non-ENOMEM mremap failure");
     }
-    return 0;
+    return ret;
 }
 
-int memory_remap_fixed(void *old, size_t old_size, void *new, size_t new_size) {
+bool memory_remap_fixed(void *old, size_t old_size, void *new, size_t new_size) {
     void *ptr = mremap(old, old_size, new_size, MREMAP_MAYMOVE|MREMAP_FIXED, new);
-    if (unlikely(ptr == MAP_FAILED)) {
-        if (errno != ENOMEM) {
-            fatal_error("non-ENOMEM MREMAP_FIXED mremap failure");
-        }
-        return 1;
+    bool ret = ptr == MAP_FAILED;
+    if (unlikely(ret) && errno != ENOMEM) {
+        fatal_error("non-ENOMEM MREMAP_FIXED mremap failure");
     }
-    return 0;
+    return ret;
+}
+#endif
+
+bool memory_purge(void *ptr, size_t size) {
+    int ret = madvise(ptr, size, MADV_DONTNEED);
+    if (unlikely(ret) && errno != ENOMEM) {
+        fatal_error("non-ENOMEM MADV_DONTNEED madvise failure");
+    }
+    return ret;
 }
 
-void memory_set_name(UNUSED void *ptr, UNUSED size_t size, UNUSED const char *name) {
+bool memory_set_name(UNUSED void *ptr, UNUSED size_t size, UNUSED const char *name) {
 #ifdef LABEL_MEMORY
-    prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ptr, size, name);
+    return prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ptr, size, name);
+#else
+    return false;
 #endif
 }

memory.h

@@ -1,18 +1,26 @@
 #ifndef MEMORY_H
 #define MEMORY_H
 
+#include <stdbool.h>
 #include <stddef.h>
 
+#ifdef __linux__
+#define HAVE_COMPATIBLE_MREMAP
+#endif
+
 int get_metadata_key(void);
 
 void *memory_map(size_t size);
-int memory_map_fixed(void *ptr, size_t size);
-int memory_unmap(void *ptr, size_t size);
-int memory_protect_ro(void *ptr, size_t size);
-int memory_protect_rw(void *ptr, size_t size);
-int memory_protect_rw_metadata(void *ptr, size_t size);
-int memory_remap(void *old, size_t old_size, size_t new_size);
-int memory_remap_fixed(void *old, size_t old_size, void *new, size_t new_size);
-void memory_set_name(void *ptr, size_t size, const char *name);
+bool memory_map_fixed(void *ptr, size_t size);
+bool memory_unmap(void *ptr, size_t size);
+bool memory_protect_ro(void *ptr, size_t size);
+bool memory_protect_rw(void *ptr, size_t size);
+bool memory_protect_rw_metadata(void *ptr, size_t size);
+#ifdef HAVE_COMPATIBLE_MREMAP
+bool memory_remap(void *old, size_t old_size, size_t new_size);
+bool memory_remap_fixed(void *old, size_t old_size, void *new, size_t new_size);
+#endif
+bool memory_purge(void *ptr, size_t size);
+bool memory_set_name(void *ptr, size_t size, const char *name);
 
 #endif

new.cc

@@ -1,7 +1,9 @@
+// needed with libstdc++ but not libc++
+#if __has_include(<bits/functexcept.h>)
 #include <bits/functexcept.h>
-#include <new>
+#endif
 
-#define noreturn
+#include <new>
 
 #include "h_malloc.h"
 #include "util.h"
@@ -78,7 +80,6 @@ EXPORT void operator delete[](void *ptr, size_t size) noexcept {
     h_free_sized(ptr, size);
 }
 
-#if __cplusplus >= 201703L
 COLD static void *handle_out_of_memory(size_t size, size_t alignment, bool nothrow) {
     void *ptr = nullptr;
 
@@ -150,4 +151,3 @@ EXPORT void operator delete(void *ptr, size_t size, std::align_val_t) noexcept {
 EXPORT void operator delete[](void *ptr, size_t size, std::align_val_t) noexcept {
     h_free_sized(ptr, size);
 }
-#endif

pages.c

@@ -9,10 +9,6 @@ static bool add_guards(size_t size, size_t guard_size, size_t *total_size) {
         __builtin_add_overflow(*total_size, guard_size, total_size);
 }
 
-static uintptr_t alignment_ceiling(uintptr_t s, uintptr_t alignment) {
-    return ((s) + (alignment - 1)) & ((~alignment) + 1);
-}
-
 void *allocate_pages(size_t usable_size, size_t guard_size, bool unprotect, const char *name) {
     size_t real_size;
     if (unlikely(add_guards(usable_size, guard_size, &real_size))) {
@@ -33,7 +29,7 @@ void *allocate_pages(size_t usable_size, size_t guard_size, bool unprotect, cons
 }
 
 void *allocate_pages_aligned(size_t usable_size, size_t alignment, size_t guard_size, const char *name) {
-    usable_size = PAGE_CEILING(usable_size);
+    usable_size = page_align(usable_size);
     if (unlikely(!usable_size)) {
         errno = ENOMEM;
         return NULL;
@@ -59,7 +55,7 @@ void *allocate_pages_aligned(size_t usable_size, size_t alignment, size_t guard_
 
     void *usable = (char *)real + guard_size;
 
-    size_t lead_size = alignment_ceiling((uintptr_t)usable, alignment) - (uintptr_t)usable;
+    size_t lead_size = align((uintptr_t)usable, alignment) - (uintptr_t)usable;
     size_t trail_size = alloc_size - lead_size - usable_size;
     void *base = (char *)usable + lead_size;
 
@@ -86,5 +82,7 @@ void *allocate_pages_aligned(size_t usable_size, size_t alignment, size_t guard_
 }
 
 void deallocate_pages(void *usable, size_t usable_size, size_t guard_size) {
-    memory_unmap((char *)usable - guard_size, usable_size + guard_size * 2);
+    if (unlikely(memory_unmap((char *)usable - guard_size, usable_size + guard_size * 2))) {
+        memory_purge(usable, usable_size);
+    }
 }

pages.h

@@ -5,16 +5,21 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include "util.h"
+
 #define PAGE_SHIFT 12
 #ifndef PAGE_SIZE
 #define PAGE_SIZE ((size_t)1 << PAGE_SHIFT)
 #endif
-#define PAGE_CEILING(s) (((s) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
 
 void *allocate_pages(size_t usable_size, size_t guard_size, bool unprotect, const char *name);
 void *allocate_pages_aligned(size_t usable_size, size_t alignment, size_t guard_size, const char *name);
 void deallocate_pages(void *usable, size_t usable_size, size_t guard_size);
 
+static inline size_t page_align(size_t size) {
+    return align(size, PAGE_SIZE);
+}
+
 static inline size_t hash_page(const void *p) {
     uintptr_t u = (uintptr_t)p >> PAGE_SHIFT;
     size_t sum = u;

random.c

@@ -5,17 +5,7 @@
 #include "random.h"
 #include "util.h"
 
-#if __has_include(<sys/random.h>)
-// glibc 2.25 and later
 #include <sys/random.h>
-#else
-#include <unistd.h>
-#include <sys/syscall.h>
-
-static ssize_t getrandom(void *buf, size_t buflen, unsigned int flags) {
-    return syscall(SYS_getrandom, buf, buflen, flags);
-}
-#endif
 
 static void get_random_seed(void *buf, size_t size) {
     while (size) {
@@ -102,7 +92,7 @@ u16 get_random_u16_uniform(struct random_state *state, u16 bound) {
     if (leftover < bound) {
         u16 threshold = -bound % bound;
         while (leftover < threshold) {
-            random =  get_random_u16(state);
+            random = get_random_u16(state);
             multiresult = random * bound;
             leftover = (u16)multiresult;
         }
@@ -129,7 +119,7 @@ u64 get_random_u64_uniform(struct random_state *state, u64 bound) {
     if (leftover < bound) {
         u64 threshold = -bound % bound;
         while (leftover < threshold) {
-            random =  get_random_u64(state);
+            random = get_random_u64(state);
             multiresult = random * bound;
             leftover = multiresult;
         }

test/.gitignore

@@ -1,4 +1,44 @@
 large_array_growth
 mallinfo
+mallinfo2
 malloc_info
 offset
+delete_type_size_mismatch
+double_free_large
+double_free_large_delayed
+double_free_small
+double_free_small_delayed
+invalid_free_protected
+invalid_free_small_region
+invalid_free_small_region_far
+invalid_free_unprotected
+read_after_free_large
+read_after_free_small
+read_zero_size
+string_overflow
+unaligned_free_large
+unaligned_free_small
+uninitialized_free
+uninitialized_malloc_usable_size
+uninitialized_realloc
+write_after_free_large
+write_after_free_large_reuse
+write_after_free_small
+write_after_free_small_reuse
+write_zero_size
+unaligned_malloc_usable_size_small
+invalid_malloc_usable_size_small
+invalid_malloc_usable_size_small_quarantine
+malloc_object_size
+malloc_object_size_offset
+invalid_malloc_object_size_small
+invalid_malloc_object_size_small_quarantine
+impossibly_large_malloc
+overflow_large_1_byte
+overflow_large_8_byte
+overflow_small_1_byte
+overflow_small_8_byte
+uninitialized_read_large
+uninitialized_read_small
+realloc_init
+__pycache__/

test/Makefile

@@ -1,23 +1,76 @@
 CONFIG_SLAB_CANARY := true
 CONFIG_EXTENDED_SIZE_CLASSES := true
 
+ifneq ($(VARIANT),)
+    $(error testing non-default variants not yet supported)
+endif
+
 ifeq (,$(filter $(CONFIG_SLAB_CANARY),true false))
     $(error CONFIG_SLAB_CANARY must be true or false)
 endif
 
-LDLIBS := -lpthread
+dir=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
 
-CPPFLAGS += \
+CPPFLAGS := \
+    -D_GNU_SOURCE \
     -DSLAB_CANARY=$(CONFIG_SLAB_CANARY) \
     -DCONFIG_EXTENDED_SIZE_CLASSES=$(CONFIG_EXTENDED_SIZE_CLASSES)
 
+SHARED_FLAGS := -O3
+
+CFLAGS := -std=c17 $(SHARED_FLAGS) -Wmissing-prototypes
+CXXFLAGS := -std=c++17 -fsized-deallocation $(SHARED_FLAGS)
+LDFLAGS := -Wl,-L$(dir)../out,-R,$(dir)../out
+
+LDLIBS := -lpthread -lhardened_malloc
+
 EXECUTABLES := \
     offset \
     mallinfo \
+    mallinfo2 \
     malloc_info \
-    large_array_growth
+    large_array_growth \
+    double_free_large \
+    double_free_large_delayed \
+    double_free_small \
+    double_free_small_delayed \
+    unaligned_free_large \
+    unaligned_free_small \
+    read_after_free_large \
+    read_after_free_small \
+    write_after_free_large \
+    write_after_free_large_reuse \
+    write_after_free_small \
+    write_after_free_small_reuse \
+    read_zero_size \
+    write_zero_size \
+    invalid_free_protected \
+    invalid_free_unprotected \
+    invalid_free_small_region \
+    invalid_free_small_region_far \
+    uninitialized_read_small \
+    uninitialized_read_large \
+    uninitialized_free \
+    uninitialized_realloc \
+    uninitialized_malloc_usable_size \
+    overflow_large_1_byte \
+    overflow_large_8_byte \
+    overflow_small_1_byte \
+    overflow_small_8_byte \
+    string_overflow \
+    delete_type_size_mismatch \
+    unaligned_malloc_usable_size_small \
+    invalid_malloc_usable_size_small \
+    invalid_malloc_usable_size_small_quarantine \
+    malloc_object_size \
+    malloc_object_size_offset \
+    invalid_malloc_object_size_small \
+    invalid_malloc_object_size_small_quarantine \
+    impossibly_large_malloc \
+    realloc_init
 
 all: $(EXECUTABLES)
 
 clean:
 	rm -f $(EXECUTABLES)
+	rm -fr ./__pycache__

test/delete_type_size_mismatch.cc

@@ -1,11 +1,12 @@
 #include <stdint.h>
 
+#include "test_util.h"
+
 struct foo {
     uint64_t a, b, c, d;
 };
 
-__attribute__((optimize(0)))
-int main(void) {
+OPTNONE int main(void) {
     void *p = new char;
     struct foo *c = (struct foo *)p;
     delete c;

test/double_free_large.c

@@ -1,8 +1,9 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
-    void *p = malloc(128 * 1024);
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    void *p = malloc(256 * 1024);
     if (!p) {
         return 1;
     }

test/double_free_large_delayed.c

@@ -1,12 +1,13 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
-    void *p = malloc(128 * 1024);
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    void *p = malloc(256 * 1024);
     if (!p) {
         return 1;
     }
-    void *q = malloc(128 * 1024);
+    void *q = malloc(256 * 1024);
     if (!q) {
         return 1;
     }

test/double_free_small.c

@@ -1,7 +1,8 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     void *p = malloc(16);
     if (!p) {
         return 1;

test/double_free_small_delayed.c

@@ -1,7 +1,8 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     void *p = malloc(16);
     if (!p) {
         return 1;

test/impossibly_large_malloc.c

@@ -0,0 +1,8 @@
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(-8);
+    return !(p == NULL);
+}

test/invalid_free_protected.c

@@ -2,8 +2,9 @@
 
 #include <sys/mman.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     free(malloc(16));
     char *p = mmap(NULL, 4096 * 16, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
     if (p == MAP_FAILED) {

test/invalid_free_small_region.c

@@ -1,7 +1,8 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(16);
     if (!p) {
         return 1;

test/invalid_free_small_region_far.c

@@ -1,7 +1,8 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(16);
     if (!p) {
         return 1;

test/invalid_free_unprotected.c

@@ -2,8 +2,9 @@
 
 #include <sys/mman.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     free(malloc(16));
     char *p = mmap(NULL, 4096 * 16, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
     if (p == MAP_FAILED) {

test/invalid_malloc_object_size_small.c

@@ -0,0 +1,15 @@
+#include <stdlib.h>
+
+#include "test_util.h"
+
+size_t malloc_object_size(void *ptr);
+
+OPTNONE int main(void) {
+    char *p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+    char *q = p + 4096 * 4;
+    malloc_object_size(q);
+    return 0;
+}

test/invalid_malloc_object_size_small_quarantine.c

@@ -0,0 +1,15 @@
+#include <stdlib.h>
+
+#include "test_util.h"
+
+size_t malloc_object_size(void *ptr);
+
+OPTNONE int main(void) {
+    void *p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+    free(p);
+    malloc_object_size(p);
+    return 0;
+}

test/invalid_malloc_usable_size_small.c

@@ -0,0 +1,13 @@
+#include <malloc.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+    char *q = p + 4096 * 4;
+    malloc_usable_size(q);
+    return 0;
+}

test/invalid_malloc_usable_size_small_quarantine.c

@@ -0,0 +1,13 @@
+#include <malloc.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    void *p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+    free(p);
+    malloc_usable_size(p);
+    return 0;
+}

test/large_array_growth.c

@@ -1,8 +1,9 @@
 #include <stdlib.h>
 #include <string.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     void *p = NULL;
     size_t size = 256 * 1024;
 

test/mallinfo.c

@@ -1,21 +1,44 @@
+#include <stdlib.h>
+#include <stdio.h>
+
+#if defined(__GLIBC__) || defined(__ANDROID__)
 #include <malloc.h>
+#endif
 
-__attribute__((optimize(0)))
-int main(void) {
-    malloc(1024 * 1024 * 1024);
-    malloc(16);
-    malloc(32);
-    malloc(64);
+#include "test_util.h"
 
+static void print_mallinfo(void) {
+#if defined(__GLIBC__) || defined(__ANDROID__)
     struct mallinfo info = mallinfo();
-    printf("arena: %zu\n", info.arena);
-    printf("ordblks: %zu\n", info.ordblks);
-    printf("smblks: %zu\n", info.smblks);
-    printf("hblks: %zu\n", info.hblks);
-    printf("hblkhd: %zu\n", info.hblkhd);
-    printf("usmblks: %zu\n", info.usmblks);
-    printf("fsmblks: %zu\n", info.fsmblks);
-    printf("uordblks: %zu\n", info.uordblks);
-    printf("fordblks: %zu\n", info.fordblks);
-    printf("keepcost: %zu\n", info.keepcost);
+    printf("mallinfo:\n");
+    printf("arena: %zu\n", (size_t)info.arena);
+    printf("ordblks: %zu\n", (size_t)info.ordblks);
+    printf("smblks: %zu\n", (size_t)info.smblks);
+    printf("hblks: %zu\n", (size_t)info.hblks);
+    printf("hblkhd: %zu\n", (size_t)info.hblkhd);
+    printf("usmblks: %zu\n", (size_t)info.usmblks);
+    printf("fsmblks: %zu\n", (size_t)info.fsmblks);
+    printf("uordblks: %zu\n", (size_t)info.uordblks);
+    printf("fordblks: %zu\n", (size_t)info.fordblks);
+    printf("keepcost: %zu\n", (size_t)info.keepcost);
+#endif
+}
+
+OPTNONE int main(void) {
+    void *a[4];
+
+    a[0] = malloc(1024 * 1024 * 1024);
+    a[1] = malloc(16);
+    a[2] = malloc(32);
+    a[3] = malloc(64);
+
+    print_mallinfo();
+
+    free(a[0]);
+    free(a[1]);
+    free(a[2]);
+    free(a[3]);
+
+    printf("\n");
+    print_mallinfo();
 }

test/mallinfo2.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(__GLIBC__)
+#include <malloc.h>
+#endif
+
+#include "test_util.h"
+
+static void print_mallinfo2(void) {
+#if defined(__GLIBC__)
+    struct mallinfo2 info = mallinfo2();
+    printf("mallinfo2:\n");
+    printf("arena: %zu\n", (size_t)info.arena);
+    printf("ordblks: %zu\n", (size_t)info.ordblks);
+    printf("smblks: %zu\n", (size_t)info.smblks);
+    printf("hblks: %zu\n", (size_t)info.hblks);
+    printf("hblkhd: %zu\n", (size_t)info.hblkhd);
+    printf("usmblks: %zu\n", (size_t)info.usmblks);
+    printf("fsmblks: %zu\n", (size_t)info.fsmblks);
+    printf("uordblks: %zu\n", (size_t)info.uordblks);
+    printf("fordblks: %zu\n", (size_t)info.fordblks);
+    printf("keepcost: %zu\n", (size_t)info.keepcost);
+#endif
+}
+
+OPTNONE int main(void) {
+    void *a[4];
+
+    a[0] = malloc(1024 * 1024 * 1024);
+    a[1] = malloc(16);
+    a[2] = malloc(32);
+    a[3] = malloc(64);
+
+    print_mallinfo2();
+
+    free(a[0]);
+    free(a[1]);
+    free(a[2]);
+    free(a[3]);
+
+    printf("\n");
+    print_mallinfo2();
+}

test/malloc_info.c

@@ -1,16 +1,21 @@
 #include <pthread.h>
+#include <stdio.h>
 
+#if defined(__GLIBC__) || defined(__ANDROID__)
 #include <malloc.h>
+#endif
 
-__attribute__((optimize(0)))
-void leak_memory(void) {
-    (void)malloc(1024 * 1024 * 1024);
-    (void)malloc(16);
-    (void)malloc(32);
-    (void)malloc(4096);
+#include "test_util.h"
+#include "../util.h"
+
+OPTNONE static void leak_memory(void) {
+    (void)!malloc(1024 * 1024 * 1024);
+    (void)!malloc(16);
+    (void)!malloc(32);
+    (void)!malloc(4096);
 }
 
-void *do_work(void *p) {
+static void *do_work(UNUSED void *p) {
     leak_memory();
     return NULL;
 }
@@ -24,5 +29,7 @@ int main(void) {
         pthread_join(thread[i], NULL);
     }
 
+#if defined(__GLIBC__) || defined(__ANDROID__)
     malloc_info(0, stdout);
+#endif
 }

test/malloc_object_size.c

@@ -0,0 +1,12 @@
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+size_t malloc_object_size(void *ptr);
+
+OPTNONE int main(void) {
+    char *p = malloc(16);
+    size_t size = malloc_object_size(p);
+    return size != (SLAB_CANARY ? 24 : 32);
+}

test/malloc_object_size_offset.c

@@ -0,0 +1,12 @@
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+size_t malloc_object_size(void *ptr);
+
+OPTNONE int main(void) {
+    char *p = malloc(16);
+    size_t size = malloc_object_size(p + 5);
+    return size != (SLAB_CANARY ? 19 : 27);
+}

test/offset.c

@@ -3,7 +3,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-static unsigned size_classes[] = {
+static size_t size_classes[] = {
     /* large */ 4 * 1024 * 1024,
     /* 0 */ 0,
     /* 16 */ 16, 32, 48, 64, 80, 96, 112, 128,
@@ -32,9 +32,9 @@ int main(void) {
 
     void *p[N_SIZE_CLASSES];
     for (unsigned i = 0; i < N_SIZE_CLASSES; i++) {
-        unsigned size = size_classes[i];
+        size_t size = size_classes[i];
         p[i] = malloc(size);
-        if (!p) {
+        if (!p[i]) {
             return 1;
         }
         void *q = malloc(size);

test/overflow_large_1_byte.c

@@ -0,0 +1,15 @@
+#include <malloc.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(256 * 1024);
+    if (!p) {
+        return 1;
+    }
+    size_t size = malloc_usable_size(p);
+    *(p + size) = 0;
+    free(p);
+    return 0;
+}

test/overflow_large_8_byte.c

@@ -0,0 +1,15 @@
+#include <malloc.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(256 * 1024);
+    if (!p) {
+        return 1;
+    }
+    size_t size = malloc_usable_size(p);
+    *(p + size + 7) = 0;
+    free(p);
+    return 0;
+}

test/overflow_small_1_byte.c

@@ -0,0 +1,15 @@
+#include <malloc.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(8);
+    if (!p) {
+        return 1;
+    }
+    size_t size = malloc_usable_size(p);
+    *(p + size) = 1;
+    free(p);
+    return 0;
+}

test/overflow_small_8_byte.c

@@ -0,0 +1,16 @@
+#include <malloc.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(8);
+    if (!p) {
+        return 1;
+    }
+    size_t size = malloc_usable_size(p);
+    // XOR is used to avoid the test having a 1/256 chance to fail
+    *(p + size + 7) ^= 1;
+    free(p);
+    return 0;
+}

test/read_after_free_large.c

@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(256 * 1024);
+    if (!p) {
+        return 1;
+    }
+    memset(p, 'a', 16);
+    free(p);
+    for (size_t i = 0; i < 256 * 1024; i++) {
+        printf("%x\n", p[i]);
+        if (p[i] != '\0') {
+            return 1;
+        }
+    }
+    return 0;
+}

test/read_after_free_small.c

@@ -2,8 +2,9 @@
 #include <stdlib.h>
 #include <string.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(16);
     if (!p) {
         return 1;
@@ -12,6 +13,9 @@ int main(void) {
     free(p);
     for (size_t i = 0; i < 16; i++) {
         printf("%x\n", p[i]);
+        if (p[i] != '\0') {
+            return 1;
+        }
     }
     return 0;
 }

test/read_zero_size.c

@@ -1,8 +1,9 @@
 #include <stdlib.h>
 #include <stdio.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(0);
     if (!p) {
         return 1;

test/realloc_init.c

@@ -0,0 +1,33 @@
+#include <pthread.h>
+#include <stdlib.h>
+
+static void *thread_func(void *arg) {
+    arg = realloc(arg, 1024);
+    if (!arg) {
+        exit(EXIT_FAILURE);
+    }
+
+    free(arg);
+
+    return NULL;
+}
+
+int main(void) {
+    void *mem = realloc(NULL, 12);
+    if (!mem) {
+        return EXIT_FAILURE;
+    }
+
+    pthread_t thread;
+    int r = pthread_create(&thread, NULL, thread_func, mem);
+    if (r != 0) {
+        return EXIT_FAILURE;
+    }
+
+    r = pthread_join(thread, NULL);
+    if (r != 0) {
+        return EXIT_FAILURE;
+    }
+
+    return EXIT_SUCCESS;
+}

test/simple-memory-corruption/.gitignore

@@ -1,25 +0,0 @@
-delete_type_size_mismatch
-double_free_large
-double_free_large_delayed
-double_free_small
-double_free_small_delayed
-eight_byte_overflow_large
-eight_byte_overflow_small
-invalid_free_protected
-invalid_free_small_region
-invalid_free_small_region_far
-invalid_free_unprotected
-read_after_free_large
-read_after_free_small
-read_zero_size
-string_overflow
-unaligned_free_large
-unaligned_free_small
-uninitialized_free
-uninitialized_malloc_usable_size
-uninitialized_realloc
-write_after_free_large
-write_after_free_large_reuse
-write_after_free_small
-write_after_free_small_reuse
-write_zero_size

test/simple-memory-corruption/Makefile

@@ -1,31 +0,0 @@
-EXECUTABLES := \
-    double_free_large \
-    double_free_large_delayed \
-    double_free_small \
-    double_free_small_delayed \
-    unaligned_free_large \
-    unaligned_free_small \
-    read_after_free_large \
-    read_after_free_small \
-    write_after_free_large \
-    write_after_free_large_reuse \
-    write_after_free_small \
-    write_after_free_small_reuse \
-    read_zero_size \
-    write_zero_size \
-    invalid_free_protected \
-    invalid_free_unprotected \
-    invalid_free_small_region \
-    invalid_free_small_region_far \
-    uninitialized_free \
-    uninitialized_realloc \
-    uninitialized_malloc_usable_size \
-    eight_byte_overflow_small \
-    eight_byte_overflow_large \
-    string_overflow \
-    delete_type_size_mismatch
-
-all: $(EXECUTABLES)
-
-clean:
-	rm -f $(EXECUTABLES)

test/simple-memory-corruption/eight_byte_overflow_large.c

@@ -1,12 +0,0 @@
-#include <stdlib.h>
-
-__attribute__((optimize(0)))
-int main(void) {
-    char *p = malloc(128 * 1024);
-    if (!p) {
-        return 1;
-    }
-    *(p + 128 * 1024 + 7) = 0;
-    free(p);
-    return 0;
-}

test/simple-memory-corruption/eight_byte_overflow_small.c

@@ -1,12 +0,0 @@
-#include <stdlib.h>
-
-__attribute__((optimize(0)))
-int main(void) {
-    char *p = malloc(8);
-    if (!p) {
-        return 1;
-    }
-    *(p + 8 + 7) = 0;
-    free(p);
-    return 0;
-}

test/simple-memory-corruption/read_after_free_large.c

@@ -1,17 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-__attribute__((optimize(0)))
-int main(void) {
-    char *p = malloc(128 * 1024);
-    if (!p) {
-        return 1;
-    }
-    memset(p, 'a', 16);
-    free(p);
-    for (size_t i = 0; i < 128 * 1024; i++) {
-        printf("%x\n", p[i]);
-    }
-    return 0;
-}

test/simple-memory-corruption/write_after_free_large_reuse.c

@@ -1,14 +0,0 @@
-#include <stdlib.h>
-#include <string.h>
-
-__attribute__((optimize(0)))
-int main(void) {
-    char *p = malloc(128 * 1024);
-    if (!p) {
-        return 1;
-    }
-    free(p);
-    char *q = malloc(128 * 1024);
-    p[64 * 1024 + 1] = 'a';
-    return 0;
-}

test/string_overflow.c

@@ -4,8 +4,9 @@
 
 #include <malloc.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(16);
     if (!p) {
         return 1;

test/test_smc.py

@@ -0,0 +1,242 @@
+import os
+import subprocess
+import unittest
+
+
+class TestSimpleMemoryCorruption(unittest.TestCase):
+
+    @classmethod
+    def setUpClass(self):
+        self.dir = os.path.dirname(os.path.realpath(__file__))
+
+    def run_test(self, test_name):
+        sub = subprocess.Popen(self.dir + "/" + test_name,
+                               stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        stdout, stderr = sub.communicate()
+        return stdout, stderr, sub.returncode
+
+    def test_delete_type_size_mismatch(self):
+        _stdout, stderr, returncode = self.run_test(
+            "delete_type_size_mismatch")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode(
+            "utf-8"), "fatal allocator error: sized deallocation mismatch (small)\n")
+
+    def test_double_free_large_delayed(self):
+        _stdout, stderr, returncode = self.run_test(
+            "double_free_large_delayed")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid free\n")
+
+    def test_double_free_large(self):
+        _stdout, stderr, returncode = self.run_test("double_free_large")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid free\n")
+
+    def test_double_free_small_delayed(self):
+        _stdout, stderr, returncode = self.run_test(
+            "double_free_small_delayed")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: double free (quarantine)\n")
+
+    def test_double_free_small(self):
+        _stdout, stderr, returncode = self.run_test("double_free_small")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: double free (quarantine)\n")
+
+    def test_overflow_large_1_byte(self):
+        _stdout, _stderr, returncode = self.run_test(
+            "overflow_large_1_byte")
+        self.assertEqual(returncode, -11)
+
+    def test_overflow_large_8_byte(self):
+        _stdout, _stderr, returncode = self.run_test(
+            "overflow_large_8_byte")
+        self.assertEqual(returncode, -11)
+
+    def test_overflow_small_1_byte(self):
+        _stdout, stderr, returncode = self.run_test(
+            "overflow_small_1_byte")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: canary corrupted\n")
+
+    def test_overflow_small_8_byte(self):
+        _stdout, stderr, returncode = self.run_test(
+            "overflow_small_8_byte")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: canary corrupted\n")
+
+    def test_invalid_free_protected(self):
+        _stdout, stderr, returncode = self.run_test("invalid_free_protected")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid free\n")
+
+    def test_invalid_free_small_region_far(self):
+        _stdout, stderr, returncode = self.run_test(
+            "invalid_free_small_region_far")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode(
+            "utf-8"), "fatal allocator error: invalid free within a slab yet to be used\n")
+
+    def test_invalid_free_small_region(self):
+        _stdout, stderr, returncode = self.run_test(
+            "invalid_free_small_region")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: double free\n")
+
+    def test_invalid_free_unprotected(self):
+        _stdout, stderr, returncode = self.run_test("invalid_free_unprotected")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid free\n")
+
+    def test_invalid_malloc_usable_size_small_quarantene(self):
+        _stdout, stderr, returncode = self.run_test(
+            "invalid_malloc_usable_size_small_quarantine")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode(
+            "utf-8"), "fatal allocator error: invalid malloc_usable_size (quarantine)\n")
+
+    def test_invalid_malloc_usable_size_small(self):
+        _stdout, stderr, returncode = self.run_test(
+            "invalid_malloc_usable_size_small")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode(
+            "utf-8"), "fatal allocator error: invalid malloc_usable_size\n")
+
+    def test_read_after_free_large(self):
+        _stdout, _stderr, returncode = self.run_test("read_after_free_large")
+        self.assertEqual(returncode, -11)
+
+    def test_read_after_free_small(self):
+        stdout, _stderr, returncode = self.run_test("read_after_free_small")
+        self.assertEqual(returncode, 0)
+        self.assertEqual(stdout.decode("utf-8"),
+                         "0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n")
+
+    def test_read_zero_size(self):
+        _stdout, _stderr, returncode = self.run_test("read_zero_size")
+        self.assertEqual(returncode, -11)
+
+    def test_string_overflow(self):
+        stdout, _stderr, returncode = self.run_test("string_overflow")
+        self.assertEqual(returncode, 0)
+        self.assertEqual(stdout.decode("utf-8"), "overflow by 0 bytes\n")
+
+    def test_unaligned_free_large(self):
+        _stdout, stderr, returncode = self.run_test("unaligned_free_large")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid free\n")
+
+    def test_unaligned_free_small(self):
+        _stdout, stderr, returncode = self.run_test("unaligned_free_small")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid unaligned free\n")
+
+    def test_unaligned_malloc_usable_size_small(self):
+        _stdout, stderr, returncode = self.run_test(
+            "unaligned_malloc_usable_size_small")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid unaligned malloc_usable_size\n")
+
+    def test_uninitialized_free(self):
+        _stdout, stderr, returncode = self.run_test("uninitialized_free")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid free\n")
+
+    def test_uninitialized_malloc_usable_size(self):
+        _stdout, stderr, returncode = self.run_test(
+            "uninitialized_malloc_usable_size")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid malloc_usable_size\n")
+
+    def test_uninitialized_realloc(self):
+        _stdout, stderr, returncode = self.run_test("uninitialized_realloc")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: invalid realloc\n")
+
+    def test_write_after_free_large_reuse(self):
+        _stdout, _stderr, returncode = self.run_test(
+            "write_after_free_large_reuse")
+        self.assertEqual(returncode, -11)
+
+    def test_write_after_free_large(self):
+        _stdout, _stderr, returncode = self.run_test("write_after_free_large")
+        self.assertEqual(returncode, -11)
+
+    def test_write_after_free_small_reuse(self):
+        _stdout, stderr, returncode = self.run_test(
+            "write_after_free_small_reuse")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: detected write after free\n")
+
+    def test_write_after_free_small(self):
+        _stdout, stderr, returncode = self.run_test("write_after_free_small")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: detected write after free\n")
+
+    def test_write_zero_size(self):
+        _stdout, _stderr, returncode = self.run_test("write_zero_size")
+        self.assertEqual(returncode, -11)
+
+    def test_malloc_object_size(self):
+        _stdout, _stderr, returncode = self.run_test("malloc_object_size")
+        self.assertEqual(returncode, 0)
+
+    def test_malloc_object_size_offset(self):
+        _stdout, _stderr, returncode = self.run_test(
+            "malloc_object_size_offset")
+        self.assertEqual(returncode, 0)
+
+    def test_invalid_malloc_object_size_small(self):
+        _stdout, stderr, returncode = self.run_test(
+            "invalid_malloc_object_size_small")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode(
+            "utf-8"), "fatal allocator error: invalid malloc_object_size\n")
+
+    def test_invalid_malloc_object_size_small_quarantine(self):
+        _stdout, stderr, returncode = self.run_test(
+            "invalid_malloc_object_size_small_quarantine")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode(
+            "utf-8"), "fatal allocator error: invalid malloc_object_size (quarantine)\n")
+
+    def test_impossibly_large_malloc(self):
+        _stdout, stderr, returncode = self.run_test(
+            "impossibly_large_malloc")
+        self.assertEqual(returncode, 0)
+
+    def test_uninitialized_read_small(self):
+        _stdout, stderr, returncode = self.run_test(
+            "uninitialized_read_small")
+        self.assertEqual(returncode, 0)
+
+    def test_uninitialized_read_large(self):
+        _stdout, stderr, returncode = self.run_test(
+            "uninitialized_read_large")
+        self.assertEqual(returncode, 0)
+
+    def test_realloc_init(self):
+        _stdout, _stderr, returncode = self.run_test(
+            "realloc_init")
+        self.assertEqual(returncode, 0)
+
+if __name__ == '__main__':
+    unittest.main()

test/test_util.h

@@ -0,0 +1,10 @@
+#ifndef TEST_UTIL_H
+#define TEST_UTIL_H
+
+#ifdef __clang__
+#define OPTNONE __attribute__((optnone))
+#else
+#define OPTNONE __attribute__((optimize(0)))
+#endif
+
+#endif

test/unaligned_free_large.c

@@ -1,8 +1,9 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
-    char *p = malloc(128 * 1024);
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(256 * 1024);
     if (!p) {
         return 1;
     }

test/unaligned_free_small.c

@@ -1,7 +1,8 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(16);
     if (!p) {
         return 1;

test/unaligned_malloc_usable_size_small.c

@@ -0,0 +1,12 @@
+#include <malloc.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+    malloc_usable_size(p + 1);
+    return 0;
+}

test/uninitialized_free.c

@@ -1,7 +1,8 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     free((void *)1);
     return 0;
 }

test/uninitialized_malloc_usable_size.c

@@ -1,7 +1,8 @@
 #include <malloc.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     malloc_usable_size((void *)1);
     return 0;
 }

test/uninitialized_read_large.c

@@ -0,0 +1,14 @@
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(256 * 1024);
+    for (unsigned i = 0; i < 256 * 1024; i++) {
+        if (p[i] != 0) {
+            return 1;
+        }
+    }
+    free(p);
+    return 0;
+}

test/uninitialized_read_small.c

@@ -0,0 +1,14 @@
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(8);
+    for (unsigned i = 0; i < 8; i++) {
+        if (p[i] != 0) {
+            return 1;
+        }
+    }
+    free(p);
+    return 0;
+}

test/uninitialized_realloc.c

@@ -1,7 +1,8 @@
 #include <stdlib.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     void *p = realloc((void *)1, 16);
     if (!p) {
         return 1;

test/write_after_free_large.c

@@ -1,9 +1,9 @@
 #include <stdlib.h>
-#include <string.h>
 
-__attribute__((optimize(0)))
-int main(void) {
-    char *p = malloc(128 * 1024);
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(256 * 1024);
     if (!p) {
         return 1;
     }

test/write_after_free_large_reuse.c

@@ -0,0 +1,16 @@
+#include <stdlib.h>
+#include <string.h>
+
+#include "test_util.h"
+#include "../util.h"
+
+OPTNONE int main(void) {
+    char *p = malloc(256 * 1024);
+    if (!p) {
+        return 1;
+    }
+    free(p);
+    UNUSED char *q = malloc(256 * 1024);
+    p[64 * 1024 + 1] = 'a';
+    return 0;
+}

test/write_after_free_small.c

@@ -1,8 +1,8 @@
 #include <stdlib.h>
-#include <string.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(128);
     if (!p) {
         return 1;

test/write_after_free_small_reuse.c

@@ -1,14 +1,15 @@
 #include <stdlib.h>
-#include <string.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+#include "../util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(128);
     if (!p) {
         return 1;
     }
     free(p);
-    char *q = malloc(128);
+    UNUSED char *q = malloc(128);
 
     p[65] = 'a';
 

test/write_zero_size.c

@@ -1,8 +1,8 @@
 #include <stdlib.h>
-#include <stdio.h>
 
-__attribute__((optimize(0)))
-int main(void) {
+#include "test_util.h"
+
+OPTNONE int main(void) {
     char *p = malloc(0);
     if (!p) {
         return 1;

util.c

@@ -4,8 +4,13 @@
 
 #include <unistd.h>
 
+#ifdef __ANDROID__
+#include <async_safe/log.h>
+#endif
+
 #include "util.h"
 
+#ifndef __ANDROID__
 static int write_full(int fd, const char *buf, size_t length) {
     do {
         ssize_t bytes_written = write(fd, buf, length);
@@ -21,11 +26,16 @@ static int write_full(int fd, const char *buf, size_t length) {
 
     return 0;
 }
+#endif
 
 COLD noreturn void fatal_error(const char *s) {
+#ifdef __ANDROID__
+    async_safe_fatal("hardened_malloc: fatal allocator error: %s", s);
+#else
     const char *prefix = "fatal allocator error: ";
     (void)(write_full(STDERR_FILENO, prefix, strlen(prefix)) != -1 &&
         write_full(STDERR_FILENO, s, strlen(s)) != -1 &&
         write_full(STDERR_FILENO, "\n", 1));
     abort();
+#endif
 }

util.h

@@ -1,8 +1,12 @@
 #ifndef UTIL_H
 #define UTIL_H
 
+#include <stdbool.h>
+#include <stddef.h>
 #include <stdint.h>
-#include <stdnoreturn.h>
+
+// C11 noreturn doesn't work in C++
+#define noreturn __attribute__((noreturn))
 
 #define likely(x) __builtin_expect(!!(x), 1)
 #define unlikely(x) __builtin_expect(!!(x), 0)
@@ -26,40 +30,40 @@
 #define STRINGIFY(s) #s
 #define ALIAS(f) __attribute__((alias(STRINGIFY(f))))
 
-static inline int ffzl(long x) {
-    return __builtin_ffsl(~x);
-}
-
-COLD noreturn void fatal_error(const char *s);
-
 typedef uint8_t u8;
 typedef uint16_t u16;
 typedef uint32_t u32;
 typedef uint64_t u64;
 typedef unsigned __int128 u128;
 
-// use __register_atfork directly to avoid linking with libpthread for glibc < 2.28
-#ifdef __GLIBC__
-#if !__GLIBC_PREREQ(2, 28)
-extern void *__dso_handle;
-extern int __register_atfork(void (*)(void), void (*)(void), void (*)(void), void *);
-#define atfork(prepare, parent, child) __register_atfork(prepare, parent, child, __dso_handle)
-#endif
-#endif
+#define U64_WIDTH 64
 
-#ifndef atfork
-#define atfork pthread_atfork
-#endif
+static inline int ffz64(u64 x) {
+    return __builtin_ffsll(~x);
+}
 
-#ifdef CONFIG_SEAL_METADATA
+// parameter must not be 0
+static inline int clz64(u64 x) {
+    return __builtin_clzll(x);
+}
+
+// parameter must not be 0
+static inline u64 log2u64(u64 x) {
+    return U64_WIDTH - clz64(x) - 1;
+}
+
+static inline size_t align(size_t size, size_t align) {
+    size_t mask = align - 1;
+    return (size + mask) & ~mask;
+}
+
+COLD noreturn void fatal_error(const char *s);
+
+#if CONFIG_SEAL_METADATA
 
 #ifdef __GLIBC__
-#if __GLIBC_PREREQ(2, 27)
 #define USE_PKEY
-#endif
-#endif
-
-#ifndef USE_PKEY
+#else
 #error "CONFIG_SEAL_METADATA requires Memory Protection Key support"
 #endif