Merge branch 'zlo/tlsf-and-a-temple-of-memcorrupt' of https://github.com/flipperdevices/flipperzero-firmware into mntm-dev

2026-05-29 06:24:45 -07:00 · 2024-06-11 23:24:35 +02:00
parent f8a12cdd13 d4b70a6aa6
commit 5b8a9dcf9f
9 changed files with 1388 additions and 14 deletions
--- a/applications/debug/unit_tests/tests/furi/furi_memmgr_test.c
+++ b/applications/debug/unit_tests/tests/furi/furi_memmgr_test.c
@@ -1,5 +1,8 @@
 #include "../test.h" // IWYU pragma: keep
-#include <furi.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+#include <stdint.h>

 void test_furi_memmgr(void) {
    void* ptr;
@@ -48,6 +51,11 @@ static void test_memmgr_malloc(const size_t allocation_size) {
        error_message = "malloc failed";
    }

+    // test that memory is aligned by 8 bytes
+    if(((uintptr_t)ptr % 8) != 0) {
+        error_message = "memory is not aligned by 8 bytes after malloc";
+    }
+
    // test that memory is zero-initialized after allocation
    for(size_t i = 0; i < allocation_size; i++) {
        if(ptr[i] != 0) {
@@ -99,6 +107,11 @@ static void test_memmgr_realloc(const size_t allocation_size) {
        error_message = "realloc(NULL) failed";
    }

+    // test that memory is aligned by 8 bytes
+    if(((uintptr_t)ptr % 8) != 0) {
+        error_message = "memory is not aligned by 8 bytes after realloc";
+    }
+
    // test that memory is zero-initialized after allocation
    for(size_t i = 0; i < allocation_size; i++) {
        if(ptr[i] != 0) {
@@ -124,6 +137,11 @@ static void test_memmgr_realloc(const size_t allocation_size) {
        }
    }

+    // test that memory is aligned by 8 bytes
+    if(((uintptr_t)ptr % 8) != 0) {
+        error_message = "memory is not aligned by 8 bytes after realloc";
+    }
+
    // test that remaining memory is zero-initialized
    size_t non_zero_count = 0;
    for(size_t i = allocation_size; i < allocation_size * 2; i++) {
@@ -290,4 +308,18 @@ void test_furi_memmgr_advanced(void) {
            free(guards[i]);
        }
    }
+}
+
+void test_furi_memmgr_aligned8(void) {
+    const size_t repeat_count = 100;
+
+    for(size_t i = 0; i < repeat_count; i++) {
+        uintptr_t ptr = (uintptr_t)malloc(10);
+        mu_assert_int_eq(0, ptr % 8);
+        ptr = (uintptr_t)realloc((void*)ptr, 20);
+        mu_assert_int_eq(0, ptr % 8);
+        ptr = (uintptr_t)realloc((void*)ptr, 30);
+        mu_assert_int_eq(0, ptr % 8);
+        free((void*)ptr);
+    }
 }
--- a/applications/debug/unit_tests/tests/furi/furi_test.c
+++ b/applications/debug/unit_tests/tests/furi/furi_test.c
@@ -8,6 +8,7 @@ void test_furi_concurrent_access(void);
 void test_furi_pubsub(void);
 void test_furi_memmgr(void);
 void test_furi_memmgr_advanced(void);
+void test_furi_memmgr_aligned8(void);
 void test_furi_event_loop(void);

 static int foo = 0;
@@ -38,6 +39,7 @@ MU_TEST(mu_test_furi_memmgr) {
    // that memory management is working fine
    test_furi_memmgr();
    test_furi_memmgr_advanced();
+    test_furi_memmgr_aligned8();
 }

 MU_TEST(mu_test_furi_event_loop) {
--- a/furi/core/memmgr_heap.c
+++ b/furi/core/memmgr_heap.c
@@ -1,6 +1,6 @@
 #include <furi.h>
 #include <tlsf.h>
-#include <tlsf_block_functions.h>
+// #include <tlsf_block_functions.h>
 #include <FreeRTOS.h>
 #include <task.h>
 #include <m-dict.h>
@@ -45,7 +45,7 @@ static void memmgr_heap_init(void) {

 __attribute__((constructor)) static void memmgr_init(void) {
    size_t pool_size = (size_t)&__heap_end__ - (size_t)&__heap_start__;
-    tlsf = tlsf_create_with_pool((void*)&__heap_start__, pool_size, pool_size);
+    tlsf = tlsf_create_with_pool((void*)&__heap_start__, pool_size);
    memmgr_heap_init();
 }

@@ -116,8 +116,7 @@ size_t memmgr_heap_get_thread_memory(FuriThreadId thread_id) {
                MemmgrHeapAllocDict_next(alloc_dict_it)) {
                MemmgrHeapAllocDict_itref_t* data = MemmgrHeapAllocDict_ref(alloc_dict_it);
                if(data->key != 0) {
-                    block_header_t* block = block_from_ptr((uint8_t*)data->key);
-                    if(!block_is_free(block)) {
+                    if(!tlsf_pointer_is_free((uint8_t*)data->key)) {
                        leftovers += data->value;
                    }
                }
@@ -129,7 +128,7 @@ size_t memmgr_heap_get_thread_memory(FuriThreadId thread_id) {
    return leftovers;
 }

-static bool tlsf_walker_max_free(void* ptr, size_t size, int used, void* user) {
+static void tlsf_walker_max_free(void* ptr, size_t size, int used, void* user) {
    UNUSED(ptr);

    bool free = !used;
@@ -137,8 +136,6 @@ static bool tlsf_walker_max_free(void* ptr, size_t size, int used, void* user) {
    if(free && size > *max_free_block_size) {
        *max_free_block_size = size;
    }
-
-    return true;
 }

 size_t memmgr_heap_get_max_free_block(void) {
@@ -159,9 +156,9 @@ typedef struct {
    void* context;
 } BlockWalkerWrapper;

-static bool tlsf_walker_wrapper(void* ptr, size_t size, int used, void* user) {
+static void tlsf_walker_wrapper(void* ptr, size_t size, int used, void* user) {
    BlockWalkerWrapper* wrapper = (BlockWalkerWrapper*)user;
-    return wrapper->walker(ptr, size, used, wrapper->context);
+    wrapper->walker(ptr, size, used, wrapper->context);
 }

 void memmgr_heap_walk_blocks(BlockWalker walker, void* context) {
@@ -336,7 +333,8 @@ extern void* pvPortRealloc(void* pv, size_t xSize) {
 }

 size_t xPortGetFreeHeapSize(void) {
-    return memmgr_get_heap_size() - heap_used - tlsf_size(tlsf);
+    return memmgr_get_heap_size() - heap_used - tlsf_struct_size();
+    return 0;
 }

 size_t xPortGetTotalHeapSize(void) {
@@ -344,5 +342,6 @@ size_t xPortGetTotalHeapSize(void) {
 }

 size_t xPortGetMinimumEverFreeHeapSize(void) {
-    return memmgr_get_heap_size() - heap_max_used - tlsf_size(tlsf);
+    return memmgr_get_heap_size() - heap_max_used - tlsf_struct_size();
+    return 0;
 }
--- a/lib/SConscript
+++ b/lib/SConscript
@@ -14,9 +14,9 @@ env.Append(

 libs = env.BuildModules(
    [
-        "tlsf",
        "mlib",
        "stm32wb",
+        "tlsf",
        "freertos",
        "print",
        "microtar",
--- a/lib/tlsf.scons
+++ b/lib/tlsf.scons
@@ -11,7 +11,9 @@ libenv = env.Clone(FW_LIB_NAME="tlsf")
 libenv.ApplyLibFlags()

 libenv.Append(
-    CPPDEFINES=[],
+    CPPDEFINES=[
+        "CONFIG_MALLOC_ALIGNMENT=4",
+    ],
 )

 sources = [File("tlsf/tlsf.c")]
--- a/lib/tlsf/tlsf.c
+++ b/lib/tlsf/tlsf.c
--- a/lib/tlsf/tlsf.h
+++ b/lib/tlsf/tlsf.h
@@ -0,0 +1,96 @@
+#ifndef INCLUDED_tlsf
+#define INCLUDED_tlsf
+
+/*
+** Two Level Segregated Fit memory allocator, version 3.1.
+** Written by Matthew Conte
+**	http://tlsf.baisoku.org
+**
+** Based on the original documentation by Miguel Masmano:
+**	http://www.gii.upv.es/tlsf/main/docs
+**
+** This implementation was written to the specification
+** of the document, therefore no GPL restrictions apply.
+**
+** Copyright (c) 2006-2016, Matthew Conte
+** All rights reserved.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions are met:
+**     * Redistributions of source code must retain the above copyright
+**       notice, this list of conditions and the following disclaimer.
+**     * Redistributions in binary form must reproduce the above copyright
+**       notice, this list of conditions and the following disclaimer in the
+**       documentation and/or other materials provided with the distribution.
+**     * Neither the name of the copyright holder nor the
+**       names of its contributors may be used to endorse or promote products
+**       derived from this software without specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+** ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+** WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+** DISCLAIMED. IN NO EVENT SHALL MATTHEW CONTE BE LIABLE FOR ANY
+** DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+** (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+** LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+** ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+** (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+** SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <core/check.h>
+
+#define tlsf_assert furi_check
+
+/* tlsf_t: a TLSF structure. Can contain 1 to N pools. */
+/* pool_t: a block of memory that TLSF can manage. */
+typedef void* tlsf_t;
+typedef void* pool_t;
+
+/* Create/destroy a memory pool. */
+tlsf_t tlsf_create(void* mem);
+tlsf_t tlsf_create_with_pool(void* mem, size_t bytes);
+void tlsf_destroy(tlsf_t tlsf);
+pool_t tlsf_get_pool(tlsf_t tlsf);
+
+/* Add/remove memory pools. */
+pool_t tlsf_add_pool(tlsf_t tlsf, void* mem, size_t bytes);
+void tlsf_remove_pool(tlsf_t tlsf, pool_t pool);
+
+/* malloc/memalign/realloc/free replacements. */
+void* tlsf_malloc(tlsf_t tlsf, size_t bytes);
+void* tlsf_memalign(tlsf_t tlsf, size_t align, size_t bytes);
+void* tlsf_realloc(tlsf_t tlsf, void* ptr, size_t size);
+void tlsf_free(tlsf_t tlsf, void* ptr);
+
+/* Returns internal block size, not original request size */
+size_t tlsf_block_size(void* ptr);
+
+/* Overheads/limits of internal structures. */
+size_t tlsf_size(void);
+size_t tlsf_align_size(void);
+size_t tlsf_block_size_min(void);
+size_t tlsf_block_size_max(void);
+size_t tlsf_pool_overhead(void);
+size_t tlsf_alloc_overhead(void);
+
+/* Debugging. */
+typedef void (*tlsf_walker)(void* ptr, size_t size, int used, void* user);
+void tlsf_walk_pool(pool_t pool, tlsf_walker walker, void* user);
+/* Returns nonzero if any internal consistency check fails. */
+int tlsf_check(tlsf_t tlsf);
+int tlsf_check_pool(pool_t pool);
+
+/* Memory statistics. */
+size_t tlsf_struct_size(void);
+bool tlsf_pointer_is_free(void* ptr);
+
+#if defined(__cplusplus)
+};
+#endif
+
+#endif
--- a/lib/tlsf/tlsfbits.h
+++ b/lib/tlsf/tlsfbits.h
@@ -0,0 +1,72 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+#ifndef INCLUDED_tlsfbits
+#define INCLUDED_tlsfbits
+
+#include <stdint.h>
+typedef uint32_t u32;
+
+#define BITS_PER_BYTE		8
+#define BITS_PER_LONG		(sizeof(long) * BITS_PER_BYTE)
+
+#define BITS_PER_TYPE(type)	(sizeof(type) * BITS_PER_BYTE)
+#define BITS_TO_LONGS(nr)	DIV_ROUND_UP(nr, BITS_PER_TYPE(long))
+#define BITS_TO_U64(nr)		DIV_ROUND_UP(nr, BITS_PER_TYPE(u64))
+#define BITS_TO_U32(nr)		DIV_ROUND_UP(nr, BITS_PER_TYPE(u32))
+#define BITS_TO_BYTES(nr)	DIV_ROUND_UP(nr, BITS_PER_TYPE(char))
+#define BYTES_TO_BITS(nb)	(((BITS_PER_LONG * (nb)) / sizeof(long)))
+
+#ifdef CONFIG_64BIT
+#define TLSF_64BIT
+#endif
+
+/*
+** Architecture-specific bit manipulation routines.
+**
+** TLSF achieves O(1) cost for malloc and free operations by limiting
+** the search for a free block to a free list of guaranteed size
+** adequate to fulfill the request, combined with efficient free list
+** queries using bitmasks and architecture-specific bit-manipulation
+** routines.
+**
+** Most modern processors provide instructions to count leading zeroes
+** in a word, find the lowest and highest set bit, etc. These
+** specific implementations will be used when available, falling back
+** to a reasonably efficient generic implementation.
+**
+** NOTE: TLSF spec relies on ffs/fls returning value 0..31.
+** ffs/fls return 1-32 by default, returning 0 for error.
+*/
+
+static int tlsf_ffs(unsigned int word)
+{
+	return ffs(word) - 1;
+}
+
+static int tlsf_fls(unsigned int word)
+{
+	return fls(word) - 1;
+}
+
+/* Possibly 64-bit version of tlsf_fls. */
+#if defined (TLSF_64BIT)
+static int tlsf_fls_sizet(size_t size)
+{
+	int high = (int)(size >> 32);
+	int bits = 0;
+	if (high)
+	{
+		bits = 32 + tlsf_fls(high);
+	}
+	else
+	{
+		bits = tlsf_fls((int)size & 0xffffffff);
+
+	}
+	return bits;
+}
+#else
+#define tlsf_fls_sizet tlsf_fls
+#endif
+
+#endif
--- a/targets/f7/furi_hal/furi_hal_interrupt.c
+++ b/targets/f7/furi_hal/furi_hal_interrupt.c
@@ -286,6 +286,47 @@ void MemManage_Handler(void) {
 }

 void BusFault_Handler(void) {
+    furi_log_puts("\r\n" _FURI_LOG_CLR_E "Bus fault:\r\n");
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_LSPERR_Pos)) {
+        furi_log_puts(" - lazy stacking for exception entry\r\n");
+    }
+
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_STKERR_Pos)) {
+        furi_log_puts(" - stacking for exception entry\r\n");
+    }
+
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_UNSTKERR_Pos)) {
+        furi_log_puts(" - unstacking for exception return\r\n");
+    }
+
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_IMPRECISERR_Pos)) {
+        furi_log_puts(" - imprecise data access\r\n");
+    }
+
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_PRECISERR_Pos)) {
+        furi_log_puts(" - precise data access\r\n");
+    }
+
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_IBUSERR_Pos)) {
+        furi_log_puts(" - instruction\r\n");
+    }
+
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_BFARVALID_Pos)) {
+        uint32_t busfault_address = SCB->BFAR;
+        furi_log_puts(" -- at 0x");
+
+        char tmp_str[] = "0xFFFFFFFF";
+        itoa(busfault_address, tmp_str, 16);
+        furi_log_puts(tmp_str);
+
+        furi_log_puts("\r\n");
+
+        if(busfault_address == (uint32_t)NULL) {
+            furi_log_puts(" -- NULL pointer dereference\r\n");
+        }
+    }
+    furi_log_puts(_FURI_LOG_CLR_RESET);
+
    furi_crash("BusFault");
 }