Fix localtime/1 memory leak on newlib/picolibc platforms

petermm · petermm · commit d791eaff7a2e · 2026-04-05T21:40:29.000+02:00
Both newlib and picolibc leak the old "NAME=value" string when setenv overwrites an environment variable with a longer value. On ESP32 this causes unbounded heap growth when localtime/1 is called repeatedly with a timezone argument. Fix by replacing setenv/unsetenv with a static putenv buffer that is installed once and modified in place, avoiding all further allocations. The workaround is guarded by __NEWLIB__/__PICOLIBC__ so platforms with a non-leaking libc (glibc, musl) continue to use standard setenv/unsetenv. Additional fixes: - Replace space-padding with zero-fill to avoid TZ parser issues - Reject oversized TZ values instead of silently truncating - Restore "UTC0" instead of empty string when TZ was originally unset, giving well-defined UTC behavior on newlib/picolibc - Check strdup for OOM - Check putenv return value - Check localtime_r for NULL See: espressif/esp-idf#3046 See: espressif/esp-idf#9764 Signed-off-by: Peter M <petermm@gmail.com>
diff --git a/src/libAtomVM/nifs.c b/src/libAtomVM/nifs.c
@@ -1939,6 +1939,55 @@ term nif_erlang_universaltime_0(Context *ctx, int argc, term argv[])
     return build_datetime_from_tm(ctx, gmtime_r(&ts.tv_sec, &broken_down_time));
 }
 
+// Workaround for newlib/picolibc setenv memory leak: use putenv with a
+// fixed-size static buffer. The buffer is installed once via putenv and then
+// modified in place so repeated TZ changes never allocate.
+// See: https://github.com/espressif/esp-idf/issues/3046
+// Both newlib and picolibc leak the old "NAME=value" string on overwrite.
+#if defined(__NEWLIB__) || defined(__PICOLIBC__)
+#define AVM_TZ_SETENV_LEAKS 1
+#else
+#define AVM_TZ_SETENV_LEAKS 0
+#endif
+
+#if AVM_TZ_SETENV_LEAKS
+
+// Max TZ value length is 60 bytes; longest POSIX TZ strings (e.g.
+// "CET-1CEST,M3.5.0/2,M10.5.0/3") are well under this limit.
+#define TZ_BUFFER_SIZE 64
+#define TZ_MAX_VALUE_LEN (TZ_BUFFER_SIZE - 4) // 3 for "TZ=" + 1 for '\0'
+
+static char tz_buffer[TZ_BUFFER_SIZE] = "TZ=";
+static bool tz_buffer_installed = false;
+static char *tz_env_value = NULL;
+
+// Write a TZ value into the static buffer. Returns false if the value is
+// too long to fit (the buffer is left unchanged in that case).
+// Caller must hold env_spinlock.
+static bool set_tz_value(const char *tz)
+{
+    size_t tz_len = strlen(tz);
+    if (tz_len > TZ_MAX_VALUE_LEN) {
+        return false;
+    }
+    if (!tz_buffer_installed) {
+        memset(tz_buffer + 3, 0, TZ_BUFFER_SIZE - 3);
+        if (putenv(tz_buffer) != 0) {
+            return false;
+        }
+        tz_buffer_installed = true;
+        tz_env_value = getenv("TZ");
+        if (tz_env_value == NULL) {
+            tz_env_value = tz_buffer + 3;
+        }
+    }
+    memcpy(tz_env_value, tz, tz_len);
+    memset(tz_env_value + tz_len, 0, TZ_MAX_VALUE_LEN - tz_len);
+    return true;
+}
+
+#endif // AVM_TZ_SETENV_LEAKS
+
 term nif_erlang_localtime(Context *ctx, int argc, term argv[])
 {
     char *tz;
@@ -1962,17 +2011,45 @@ term nif_erlang_localtime(Context *ctx, int argc, term argv[])
     smp_spinlock_lock(&ctx->global->env_spinlock);
 #endif
     if (tz) {
-        char *oldtz = getenv("TZ");
+        char *oldtz = NULL;
+        char *oldtz_env = getenv("TZ");
+        if (oldtz_env) {
+            oldtz = strdup(oldtz_env);
+            if (UNLIKELY(oldtz == NULL)) {
+#ifndef AVM_NO_SMP
+                smp_spinlock_unlock(&ctx->global->env_spinlock);
+#endif
+                free(tz);
+                RAISE_ERROR(OUT_OF_MEMORY_ATOM);
+            }
+        }
+
+#if AVM_TZ_SETENV_LEAKS
+        set_tz_value(tz);
+#else
         setenv("TZ", tz, 1);
+#endif
         tzset();
         localtime = localtime_r(&ts.tv_sec, &storage);
+
         if (oldtz) {
+#if AVM_TZ_SETENV_LEAKS
+            set_tz_value(oldtz);
+#else
             setenv("TZ", oldtz, 1);
+#endif
+            free(oldtz);
         } else {
+#if AVM_TZ_SETENV_LEAKS
+            // Cannot truly unset TZ with the static buffer approach.
+            // Setting to "UTC0" gives well-defined UTC behavior.
+            set_tz_value("UTC0");
+#else
             unsetenv("TZ");
+#endif
         }
+        tzset();
     } else {
-        // Call tzset to handle DST changes
         tzset();
         localtime = localtime_r(&ts.tv_sec, &storage);
     }
@@ -1981,6 +2058,11 @@ term nif_erlang_localtime(Context *ctx, int argc, term argv[])
 #endif
 
     free(tz);
+
+    if (UNLIKELY(localtime == NULL)) {
+        RAISE_ERROR(BADARG_ATOM);
+    }
+
     return build_datetime_from_tm(ctx, localtime);
 }
 
