Date:      Thu, 18 Sep 1997 18:24:04 +0200
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
To:        Graham Wheeler <gram@cdsec.com>
Cc:        hackers@freebsd.org, freebsd-bugs@freebsd.org
Subject:   Re: Bug in malloc/free (was: Memory leak in getservbyXXX?) 
Message-ID:  <10531.874599844@critter.freebsd.dk>
In-Reply-To: Your message of "Sat, 18 Sep 1997 18:06:51 +0200." <199709181606.SAA00506@cdsec.com>

In message <199709181606.SAA00506@cdsec.com>, Graham Wheeler writes:

>i.e. the size is stored both immediately preceding and immediately
>following the usable space. As part of the consistency checking,
>these two sizes are compared and should match. This should catch almost
>all small overruns or underruns, and abort the process. So this
>malloc should be less tolerant of bugs in my code than phkmalloc is,
>rather than more tolerant,

again: depends.

>Can you offer an explanation as to why the process never returns from
>the call to malloc, nor does it abort? This seems to indicate an infinite
>loop. Not having delved too deeply into your code, I can only speculate
>that the linked list is being made circular, so the process is in an
>infinite, looping traversal. Perhaps that is a check that can be added;
>namely that walking the list must always proceed forward, never backward
>(assuming that the list is kept in sequential order).

This is about the only way you could get it to loop I think.  That means
that somebody wrote to memory malloc hadn't passed them (i.e. your code).

This would indicate a bug of the class where memory is written to after
being free()'ed, a kind of bug which phkmalloc makes no attempt to catch.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
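The boundary-tag check Graham describes, written out as an added example that is not code from this thread, from phkmalloc, or from the other allocator under discussion. It wraps the system malloc/free, stores the requested size immediately before and immediately after the usable space, and compares the two tags on free. The wrapper names (`tagged_malloc`, `tagged_check`, `tagged_free`) and the three constructed scenarios are this example's own. Note what it does and does not catch: a small overrun or underrun of a live block changes one tag and is reported; a write to a block after it has been freed, the class phk points to above, is not something this check can see, because the tags are gone by then.

```c
/* Added example (not from the thread, phkmalloc, or any real allocator):
 * a malloc/free wrapper that keeps a size tag at both ends of the user
 * area and compares them on free. A small overrun or underrun changes one
 * tag, so the mismatch is reported instead of silently corrupting the
 * allocator's own bookkeeping (which is what can turn a free list circular). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tag type: one size_t placed at each end of the user area. */
typedef size_t tag_t;

enum tag_status { TAG_OK = 0, TAG_MISMATCH = 1 };

/* Allocate n usable bytes with the size stored before and after them.
 * Returns a pointer to the usable space, or NULL on failure. */
void *tagged_malloc(size_t n)
{
    unsigned char *raw = malloc(sizeof(tag_t) + n + sizeof(tag_t));
    if (raw == NULL)
        return NULL;
    tag_t head = n, foot = n;
    memcpy(raw, &head, sizeof head);                     /* leading tag  */
    memcpy(raw + sizeof(tag_t) + n, &foot, sizeof foot); /* trailing tag */
    return raw + sizeof(tag_t);                          /* usable space */
}

/* Compare the two tags of a live block. The trailing tag is located via
 * the leading one, so a real allocator would first bound-check the leading
 * tag against its arena; this example keeps the corrupted value small. */
enum tag_status tagged_check(const void *p)
{
    const unsigned char *raw = (const unsigned char *)p - sizeof(tag_t);
    tag_t head, foot;
    memcpy(&head, raw, sizeof head);
    memcpy(&foot, raw + sizeof(tag_t) + head, sizeof foot);
    return head == foot ? TAG_OK : TAG_MISMATCH;
}

/* Check the tags and release the block only if they agree. On mismatch the
 * block is deliberately left alone: its bookkeeping can no longer be trusted,
 * and handing it back to the heap is how the damage spreads. */
enum tag_status tagged_free(void *p)
{
    enum tag_status st = tagged_check(p);
    if (st == TAG_OK)
        free((unsigned char *)p - sizeof(tag_t));
    else
        fprintf(stderr, "tagged_free(%p): size tags disagree, block not freed\n", p);
    return st;
}

/* Constructed scenario 1: a block used within its bounds. Expected TAG_OK. */
enum tag_status demo_clean(void)
{
    char *p = tagged_malloc(16);
    if (p == NULL)
        return TAG_MISMATCH;
    memset(p, 'A', 16);
    return tagged_free(p);
}

/* Constructed scenario 2: an off-by-one write into the trailing tag.
 * Expected TAG_MISMATCH. The stray write stays inside the raw allocation,
 * so the demonstration itself is well-defined. */
enum tag_status demo_overrun(void)
{
    char *p = tagged_malloc(16);
    if (p == NULL)
        return TAG_OK;
    memset(p, 'A', 16);
    p[16] = 'X';                          /* one byte past the usable space */
    enum tag_status st = tagged_free(p);
    if (st != TAG_OK)
        free(p - sizeof(tag_t));          /* reclaim the raw block ourselves */
    return st;
}

/* Constructed scenario 3: an underrun that zeroes the leading tag.
 * Expected TAG_MISMATCH (a zero head makes the check read the 'A's as the
 * trailing tag, which cannot equal zero). */
enum tag_status demo_underrun(void)
{
    char *p = tagged_malloc(16);
    if (p == NULL)
        return TAG_OK;
    memset(p, 'A', 16);
    memset(p - sizeof(tag_t), 0, sizeof(tag_t)); /* write before the start */
    enum tag_status st = tagged_free(p);
    if (st != TAG_OK)
        free(p - sizeof(tag_t));
    return st;
}

int main(void)
{
    printf("clean:    %s\n", demo_clean()    == TAG_OK ? "ok" : "mismatch");
    printf("overrun:  %s\n", demo_overrun()  == TAG_OK ? "ok" : "mismatch");
    printf("underrun: %s\n", demo_underrun() == TAG_OK ? "ok" : "mismatch");
    return 0;
}
```

Because the check runs only while the block is live, it says nothing about a write that lands after `free()`; that is exactly why phk's answer distinguishes the two classes of bug.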