Date: Sat, 19 May 2007 02:08:55 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: jasone@FreeBSD.org
Subject: bin/112771: unwrapped magic checks in the malloc code
Message-ID: <20070518220855.81FCBB85C@void.codelabs.ru>
Resent-Message-ID: <200705182210.l4IMA46X015517@freefall.freebsd.org>
>Number: 112771
>Category: bin
>Synopsis: unwrapped magic checks in the malloc code
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri May 18 22:10:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXX 7.0-CURRENT FreeBSD 7.0-CURRENT #25: Fri May 18 17:25:48 MSD 2007 root@XXX:/usr/src/sys/i386/compile/XXX i386
>Description:
Checks for the arena magic are not wrapped with the '#ifdef MALLOC_DEBUG ... #endif' construct, but the field 'magic' is defined only for MALLOC_DEBUG.
>How-To-Repeat:
Look at /usr/src/lib/libc/stdlib/malloc.c (the latest revision the FreeBSD tree has now is 1.146). Search for '->magic' and see it unwrapped. Search for the 'struct arena_run_s' and 'struct arena_s' definitions and see the 'magic' field wrapped with MALLOC_DEBUG.
>Fix:
The following patch wraps all occurrences I found:

--- malloc.c.orig Sat May 19 01:18:31 2007 +++ malloc.c Sat May 19 01:21:43 2007 @@ -1568,7 +1568,9 @@ void *ret; unsigned i, mask, bit, regind; +#ifdef MALLOC_DEBUG assert(run->magic == ARENA_RUN_MAGIC); +#endif assert(run->regs_minelm < bin->regs_mask_nelms); /* @@ -1659,7 +1661,9 @@ }; unsigned diff, regind, elm, bit; +#ifdef MALLOC_DEBUG assert(run->magic == ARENA_RUN_MAGIC); +#endif assert(((sizeof(size_invs)) / sizeof(unsigned)) + 3 >= (SMALL_MAX_DEFAULT >> QUANTUM_2POW_MIN)); @@ -2041,7 +2045,9 @@ { void *ret; +#ifdef MALLOC_DEBUG assert(run->magic == ARENA_RUN_MAGIC); +#endif assert(run->nfree > 0); ret = arena_run_reg_alloc(run, bin); 
@@ -2059,7 +2065,9 @@ bin->runcur = arena_bin_nonfull_run_get(arena, bin); if (bin->runcur == NULL) return (NULL); +#ifdef MALLOC_DEBUG assert(bin->runcur->magic == ARENA_RUN_MAGIC); +#endif assert(bin->runcur->nfree > 0); return (arena_bin_malloc_easy(arena, bin, bin->runcur)); @@ -2156,7 +2164,9 @@ void *ret; assert(arena != NULL); +#ifdef MALLOC_DEBUG assert(arena->magic == ARENA_MAGIC); +#endif assert(size != 0); assert(QUANTUM_CEILING(size) <= arena_maxclass); @@ -2359,7 +2369,9 @@ run = (arena_run_t *)((uintptr_t)chunk + (pageind << pagesize_2pow)); +#ifdef MALLOC_DEBUG assert(run->magic == ARENA_RUN_MAGIC); +#endif ret = run->bin->reg_size; } else ret = mapelm->npages << pagesize_2pow; @@ -2423,7 +2435,9 @@ size_t size; assert(arena != NULL); +#ifdef MALLOC_DEBUG assert(arena->magic == ARENA_MAGIC); +#endif assert(chunk->arena == arena); assert(ptr != NULL); assert(CHUNK_ADDR2BASE(ptr) != ptr); @@ -2441,7 +2455,9 @@ run = (arena_run_t *)((uintptr_t)chunk + (pageind << pagesize_2pow)); +#ifdef MALLOC_DEBUG assert(run->magic == ARENA_RUN_MAGIC); +#endif bin = run->bin; size = bin->reg_size; @@ -2975,7 +2991,9 @@ chunk = (arena_chunk_t *)CHUNK_ADDR2BASE(ptr); if (chunk != ptr) { /* Region. */ +#ifdef MALLOC_DEBUG assert(chunk->arena->magic == ARENA_MAGIC); +#endif ret = arena_salloc(ptr); } else { >Release-Note: >Audit-Trail: >Unformatted:
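Review bot: before adding the guard in the @@ -1568 hunk (and the eight hunks that repeat the same pattern), check how assert() itself is defined near the top of malloc.c: if it already expands to nothing unless MALLOC_DEBUG is defined, `assert(run->magic == ARENA_RUN_MAGIC);` is never compiled in a non-debug build, the build is not actually broken, and the added `#ifdef MALLOC_DEBUG` / `#endif` pairs only add noise. If assert() is live without MALLOC_DEBUG, the patch is needed, but the cleaner fix is then one helper macro for the magic check rather than nine hand-placed `#ifdef` pairs.

Review bot: in the @@ -2041 and @@ -2059 hunks the magic check is guarded while the neighbouring `assert(run->nfree > 0);` and `assert(bin->runcur->nfree > 0);` stay unguarded, so the same function ends up with two kinds of assert under different build conditions. Either the unguarded ones are meant to survive non-debug builds, which deserves a comment, or none of them is compiled there, in which case the new guard is redundant; pick one rule for all asserts in the file and state it in the PR.

Review bot: the @@ -2975 hunk guards the read in `assert(chunk->arena->magic == ARENA_MAGIC);`, but the How-To-Repeat only searched for `->magic` reads. The places that store ARENA_MAGIC and ARENA_RUN_MAGIC when an arena or run is initialised need the same audit; an unguarded store would break a non-MALLOC_DEBUG build in exactly the way the report describes, so confirm they are already under MALLOC_DEBUG or include them in the patch.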