From owner-freebsd-hackers  Mon Oct 20 10:15:03 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id KAA06193
          for hackers-outgoing; Mon, 20 Oct 1997 10:15:03 -0700 (PDT)
          (envelope-from owner-freebsd-hackers)
Received: from citadel.cdsec.com (citadel.cdsec.com [192.96.22.18])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA05900
          for <hackers@freebsd.org>; Mon, 20 Oct 1997 10:11:11 -0700 (PDT)
          (envelope-from gram@cdsec.com)
Received: (from nobody@localhost) by citadel.cdsec.com (8.8.5/8.6.9) id TAA21063 for <hackers@freebsd.org>; Mon, 20 Oct 1997 19:20:56 +0200 (SAT)
Received: by citadel via recvmail id 21028; Mon Oct 20 19:20:14 1997
	by gram.cdsec.com (8.8.5/8.8.5) id SAA11704
	for hackers@freebsd.org; Mon, 20 Oct 1997 18:48:13 +0200 (SAT)
From: Graham Wheeler <gram@cdsec.com>
Message-Id: <199710201648.SAA11704@cdsec.com>
Subject: Re: Bug in 2.2.2
To: hackers@freebsd.org
Date: Mon, 20 Oct 1997 18:48:12 +0200 (SAT)
X-Mailer: ELM [version 2.4 PL25-h4.1]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> 
> 	can you tell me how to reproduce it within X hours?
> 	if i remember correctly, it was failing every X hours
> 	for you.  if its statically linked i can hack on 
> 	the shared library and see if i can track this down.

I wrote a small program to exercise the heap and ran it for about ten million
iterations without a problem. Then I decided to add a periodic call to fork(),
as both Midnight Commander and the firewall gateway program both do plenty 
of these. When I ran this the O/S panicked almost immediately.

Here is the program:

// A simple program to exercise the heap.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>

main()
{
    const int vsize = 10000;
    char **vector = new char*[vsize];
    int i, allocs = 0, deletes = 0;
    int seed = time(0);
    srand(seed);
    for (i = 0; i < vsize; i++) vector[i] = 0;
    i = 0;
    for (;;)
    {
	if ((i%100000) == 0)
	    printf("%d: alloc %d delete %d seed %d\n",
			i, allocs, deletes, seed);
	if ((i % 100) == 0)
	{
	    int pid = fork();
	    if (pid == 0) exit(0);
	}
	int slot = random() % vsize;
	if (vector[slot])
	{
	    delete [] vector[slot];
	    vector[slot] = 0;
	    deletes++;
	}
	else
	{
	    int l = (random() % 4096)+1;
	    vector[slot] = new char[l];
	    memset(vector[slot], l, l);
	    allocs++;
	}
	if (++i < 0) i = 0;
    }
}

I hadn't bothered doing any signal catching here; this was quick 'n dirty.
Still, it shouldn't cause a panic. Perhaps there is a connection between
this and the other problem?

> > So it seems there is indeed a bug, either in phkmalloc or in some 
> > other FreeBSD library code which uses phkmalloc.

I strongly suspect the latter may be the case, and that the nature of
the bug is such that it affects phkmalloc but not the other malloc. 

cheers
gram
-- 
Dr Graham Wheeler                          E-mail: gram@cdsec.com
Citadel Data Security                      Phone:  +27(21)23-6065/6/7
Internet/Intranet Network Specialists      Mobile: +27(83)-253-9864
Firewalls/Virtual Private Networks         Fax:    +27(21)24-3656
Data Security Products                     WWW:    http://www.cdsec.com/