Date: Thu, 19 Jan 2006 23:40:21 -0800 From: Jason Evans <jasone@FreeBSD.org> To: Joe Marcus Clarke <marcus@FreeBSD.org> Cc: freebsd-current@FreeBSD.org Subject: Re: Typical malloc-related application bugs Message-ID: <61EE2752-7328-4068-9888-7F7B5C918439@FreeBSD.org> In-Reply-To: <1137741767.75264.27.camel@shumai.marcuscom.com> References: <6BD97F93-5E85-4A5A-8751-DC0C0382B916@FreeBSD.org> <1137741767.75264.27.camel@shumai.marcuscom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Jan 19, 2006, at 11:22 PM, Joe Marcus Clarke wrote: > On Thu, 2006-01-19 at 23:10 -0800, Jason Evans wrote: >> 2) Out-of-bounds writes. Lots of programs have been found to write >> past the end of the space they allocate. At the moment, jemalloc's >> redzone code is enabled, so these errors are causing messages to >> stderr that look like: >> >> ifconfig: (malloc) Corrupted redzone 1 byte after 0xa000150 (size >> 18) (0x0) > > I'm seeing a lot of this when I run gnome-system-monitor. There > appears > to be a bug in libgtop, but I don't know how to make these messages > fatal in order to produce a backtrace I can use to narrow down > where the > problem lies. What can I do to isolate where in the code the redzone > corruption is occurring? If you have the 'A' flag set, then you should be getting coredumps, unless gnome-system-monitor masks the SIGABRT signal. If you can't get coredumps, then you could try running gnome-system-monitor in gdb, with a breakpoint set in the branch of malloc.c:redzone_check() that calls abort(). > Additionally, do you have any example code that produces this kind of > redzone corruption? Thanks. Here is a quick hack that I wrote when testing the redzone code: --- #include <stdio.h> #include <stdlib.h> #define SIZE 25 int main(void) { char *p; int i; p = (char *)malloc(SIZE); for (i = 1; i <= 16; i++) { p[-i] = 0x42 - i; } for (i = 0; i < 16; i++) { p[SIZE + i] = 0x43 + i; } free(p); return 0; } --- Note that redzones are currently defined to be 16 bytes, but there may be more than 16 bytes of trailing redzone space, depending on (size % 16). Jason
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?61EE2752-7328-4068-9888-7F7B5C918439>