Date:      Wed, 02 Oct 2002 15:04:09 -0700
From:      "Jin Guojun [DSD]" <j_guojun@lbl.gov>
To:        FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject:   Re: kern/43599: Balloc did not check mallocated pointer in  libc/stdlib/strtod.c
Message-ID:  <3D9B6D58.517BE8A4@lbl.gov>
References:  <200210022140.g92Le18Z084749@freefall.freebsd.org>

FreeBSD-gnats-submit@FreeBSD.org wrote:

> >Category:       kern
> >Responsible:    freebsd-bugs
> >Synopsis:       Balloc did not check mallocated pointer in libc/stdlib/strtod.c
> >Arrival-Date:   Wed Oct 02 14:40:01 PDT 2002

# define THREAD_LOCK()                if (__isthreaded) _SPINLOCK(&thread_lock);

The reason that malloc fails for a small piece of memory is the malloc
THREAD_LOCK() failure. One printf() in a regular session is allocating memory,
and the timeout (SIGALRM) starts another printf(), which overtakes the
malloc(), and it returns 0 (NULL):

void *
malloc(size_t size)
{
    register void *r;

    THREAD_LOCK();
    malloc_func = " in malloc():";
    if (malloc_active++) {
        wrtwarning("recursive call\n");
        malloc_active--;
        THREAD_UNLOCK();
        return (0);
    }
...
}

In libc (not libc_r), THREAD_LOCK() may not exist, so the above if {...} block
sounds like a bug in this situation.

Program terminated with signal 11, Segmentation fault.
#0  0x80676f2 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
(xxgdb) up
#1  0x80684e1 in d2b (d=0.18469299376010895, e=0xbfbfe81c, bits=0xbfbfe828) at
/usr/src/lib/libc/../libc/stdlib/strtod.c:1011
(xxgdb) where
#0  0x80676f2 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
#1  0x80684e1 in d2b (d=0.18469299376010895, e=0xbfbfe81c, bits=0xbfbfe828) at
/usr/src/lib/libc/../libc/stdlib/strtod.c:1011
#2  0x8069a6e in __dtoa (d=0.18469299376010895, mode=3, ndigits=4,
decpt=0xbfbfeae0, sign=0xbfbfe874, rve=0xbfbfe868, resultp=0xbfbfeacc) at
/usr/src/lib/libc/../libc/stdlib/strtod.c:1930
#3  0x8066c98 in cvt (value=0.18469299376010895, ndigits=4, flags=256,
sign=0xbfbfeaf2 "", decpt=0xbfbfeae0, ch=102, length=0xbfbfead8,
dtoaresultp=0xbfbfeacc) at /usr/src/lib/libc/../libc/stdio/vfprintf.c:1222
#4  0x80647bd in vfprintf (fp=0x8086338, fmt0=0x807e475 "%d  %.4f sec. %s%s\n",
ap=0xbfbfeb68 "¼ë¿¿àä\a\b\220ë¿¿lñ¿¿æò¿¿") at
/usr/src/lib/libc/../libc/stdio/vfprintf.c:603
#5  0x8063988 in fprintf (fp=0x8086338, fmt=0x807e475 "%d  %.4f sec. %s%s\n") at
/usr/src/lib/libc/../libc/stdio/fprintf.c:70
#6  0x804844f in timeout () at ../netest.c:191
#7   0xbfbfffac in ?? ()
#8  0x806cb88 in malloc (size=28) at /usr/src/lib/libc/../libc/stdlib/malloc.c:1076

#9  0x80676e4 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:386
#10 0x80684e1 in d2b (d=0.17467300593852997, e=0xbfbfef2c, bits=0xbfbfef38) at
/usr/src/lib/libc/../libc/stdlib/strtod.c:1011
#11 0x8069a6e in __dtoa (d=0.17467300593852997, mode=3, ndigits=4,
decpt=0xbfbff1f0, sign=0xbfbfef84, rve=0xbfbfef78, resultp=0xbfbff1dc) at
/usr/src/lib/libc/../libc/stdlib/strtod.c:1930
#12 0x8066c98 in cvt (value=0.17467300593852997, ndigits=4, flags=256,
sign=0xbfbff202 "", decpt=0xbfbff1f0, ch=102, length=0xbfbff1e8,
dtoaresultp=0xbfbff1dc) at /usr/src/lib/libc/../libc/stdio/vfprintf.c:1222
#13 0x80647bd in vfprintf (fp=0x8086338, fmt0=0x807e475 "%d  %.4f sec. %s%s\n",
ap=0xbfbff278 "Ìò¿¿àä\a\bN\226\004\b\n") at
/usr/src/lib/libc/../libc/stdio/vfprintf.c:603
#14 0x8063988 in fprintf (fp=0x8086338, fmt=0x807e475 "%d  %.4f sec. %s%s\n") at
/usr/src/lib/libc/../libc/stdio/fprintf.c:70
#15 0x804974c in main (argc=10, argv=0xbfbff370) at ../netest.c:191
#16 0x8048135 in _start ()

--
------------ Jin Guojun ----------- v --- j_guojun@lbl.gov ---
Distributed Systems Department          http://www.itg.lbl.gov/~jin
M/S 50B-2239                            Ph#:(510) 486-7531 Fax: 486-6363
Lawrence Berkeley National Laboratory,  Berkeley, CA 94720
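
The re-entrancy described in this message, as an added example that is not part of the original e-mail or of FreeBSD's libc: a toy allocator with the same recursion guard as the malloc() excerpt is interrupted by SIGALRM, and the caller checks for NULL, which the subject line says Balloc() does not. The names guarded_alloc, balloc_checked, on_alarm and run_demo are hypothetical, and the signal is delivered with raise() so the run is deterministic.

```c
/* Added illustration, not FreeBSD source: malloc()-style recursion guard hit from a signal handler. */
#include <signal.h>
#include <stdlib.h>

static volatile sig_atomic_t alloc_active;  /* plays the role of malloc_active */
static volatile sig_atomic_t fire_in_alloc; /* constructed: raise SIGALRM mid-allocation */
static volatile sig_atomic_t nested_failed; /* the nested allocation returned NULL */
/* Hypothetical stand-in for malloc(): refuses re-entry by returning NULL. */
static void *guarded_alloc(size_t size)
{
    void *r = NULL;
    if (alloc_active++ == 0) {       /* not already inside the allocator */
        if (fire_in_alloc) {
            fire_in_alloc = 0;
            raise(SIGALRM);          /* handler runs before raise() returns */
        }
        r = malloc(size);
    }
    alloc_active--;
    return r;
}
/* Caller in the style of Balloc(), but checking the result before use. */
static int *balloc_checked(int k)
{
    int *b = guarded_alloc(4 * sizeof(int));
    if (b == NULL)
        return NULL;                 /* an unchecked caller would write through NULL */
    b[0] = k;
    return b;
}
/* Signal handler that allocates, as the fprintf() in timeout() does via __dtoa(). */
static void on_alarm(int sig)
{
    (void)sig;
    nested_failed = (balloc_checked(1) == NULL);
}
/* Returns 1 when the interrupted allocation succeeds and the nested one fails. */
static int run_demo(void)
{
    int *outer, ok;
    signal(SIGALRM, on_alarm);
    nested_failed = 0;
    fire_in_alloc = 1;
    outer = balloc_checked(1);
    ok = outer != NULL && outer[0] == 1 && nested_failed == 1;
    free(outer);
    return ok;
}
int main(void) { return run_demo() ? 0 : 1; }
```

The NULL check only turns the crash into a handled failure. The printf() family is not async-signal-safe, so a handler that sets a volatile sig_atomic_t flag and leaves the printing to the main loop avoids re-entering the allocator at all.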



