[uClibc]BUG: malloc
Robert Daniels
RobertD at vantagecontrols.com
Fri Aug 16 22:54:39 UTC 2002
I found a bug in the new malloc for uClibc (0.9.14). If a previously
allocated block of memory is freed twice, there is the possibility of
confusion. The following is sample code that demonstrates one aspect of the
problem which results in a circularly linked free list:
#include <stdio.h>
#include <stdlib.h>   /* malloc, free */

#define MALLOC_SIZE 120

int main(int argc, char *argv[])
{
    void *p1 = malloc( MALLOC_SIZE );
    void *p2 = malloc( MALLOC_SIZE );
    void *p3 = malloc( MALLOC_SIZE );

    free( p2 );
    free( p1 );
    free( p2 );   /* second free of p2: the double free */
    free( p3 );
    return 0;
}
The result is that on the second time freeing p2, you run an infinite loop
in __heap_free() because the first free area gets linked to itself - a nifty
side-effect of having the heap_free_area struct located at the end of the
free area.
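To make that failure mode concrete, here is a toy model of a free list whose descriptor sits at the end of each free area, added for this page and not uClibc's code. With the check that the patch below adds (the `check` argument here) the second free of p2 is rejected; without it the new descriptor is written over the existing one and the list becomes circular. The heap array, the 128-byte sizes and the function names are constructed for the example.

```c
#include <stddef.h>
/* Toy free list, constructed for this example (not uClibc's code): each
   free area's descriptor sits at the END of the area, as in uClibc's heap. */
struct free_area { size_t size; struct free_area *next; };
#define AREA_END(fa)   ((char *)(fa) + sizeof(struct free_area))
#define AREA_START(fa) (AREA_END(fa) - (fa)->size)
static char heap[1024];                     /* constructed backing store */
struct free_area *free_list;                /* sorted by address, ascending */
static struct free_area *make_area(char *start, size_t size, struct free_area *next)
{   /* the descriptor occupies the last bytes of the area */
    struct free_area *fa = (struct free_area *)(start + size - sizeof *fa);
    return *fa = (struct free_area){ size, next }, fa;
}

/* Returns 0 on success, -1 when MEM already lies inside a free area (the check the
   patch adds).  Without it the second free's descriptor lands on the existing one. */
int heap_free(char *mem, size_t size, int check)
{
    struct free_area *fa, **link = &free_list;
    for (fa = free_list; fa; link = &fa->next, fa = fa->next) {
        if (AREA_END(fa) == mem) {              /* FA just before MEM: grow forward */
            *link = make_area(AREA_START(fa), fa->size + size, fa->next);
            return 0;
        }
        if (AREA_START(fa) == mem + size) {     /* FA just after MEM: grow backward */
            fa->size += size;
            return 0;
        }
        if (check && mem >= AREA_START(fa) && mem < AREA_END(fa))
            return -1;                          /* double free: MEM already inside FA */
        if (AREA_START(fa) > mem)
            break;                              /* insert the new entry before FA */
    }
    *link = make_area(mem, size, fa);
    return 0;
}
int list_length(int cap)                        /* bounded walk: a cycle reports CAP */
{
    int n = 0;
    for (struct free_area *fa = free_list; fa && n < cap; fa = fa->next) n++;
    return n;
}

/* Replays the report's free(p2); free(p1); free(p2) on 128-byte blocks. */
int replay(int check)
{
    free_list = NULL;
    heap_free(heap + 128, 128, check);          /* p2: free area [128,256) */
    heap_free(heap, 128, check);                /* p1: merges, area is now [0,256) */
    return heap_free(heap + 128, 128, check);   /* p2 again: the double free */
}
```

After replay(0) the single free area's next pointer points back at itself, which is why an unbounded walk such as the one in __heap_free() never terminates; replay(1) returns -1 and leaves the one-entry list intact.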
The following is a patch that checks for this situation:
*** heap_free.c.old Fri Aug 16 16:42:15 2002
--- heap_free.c Fri Aug 16 16:42:48 2002
***************
*** 82,87 ****
--- 82,92 ----
goto done;
}
+ else if ((mem >= fa_mem) && (mem < HEAP_FREE_AREA_END (fa)))
+ {
+ /* MEM falls within FA - already considered freed so do nothing.
*/
+ goto done;
+ }
}
/* Make MEM into a new free-list entry. */
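Review bot: the closing `*/` of the new comment has been wrapped onto its own line without a leading `+`, so `patch` will read it as a context line that does not exist in heap_free.c and reject the hunk; rejoin it to the `/* MEM falls within FA - already considered freed so do nothing.` line. On the logic, the new branch makes a double free succeed silently via `goto done` even though it signals a caller bug; consider reporting it, at least in a debug build, before returning. The range test also looks only at `mem`: a block that starts before `fa_mem` but overlaps FA still falls through to "Make MEM into a new free-list entry", so comparing the block's end against the area as well would close that case.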