aboutsummaryrefslogtreecommitdiffstats
path: root/lib/libmalloc/tests/t3.c
blob: fdbc181e54f7e60ff544efc8a4259b08660784b6 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
/*
Path: utstat!helios.physics.utoronto.ca!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!cs.utexas.edu!rice!sun-spots-request
From: munsell!jwf@uunet.uu.net (Jim Franklin)
Newsgroups: comp.sys.sun
Subject: bug in SUN malloc()
Keywords: Miscellaneous
Message-ID: <4193@brazos.Rice.edu>
Date: 4 Jan 90 13:05:06 GMT
Sender: root@rice.edu
Organization: Sun-Spots
Lines: 95
Approved: Sun-Spots@rice.edu
X-Sun-Spots-Digest: Volume 9, Issue 4, message 10 of 12

There is a bug in SUN's malloc() that causes it to sometimes attempt an
sbrk() to grow the current process, even if there is a free block of the
exact size available.  The bug exists in OS 3.5 and 4.0.3, probably
others.

SUN's malloc() maintains the free list in a cartesian tree.  The malloc()
bug occurs when the root block is exactly equal in size to the requested
allocation + alignment + overhead.

malloc.c (416-427):
>	/-*
>	 * ensure that at least one block is big enough to satisfy
>	 *	the request.
>	 *-/
>
>	if (weight(_root) <= nbytes) {
>		/-*
>		 * the largest block is not enough.
>		 *-/
>		if(!morecore(nbytes))
>			return 0;
>	}

The '<=' should be '<'.

The following 'malloc_bug' program illustrates the bug.  Do a 'pstat -s'
to see how much swap space you have, then run malloc_bug, requesting a
chunk of memory at least 1/2 that size.  E.g.,

jwf@fechner #36 pstat -s
8856k used (2120k text), 648872k free, 2776k wasted, 0k missing
max process allocable = 229360k
avail: 77*8192k 2*4096k 2*2048k 3*1024k 2*512k 3*256k 4*128k 3*64k 2*32k 4*16k 104*1k

jwf@fechner #37 malloc_bug 200000000
malloc_bug: requesting 200000000 bytes
malloc_bug: got 200000000 bytes at 00022fd8
malloc_bug: freeing 200000000 bytes
malloc_bug: requesting 200000000 bytes
malloc_bug: Not enough memory


Jim Franklin, EPPS Inc.,        uunet!atexnet ---\
32 Wiggins Ave.,                harvard!adelie ---+-- munsell!jwf
Bedford, MA 01730               decvax!encore ---/
(617) 276-7827


*/
#include <stdio.h>

main (argc, argv)
int     argc;
char    **argv;
{
	char            *p;
	unsigned int    size;
	int             i;
	extern char     *malloc ();

	if ( argc != 2 ) {
		fprintf (stderr, "usage: malloc_bug <chunk_size>\n");
		exit (-1);
	}
	size = atoi (argv[1]);
					/* malloc our large chunk */

	fprintf (stderr, "malloc_bug: requesting %d bytes\n", size);
	p = malloc (size);
	if ( p == NULL ) {
		perror ("malloc_bug");
		exit (-1);
	}
	fprintf (stderr, "malloc_bug: got %d bytes at %08x\n", size, p);

					/* malloc a bunch of small trash to
					   try to use up any free fragments
					   near the large chunk */
	for ( i = 0; i < 2000; i++ )
		(void) malloc (8);
					/* repeatedly free and malloc the
					   large chunk -- if this fails then
					   malloc is broken ... */
	for (;;) {
		fprintf (stderr, "malloc_bug: freeing %d bytes\n", size);
		free (p);
		fprintf (stderr, "malloc_bug: requesting %d bytes\n", size);
		p = malloc (size);
		if ( p == NULL ) {
			perror ("malloc_bug");
			exit (-1);
		}
		fprintf (stderr, "malloc_bug: got %d bytes at %08x\n", size, p);
	}

} /* main */