[26247] in Athena Bugs
linux 9.3.16: electricfence
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Dec 14 20:59:37 2004
Message-Id: <200412150158.iBF1wgA0031489@all-in-one.mit.edu>
To: bugs@mit.edu
Date: Tue, 14 Dec 2004 20:58:42 -0500
From: Ken Raeburn <raeburn@mit.edu>
Errors-To: bugs-bounces@mit.edu
System name: all-in-one.mit.edu
Type and version: i686 9.3.16
Display type: Matrox Graphics, Inc. MGA G400 AGP (rev 85)
Shell: /bin/athena/tcsh
Window manager: vtwm.gamma
What were you trying to do?
Run a test program under electric fence, using
"env EF_PROTECT_FREE=1 LD_PRELOAD=libefence.so ./eftest"
This is the ElectricFence-2.2.2-15 package.
#include <stdlib.h>
#define POOL_SIZE 1024
int *pool[POOL_SIZE] = { 0 };
int xxx;
int main()
{
int *p;
int allocidx = 0, freeidx = 0;
while (1) {
if ((allocidx + 1) % POOL_SIZE == freeidx) {
/* Make sure allocated block is still readable!
Under electric fence with EF_PROTECT_FREE=1, *boom*. */
xxx += *pool[freeidx];
free(pool[freeidx]);
pool[freeidx] = 0;
if (++freeidx == POOL_SIZE) freeidx = 0;
}
p = malloc(sizeof(int));
if (p == 0) { perror("malloc"); exit(1); }
*p = 1;
pool[allocidx] = p;
if (++allocidx == POOL_SIZE) allocidx = 0;
}
}
What's wrong:
Program go boom.
It gets a segfault in the "xxx +=" line, using an address from
the pool that's near the start of the allocation space that
efence is using, usually something like 0x40411ffc or
0x40400ffc. At this point, freeidx is somewhere in the middle
of the pool, and the counter xxx (if it's reliable) indicates
that the program has made several loops through the entire
pool.
It usually happens within the first 5-10 seconds of running
the program. Short runs with pool sizes of 128 and 512 didn't
show the problem, though maybe I just needed to wait longer.
What should have happened:
Shouldn't have crashed.
AFAICT this program should be just fine, so long as a
reasonable number of pages are free. If pages aren't
available, then malloc should've failed, or at least the
"*p=1" assignment should've crashed. (I checked the
disassembly, the store hasn't been optimized away.) A page
previously written to and not freed shouldn't randomly
disappear.
Please describe any relevant documentation references:
efence(3)
