diff options
| author | Zack Weinberg <zackw@panix.com> | 2017-06-08 15:39:03 -0400 |
|---|---|---|
| committer | Zack Weinberg <zackw@panix.com> | 2017-06-08 15:39:03 -0400 |
| commit | 5046dbb4a7eba5eccfd258f92f4735c9ffc8d069 (patch) | |
| tree | 4470480d904b65cf14ca524f96f79eca818c3eaf /REORG.TODO/malloc/mallocbug.c | |
| parent | 199fc19d3aaaf57944ef036e15904febe877fc93 (diff) | |
| download | glibc-zack/build-layout-experiment.zip glibc-zack/build-layout-experiment.tar.gz glibc-zack/build-layout-experiment.tar.bz2 | |
Prepare for radical source tree reorganization.zack/build-layout-experiment
All top-level files and directories are moved into a temporary storage
directory, REORG.TODO, except for files that will certainly still
exist in their current form at top level when we're done (COPYING,
COPYING.LIB, LICENSES, NEWS, README), all old ChangeLog files (which
are moved to the new directory OldChangeLogs, instead), and the
generated file INSTALL (which is just deleted; in the new order, there
will be no generated files checked into version control).
Diffstat (limited to 'REORG.TODO/malloc/mallocbug.c')
| -rw-r--r-- | REORG.TODO/malloc/mallocbug.c | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/REORG.TODO/malloc/mallocbug.c b/REORG.TODO/malloc/mallocbug.c new file mode 100644 index 0000000..7d19b6f --- /dev/null +++ b/REORG.TODO/malloc/mallocbug.c @@ -0,0 +1,70 @@ +/* Reproduce a GNU malloc bug. */ +#include <malloc.h> +#include <stdio.h> +#include <string.h> + +#define size_t unsigned int + +/* Defined as global variables to avoid warnings about unused variables. */ +char *dummy0; +char *dummy1; +char *fill_info_table1; + + +int +main (int argc, char *argv[]) +{ + char *over_top; + size_t over_top_size = 0x3000; + char *over_top_dup; + size_t over_top_dup_size = 0x7000; + char *x; + size_t i; + + /* Here's what memory is supposed to look like (hex): + size contents + 3000 original_info_table, later fill_info_table1 + 3fa000 dummy0 + 3fa000 dummy1 + 6000 info_table_2 + 3000 over_top + + */ + /* mem: original_info_table */ + dummy0 = malloc (0x3fa000); + /* mem: original_info_table, dummy0 */ + dummy1 = malloc (0x3fa000); + /* mem: free, dummy0, dummy1, info_table_2 */ + fill_info_table1 = malloc (0x3000); + /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */ + + x = malloc (0x1000); + free (x); + /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */ + + /* This is what loses; info_table_2 and freexx get combined unbeknownst + to mmalloc, and mmalloc puts over_top in a section of memory which + is on the free list as part of another block (where info_table_2 had + been). */ + over_top = malloc (over_top_size); + over_top_dup = malloc (over_top_dup_size); + memset (over_top, 0, over_top_size); + memset (over_top_dup, 1, over_top_dup_size); + + for (i = 0; i < over_top_size; ++i) + if (over_top[i] != 0) + { + printf ("FAIL: malloc expands info table\n"); + return 0; + } + + for (i = 0; i < over_top_dup_size; ++i) + if (over_top_dup[i] != 1) + { + printf ("FAIL: malloc expands info table\n"); + return 0; + } + + printf ("PASS: malloc expands info table\n"); + return 0; +} |