bin/112771: unwrapped magic checks in the malloc code

Fri May 18 22:10:05 UTC 2007

>Number:         112771
>Category:       bin
>Synopsis:       unwrapped magic checks in the malloc code
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 18 22:10:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXX 7.0-CURRENT FreeBSD 7.0-CURRENT #25: Fri May 18 17:25:48 MSD 2007     root at XXX:/usr/src/sys/i386/compile/XXX  i386


	
>Description:
Checks for arenas magic are not wrapped with the
'#ifdef MALLOC_DEBUG ... #endif' construct, but the field 'magic'
is defined only for MALLOC_DEBUG.
>How-To-Repeat:
Look at the /usr/src/lib/libc/stdlib/malloc.c (latest revision FreeBSD
tree has now is 1.146).  Search for the '->magic' and see it unwrapped.
Search for the 'struct arena_run_s' and 'struct arena_s' definitions
and see the 'magic' field wrapped with MALLOC_DEBUG.
>Fix:
The following patch wraps all occurences I found:

--- malloc.c.orig	Sat May 19 01:18:31 2007
+++ malloc.c	Sat May 19 01:21:43 2007
@@ -1568,7 +1568,9 @@
 	void *ret;
 	unsigned i, mask, bit, regind;
 
+#ifdef MALLOC_DEBUG
 	assert(run->magic == ARENA_RUN_MAGIC);
+#endif
 	assert(run->regs_minelm < bin->regs_mask_nelms);
 
 	/*
@@ -1659,7 +1661,9 @@
 	};
 	unsigned diff, regind, elm, bit;
 
+#ifdef MALLOC_DEBUG
 	assert(run->magic == ARENA_RUN_MAGIC);
+#endif
 	assert(((sizeof(size_invs)) / sizeof(unsigned)) + 3
 	    >= (SMALL_MAX_DEFAULT >> QUANTUM_2POW_MIN));
 
@@ -2041,7 +2045,9 @@
 {
 	void *ret;
 
+#ifdef MALLOC_DEBUG
 	assert(run->magic == ARENA_RUN_MAGIC);
+#endif
 	assert(run->nfree > 0);
 
 	ret = arena_run_reg_alloc(run, bin);
@@ -2059,7 +2065,9 @@
 	bin->runcur = arena_bin_nonfull_run_get(arena, bin);
 	if (bin->runcur == NULL)
 		return (NULL);
+#ifdef MALLOC_DEBUG
 	assert(bin->runcur->magic == ARENA_RUN_MAGIC);
+#endif
 	assert(bin->runcur->nfree > 0);
 
 	return (arena_bin_malloc_easy(arena, bin, bin->runcur));
@@ -2156,7 +2164,9 @@
 	void *ret;
 
 	assert(arena != NULL);
+#ifdef MALLOC_DEBUG
 	assert(arena->magic == ARENA_MAGIC);
+#endif
 	assert(size != 0);
 	assert(QUANTUM_CEILING(size) <= arena_maxclass);
 
@@ -2359,7 +2369,9 @@
 
 		run = (arena_run_t *)((uintptr_t)chunk + (pageind <<
 		    pagesize_2pow));
+#ifdef MALLOC_DEBUG
 		assert(run->magic == ARENA_RUN_MAGIC);
+#endif
 		ret = run->bin->reg_size;
 	} else
 		ret = mapelm->npages << pagesize_2pow;
@@ -2423,7 +2435,9 @@
 	size_t size;
 
 	assert(arena != NULL);
+#ifdef MALLOC_DEBUG
 	assert(arena->magic == ARENA_MAGIC);
+#endif
 	assert(chunk->arena == arena);
 	assert(ptr != NULL);
 	assert(CHUNK_ADDR2BASE(ptr) != ptr);
@@ -2441,7 +2455,9 @@
 
 		run = (arena_run_t *)((uintptr_t)chunk + (pageind <<
 		    pagesize_2pow));
+#ifdef MALLOC_DEBUG
 		assert(run->magic == ARENA_RUN_MAGIC);
+#endif
 		bin = run->bin;
 		size = bin->reg_size;
 
@@ -2975,7 +2991,9 @@
 	chunk = (arena_chunk_t *)CHUNK_ADDR2BASE(ptr);
 	if (chunk != ptr) {
 		/* Region. */
+#ifdef MALLOC_DEBUG
 		assert(chunk->arena->magic == ARENA_MAGIC);
+#endif
 
 		ret = arena_salloc(ptr);
 	} else {
>Release-Note:
>Audit-Trail:
>Unformatted:
