On Fri, Jul 07, 2017 at 04:27:30AM +0200, Ingo Schwarze wrote:
> The end of the problem is that in malloc_bytes(), malloc.c line 981,
> the code enters the double for loop with a bp having the inconvenient
> property that in bp->bits, all sixteen entries are 0, causing the
> inner for loop to spin indefinitely.
>
> I must admit, though, that i have no idea what that means, and where
> the problem starts leading to that ugly end: i clearly underestimated
> the difficulty of reading malloc.c ... :-o
>
> But maybe that rings a bell for somebody else.
I guess that would be me ;)
What happens is the struct chunk_info says: there are chunks free, but
the bitmap itself says: no more.
I can reproduce, but I do not understand it yet. Will do some more
investigation.
-Otto
>
>
> Carlin Bingham wrote on Fri, Jul 07, 2017 at 12:31:27PM +1200:
>
> >> Synopsis: when canaries are enabled `malloc(0)' sometimes hangs
> >> Category: system
> >> Environment:
> > System : OpenBSD 6.1
> > Details : OpenBSD 6.1-current (GENERIC.MP) #88: Wed Jul 5 23:16:11 MDT 2017
> >
> > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Architecture: OpenBSD.amd64
> > Machine : amd64
> >> Description:
> > If malloc canaries are enabled in malloc.conf or MALLOC_OPTIONS
> > a call to malloc(3) with a size of 0 sometimes never returns.
> >> How-To-Repeat:
> > Call `malloc(0)' enough and it should eventually happen.
> >
> > In the wild, VLC seems to hang consistently at startup from
> > this.
> >
> > Synthetic example:
> >
> > $ cat stall.c && cc -o stall stall.c
> > #include <stdio.h>
> > #include <stdlib.h>
> >
> > int
> > main()
> > {
> > 	int i;
> >
> > 	printf("start\n");
> > 	for (i = 0; i < 5000000; i++) {
> > 		malloc(0);
> > 	}
> > 	printf("done\n");
> > }
> >
> > $ time ./stall
> >
> > start
> > done
> > 0m00.36s real 0m00.30s user 0m00.05s system
> >
> > $ MALLOC_OPTIONS="C" time ./stall
> > start
> > ^CCommand terminated abnormally.
> > 91.27 real 91.27 user 0.00 sys