On Fri, Jul 07, 2017 at 08:52:42AM +0200, Otto Moerbeek wrote:
> I think I found it: requested size is not recorded for malloc(0),
> bp->offset is not initialized in that case. Other code is careful not to
> use ->offset for size == 0.

This also fixes /usr/src/regress/lib/libc/malloc/malloc0test:

.../malloc0test$ MALLOC_OPTIONS=C make
cc -O2 -pipe   -MD -MP  -c /usr/src/regress/lib/libc/malloc/malloc0test/malloc0test.c
cc   -o malloc0test malloc0test.o 
./malloc0test

Hangs forever.

Install new libc:

.../malloc0test$ MALLOC_OPTIONS=C make
cc   -o malloc0test malloc0test.o 
./malloc0test
count = 100000

Passes immediately.

bluhm

> Index: malloc.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/stdlib/malloc.c,v
> retrieving revision 1.226
> diff -u -p -r1.226 malloc.c
> --- malloc.c  19 Jun 2017 03:06:26 -0000      1.226
> +++ malloc.c  7 Jul 2017 06:51:30 -0000
> @@ -1013,7 +1013,7 @@ malloc_bytes(struct dir_info *d, size_t 
>       /* Adjust to the real offset of that chunk */
>       k += (lp - bp->bits) * MALLOC_BITS;
>  
> -     if (mopts.chunk_canaries)
> +     if (mopts.chunk_canaries && size > 0)
>               bp->bits[bp->offset + k] = size;
>  
>       k <<= bp->shift;
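Review bot: the added `size > 0` condition on the `mopts.chunk_canaries` branch encodes an invariant that is not visible in the hunk itself, namely that `bp->offset` is never initialized for zero-sized chunks, so the `if` should carry a one-line comment stating it (for example `/* bp->offset is not set for size 0 chunks */`) directly above `if (mopts.chunk_canaries && size > 0)`. Without it, a later reader who sees the requested size stored into `bp->bits[bp->offset + k]` has no local hint why size 0 must be excluded, and the convention that other code relies on stays implicit. The malloc0test regress run with MALLOC_OPTIONS=C shown above is the right coverage for this path and is worth naming in the commit message.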
