I am investigating what problems can be detected with MALLOC_OPTIONS.
SEGV occurs even if MALLOC_OPTIONS=G is not specified. Normally, the
areas allocated by malloc() are not contiguous. However, after many
malloc() operations without free()ing these areas, contiguous areas may
be allocated. I guessed that MALLOC_OPTIONS=G would be effective in
this case; is this correct?
The above estimates are based on the following research:
I investigated MALLOC_OPTIONS=G using the following program.
$ cat main.c
#include <err.h>
#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char *argv[])
{
	size_t size;
	char *buf;

	if (argc != 2)
		errx(1, "usage: %s size", argv[0]);
	size = atoi(argv[1]);
	if ((buf = malloc(size)) == NULL)
		err(1, "malloc(%zu) failed", size);
	buf[size] = 1;	/* Writes one byte past the range allocated by malloc */
	free(buf);
	return (0);
}
$ cc main.c
$ MALLOC_OPTIONS=G ./a.out 4096
zsh: segmentation fault (core dumped) MALLOC_OPTIONS=G ./a.out 4096
The program got a SEGV, because malloc() allocates the requested
size + MALLOC_PAGESIZE area using mmap() as below, and then makes the
extra MALLOC_PAGESIZE area unreadable and unwritable using mprotect():
p = mmap(NULL, size + MALLOC_PAGESIZE, ...);
mprotect(p + size, MALLOC_PAGESIZE, PROT_NONE);
However, SEGV occurs even if MALLOC_OPTIONS=G is not specified.
$ ./a.out 4096
zsh: segmentation fault (core dumped) ./a.out 4096
This is because malloc() allocates only the requested size, as below:
p = mmap(NULL, size, ...);
Of course, the area beyond size can not be read or written.
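To make the guard-page mechanism described above observable without killing the process, here is an added example (my own code, not OpenBSD's malloc): an electric-fence style allocator that maps the buffer plus one PROT_NONE guard page, right-aligns the buffer against the guard so buf[size] is the first guarded byte, and a SIGSEGV probe that reports whether a write faulted. The names guarded_alloc, guarded_free and probe_write are assumed helper names.

```c
/* Added example: guard-page allocator in the style of MALLOC_OPTIONS=G,
 * plus a SIGSEGV probe. Not OpenBSD's implementation. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_faulted;

static void on_segv(int sig) { (void)sig; probe_faulted = 1; siglongjmp(probe_env, 1); }

static size_t round_to_page(size_t size)
{
	size_t pg = (size_t)sysconf(_SC_PAGESIZE);
	return (size + pg - 1) / pg * pg;
}

/* mmap round_to_page(size) data bytes plus one guard page, like the
 * mmap()+mprotect() pair shown above, and return a pointer positioned so
 * that buf[size] lands on the PROT_NONE guard page even for small sizes. */
char *guarded_alloc(size_t size)
{
	size_t pg = (size_t)sysconf(_SC_PAGESIZE), data = round_to_page(size);
	char *p = mmap(NULL, data + pg, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (p == MAP_FAILED)
		return NULL;
	if (mprotect(p + data, pg, PROT_NONE) != 0) {
		munmap(p, data + pg);
		return NULL;
	}
	return p + (data - size);	/* right-align against the guard page */
}

void guarded_free(char *buf, size_t size)
{
	size_t data = round_to_page(size);
	munmap(buf - (data - size), data + (size_t)sysconf(_SC_PAGESIZE));
}

/* Try to write buf[idx]; return 1 if the write hit the guard (SIGSEGV caught), 0 if it silently succeeded. */
int probe_write(char *buf, size_t idx)
{
	struct sigaction sa = { 0 }, old;
	sa.sa_handler = on_segv;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old);
	probe_faulted = 0;
	if (sigsetjmp(probe_env, 1) == 0)
		buf[idx] = 1;	/* faults only when idx >= size */
	sigaction(SIGSEGV, &old, NULL);
	return probe_faulted;
}
```

Allocating 100 bytes and probing buf[99] then buf[100] shows the off-by-one write caught even though it stays inside the same page, which a plain page-sized mmap() cannot catch.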
--
ASOU Masato