
我想先在我的 PC 上测试 mcheck 功能,以检测 malloc 合并(consolidate)错误。这样,我相信它将有助于找出嵌入式 Linux 机器上的类似崩溃。不幸的是,这个崩溃至少需要 3-4 天才能复现。因此,我正在寻找一个示例程序,它能产生类似下面这样的崩溃。

 Program terminated with signal 6, Aborted.
#0  0x2c73ebb8 in __syscall_kill (pid=900, sig=6) at kill.c:15
15  static inline _syscall2(int, __syscall_kill, __kernel_pid_t, pid,
int, sig);
Current language:  auto; currently c
#0  0x2c73ebb8 in __syscall_kill (pid=900, sig=6) at kill.c:15
    __res = 716485696
    __err = 16
#1  0x2c73eb5c in kill (pid=900, sig=6) at kill.c:19
No locals.
#2  0x2aafb2e0 in pthread_kill (thread=900, signo=6) at signals.c:73
    handle = (pthread_handle) 0x2ab3f2e0
    pid = 900
#3  0x2aafbbb8 in raise (sig=6) at signals.c:241
    retcode = 6
#4  0x2c730a5c in abort () at abort.c:94
    sigset = {__val = {32, 0 <repeats 31 times>}}
#5  0x2c738054 in __malloc_consolidate (av=0x2c798860) at free.c:227
    fb = (mfastbinptr *) 0x2c798864
    maxfb = (mfastbinptr *) 0x2c798880
    p = (mchunkptr) 0x2c798894
    nextp = (mchunkptr) 0x4a2b2948
    unsorted_bin = (mchunkptr) 0x2c798894
    first_unsorted = (mchunkptr) 0x4a22f7e0
    nextchunk = (mchunkptr) 0x2c798894
    size = 0
    nextsize = 0
    prevsize = 0
    nextinuse = 1
    bck = (mchunkptr) 0x4a2b2948
    fwd = (mchunkptr) 0x4a2b2948
#6  0x2c735ff0 in __malloc_inner (bytes=300) at malloc.c:912
    av = (mstate) 0x2c798860
    nb = 304
    idx = 32
    bin = (mbinptr) 0x2ac0dab4
    fb = (mfastbinptr *) 0x2ae11e50
    victim = (mchunkptr) 0x2ac0d9a4
    size = 719396432
    victim_index = 718311332
    remainder = (mchunkptr) 0x49759b58
    remainder_size = 40000
    block = 719396432
    bit = 718500504
    map = 719396432
    fwd = (mchunkptr) 0x1
    bck = (mchunkptr) 0x4a2164ac
    sysmem = (void *) 0x4975c9ac
#7  0x2c736c18 in malloc (bytes=300) at malloc.c:1172



那是因为你的程序破坏了 libc 中 malloc/free 所使用的内存管理数据结构。malloc/free 在用户程序空间中有自己的数据结构,用来跟踪不同块大小的已分配/已释放空间列表。不知何故,您的程序可能存在缓冲区溢出或不安全的随机访问,从而修改了内存管理的数据或指针。于是在您的程序调用 malloc/free 的时刻,它使用了错误的地址,导致 segfault 或中止。

运行 valgrind 非常慢。也许您可以先尝试将环境变量 MALLOC_CHECK_ 设为 1,然后运行您的程序,看看是否有任何诊断消息。

于 2013-09-20T04:13:38.137 回答

Is this what you are asking for?

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    /* Deliberate double-free demonstration: one allocation, two pointers
       (num2 aliases num), and both are passed to free().  argc/argv are
       unused. */
    int *num = malloc(sizeof(int));
    int *num2 = num;
    free(num);
    /* Second free of the same block through the alias — undefined behaviour.
       This is the class of heap-bookkeeping corruption that mcheck /
       MALLOC_CHECK_ are meant to report; without such checks the fault, if
       it shows at all, would presumably surface only in a later malloc/free.
       Note the malloc result is not checked: if it returned NULL, both calls
       would be free(NULL) (a no-op) and nothing would be demonstrated. */
    free(num2);
    printf("End\n");
    return 0;
}
于 2013-09-20T03:46:40.093 回答

例如,如果您在堆上分配一个 100 字符大小的缓冲区,并由指针 *txt 指向它。

char *txt = malloc(100*sizeof(char));

然后错误地把一个较小的变量赋给了该指针:

char a;
txt = a;

然后尝试把普通文本复制到这个已损坏的堆指针所指的位置:

strcpy ("text",txt);

您可能需要跟踪这些变量(指针),并检查每一次重新赋值。

于 2013-09-21T16:13:47.303 回答
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    /* Five distinct heap blocks, released in a non-FIFO order.  Every
       pointer is freed exactly once, so the program is well-defined
       (free(NULL) is a no-op should any malloc fail); on its own it is
       not expected to trip the allocator's consistency checks.
       argc/argv are unused. */
    int *chunk[5];
    for (size_t i = 0; i < 5; i++) {
        chunk[i] = malloc(sizeof *chunk[i]);
    }

    /* Release order of the original listing: num1, num3, num4, num2, num5. */
    static const size_t release_order[] = {0, 2, 3, 1, 4};
    for (size_t i = 0; i < 5; i++) {
        free(chunk[release_order[i]]);
    }
    printf("End\n");
    return 0;
}
于 2013-09-20T15:54:13.940 回答