Re: Medit crash

From: Luis Pedro Passos Carvalho (lpcarvalho@SONAE.PT)
Date: 11/28/97


----------
| On Thu, 27 Nov 1997, George wrote:
| > On Thu, 27 Nov 1997, Rasmus Ronlev wrote:

<snip>

|
| As it is now, the memory wrapper I've created does not detect any parts of
| the mud code freeing parts more than once, or segments of or parts of
| other segments being freed wrongly, or twice or some such thing that would
| corrupt the memory, and specifically the mob_proto and mob_index...
|

That I can believe.

| Is it not correct, that some part of the mud-code would have to FREE some
| part of the mob_proto or mob_index for the error to occur in the lines:
|
| free(mob_proto)
| free(mob_index)
|
| In the medit.c file ? I mean if the free() call makes the segmentation
| fault, would that not mean, that what is being freed has already been
| freed ? Or, that part of what is being freed has already been freed ?
|

Well, that's where you're wrong. Another thing that can cause your MUD to
crash is writing out of an array.

The dynamic memory you allocate is stored in a linked list, as well as your
freed memory. At the beginning of each malloc'ed block there is a header
that indicates the size of the block and the next block in the list.
When you free a block, it runs through the list and updates it in order to
reflect the change.

In order for the implementation of free and malloc to be fast, no error checking
is done, so it usually considers that the header is immediately before the place
you indicate.
Now suppose the following scenario.

#include <stdlib.h>

int main(void) {
  char *a,*b;

  a=malloc(100);
  b=malloc(100);

//  At this point you have two memory blocks following each other
//
//       |header of a|data of a|header of b|data of b|
//
//  In some cases, the implementation of the list is reversed, therefore
// you have:
//
//       |header of b|data of b|header of a|data of a|
//

  a[100]=0xff;   // one byte past the end of a (deliberate out-of-bounds write)

//  You've just written to the header of the block b, thus corrupting the list
//  Freeing the memory will now cause the program to crash.

  free(a);  // Everything is fine here
  free(b);  // Ooops. The code will crash

  return 0;
}

Notice that the code, using a memory wrapper will not detect any problem. The only
problem is that the memory list is corrupted due to an assignment.

BTW, this doesn't occur in all OSs; it greatly depends on the implementation of
malloc and free.

I hope I made myself understandable, and not a raving lunatic.

--
Luis Pedro Passos de Carvalho
lpcarvalho@sonae.pt
lpassos@mail.telepac.pt


     +------------------------------------------------------------+
     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     | http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
     +------------------------------------------------------------+
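The mechanism described in the message above, as an added example that is not part of the original post and not CircleMUD code: a toy bump allocator with the same layout (a header immediately before each block, blocks chained in a list) so the off-by-one write can be reproduced deterministically, plus the header canary check that a memory wrapper would need in order to catch it. Names such as toy_malloc, toy_free, toy_check_heap and HDR_MAGIC are invented for illustration; no real libc malloc is involved. Block sizes are rounded up to pointer alignment, which is the "depends on the implementation" point: with a 100-byte request and 8-byte rounding the stray byte at a[100] lands in padding and nothing notices, so the scenario below uses 96-byte blocks to make the headers abut.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the poster's or CircleMUD's code. Toy allocator with
 * in-band headers: |header|data|header|data| inside a static arena. */

#define ARENA_SIZE 4096u
#define HDR_MAGIC  0xC0DEC0DEu     /* canary: a write past the previous block hits this first */

struct hdr {
    uint32_t    magic;   /* HDR_MAGIC while live, 0 once freed */
    uint32_t    size;    /* usable bytes that follow this header */
    struct hdr *next;    /* previously allocated block (list is newest-first) */
};

/* Union keeps the arena aligned for struct hdr. */
static union { unsigned char bytes[ARENA_SIZE]; struct hdr align; } arena;
static size_t      arena_used;
static struct hdr *head;

void toy_reset(void)
{
    memset(arena.bytes, 0, sizeof arena.bytes);
    arena_used = 0;
    head = NULL;
}

/* Bump allocator: header, then n bytes of user data, back to back. */
void *toy_malloc(size_t n)
{
    size_t align = sizeof(void *);
    n = (n + align - 1) & ~(align - 1);          /* keep the next header aligned */
    if (arena_used + sizeof(struct hdr) + n > ARENA_SIZE)
        return NULL;
    struct hdr *h = (struct hdr *)(arena.bytes + arena_used);
    arena_used += sizeof(struct hdr) + n;
    h->magic = HDR_MAGIC;
    h->size  = (uint32_t)n;
    h->next  = head;
    head = h;
    return h + 1;                                /* data starts right after the header */
}

/* Like the free() in the post, this trusts that the header sits immediately
 * before p. Unlike a fast production free(), it validates the canary before
 * touching the list. Returns 0 on success, -1 if the header is corrupt
 * (overflowed or already freed), -2 if p is not a live block. */
int toy_free(void *p)
{
    struct hdr *h = (struct hdr *)p - 1;
    if (h->magic != HDR_MAGIC)
        return -1;
    for (struct hdr **link = &head; *link; link = &(*link)->next) {
        if (*link == h) {
            *link = h->next;
            h->magic = 0;                        /* a second free of p now fails the check */
            return 0;
        }
    }
    return -2;
}

/* Heap walk a memory wrapper could run after every malloc/free: returns the
 * number of live blocks, or -1 at the first header whose canary is gone. */
int toy_check_heap(void)
{
    int n = 0;
    for (struct hdr *h = head; h; h = h->next) {
        if (h->magic != HDR_MAGIC)
            return -1;
        n++;
    }
    return n;
}

/* The post's scenario: two adjacent n-byte blocks, one byte written at a[idx].
 * Returns the first non-zero free() result, or 0 if both frees succeeded. */
int overflow_scenario(size_t n, size_t idx)
{
    toy_reset();
    unsigned char *a = toy_malloc(n);
    unsigned char *b = toy_malloc(n);
    if (!a || !b) return -99;
    a[idx] = 0xff;                               /* idx == n lands on b's header */
    int ra = toy_free(a);                        /* a's own header is intact, so this passes */
    int rb = toy_free(b);
    return ra != 0 ? ra : rb;
}

/* Same write, but checked by the heap walk before anything is freed. */
int overflow_seen_by_walk(size_t n, size_t idx)
{
    toy_reset();
    unsigned char *a = toy_malloc(n);
    if (!a || !toy_malloc(n)) return -99;
    a[idx] = 0xff;
    return toy_check_heap();                     /* 2 if clean, -1 if a header was hit */
}

/* Double free: the second call finds magic == 0 and refuses. */
int double_free_scenario(void)
{
    toy_reset();
    void *p = toy_malloc(32);
    if (!p || toy_free(p) != 0) return -99;
    return toy_free(p);
}

int main(void)
{
    printf("in-bounds write a[95]:  free result %d, walk %d\n",
           overflow_scenario(96, 95), overflow_seen_by_walk(96, 95));
    printf("off-by-one  a[96]:      free result %d, walk %d\n",
           overflow_scenario(96, 96), overflow_seen_by_walk(96, 96));
    printf("double free:            second free %d\n", double_free_scenario());
    return 0;
}
```

The walk is the check worth bolting onto a memory wrapper: free(a) succeeds because only b's header was clobbered, exactly as in the post, so a wrapper that inspects just the block being freed sees nothing until the later free(b). Walking every header after each allocation or free catches the corruption at the allocation that follows the bad write, which is usually close enough to the culprit to find it.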



This archive was generated by hypermail 2b30 : 12/08/00 PST