How to troubleshoot crashes in malloc


Problem description

I have a large body of legacy code that I inherited. It has worked fine until now. Suddenly at a customer trial that I cannot reproduce in-house, it crashes in malloc. I think that I need to add instrumentation, e.g. on top of malloc I have my own malloc that stores some meta information about each malloc, e.g. who has made the malloc call. When it crashes, I can then look up the meta information and see what was happening. I had done something similar years ago but cannot recall it now... I am sure people have come up with better ideas. Will be glad to have inputs.

Thanks

Recommended answer



Try valgrind.

Okay, I'm going to have to assume that you mean SIGSEGV (segmentation fault) is firing in malloc. This is usually caused by heap corruption. Heap corruption, which itself does not cause a segmentation fault, is usually the result of an array access outside of the array's bounds. This is usually nowhere near the point where you call malloc.

malloc stores a small header of information "in front of" the memory block that it returns to you. This information usually contains the size of the block and a pointer to the next block. Needless to say, changing either of these will cause problems. Usually, the next-block pointer is changed to an invalid address, and the next time malloc is called, it eventually dereferences the bad pointer and segmentation faults. Or it doesn't and starts interpreting random memory as part of the heap. Eventually its luck runs out.

Note that free can have the same thing happen, if the block being released or the free block list is messed up.

How you catch this kind of error depends entirely on how you access the memory that malloc returns. A malloc of a single struct usually isn't a problem; it's malloc of arrays that usually gets you. Using a negative (-1 or -2) index will usually give you the block header for your current block, and indexing past the array end can give you the header of the next block. Both are valid memory locations, so there will be no segmentation fault.

So the first thing to try is range checking. You mention that this appeared at the customer's site; maybe it's because the data set they are working with is much larger, or that the input data is corrupt (e.g. it says to allocate 100 elements and then initializes 101), or they are performing things in a different order (which hides the bug in your in-house testing), or doing something you haven't tested. It's hard to say without more specifics. You should consider writing something to sanity check your input data.
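The wrapper idea from the question, combined with the answer's point about writes at index -1 or one past the end, as an added example that is not part of the original question or answer. The names `dbg_malloc`, `dbg_check`, `dbg_free` and the `GUARD` value are hypothetical, and the header layout assumes a 64-bit ABI.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GUARD UINT64_C(0xDEADC0DEDEADC0DE)   /* constructed guard pattern */

/* Our own header in front of each user block (not the allocator's header). */
typedef struct {
    const char *file;    /* call site that requested the block */
    size_t      size;    /* bytes the caller asked for */
    int         line;
    uint64_t    guard;   /* last field: sits directly below index 0 */
} dbg_hdr;
/* Assumption: the header keeps the user pointer aligned (true on 64-bit ABIs). */
_Static_assert(sizeof(dbg_hdr) % _Alignof(max_align_t) == 0, "header alignment");

/* Allocate header + size bytes + trailing guard, recording the caller. */
void *dbg_malloc_at(size_t size, const char *file, int line) {
    const uint64_t g = GUARD;
    dbg_hdr *h;
    if (size > SIZE_MAX - sizeof *h - sizeof g) return NULL;
    h = malloc(sizeof *h + size + sizeof g);
    if (!h) return NULL;
    h->file = file; h->size = size; h->line = line; h->guard = g;
    memcpy((unsigned char *)(h + 1) + size, &g, sizeof g);
    return h + 1;
}
#define dbg_malloc(n) dbg_malloc_at((n), __FILE__, __LINE__)

/* 0 = intact, 1 = write below the block, 2 = write past its end.
 * On 0 or 2 the recorded call site is returned through file/line. */
int dbg_check(const void *p, const char **file, int *line) {
    const dbg_hdr *h = (const dbg_hdr *)p - 1;
    uint64_t head, tail;
    memcpy(&head, &h->guard, sizeof head);   /* memcpy: no aliasing assumptions */
    if (head != GUARD) return 1;             /* header no longer trustworthy */
    if (file) *file = h->file;
    if (line) *line = h->line;
    memcpy(&tail, (const unsigned char *)p + h->size, sizeof tail);
    return tail == GUARD ? 0 : 2;
}

/* Check the guards, release the real block, and report what the check found. */
int dbg_free(void *p) {
    int rc = p ? dbg_check(p, NULL, NULL) : 0;
    if (p) free((dbg_hdr *)p - 1);
    return rc;
}
```

Calling `dbg_check` on live blocks at intervals narrows down when the damage happened, while the recorded file and line say which allocation was hit.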
