apr-dev mailing list archives

From Blair Zajac <bl...@orcaware.com>
Subject [PATCH] apr_pools.c patch for bounds checking compiler
Date Wed, 31 Jul 2002 21:30:59 GMT
I'm using the bounds checking gcc 3.1.1 to check for memory issues
in Apache and Subversion.  This patch to gcc compiles the code with
extra checks for illegal memory accesses, invalid pointers, etc., and
runs a lot faster than valgrind.  See

    http://web.inter.nl.net/hcc/Haj.Ten.Brugge/

There's a core dump from the bounds checking compiler when running
httpd -l with today's HEAD.

% /opt/i386-linux/installed/apache-2.0-cvs-2002073101/bin/httpd -l
Bounds Checking GCC v gcc-3.1.1-3.1 Copyright (C) 1995 Richard W.M. Jones
Bounds Checking comes with ABSOLUTELY NO WARRANTY. For details see file
`COPYING' that should have come with the source to this program.
Bounds Checking is free software, and you are welcome to redistribute it
under certain conditions. See the file `COPYING' for details.
For more information, set GCC_BOUNDS_OPTS to `-help'
apr_pools.c:617:Bounds error: NULL or ILLEGAL pointer used in <, >, <= or >= of
pointers.
apr_pools.c:617:  Left pointer value: ILLEGAL
apr_pools.c:617:  Right pointer value: 0x81a0000
Abort (core dumped)

This is at

APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t size)
...
    size = APR_ALIGN_DEFAULT(size);
    active = pool->active;

    /* If the active node has enough bytes left, use it. */
    endp = active->first_avail + size;
    if (endp < active->endp) {

The bounds checking httpd checks if

    endp = active->first_avail + size

is a valid pointer into the buffer and sets endp to (void *)-1 if it
is not and then core dumps on the "if (endp < active->endp)" test.
endp may be set to -1 because endp points past the end of the memory
buffer (past active->endp) and hence is not a valid pointer according
to the ISO standard.

The patch changes the test to

    if (size <= active->endp - active->first_avail) {

and only computes active->first_avail + size if the pointer will be
valid.

The only question is if the <= should be a <.

Even without this issue, should the test "if (endp < active->endp)" be
"if (endp <= active->endp)"?  Otherwise there may be wasted memory in
this buffer?

Best,
Blair

-- 
Blair Zajac <blair@orcaware.com>
Web and OS performance plots - http://www.orcaware.com/orca/
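A small model of the check discussed in the mail, added here as an example and not code from the message or from APR: the original pointer-forming test beside the size-based test from the patch, plus the exact-fit case behind the `<` versus `<=` question. The type `active_node` and the functions `sample_node`, `node_fits_ptr`, `node_fits_size` and `wasted_bytes` are names chosen for this example; the alignment macro mirrors APR's APR_ALIGN with the default boundary of 8.

```c
#include <stddef.h>
#include <stdio.h>

/* APR_ALIGN / APR_ALIGN_DEFAULT as used by apr_palloc (boundary 8). */
#define ALIGN(size, boundary) (((size) + ((boundary) - 1)) & ~((boundary) - 1))
#define ALIGN_DEFAULT(size) ALIGN(size, 8)

/* Stand-in for the two node fields apr_palloc looks at (assumed name). */
typedef struct {
    char *first_avail;   /* next free byte in this node */
    char *endp;          /* one past the last byte of this node */
} active_node;

/* Constructed node over a static 64-byte buffer with `used` bytes handed out. */
active_node sample_node(size_t used)
{
    static char buf[64];
    active_node n = { buf + used, buf + sizeof buf };
    return n;
}

/* Original test: forms first_avail + size first and only then compares.
 * When the request does not fit, the intermediate pointer lies beyond
 * endp, which is undefined behaviour in ISO C and is exactly what the
 * bounds checker flagged at apr_pools.c:617. Only call with in-range sizes. */
int node_fits_ptr(active_node n, size_t size)
{
    size = ALIGN_DEFAULT(size);
    char *endp = n.first_avail + size;
    return endp < n.endp;
}

/* Patched test: compare the request with the bytes remaining, so no pointer
 * is formed unless it would be valid. Using <= accepts an exact fit, and a
 * huge size cannot wrap the way first_avail + size could. */
int node_fits_size(active_node n, size_t size)
{
    size = ALIGN_DEFAULT(size);
    return size <= (size_t)(n.endp - n.first_avail);
}

/* Bytes the original '<' test leaves unusable when a request would exactly
 * fill the node: the whole remainder if '<' rejects it, otherwise 0. */
size_t wasted_bytes(active_node n)
{
    size_t remaining = (size_t)(n.endp - n.first_avail);
    return node_fits_ptr(n, remaining) ? 0 : remaining;
}

int main(void)
{
    printf("exact fit, ptr test: %d  size test: %d  wasted: %zu\n",
           node_fits_ptr(sample_node(0), 64), node_fits_size(sample_node(0), 64),
           wasted_bytes(sample_node(0)));
    return 0;
}
```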