*** glibc detected *** mainwindow: malloc(): smallbin double linked list corrupted: 0x01a73ab8 ***
Source: Internet   Editor: 程序博客网   Time: 2024/05/18 03:08
1. First, how glibc malloc lays out a chunk (the struct and comments below are taken from glibc's malloc.c)
/*
This struct declaration is misleading (but accurate and necessary).
It declares a "view" into memory allowing access to necessary
fields at known offsets from a given base. See explanation below.
*/
struct malloc_chunk {
  INTERNAL_SIZE_T      prev_size;   /* Size of previous chunk (if free).  */
  INTERNAL_SIZE_T      size;        /* Size in bytes, including overhead. */
  struct malloc_chunk* fd;          /* double links -- used only if free; points to the next free chunk in the bin */
  struct malloc_chunk* bk;          /* points to the previous free chunk in the bin */
  /* Only used for large blocks: pointer to next larger size.  */
  struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
  struct malloc_chunk* bk_nextsize;
};
/*
malloc_chunk details:
(The following includes lightly edited explanations by Colin Plumb.)
Chunks of memory are maintained using a `boundary tag' method as
described in e.g., Knuth or Standish. (See the paper by Paul
Wilson ftp://ftp.cs.utexas.edu/pub/garbage/allocsrv.ps for a
survey of such techniques.) Sizes of free chunks are stored both
in the front of each chunk and at the end. This makes
consolidating fragmented chunks into bigger chunks very fast. The
size fields also hold bits representing whether chunks are free or
in use.
An allocated chunk looks like this:

    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of previous chunk, if allocated            | |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of chunk, in bytes                       |M|P|
      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             User data starts here...                          .
            .                                                               .
            .             (malloc_usable_size() bytes)                      .
            .                                                               |
nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of chunk                                     |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Where "chunk" is the front of the chunk for the purpose of most of
the malloc code, but "mem" is the pointer that is returned to the
user. "Nextchunk" is the beginning of the next contiguous chunk.
Chunks always begin on even word boundaries, so the mem portion
(which is returned to the user) is also on an even word boundary, and
thus at least double-word aligned.
Free chunks are stored in circular doubly-linked lists, and look like this:
    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of previous chunk                            |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    `head:' |             Size of chunk, in bytes                         |P|
      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Forward pointer to next chunk in list             |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Back pointer to previous chunk in list            |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Unused space (may be 0 bytes long)                .
            .                                                               .
            .                                                               |
nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    `foot:' |             Size of chunk, in bytes                           |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The P (PREV_INUSE) bit, stored in the unused low-order bit of the
chunk size (which is always a multiple of two words), is an in-use
bit for the *previous* chunk. If that bit is *clear*, then the
word before the current chunk size contains the previous chunk
size, and can be used to find the front of the previous chunk.
The very first chunk allocated always has this bit set,
preventing access to non-existent (or non-owned) memory. If
prev_inuse is set for any given chunk, then you CANNOT determine
the size of the previous chunk, and might even get a memory
addressing fault when trying to do so.
Note that the `foot' of the current chunk is actually represented
as the prev_size of the NEXT chunk. This makes it easier to
deal with alignments etc but can be very confusing when trying
to extend or adapt this code.
The two exceptions to all this are
1. The special chunk `top' doesn't bother using the
trailing size field since there is no next contiguous chunk
that would have to index off it. After initialization, `top'
is forced to always exist. If it would become less than
MINSIZE bytes long, it is replenished.
2. Chunks allocated via mmap, which have the second-lowest-order
bit M (IS_MMAPPED) set in their size fields. Because they are
allocated one-by-one, each must contain its own trailing size field.
*/
2. Where the message is raised in glibc 2.11
The string comes from the smallbin path of _int_malloc in malloc.c. victim is last (bin), the oldest free chunk in the bin; before unlinking it, glibc checks that the chunk victim->bk points to still points back at victim through its fd field:

          bck = victim->bk;
          if (__builtin_expect (bck->fd != victim, 0))
            {
              errstr = "malloc(): smallbin double linked list corrupted";
              goto errout;
            }
3. Conclusion
The message means that victim->bk and bck->fd no longer agree, i.e. the circular doubly-linked list of a smallbin has been corrupted. The usual cause is a bug in the application that wrote over the header of a free chunk: a heap buffer overflow from the adjacent in-use chunk, a write through a dangling pointer after free(), or a double free. A bug in glibc itself cannot be ruled out entirely, but it is far less likely than a stray write in the program. Implementing your own memory manager is sometimes suggested, but that only masks the corruption; the stray write is still there. Locate it instead with Valgrind, AddressSanitizer (-fsanitize=address) or MALLOC_CHECK_=3, which report the first bad access rather than the later malloc() that stumbles over it.
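Worked example, added here (it is neither glibc's code nor code from the original post): a user-space model of one smallbin built from the chunk view in section 1, with the take-path quoted in section 2 reduced to its check. Three adjacent chunks are constructed in a static arena: A is in use, C and B are free and linked into one bin (B freed first, so it is last(bin) and B->bk is C). An overflow of a chosen length out of A's buffer is simulated with memset, then a malloc() of that size is run through the check. The names smallbin_take, bin_insert, demo_overflow and the arena layout are this example's own assumptions; real glibc chunks live in the heap and pass through fastbins and consolidation first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The same "view" as glibc's struct malloc_chunk; fd/bk are only meaningful
   while the chunk is free.  Model written for this page, not glibc code. */
typedef size_t INTERNAL_SIZE_T;
struct malloc_chunk {
    INTERNAL_SIZE_T prev_size;   /* foot of the previous chunk, valid when P is clear */
    INTERNAL_SIZE_T size;        /* chunk size | flag bits */
    struct malloc_chunk *fd;     /* next (newer) free chunk in the bin */
    struct malloc_chunk *bk;     /* previous (older) free chunk in the bin */
};
typedef struct malloc_chunk *mchunkptr;

#define PREV_INUSE   0x1
#define SIZE_BITS    0x7                              /* P | M | NON_MAIN_ARENA */
#define CHUNK        sizeof(struct malloc_chunk)      /* 32 bytes on 64-bit */
#define HDR          (2 * sizeof(INTERNAL_SIZE_T))    /* prev_size + size */
#define USABLE       (CHUNK - sizeof(INTERNAL_SIZE_T)) /* 24 on 64-bit: runs into next prev_size */
#define chunksize(p) ((p)->size & ~(INTERNAL_SIZE_T)SIZE_BITS)
#define chunk2mem(p) ((void *)((char *)(p) + HDR))
#define last(b)      ((b)->bk)

/* A bin is a dummy chunk header that closes a circular doubly-linked list. */
static void bin_init(mchunkptr bin) { bin->fd = bin->bk = bin; }

/* free() inserts right after the bin header, so last(bin) is the oldest
   free chunk and the smallbin is served first-in, first-out. */
static void bin_insert(mchunkptr bin, mchunkptr p) {
    p->fd = bin->fd;
    p->bk = bin;
    bin->fd->bk = p;
    bin->fd = p;
}

/* The smallbin take-path of _int_malloc reduced to the check quoted on this
   page.  Returns the victim, or NULL with *err set to glibc's message. */
static mchunkptr smallbin_take(mchunkptr bin, const char **err) {
    mchunkptr victim = last(bin), bck;
    *err = NULL;
    if (victim == bin)
        return NULL;                       /* bin empty */
    bck = victim->bk;
    if (bck->fd != victim) {               /* the check from section 2 */
        *err = "malloc(): smallbin double linked list corrupted";
        return NULL;
    }
    bin->bk = bck;                         /* unlink victim from the tail */
    bck->fd = bin;
    return victim;
}

/* Constructed arena: three adjacent chunks A, C, B.  A is in use by the
   caller, C and B are free and sit in one smallbin (B was freed before C). */
static struct malloc_chunk arena[3];

/* Simulates an unchecked write of n_written bytes into A's buffer, then a
   malloc() of that size.  Returns glibc's error string, or NULL on success. */
const char *demo_overflow(size_t n_written) {
    struct malloc_chunk bin;
    mchunkptr A = &arena[0], C = &arena[1], B = &arena[2];
    const char *err;

    memset(arena, 0, sizeof arena);
    A->size = CHUNK | PREV_INUSE;
    C->size = CHUNK | PREV_INUSE;          /* A (the previous chunk) is in use */
    B->prev_size = CHUNK;                  /* C is free, so B carries C's foot */
    B->size = CHUNK;                       /* ... and B's P bit is clear */
    bin_init(&bin);
    bin_insert(&bin, B);                   /* oldest: becomes last(bin) */
    bin_insert(&bin, C);                   /* now B->bk == C */

    /* The application bug.  The first USABLE bytes are legitimately A's;
       beyond that the write lands in C->size, then C->fd, then C->bk. */
    memset(chunk2mem(A), 'A', n_written);

    mchunkptr victim = smallbin_take(&bin, &err);
    if (err)
        return err;
    return (victim == B && chunksize(victim) == CHUNK) ? NULL : "unexpected victim";
}

int main(void) {
    size_t w = sizeof(INTERNAL_SIZE_T);
    const char *r;
    r = demo_overflow(USABLE);         printf("in bounds:      %s\n", r ? r : "ok");
    r = demo_overflow(USABLE + w);     printf("C->size hit:    %s\n", r ? r : "ok (not caught)");
    r = demo_overflow(USABLE + 2 * w); printf("C->fd hit:      %s\n", r ? r : "ok");
    return 0;
}
```

A write that stays within A's usable bytes leaves the list intact and the take succeeds. Overrunning by one word clobbers C->size, which the quoted check never looks at, so the corruption goes unnoticed here. Overrunning by two words clobbers C->fd; since victim->bk is C, bck->fd != victim holds and the take fails with exactly the message in the title. Note that the check dereferences bck = victim->bk: had the overflow reached the bk field of the victim itself, glibc would read through a wild pointer and the process would die with a segmentation fault before printing anything, which is why the same kind of bug sometimes shows up as a plain crash instead of this message.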