Hi,
It seems that there is a thread cache memory issue when memory has run out
or the process hits its memory limit. Basically, arena_tcache_fill_small
will start to fill the thread cache from the end, and if a memory allocation
fails before all cache entries have been filled, the earlier thread cache
entries will contain old pointers already given to the program. Now when
new allocations are made, the same memory is given out twice, causing memory
corruption. Also, the newly allocated memory placed after the tbin->ncached
index is leaked.
There is a really simple fix for this, i.e. start filling the tcache from the
beginning. The attached patch fixes this problem that way, i.e. a one-liner fix
for the issue. I'm not totally sure if you want to use that, because this
breaks the low-regions-used-first behaviour of the original
implementation, but on the other hand this gives out first the memory that was
allocated from existing arenas, so this approach might be better in that
sense.
Best regards,
Valtteri
--
Valtteri Rahkonen
[email protected]
http://www.rahkonen.fi
+358 40 5077041
diff --git a/src/arena.c b/src/arena.c
index 145de86..aad1a02 100644
--- a/src/arena.c
+++ b/src/arena.c
@@ -1402,8 +1402,7 @@ arena_tcache_fill_small(arena_t *arena, tcache_bin_t *tbin, size_t binind,
arena_alloc_junk_small(ptr, &arena_bin_info[binind],
true);
}
- /* Insert such that low regions get used first. */
- tbin->avail[nfill - 1 - i] = ptr;
+ tbin->avail[i] = ptr;
}
if (config_stats) {
bin->stats.allocated += i * arena_bin_info[binind].reg_size;
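Review bot: the index change at `tbin->avail[i] = ptr;` is the right direction, since on an early `break` the `i` entries that were actually obtained now sit in `avail[0..i-1]`, matching the `tbin->ncached` count the message describes, but the removed comment should be replaced rather than dropped: a one-line note such as `/* Fill from index 0 so a partial fill leaves only fresh pointers below ncached. */` records why the low-regions-first ordering was given up, which otherwise looks like an accidental regression to the next reader. Worth stating in the commit message too that this deliberately reverses the region order handed back to callers; if that ordering matters, the alternative is to keep end-first placement and, when `i < nfill`, move the filled tail down to `avail[0..i-1]` before the count is stored.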
_______________________________________________
jemalloc-discuss mailing list
[email protected]
http://www.canonware.com/mailman/listinfo/jemalloc-discuss
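To make the failure mode in the message concrete, here is an added simulation that is not part of the original email or of jemalloc itself. It models a toy arena that runs dry after a fixed number of regions (`toy_arena_t`, `NFILL` and `POOL_REGIONS` are constructed values) and a tcache bin with the same `avail[]`/`ncached` shape the message refers to. The refill loop can be switched between the pre-patch index `nfill - 1 - i` and the patched index `i`; the scenario then fills the cache once, hands everything out, and refills when only half the entries can be satisfied, counting how many pointers are handed out a second time and how many freshly allocated regions are never reachable from the cache.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NFILL 8          /* entries per refill (constructed for the demo) */
#define POOL_REGIONS 12  /* toy arena holds 12 regions, then returns NULL */

/* Toy arena: hands out regions in order and fails once the pool is exhausted. */
typedef struct {
    unsigned char regions[POOL_REGIONS][16];
    int next;
} toy_arena_t;

static void *toy_arena_alloc(toy_arena_t *a) {
    if (a->next >= POOL_REGIONS) return NULL;   /* simulated out-of-memory */
    return a->regions[a->next++];
}

/* Same shape as the tcache bin discussed above: avail[] plus a count. */
typedef struct {
    void *avail[NFILL];
    int ncached;
} toy_tbin_t;

/* Refill loop shaped like arena_tcache_fill_small. fill_from_end selects
 * the pre-patch placement (nfill - 1 - i) or the patched placement (i).
 * On an early break, ncached is set to the number actually obtained. */
static void fill_small(toy_arena_t *a, toy_tbin_t *tbin, bool fill_from_end) {
    int i;
    for (i = 0; i < NFILL; i++) {
        void *ptr = toy_arena_alloc(a);
        if (ptr == NULL) break;
        if (fill_from_end)
            tbin->avail[NFILL - 1 - i] = ptr;
        else
            tbin->avail[i] = ptr;
    }
    tbin->ncached = i;
}

/* Pop the way a tcache allocation does: take avail[ncached - 1]. */
static void *tbin_pop(toy_tbin_t *tbin) {
    if (tbin->ncached == 0) return NULL;
    tbin->ncached--;
    return tbin->avail[tbin->ncached];
}

typedef struct {
    int dups;    /* pointers handed out twice (memory corruption risk) */
    int leaked;  /* regions taken from the arena but never reachable */
} fill_result_t;

/* Scenario: full refill, drain, then a refill that only gets 4 of 8 regions. */
static fill_result_t simulate(bool fill_from_end) {
    toy_arena_t arena = { .next = 0 };
    toy_tbin_t tbin = { .ncached = 0 };
    void *seen[POOL_REGIONS * 2];
    int nseen = 0;
    fill_result_t r = { 0, 0 };

    fill_small(&arena, &tbin, fill_from_end);   /* 8 regions, 4 left in pool */
    while (tbin.ncached > 0) seen[nseen++] = tbin_pop(&tbin);

    fill_small(&arena, &tbin, fill_from_end);   /* 4 succeed, then NULL */
    while (tbin.ncached > 0) {
        void *p = tbin_pop(&tbin);
        for (int k = 0; k < nseen; k++) {
            if (seen[k] == p) { r.dups++; break; }
        }
        seen[nseen++] = p;
    }
    /* Distinct regions the program ever received vs. regions the arena gave up. */
    r.leaked = arena.next - (nseen - r.dups);
    return r;
}

int main(void) {
    fill_result_t old = simulate(true), fixed = simulate(false);
    printf("fill from end:       %d double hand-outs, %d leaked regions\n",
           old.dups, old.leaked);
    printf("fill from beginning: %d double hand-outs, %d leaked regions\n",
           fixed.dups, fixed.leaked);
    return 0;
}
```

With the pre-patch placement the second refill stores the four fresh regions in `avail[4..7]` but sets `ncached = 4`, so the pops return the stale `avail[0..3]` entries from the first fill (four double hand-outs) and the fresh regions are unreachable (four leaked); with the patched placement both counts are zero.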