On Nov 12, 2013, at 11:34 PM, [email protected] wrote:

> It seems that there is a thread cache memory problem in case memory has run out or
> the process hits the memory limit. Basically arena_tcache_fill_small will
> start to fill the thread cache from the end, and if memory allocation fails
> before all cache entries have been filled, the earlier thread cache entries
> will contain old pointers already given to the program. Now when new
> allocations are made the memory is given out twice, causing memory corruption.
> Also the new memory allocated and placed after the tbin->ncached index is leaked.
>
> There is a really simple fix for this, i.e. start to fill the tcache from the
> beginning. The attached patch fixes this problem that way, i.e. a one-liner fix for
> the issue. I'm not totally sure if you want to use that because this breaks
> the low-region-first usage that was in the original implementation, but on
> the other hand this gives first the memory that was allocated from existing
> arenas, so this approach might be better in that sense.
Yikes. As you guessed, I want to fix this by memmove()ing the valid pointers on failure rather than by reversing the insertion order. If you have time to modify your patch, great; otherwise I'll make sure to integrate a fix prior to the next release.

Thanks,
Jason

_______________________________________________
jemalloc-discuss mailing list
[email protected]
http://www.canonware.com/mailman/listinfo/jemalloc-discuss
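As an added illustration of the failure mode discussed in both messages (not code from jemalloc or from either poster), the following C program models the fill-from-the-end logic with a simplified bin and an arena that runs out part way through a refill, and shows how memmove()ing the valid pointers down on a short fill avoids handing the same pointer out twice. The tbin_t and arena_t types, the tcache_fill and tcache_pop names, and the six-slot limit are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define NFILL 4   /* entries a fill tries to add (jemalloc's nfill) */

/* Simplified stand-ins for jemalloc's tcache bin and arena (constructed
 * for this example): avail[] holds cached pointers, ncached counts the
 * valid ones; the arena hands out fixed slots and fails after `limit`. */
typedef struct { void *avail[NFILL]; unsigned ncached; } tbin_t;
typedef struct { char pool[8][16]; unsigned used, limit; } arena_t;

static void *arena_alloc(arena_t *a) {
    return a->used < a->limit ? a->pool[a->used++] : NULL;
}

/* Fill from the top so low regions are used first; `move_on_short` is
 * the memmove fix: without it a partial fill leaves avail[0..i) holding
 * stale pointers the program already owns, and the new ones are leaked. */
static void tcache_fill(arena_t *a, tbin_t *tbin, bool move_on_short) {
    unsigned i;
    for (i = 0; i < NFILL; i++) {
        void *p = arena_alloc(a);
        if (p == NULL) break;                 /* OOM / memory limit hit */
        tbin->avail[NFILL - 1 - i] = p;
    }
    if (move_on_short && i < NFILL)
        memmove(tbin->avail, &tbin->avail[NFILL - i], i * sizeof(void *));
    tbin->ncached = i;
}

/* Allocation fast path: pop the top cached pointer (slot is not cleared). */
static void *tcache_pop(tbin_t *tbin) {
    return tbin->ncached ? tbin->avail[--tbin->ncached] : NULL;
}

/* Scenario: one full fill handed entirely to the program, then a refill
 * that fails after two entries. Returns true if the refill hands out a
 * pointer the program already owns (the double allocation from the report). */
bool refill_hands_out_duplicate(bool fixed) {
    arena_t a = { .used = 0, .limit = 6 };
    tbin_t tbin = { .ncached = 0 };
    void *owned[NFILL], *p;
    tcache_fill(&a, &tbin, fixed);             /* 4 of 6 slots: full fill */
    for (unsigned k = 0; k < NFILL; k++) owned[k] = tcache_pop(&tbin);
    tcache_fill(&a, &tbin, fixed);             /* gets 2, then OOM */
    while ((p = tcache_pop(&tbin)) != NULL)
        for (unsigned k = 0; k < NFILL; k++)
            if (p == owned[k]) return true;
    return false;
}
```

With the unfixed fill the second pop returns a slot the program already holds; with the memmove the two fresh slots are the only ones returned.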
