On Wed, 13 Nov 2013, Jason Evans wrote:
On Nov 12, 2013, at 11:34 PM, [email protected] wrote:
It seems that there is a thread cache memory in case memory has run
out or the process hits the memory limit. Basically
arena_tcache_fill_small will start to fill the thread cache from the
end, and if memory allocation fails before all cache entries have been
filled, the earlier thread cache entries will contain old pointers already
given to the program. Now when new allocations are made, the memory is
given out twice, causing memory corruption. Also, the new memory allocated
and placed after the tbin->ncached index is leaked.
There is a really simple fix for this, i.e. start to fill the tcache from
the beginning. The attached patch fixes this problem that way, i.e. a
one-liner fix for the issue. I'm not totally sure if you want to use that
because this breaks the low region using first that was with the
original implementation, but on the other hand this gives first memory
that was allocated from existing arenas, so this approach might be
better in that sense.
Yikes. As you guessed, I want to fix this by memmove()ing the valid pointers
on failure rather than by reversing the insertion order. If you have time to
modify your patch, great; otherwise I'll make sure to integrate a fix prior to
the next release.
Thanks,
Jason
Hi Jason,
Sure, changed the patch to move the filled cache to the beginning of the
thread cache.
Best regards,
Valtteri
--
Valtteri Rahkonen
[email protected]
http://www.rahkonen.fi
+358 40 5077041
diff --git a/src/arena.c b/src/arena.c
index 145de86..c07ca4b 100644
--- a/src/arena.c
+++ b/src/arena.c
@@ -1413,6 +1413,10 @@ arena_tcache_fill_small(arena_t *arena, tcache_bin_t *tbin, size_t binind,
tbin->tstats.nrequests = 0;
}
malloc_mutex_unlock(&bin->lock);
+ if (i && i < nfill) {
+ memmove(tbin->avail, &tbin->avail[nfill - i],
+ i * sizeof(void *));
+ }
tbin->ncached = i;
}
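Review bot: the new `if (i && i < nfill)` block ahead of `tbin->ncached = i;` has no comment saying why the pointers are moved, and the condition only makes sense to a reader who already knows the fill loop writes from the end of `tbin->avail`. Add a short comment stating that a partial fill leaves the i valid pointers at `avail[nfill - i]` through `avail[nfill - 1]`, while `ncached = i` expects them at the start of the array. `memmove` is the right call because source and destination overlap once i exceeds half of nfill; writing the guard as `i > 0 && i < nfill` would read more clearly than the bare `i`.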
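The failure discussed in this thread, reduced to a small model (an added example, not jemalloc code and not part of the original messages). `model_bin_t`, `model_fill` and the other names are hypothetical, the bin is assumed to be popped from index `ncached - 1` downward, and the sample data is constructed.

```c
#include <stdio.h>
#include <string.h>
#define NSLOTS 8

/* Simplified stand-in for a tcache bin: a pointer stack popped from the top. */
typedef struct { void *avail[NSLOTS]; unsigned ncached; } model_bin_t;

static char fresh_obj[NSLOTS]; /* regions the model allocator can still hand out */
static char stale_obj[NSLOTS]; /* regions the program already owns */

/* Refill from the end of avail[]; only `budget` allocations succeed. */
static unsigned model_fill(model_bin_t *bin, unsigned nfill, unsigned budget, int fix)
{
    unsigned i;
    for (i = 0; i < nfill && i < budget; i++)
        bin->avail[nfill - 1 - i] = &fresh_obj[i];
    /* Patched behaviour: slide the i valid pointers down to avail[0..i-1]. */
    if (fix && i > 0 && i < nfill)
        memmove(bin->avail, &bin->avail[nfill - i], i * sizeof(void *));
    bin->ncached = i;
    return i;
}

static int is_stale(const void *p)
{
    for (unsigned j = 0; j < NSLOTS; j++)
        if (p == (const void *)&stale_obj[j])
            return 1;
    return 0;
}

/* Pops all entries after a 3-of-8 partial fill; returns how many were stale. */
unsigned stale_pops_after_partial_fill(int fix)
{
    model_bin_t bin;
    unsigned i, got, stale = 0;
    for (i = 0; i < NSLOTS; i++)
        bin.avail[i] = &stale_obj[i]; /* slots left over from earlier pops */
    got = model_fill(&bin, NSLOTS, 3, fix);
    for (i = 0; i < got; i++)
        stale += is_stale(bin.avail[--bin.ncached]);
    return stale;
}

int main(void)
{
    printf("unpatched: %u stale, patched: %u stale\n", stale_pops_after_partial_fill(0), stale_pops_after_partial_fill(1));
    return 0;
}
```

In the unpatched run every pointer the bin hands out is one the program already holds, and the three fresh regions above index `ncached` are never reachable again, which matches the double allocation and the leak reported in the thread.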