Serious bug in arenas_extend_ctl
Mike Hommey
mh+jemalloc at glandium.org
Mon Nov 26 03:15:44 PST 2012
On Mon, Nov 26, 2012 at 12:09:01PM +0100, Mike Hommey wrote:
> Hi,
>
> Version 3.2 fails to build on windows, which thankfully made me spot
> this horrible bug in ctl.c:
>
> 1502 READ(ctl_stats.narenas - 1, unsigned);
>
> This expands to:
> (...) memcpy(oldp, (void *)&ctl_stats.narenas - 1, copylen); (...)
>
> Which obviously doesn't do the right thing on other platforms.
This small patch would avoid such mistakes to go unnoticed:
--- a/src/ctl.c
+++ b/src/ctl.c
@@ -960,7 +960,7 @@ ctl_postfork_child(void)
if (*oldlenp != sizeof(t)) { \
size_t copylen = (sizeof(t) <= *oldlenp) \
? sizeof(t) : *oldlenp; \
- memcpy(oldp, (void *)&v, copylen); \
+ memcpy(oldp, (void *)&(v), copylen); \
ret = EINVAL; \
goto label_return; \
} else \
And this should fix the issue itself:
--- a/src/ctl.c
+++ b/src/ctl.c
@@ -1499,7 +1499,8 @@ arenas_extend_ctl(const size_t *mib, size_t miblen, void *oldp, size_t *oldlenp,
ret = EAGAIN;
goto label_return;
}
- READ(ctl_stats.narenas - 1, unsigned);
+ unsigned n = ctl_stats.narenas - 1;
+ READ(n, unsigned);
ret = 0;
label_return:
More information about the jemalloc-discuss
mailing list