arena cache being reused

Christopher Ferris cferris at google.com
Wed Jul 8 15:42:53 PDT 2015


Using the current version of the dev jemalloc, I found a case where
jemalloc reuses a previously freed pointer. Specifically, the arena cache
pointer can get freed, but reused.

This can happen when a thread is ending and the key destroy functions are
being called. If the jemalloc key destroy function is called, the arena
cache is destroyed. But if another key destroy function is called which
allocates memory, the old arena cache pointer can be reused, and have the
arena pointers written to it.

I think the fix is to change the arenas_cache_cleanup function to:

void
arenas_cache_cleanup(tsd_t *tsd)
{
        arena_t **arenas_cache;

        arenas_cache = tsd_arenas_cache_get(tsd);
        if (arenas_cache != NULL) {
                /* Stop a later allocation from creating a new cache that
                 * nothing would free. */
                bool *arenas_cache_bypassp = tsd_arenas_cache_bypassp_get(tsd);
                *arenas_cache_bypassp = true;
                /* Clear the slot before freeing so no dangling pointer remains. */
                tsd_arenas_cache_set(tsd, NULL);
                a0dalloc(arenas_cache);
        }
}

I believe the bypass has to be set so that another arena cache is not
allocated, because that memory would be leaked, as there is not going to be
another call to the arenas_cache_cleanup function. I think this is the only
possible way something could be reused when an allocation is made after the
jemalloc key destroy function is called, but I might have missed something.

This might be particular to the fact that my config uses pthread_key_create
for the tsd data, but it might apply to other configs.

Does this solution seem reasonable?

Christopher
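The sequence the report describes, as an added model that is not jemalloc's code: a per-thread cache slot, the cleanup as described (free without clearing the slot) beside the proposed cleanup (bypass set, slot cleared), and a check that performs one more allocation after cleanup, as another key destructor would. All names here (model_tsd_t, model_cache_get and the rest) are assumptions, not jemalloc identifiers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of one thread's TSD (stand-in for jemalloc's tsd_t). */
typedef struct {
    void *arenas_cache;        /* lazily created per-thread arena cache */
    bool  arenas_cache_bypass; /* true: never create a cache for this thread */
} model_tsd_t;

/* Last freed cache address; lets the check spot a dangling pointer safely. */
static uintptr_t last_freed_cache = 0;

/* Allocator's lazy path: a thread with no cache gets one unless bypass is set. */
static void *model_cache_get(model_tsd_t *tsd)
{
    if (tsd->arenas_cache == NULL && !tsd->arenas_cache_bypass)
        tsd->arenas_cache = calloc(4, sizeof(void *));
    return tsd->arenas_cache;
}

/* Behaviour the report describes: buffer freed, TSD slot left pointing at it. */
static void model_cleanup_buggy(model_tsd_t *tsd)
{
    if (tsd->arenas_cache == NULL) return;
    last_freed_cache = (uintptr_t)tsd->arenas_cache;
    free(tsd->arenas_cache);
}
/* Cleanup with the proposed changes: set bypass, clear the slot, then free. */
static void model_cleanup_fixed(model_tsd_t *tsd)
{
    void *cache = tsd->arenas_cache;
    if (cache == NULL) return;
    tsd->arenas_cache_bypass = true; /* a replacement cache would only leak */
    tsd->arenas_cache = NULL;        /* drop the dangling pointer */
    last_freed_cache = (uintptr_t)cache;
    free(cache);
}
/* Report's sequence: thread uses cache, jemalloc key destructor runs, another
 * destructor allocates. True if that alloc reuses freed memory or leaks. */
static bool model_thread_exit_unsafe(void (*cleanup)(model_tsd_t *))
{
    model_tsd_t tsd = { NULL, false };
    model_cache_get(&tsd);
    cleanup(&tsd);
    void *after = model_cache_get(&tsd);
    if (after == NULL) return false;
    if ((uintptr_t)after != last_freed_cache) free(after); /* fresh: leak */
    return true;
}
```

With the described cleanup the check reports the freed cache being handed back; with the proposed cleanup the later allocation gets no cache at all, so nothing dangles and nothing leaks.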