[PATCH 3/3] Improve zone support for OSX
Jason Evans
jasone at canonware.com
Thu Apr 5 10:52:07 PDT 2012
On Apr 5, 2012, at 2:45 AM, Mike Hommey wrote:
> On Tue, Mar 20, 2012 at 01:18:13PM -0400, Justin Lebar wrote:
>> On Tue, Mar 20, 2012 at 1:10 PM, Mike Hommey <mh+jemalloc at glandium.org> wrote:
>>> On Tue, Mar 20, 2012 at 01:04:54PM -0400, Justin Lebar wrote:
>>>> btw, I'm skeptical of the value of supporting OSX 10.5, because 10.5
>>>> occasionally passes invalid pointers to ozone_size [1].
>>>>
>>>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=694335
>>>
>>> For one, not all jemalloc users are going to have the problem, which is
>>> limited to some APIs.
>>
>> True, but we of course don't know the full set of circumstances under
>> which OSX will pass an invalid pointer.
>>
>>> Also, AIUI, the current jemalloc code does the right thing for the
>>> ozone_size, which is not the case in the old jemalloc fork we use in
>>> Firefox, so depending on what is done with the result of ozone_size,
>>> it might be okay.
>>
>> What's the difference in behavior?
>>
>>> BTW, I guess you wanted to point to
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=702250#c30
>>
>> Yes, thanks. And my analysis there is that 10.5 tries to free the
>> internal pointer. I'd be impressed if jemalloc handled this
>> correctly! (And even more impressed if it worked in general, for
>> non-huge allocations too. :)
>
> From my trivial testing, it actually works for allocations > (1 << 15).
>
> That is:
> char *ptr = malloc((1 << 15) + 1); free(ptr + 32);
> does free the pointer, while
> char *ptr = malloc(1 << 15); free(ptr + 32);
> doesn't.
>
> Neither crash (which is better than the crash we get with our fork :) )
>
> Jason, how actually safe is jemalloc now, when trying to free a pointer
> inside an allocation it gave out?
There are assertions that catch attempts to free interior pointers for small allocations, but as far as I know, freeing interior pointers for small allocations will otherwise work. Freeing interior pointers for large and huge allocations will always cause some sort of metadata corruption. I expect that both of your test cases are actually causing corruption. Do you have assertions enabled? I think (hope) there are assertions that will fail in both cases.
Thanks,
Jason
More information about the jemalloc-discuss
mailing list