arena_tcache_fill_small can corrupt the tcache

valtteri at rahkonen.fi valtteri at rahkonen.fi
Tue Nov 12 23:34:42 PST 2013


Hi,

It seems that there is a thread cache memory issue in case memory has run out 
or the process hits the memory limit. Basically arena_tcache_fill_small 
will start to fill the thread cache from the end, and if memory allocation 
fails before all cache entries have been filled, the earlier thread cache 
entries will contain old pointers already given to the program. Now when 
new allocations are made, the memory is given out twice, causing memory 
corruption. Also the new memory allocated and placed after the tbin->ncached 
index is leaked.

There is a really simple fix for this, i.e. start to fill the tcache from the 
beginning. The attached patch fixes this problem that way, i.e. a one-liner fix 
for the issue. I'm not totally sure if you want to use that because this 
breaks the low-region-first usage that was in the original 
implementation, but on the other hand this gives first the memory that was 
allocated from existing arenas, so this approach might be better in that 
sense.

Best regards,
Valtteri

-- 
Valtteri Rahkonen
valtteri at rahkonen.fi
http://www.rahkonen.fi
+358 40 5077041
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jemalloc.diff
Type: text/x-diff
Size: 499 bytes
Desc: 
URL: <http://jemalloc.net/mailman/jemalloc-discuss/attachments/20131113/ea87dc1c/attachment.diff>
