arena_tcache_fill_small can corrupt the tcache
valtteri at rahkonen.fi
Wed Nov 13 00:29:57 PST 2013
On Wed, 13 Nov 2013, valtteri at rahkonen.fi wrote:
> Hi,
>
> It seems that there is a thread cache memory problem in case memory has run out or
> the process hits the memory limit. Basically arena_tcache_fill_small will
> start to fill the thread cache from the end, and if memory allocation fails
> before all cache entries have been filled, the earlier thread cache entries
> will still contain old pointers already given to the program. Now when new
> allocations are made the memory is given out twice, causing memory corruption.
> Also the new memory allocated and placed after the tbin->ncached index is leaked.
>
> There is a really simple fix for this, i.e. start to fill the tcache from the
> beginning. The attached patch fixes this problem that way, i.e. a one-liner fix for
> the issue. I'm not totally sure if you want to use that because this breaks
> the low-region-used-first behaviour that was in the original implementation, but on
> the other hand this gives out first the memory that was allocated from existing
> arenas, so this approach might be better in that sense.
>
> Best regards,
> Valtteri
>
>
It seems that my fix is a revert of the
https://github.com/jemalloc/jemalloc/commit/9c43c13a35220c10d97a886616899189daceb359
commit.

Best regards,
Valtteri
--
Valtteri Rahkonen
valtteri at rahkonen.fi
http://www.rahkonen.fi
+358 40 5077041
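The fill-order problem from the quoted report, reduced to a constructed model so the two outcomes can be checked side by side; this is an added example, not jemalloc's code or the attached patch, and the names tbin_t, arena_t, arena_alloc, fill_reverse, fill_forward, run and the constant NFILL are all assumptions of this model. fill_reverse mirrors the pattern described in the report (insert from the top, then set ncached to the number obtained), fill_forward mirrors the report's one-liner (insert from index 0), and run drains the bin the way a tcache allocation would and counts stale pointers served and fresh regions leaked.

```c
#include <stddef.h>
#include <stdint.h>
#define NFILL 4 /* regions one fill attempt tries to obtain (constructed) */
/* Constructed models: a tcache bin (avail[] + ncached) and an arena that hands out fixed
 * regions until its budget runs out (simulated out-of-memory). */
typedef struct { void *avail[NFILL]; unsigned ncached; } tbin_t;
typedef struct { char regions[NFILL][8]; unsigned next, budget; } arena_t;
typedef struct { int stale, leaked; } result_t;
static void *arena_alloc(arena_t *a) {
    if (a->budget == 0) return NULL;
    a->budget--; return a->regions[a->next++];
}
/* Pattern the report describes: insert from the top so low regions get used first, then
 * set ncached = i. After an early NULL, avail[0..i-1] still holds the pre-existing pointers. */
static void fill_reverse(tbin_t *t, arena_t *a) {
    unsigned i;
    for (i = 0; i < NFILL; i++) {
        void *p = arena_alloc(a);
        if (p == NULL) break;
        t->avail[NFILL - 1 - i] = p;
    }
    t->ncached = i;
}
/* The report's one-liner: fill from index 0, so avail[0..ncached-1] is exactly what was obtained. */
static void fill_forward(tbin_t *t, arena_t *a) {
    unsigned i;
    for (i = 0; i < NFILL; i++) {
        void *p = arena_alloc(a);
        if (p == NULL) break;
        t->avail[i] = p;
    }
    t->ncached = i;
}
/* Slots start out holding pointers already handed to the program; fill, then drain the bin
 * the way a tcache allocation does (pop avail[--ncached]). Count stale pointers served
 * (memory handed out twice) and fresh regions obtained but never served (leaked). */
static result_t run(void (*fill)(tbin_t *, arena_t *), unsigned budget) {
    static char in_use[NFILL][8]; /* stands in for memory the program already owns */
    tbin_t t = { .ncached = 0 }; arena_t a = { .budget = budget };
    result_t r = { 0, 0 }; int served[NFILL] = { 0 };
    uintptr_t base = (uintptr_t)a.regions, end = base + sizeof a.regions;
    unsigned i; for (i = 0; i < NFILL; i++) t.avail[i] = in_use[i];
    fill(&t, &a);
    while (t.ncached > 0) {
        uintptr_t p = (uintptr_t)t.avail[--t.ncached];
        if (p >= base && p < end) served[(p - base) / 8] = 1; else r.stale++;
    }
    for (i = 0; i < a.next; i++) if (!served[i]) r.leaked++;
    return r;
}
```

With a budget of 2 out of NFILL regions, fill_reverse serves two stale pointers and leaks the two fresh regions, while fill_forward serves exactly the two fresh regions; with no allocation failure both orders behave correctly.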