arena_tcache_fill_small can corrupt the tcache
jasone at canonware.com
Wed Nov 13 12:59:00 PST 2013
On Nov 12, 2013, at 11:34 PM, valtteri at rahkonen.fi wrote:
> It seems that there is a thread cache memory in case of memory has run out or process hits to the memory limit. Basically the arena_tcache_fill_small will start to fill the thread cache from the end and if memory allocation fails before all cache entries have been filled the earlier thread cache entries will contain old pointers given already to the program. Now when new allocations are made the memory is given twice causing memory corruption. Also the new memory allocated and placed after tbin->ncached index is leaked.
> There is really simple fix for this i.e. start to fill the tcache from the beginning. Attached patch fixes this problem that way i.e. one liner fix for the issue. I'm not totally sure if you want to use that because this brakes the low region using first that was with the original implementation, but on the other hand this gives first memory that was allocated from existing arenas, so this approach might be better in that sense.
Yikes. As you guessed, I want to fix this by memmove()ing the valid pointers on failure rather than by reversing the insertion order. If you have time to modify your patch, great; otherwise I'll make sure to integrate a fix prior to the next release.
More information about the jemalloc-discuss