Bug in chunk allocation

Christopher Ferris cferris at google.com
Mon Jun 8 14:15:53 PDT 2015

Recently, it appears that there was a bug introduced in chunk allocation.
The bug is exposed by this small snippet of code:

  #include <stdio.h>
  #include <stdlib.h>
  int main(void) {
    void* mem = malloc(128*1024*1024);
    printf("mem address %p\n", mem);
    void* large_alloc = malloc(0x80000081UL);
    printf("large mem %p\n", large_alloc);
  }

It looks like the bug is in the chunk_recycle code, in this piece of code:

        if (new_addr != NULL) {
                extent_node_t key;
                extent_node_init(&key, arena, new_addr, alloc_size, false);
                node = extent_tree_ad_search(chunks_ad, &key);
        } else {
                node = chunk_first_fit(arena, chunks_szad, chunks_ad,
                    alloc_size);
        }
        if (node == NULL || (new_addr != NULL && extent_node_size_get(node) <
            size)) {
                return (NULL);
        }

The problem is that new_addr == NULL, so the size check is not performed.
In my testing, removing the new_addr != NULL check fixes the problem, but I
don't know if that's the correct change.

The first allocation after the free shows the problem; if you try to use
the whole memory allocation, it might segfault or let you scribble all over
someone else's memory.

Christopher Ferris
(cferris at google.com)
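The following is an added test harness, not code from the post above or from jemalloc, that turns the report's repro into an automated check: it issues the same two requests (128 MiB, then 0x80000081 bytes), verifies that the two live blocks do not overlap, and writes to the first, middle and last byte of each so that a chunk smaller than the request faults or scribbles visibly rather than going unnoticed. The function names ranges_overlap, touch_edges and check_recycle_pattern are my own; the post mentions a free but its placement is not shown in the snippet, so the harness follows the snippet as posted. To exercise jemalloc's chunk_recycle path rather than the system allocator, link against or LD_PRELOAD the jemalloc build under test.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Return 1 if the byte ranges [a, a+asz) and [b, b+bsz) share any byte.
 * Ordering is done on uintptr_t, since comparing pointers into unrelated
 * objects is undefined in C. Empty ranges never overlap. */
int ranges_overlap(const void *a, size_t asz, const void *b, size_t bsz)
{
    uintptr_t a0 = (uintptr_t)a, b0 = (uintptr_t)b;
    if (asz == 0 || bsz == 0)
        return 0;
    return a0 < b0 + bsz && b0 < a0 + asz;
}

/* Touch the first, middle and last byte of a block. If the allocator handed
 * out a chunk smaller than the request, the last write lands outside it:
 * either a segfault or a silent write into a neighbouring chunk. */
static void touch_edges(unsigned char *p, size_t sz)
{
    p[0] = 0xAA;
    p[sz / 2] = 0xBB;
    p[sz - 1] = 0xCC;
}

/* Reproduce the request pattern from the report and check the two live
 * blocks are disjoint. Returns 0 when they are disjoint and their edges are
 * writable, -1 if a malloc fails (a request just over 2 GiB can
 * legitimately fail on a small or overcommit-limited machine), and 1 if the
 * allocator returned overlapping blocks. Helper written for this example. */
int check_recycle_pattern(void)
{
    size_t small_sz = 128u * 1024u * 1024u;   /* 128 MiB, as in the report */
    size_t large_sz = 0x80000081UL;            /* value from the report */
    void *mem = malloc(small_sz);
    if (mem == NULL)
        return -1;
    touch_edges(mem, small_sz);

    void *large_alloc = malloc(large_sz);
    if (large_alloc == NULL) {
        free(mem);
        return -1;
    }

    int overlap = ranges_overlap(mem, small_sz, large_alloc, large_sz);
    if (!overlap)
        touch_edges(large_alloc, large_sz);  /* skip if overlapping: would clobber mem */

    free(large_alloc);
    free(mem);
    return overlap;
}

int main(void)
{
    int rc = check_recycle_pattern();
    if (rc == -1)
        printf("allocation failed; cannot exercise the pattern on this host\n");
    else if (rc == 1)
        printf("FAIL: allocator returned overlapping blocks\n");
    else
        printf("OK: blocks are disjoint and writable at both ends\n");
    return rc == 1;
}
```

The overlap check is the part worth keeping in a regression suite: a correct allocator must never hand out two live ranges that share a byte, whatever its chunk-recycling strategy, so the assertion holds regardless of which internal path served the request.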