This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug malloc/19243] reused_arena can pick an arena on the free list, leading to an assertion failure and reference count corruption
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 02 Aug 2016 10:41:12 +0000
- Subject: [Bug malloc/19243] reused_arena can pick an arena on the free list, leading to an assertion failure and reference count corruption
- Auto-submitted: auto-generated
- References: <bug-19243-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=19243
--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via f88aab5d508c13ae4a88124e65773d7d827cd47b (commit)
from b74d259fe793499134eb743222cd8dd7c74a31ce (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f88aab5d508c13ae4a88124e65773d7d827cd47b
commit f88aab5d508c13ae4a88124e65773d7d827cd47b
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Aug 2 12:24:50 2016 +0200
malloc: Preserve arena free list/thread count invariant [BZ #20370]
It is necessary to preserve the invariant that if an arena is
on the free list, it has thread attach count zero. Otherwise,
when arena_thread_freeres sees the zero attach count, it will
add it, and without the invariant, an arena could get pushed
to the list twice, resulting in a cycle.
One possible execution trace looks like this:
Thread 1 examines free list and observes it as empty.
Thread 2 exits and adds its arena to the free list, with attached_threads == 0.
Thread 1 selects this arena in reused_arena (not from the free list).
Thread 1 increments attached_threads and attaches itself.
(The arena remains on the free list.)
Thread 1 exits, decrements attached_threads, and adds the arena to the free list.
The final step creates a cycle in the usual way (by overwriting the
next_free member with the former list head, while there is another
list item pointing to the arena structure).
tst-malloc-thread-exit exhibits this issue, but it was only visible
with a debugger because the incorrect fix in bug 19243 removed
the assert from get_free_list.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 8 ++++++++
malloc/arena.c | 41 ++++++++++++++++++++++++++++++++++++-----
2 files changed, 44 insertions(+), 5 deletions(-)
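The trace from the commit message, replayed in a small C model added here (this is not glibc's code): a toy arena type, a free list linked through next_free, and the two paths that push to it. The remove_from_free_list step is an assumed shape of the fix, written to restore the invariant the commit describes (an arena on the free list has attached_threads == 0); the buggy variant skips it and ends with a self-referencing list.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy arena with only the fields the bug involves (constructed model, not glibc's). */
typedef struct arena { size_t attached_threads; struct arena *next_free; } arena_t;
static arena_t *free_list;  /* singly linked through next_free, as in malloc/arena.c */
enum { TRACE_OK = 0, TRACE_INVARIANT_BROKEN = 1, TRACE_CYCLE = 2 };  /* bit flags */
/* Thread exit (the arena_thread_freeres path): push once no thread is attached. */
static void detach_and_maybe_free(arena_t *a) {
  if (--a->attached_threads == 0) { a->next_free = free_list; free_list = a; }
}
/* Unlink A from the free list if it is there; a no-op otherwise.  (Assumed fix.) */
static void remove_from_free_list(arena_t *a) {
  for (arena_t **pp = &free_list; *pp != NULL; pp = &(*pp)->next_free)
    if (*pp == a) { *pp = a->next_free; break; }
}
/* reused_arena picks A without consulting the free list.  Only the fixed
   variant keeps "on the free list => attached_threads == 0" true. */
static void reused_arena_attach(arena_t *a, bool fixed) {
  if (fixed) remove_from_free_list(a);
  ++a->attached_threads;
}
/* Every arena on the free list must have zero attached threads. */
bool free_list_invariant_holds(void) {
  for (arena_t *p = free_list; p != NULL; p = p->next_free)
    if (p->attached_threads != 0) return false;
  return true;
}
/* Floyd's tortoise and hare: true if the free list contains a cycle. */
bool free_list_has_cycle(void) {
  arena_t *slow = free_list, *fast = free_list;
  while (fast != NULL && fast->next_free != NULL) {
    slow = slow->next_free; fast = fast->next_free->next_free;
    if (slow == fast) return true;
  }
  return false;
}

/* Replay the commit message's trace and report what went wrong (TRACE_* flags). */
int run_trace(bool fixed) {
  static arena_t a;                  /* thread 2's arena (constructed) */
  int flags = TRACE_OK;
  a = (arena_t){ .attached_threads = 1, .next_free = NULL };
  free_list = NULL;                  /* thread 1 examines the free list and sees it empty */
  detach_and_maybe_free(&a);         /* thread 2 exits: a is pushed, attached_threads == 0 */
  reused_arena_attach(&a, fixed);    /* thread 1 picks a via reused_arena and attaches */
  if (!free_list_invariant_holds()) flags |= TRACE_INVARIANT_BROKEN;
  detach_and_maybe_free(&a);         /* thread 1 exits and pushes a (again, if still listed) */
  if (free_list_has_cycle()) flags |= TRACE_CYCLE;
  return flags;
}
```

With the fix applied the final push finds the list empty, so the arena is listed once; without it the push overwrites next_free with the old head, which is the arena itself.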