This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug malloc/20370] malloc: Arena free list management is still racy (incorrect fix in bug 19243)
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 04 Aug 2016 10:29:26 +0000
- Subject: [Bug malloc/20370] malloc: Arena free list management is still racy (incorrect fix in bug 19243)
- Auto-submitted: auto-generated
- References: <bug-20370-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=20370
--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.22/master has been updated
via b2c32b05c698b421081e1f9319603341956f2887 (commit)
from 4b59550eadd3692e4d327363328a41aa5da89af1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b2c32b05c698b421081e1f9319603341956f2887
commit b2c32b05c698b421081e1f9319603341956f2887
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Aug 2 12:24:50 2016 +0200
malloc: Preserve arena free list/thread count invariant [BZ #20370]
It is necessary to preserve the invariant that if an arena is
on the free list, it has thread attach count zero. Otherwise,
when arena_thread_freeres sees the zero attach count, it will
add it, and without the invariant, an arena could get pushed
to the list twice, resulting in a cycle.
One possible execution trace looks like this:
Thread 1 examines free list and observes it as empty.
Thread 2 exits and adds its arena to the free list,
with attached_threads == 0).
Thread 1 selects this arena in reused_arena (not from the free list).
Thread 1 increments attached_threads and attaches itself.
(The arena remains on the free list.)
Thread 1 exits, decrements attached_threads,
and adds the arena to the free list.
The final step creates a cycle in the usual way (by overwriting the
next_free member with the former list head, while there is another
list item pointing to the arena structure).
tst-malloc-thread-exit exhibits this issue, but it was only visible
with a debugger because the incorrect fix in bug 19243 removed
the assert from get_free_list.
(cherry picked from commit f88aab5d508c13ae4a88124e65773d7d827cd47b)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 8 ++++++++
malloc/arena.c | 41 ++++++++++++++++++++++++++++++++++++-----
2 files changed, 44 insertions(+), 5 deletions(-)
--
You are receiving this mail because:
You are on the CC list for the bug.