This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug malloc/19243] reused_arena can pick an arena on the free list, leading to an assertion failure and reference count corruption


https://sourceware.org/bugzilla/show_bug.cgi?id=19243

--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  f88aab5d508c13ae4a88124e65773d7d827cd47b (commit)
      from  b74d259fe793499134eb743222cd8dd7c74a31ce (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f88aab5d508c13ae4a88124e65773d7d827cd47b

commit f88aab5d508c13ae4a88124e65773d7d827cd47b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 2 12:24:50 2016 +0200

    malloc: Preserve arena free list/thread count invariant [BZ #20370]

    It is necessary to preserve the invariant that if an arena is
    on the free list, it has thread attach count zero.  Otherwise,
    when arena_thread_freeres sees the zero attach count, it will
    add it, and without the invariant, an arena could get pushed
    to the list twice, resulting in a cycle.

    One possible execution trace looks like this:

    Thread 1 examines free list and observes it as empty.
    Thread 2 exits and adds its arena to the free list,
      with attached_threads == 0).
    Thread 1 selects this arena in reused_arena (not from the free list).
    Thread 1 increments attached_threads and attaches itself.
      (The arena remains on the free list.)
    Thread 1 exits, decrements attached_threads,
      and adds the arena to the free list.

    The final step creates a cycle in the usual way (by overwriting the
    next_free member with the former list head, while there is another
    list item pointing to the arena structure).

    tst-malloc-thread-exit exhibits this issue, but it was only visible
    with a debugger because the incorrect fix in bug 19243 removed
    the assert from get_free_list.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog      |    8 ++++++++
 malloc/arena.c |   41 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 44 insertions(+), 5 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]