aboutsummaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2016-08-02 12:24:50 +0200
committerFlorian Weimer <fweimer@redhat.com>2016-08-02 12:24:50 +0200
commitf88aab5d508c13ae4a88124e65773d7d827cd47b (patch)
treedb6305cf81cd9437647f8313781cfa42e7e0894f /ChangeLog
parentb74d259fe793499134eb743222cd8dd7c74a31ce (diff)
downloadglibc-f88aab5d508c13ae4a88124e65773d7d827cd47b.tar
glibc-f88aab5d508c13ae4a88124e65773d7d827cd47b.tar.gz
glibc-f88aab5d508c13ae4a88124e65773d7d827cd47b.tar.bz2
glibc-f88aab5d508c13ae4a88124e65773d7d827cd47b.zip
malloc: Preserve arena free list/thread count invariant [BZ #20370]
It is necessary to preserve the invariant that if an arena is on the free list, it has thread attach count zero. Otherwise, when arena_thread_freeres sees the zero attach count, it will add it, and without the invariant, an arena could get pushed to the list twice, resulting in a cycle. One possible execution trace looks like this: Thread 1 examines free list and observes it as empty. Thread 2 exits and adds its arena to the free list, with attached_threads == 0). Thread 1 selects this arena in reused_arena (not from the free list). Thread 1 increments attached_threads and attaches itself. (The arena remains on the free list.) Thread 1 exits, decrements attached_threads, and adds the arena to the free list. The final step creates a cycle in the usual way (by overwriting the next_free member with the former list head, while there is another list item pointing to the arena structure). tst-malloc-thread-exit exhibits this issue, but it was only visible with a debugger because the incorrect fix in bug 19243 removed the assert from get_free_list.
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog8
1 files changed, 8 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 1df6ca8fc4..c8ea74031a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-08-02 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #20370]
+ * malloc/arena.c (get_free_list): Update comment. Assert that
+ arenas on the free list have no attached threads.
+ (remove_from_free_list): New function.
+ (reused_arena): Call it.
+
2016-08-02 Aurelien Jarno <aurelien@aurel32.net>
* sysdeps/alpha/fpu/s_ceil.c (__ceil): Add argument with itself