Bug 431743 - Upstream jemalloc fixes
Status: RESOLVED FIXED (Closed)
Opened 15 years ago, closed 15 years ago
Categories: Core :: Memory Allocator, defect
People: Reporter: jasone, Assigned: jasone
Attachments (1 file, 1 obsolete file): 1.83 KB patch, benjamin: review+
malloc() uses unsigned integers to represent allocation size, but sbrk() uses a signed increment argument, thus limiting the maximum allocation size possible via sbrk(). Since sbrk() interprets a negative increment as a data storage segment (DSS) shrink, failing to detect this overflow case can cause crashes.
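To make the overflow concrete, here is an added example (not jemalloc's code and not the patch attached to this bug) showing the unsigned-to-signed wrap the description talks about, the bound that prevents it, and a hypothetical checked wrapper `dss_grow_checked()` that refuses a size that would turn into a negative sbrk() increment instead of silently shrinking the data segment. The names `sbrk_increment_fits`, `unchecked_increment` and `dss_grow_checked` are assumptions chosen for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* sbrk() takes a signed intptr_t increment, while allocation sizes are
 * size_t.  Any size above INTPTR_MAX cannot be represented as a
 * non-negative increment; converting it yields a negative value, which
 * sbrk() interprets as a request to shrink the data storage segment. */
#define SBRK_MAX_INCREMENT ((size_t)INTPTR_MAX)

/* True if `size` can be handed to sbrk() without wrapping negative. */
bool sbrk_increment_fits(size_t size)
{
    return size <= SBRK_MAX_INCREMENT;
}

/* The unchecked conversion the bug describes.  On two's-complement
 * targets a size_t above INTPTR_MAX becomes a negative intptr_t here.
 * Returned only to show the wrap; it is never passed to sbrk(). */
intptr_t unchecked_increment(size_t size)
{
    return (intptr_t)size;
}

/* Hypothetical checked wrapper: grow the DSS by `size` bytes.
 * Returns the previous break on success, or NULL when the size would
 * wrap to a negative increment (treated as out-of-memory) or when
 * sbrk() itself fails. */
void *dss_grow_checked(size_t size)
{
    if (!sbrk_increment_fits(size)) {
        /* Without this check the call below would shrink the DSS. */
        return NULL;
    }
    void *old_brk = sbrk((intptr_t)size);
    return old_brk == (void *)-1 ? NULL : old_brk;
}

int main(void)
{
    /* Constructed sizes: one that fits and one that wraps. */
    size_t ok_size = 4096;
    size_t huge_size = (size_t)INTPTR_MAX + 1;

    printf("%zu fits: %d\n", ok_size, sbrk_increment_fits(ok_size));
    printf("%zu fits: %d (unchecked increment would be %jd)\n",
           huge_size, sbrk_increment_fits(huge_size),
           (intmax_t)unchecked_increment(huge_size));

    /* Refused before sbrk() is ever called, so the DSS is untouched. */
    printf("dss_grow_checked(SIZE_MAX) -> %p\n", dss_grow_checked(SIZE_MAX));
    return 0;
}
```

The important property is that the refusal happens before any call to sbrk(): a caller that merely checks sbrk()'s return value would already have shrunk the segment by the time it noticed anything was wrong.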
Updated • 15 years ago
Assignee: jasone → nobody
Status: ASSIGNED → NEW
Component: OS Integration → jemalloc
Product: Firefox → Core
QA Contact: os.integration → jemalloc
Updated • 15 years ago
Status: NEW → ASSIGNED
Updated • 15 years ago
Assignee: nobody → jasone
Status: ASSIGNED → NEW
Comment 1 • 15 years ago
Check for integer overflow before calling sbrk(2), since it uses a signed increment argument, but the size is an unsigned integer.
Updated • 15 years ago
Summary: Avoid sbrk() overflow → Upstream jemalloc fixes
Comment 2 • 15 years ago
This patch fixes three problems:
1) sbrk() overflow for huge allocations.
2) Deadlock for base (internal) allocations in OOM case.
3) Incorrect bitmap vector initialization for small allocation runs.
Attachment #319058 - Attachment is obsolete: true
Attachment #324469 - Flags: review?(benjamin)
Updated • 15 years ago
Attachment #324469 - Flags: review?(benjamin) → review+
Comment 3 • 15 years ago
changeset: 15456:38972d94e631
user: Jason Evans <jasone@canonware.com>
date: Fri Jun 20 10:29:43 2008 -0700
summary: Bug 431743: Upstream jemalloc fixes, r=benjamin
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED