[Gc] Segfault in GC_mark_from

Boehm, Hans hans.boehm at hp.com
Mon Oct 27 15:24:31 PST 2008


Great catch!

There's a similar issue in GC_generic_malloc_inner_ignore_off_page, though that may not cause any problems.  GC_generic_malloc also looks to me like it might break "typed" allocation, which is presumably what you've been seeing.

I put a patch in my tree, which I plan to check in after a small amount of additional testing.

Hans

> -----Original Message-----
> From: gc-bounces at napali.hpl.hp.com
> [mailto:gc-bounces at napali.hpl.hp.com] On Behalf Of Klaus Treichel
> Sent: Monday, October 27, 2008 12:38 PM
> To: Boehm-gc
> Subject: Re: Re[6]: [Gc] Segfault in GC_mark_from
>
> Hi,
>
> I've found an inconsistency between
> GC_malloc_explicitly_typed and GC_generic_malloc.
>
> The sizes of the blocks should be allocated in sizes of
> multiple granules according to the docs.
>
> That's changed in GC_malloc_explicitly_typed. In
> GC_generic_malloc the size for large blocks is still rounded
> to words. (Line 166 in malloc.c).
>
> I changed this line from
>         lw = ROUNDED_UP_WORDS(lb);
> to
>         lw = GRANULES_TO_WORDS(ROUNDED_UP_GRANULES(lb));
>
> The problem is that lw is used to clear portions of the
> memory allocated while holding the lock that might be used
> for type descriptors.
> Rounding to size of word can cause lw being one word too
> small resulting that the location of the type descriptor is
> not cleared while holding the lock. This can result in false
> memory being used as type descriptor if a collection starts
> before the block is really cleared.
>
> My testcase is running for a while now without segfaulting
> but I'll let it run for some time to be sure.
>
> Klaus
>
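The word-versus-granule rounding mismatch Klaus describes, reproduced as an added stand-alone example (not code from the collector or from either poster). It assumes 8-byte words and 16-byte granules, and that typed allocation stores the descriptor in the last word of the granule-rounded object; the "lock-protected clear" is simulated with memset over a buffer pre-filled with stale data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uintptr_t word;

/* Assumed layout: 8-byte words, 16-byte granules (a typical 64-bit build). */
#define WORD_BYTES        sizeof(word)
#define GRANULE_BYTES     16u
#define WORDS_PER_GRANULE (GRANULE_BYTES / WORD_BYTES)

/* Stand-ins for the ROUNDED_UP_WORDS / ROUNDED_UP_GRANULES / GRANULES_TO_WORDS macros. */
static size_t rounded_up_words(size_t lb)    { return (lb + WORD_BYTES - 1) / WORD_BYTES; }
static size_t rounded_up_granules(size_t lb) { return (lb + GRANULE_BYTES - 1) / GRANULE_BYTES; }
static size_t granules_to_words(size_t g)    { return g * WORDS_PER_GRANULE; }

/* Simulate clearing lw words of a freshly allocated lb-byte block while the
   lock is held, then report whether the descriptor slot (assumed to be the
   last word of the granule-rounded object) still holds stale data.
   use_granules == 0 models the old line 166; != 0 models the fix.
   Returns 1 if the slot is dirty, 0 if clean, -1 if lb is too big for the demo. */
static int descriptor_slot_left_dirty(size_t lb, int use_granules)
{
    word   block[64];
    size_t obj_words = granules_to_words(rounded_up_granules(lb));
    size_t lw = use_granules ? obj_words : rounded_up_words(lb);

    if (obj_words > sizeof block / WORD_BYTES) return -1;
    memset(block, 0xA5, sizeof block);      /* reused memory: leftover bit patterns */
    memset(block, 0, lw * WORD_BYTES);      /* the clear done under the lock */
    return block[obj_words - 1] != 0;       /* is the descriptor word still garbage? */
}

int main(void)
{
    static const size_t sizes[] = { 24, 32, 40, 56, 64 };
    size_t i;
    puts("lb   words  gran->words  old-dirty  fixed-dirty");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t lb = sizes[i];
        printf("%-4zu %-6zu %-12zu %-10d %d\n", lb, rounded_up_words(lb),
               granules_to_words(rounded_up_granules(lb)),
               descriptor_slot_left_dirty(lb, 0), descriptor_slot_left_dirty(lb, 1));
    }
    return 0;
}
```

Every request that is not already a multiple of the granule size (24, 40, 56 bytes here) leaves the descriptor word uncleared under the old computation, which is exactly the window in which a collection could read stale memory as a descriptor.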