Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#15258 closed bug (fixed)

memory allocator does not handle out of memory correctly

Reported by: X512 Owned by: nobody
Priority: normal Milestone: R1/beta2
Component: System/libroot.so Version: R1/Development
Keywords: Cc:
Blocked By: Blocking: #15320
Platform: All

Description

This is hrev53380, 32-bit gcc2hybrid.

The process crashes inside the internal code of the memory allocator when no memory is available. According to Debugger, "BPrivate::rpmalloc::_memory_span_set_new_active" is called with the "span" argument = NULL, and it is dereferenced in "assert(span->span_count == 1);", causing the crash.

Attachments (5)

MemAlloc.c (131 bytes ) - added by X512 5 years ago.
Test program
MemAlloc-19823-debug-17-08-2019-05-58-39.report (36.3 KB ) - added by X512 5 years ago.
Debug report
0001-fix-rpmalloc-crash-when-no-more-memory.patch (958 bytes ) - added by X512 5 years ago.
patch
0001-fix-rpmalloc-crash-when-no-more-memory-large-alloc-s.patch (909 bytes ) - added by X512 5 years ago.
patch for large allocations
MemAllocFree.cpp (492 bytes ) - added by X512 5 years ago.
memory free test


Change History (11)

by X512, 5 years ago

Attachment: MemAlloc.c added

Test program

by X512, 5 years ago

Debug report

comment:1 by X512, 5 years ago

It looks like an rpmalloc bug, not a Haiku one. I investigated the rpmalloc sources a bit and found that if the virtual memory allocation fails, "_memory_heap_extract_new_span" in the "_memory_allocate_from_heap_fallback" function returns NULL, and the null span is passed to _memory_span_set_new_active, which does not support a null span and crashes with a null pointer dereference.
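The failure path described in comment 1, as an added example that is not rpmalloc's or Haiku's code and is not the attached patch: a toy span allocator whose "OS mapping" has a fixed budget, standing in for the virtual memory allocation failing. The `toy_*` names are hypothetical and only mirror the ticket's wording. The buggy fallback hands the NULL span straight to the function that installs the active span and dies on its assert; the fixed fallback checks the extraction result and propagates NULL to the caller, which is what malloc() callers are required to handle anyway.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPAN_SIZE 4096
#define BLOCK_SIZE 64
#define BLOCKS_PER_SPAN (SPAN_SIZE / BLOCK_SIZE)

typedef struct toy_span {
    size_t span_count;        /* contiguous spans; 1 for small allocations */
    size_t free_blocks;
    unsigned char *next_free;
} toy_span;

typedef struct toy_heap {
    toy_span *active_span;    /* span currently serving allocations */
    size_t spans_mapped;
} toy_heap;

/* Simulated OS mapping with a hard budget: a stand-in for an mmap() or
 * create_area() failure under memory pressure. Spans are never unmapped
 * in this toy, so the test leaks them on purpose. */
static size_t g_map_budget = 3;

static void *toy_os_map(size_t size)
{
    if (g_map_budget == 0)
        return NULL;          /* the OS has no memory for us */
    g_map_budget--;
    return malloc(size);
}

/* Mirrors _memory_heap_extract_new_span: returns NULL on mapping failure. */
static toy_span *toy_heap_extract_new_span(toy_heap *heap)
{
    toy_span *span = toy_os_map(SPAN_SIZE);
    if (span == NULL)
        return NULL;
    span->span_count = 1;
    span->free_blocks = BLOCKS_PER_SPAN - 1;   /* first block holds the header */
    span->next_free = (unsigned char *)span + BLOCK_SIZE;
    heap->spans_mapped++;
    return span;
}

/* Mirrors _memory_span_set_new_active: it assumes a valid span, and the
 * assert is the line where the ticket's null dereference happened. */
static void toy_span_set_new_active(toy_heap *heap, toy_span *span)
{
    assert(span->span_count == 1);
    heap->active_span = span;
}

static void *toy_span_pop_block(toy_span *span)
{
    void *block = span->next_free;
    span->next_free += BLOCK_SIZE;
    span->free_blocks--;
    return block;
}

/* Buggy fallback: the extraction result is used unchecked, so an OOM
 * turns into a crash inside the allocator instead of a NULL return. */
static void *toy_allocate_fallback_buggy(toy_heap *heap)
{
    toy_span *span = toy_heap_extract_new_span(heap);
    toy_span_set_new_active(heap, span);      /* NULL deref when span == NULL */
    return toy_span_pop_block(span);
}

/* Fixed fallback: a failed extraction propagates as NULL. */
static void *toy_allocate_fallback_fixed(toy_heap *heap)
{
    toy_span *span = toy_heap_extract_new_span(heap);
    if (span == NULL)
        return NULL;
    toy_span_set_new_active(heap, span);
    return toy_span_pop_block(span);
}

static void *toy_alloc(toy_heap *heap)
{
    toy_span *span = heap->active_span;
    if (span != NULL && span->free_blocks > 0)
        return toy_span_pop_block(span);
    return toy_allocate_fallback_fixed(heap);
}

/* Allocate until the simulated OS runs dry. Returns the number of successful
 * allocations, or (size_t)-1 if the allocator never reported failure within
 * max_tries. With the fixed fallback this returns instead of crashing. */
static size_t toy_exhaust(toy_heap *heap, size_t budget, size_t max_tries)
{
    g_map_budget = budget;
    memset(heap, 0, sizeof(*heap));
    for (size_t i = 0; i < max_tries; i++) {
        if (toy_alloc(heap) == NULL)
            return i;
    }
    return (size_t)-1;
}

int main(void)
{
    toy_heap heap;
    size_t n = toy_exhaust(&heap, 3, 100000);
    printf("%zu allocations succeeded before NULL was returned\n", n);
    (void)toy_allocate_fallback_buggy;   /* kept for comparison; would abort on OOM */
    return 0;
}
```

Swapping `toy_allocate_fallback_fixed` for `toy_allocate_fallback_buggy` in `toy_alloc` reproduces the ticket's symptom: once the budget is spent the assert fires on a NULL `span` and the process aborts inside the allocator rather than returning NULL to the caller.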

by X512, 5 years ago

patch for large allocations

comment:2 by X512, 5 years ago

I also found that if a lot of memory is allocated, rpmalloc crashes when freeing memory. The crash occurs in the "_memory_span_release_to_cache" function, at the "assert(heap_class->partial_span != span);" line.

by X512, 5 years ago

Attachment: MemAllocFree.cpp added

memory free test

comment:3 by diver, 5 years ago

Maybe it's better to move this issue over to https://github.com/mjansson/rpmalloc ?

comment:4 by waddlesplash, 5 years ago

Resolution: fixed
Status: new → closed

Fixed in hrev53384 with a slightly different coding style, and submitted upstream as https://github.com/mjansson/rpmalloc/pull/115. Thanks!

comment:5 by waddlesplash, 5 years ago

Blocking: 15320 added

comment:6 by nielx, 4 years ago

Milestone: Unscheduled → R1/beta2

Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone
