authorKevin Svetlitski <svetlitski@meta.com>2023-05-09 09:37:01 -0700
committerQi Wang <interwq@gmail.com>2023-05-09 10:55:44 -0700
commit12311fe6c37720225a3e8b5798e7051d153d29c1 (patch)
treecff854d31b58f318cc22ca0d9cd5a85cdadd0336
parent70344a2d38eb71a162ea19d1a4fee8f0d168588b (diff)
Fix segfault in `extent_try_coalesce_impl`
Static analysis flagged this. `extent_record` was passing `NULL` as the value for `coalesced` to `extent_try_coalesce`, which in turn passes that argument to `extent_try_coalesce_impl`, where it is written to without checking if it is `NULL`. I can confirm from reviewing the fleetwide coredump data that this was in fact being hit in production.
-rw-r--r--src/extent.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/extent.c b/src/extent.c
index 3374dd58..fdcd0afb 100644
--- a/src/extent.c
+++ b/src/extent.c
@@ -822,6 +822,7 @@ static edata_t *
extent_try_coalesce_impl(tsdn_t *tsdn, pac_t *pac, ehooks_t *ehooks,
ecache_t *ecache, edata_t *edata, bool *coalesced) {
assert(!edata_guarded_get(edata));
+ assert(coalesced != NULL);
/*
* We avoid checking / locking inactive neighbors for large size
* classes, since they are eagerly coalesced on deallocation which can
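Review bot: The added `assert(coalesced != NULL);` only guards debug builds if, as is typical for jemalloc's internal `assert` macro, it compiles to nothing outside `--enable-debug`; in a release build a NULL caller would still fault at the first `*coalesced = ...` write, so the real fix here is the caller change in the second hunk and the assert only catches future regressions in debug configurations. Since the parameter contract is now "must be non-NULL", it would help to state it where the signature is read, e.g. a comment on the `bool *coalesced` parameter: `/* Must be non-NULL: written unconditionally below. */`. Any other callers of `extent_try_coalesce` or `extent_try_coalesce_impl` not shown in this diff should be checked against that contract as well. `extent_try_coalesce_impl` begins on the `static edata_t *` line just before this hunk and its body continues past it.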
@@ -928,8 +929,9 @@ extent_record(tsdn_t *tsdn, pac_t *pac, ehooks_t *ehooks, ecache_t *ecache,
goto label_skip_coalesce;
}
if (!ecache->delay_coalesce) {
+ bool coalesced_unused;
edata = extent_try_coalesce(tsdn, pac, ehooks, ecache, edata,
- NULL);
+ &coalesced_unused);
} else if (edata_size_get(edata) >= SC_LARGE_MINCLASS) {
assert(ecache == &pac->ecache_dirty);
/* Always coalesce large extents eagerly. */
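Review bot: `bool coalesced_unused;` is left uninitialized and relies on every return path of `extent_try_coalesce_impl` storing through the pointer before anything could read it; nothing here reads it, so this is correct today, but initializing it costs nothing and removes the dependency on callee behaviour that is outside this hunk: `bool coalesced_unused = false;`. A short why-comment would also stop a later reader from treating the value as meaningful, e.g. `/* Result ignored; the callee requires a non-NULL out-param. */`. `extent_record` starts before this hunk and continues past it.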