Bug 1569391
| Summary: | Use of aligned_alloc causes invalid free in libtcmalloc | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Kefu Chai <kchai> |
| Component: | gperftools | Assignee: | Paolo Bonzini <pbonzini> |
| Status: | CLOSED WONTFIX | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | bhubbard, databases-maint, jdillama, kchai, knoel, mrezanin, pbonzini |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-12-13 12:09:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
See also #1494309, which is basically the same issue filed against Fedora 26.

Under devtoolset-8 compiling in C++17 mode, the 'std::allocator' will automatically call 'aligned_alloc' (via 'operator new(unsigned long, std::align_val_t)') for larger alignments (i.e. cache-line). This results in a crash when the memory is allocated via glibc but freed via tcmalloc.

Ok.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.
Description of problem:

The libtcmalloc shipped does not support aligned_alloc, so use of that function falls through to the libc implementation. A subsequent call to free will result in libtcmalloc reporting 'Invalid free'.

Version-Release number of selected component (if applicable):

gperftools-libs-2.6.1-1.el7.x86_64

How reproducible:

100%

```console
$ cat<<EOF>tc_aligned_alloc.c
#include <stdlib.h>

int main (int argc, char **argv)
{
  void *p2 = aligned_alloc(1024, 1024*sizeof(p2));

  free(p2);
  return 0;
}
EOF
$ gcc -ggdb tc_aligned_alloc.c -o tc_aligned_alloc -ltcmalloc
$ ./tc_aligned_alloc
src/tcmalloc.cc:284] Attempt to free invalid pointer 0x2bfa400
Aborted
$ gdb -q -batch -ex 'run' -ex 'bt' ./tc_aligned_alloc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
src/tcmalloc.cc:284] Attempt to free invalid pointer 0xf02400

Program received signal SIGABRT, Aborted.
0x00007ffff764769b in raise () from /lib64/libc.so.6
#0  0x00007ffff764769b in raise () from /lib64/libc.so.6
#1  0x00007ffff76494a0 in abort () from /lib64/libc.so.6
#2  0x00007ffff7a03a29 in tcmalloc::Log(tcmalloc::LogMode, char const*, int, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem) () from /lib64/libtcmalloc.so.4
#3  0x00007ffff79f83d9 in (anonymous namespace)::InvalidFree(void*) () from /lib64/libtcmalloc.so.4
#4  0x0000000000400645 in main (argc=1, argv=0x7fffffffdbe8) at tc_aligned_alloc.c:7
```

Additional info:

When linked to libc there is no issue, and valgrind and libasan report no memory issues, obviously.

Upstream patch: https://github.com/gperftools/gperftools/commit/d406f228
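An added example, not part of the bug report or of gperftools: a workaround that routes aligned requests through posix_memalign (which tcmalloc overrides, unlike aligned_alloc in this build), so the memory that free() later sees came from the same allocator, plus a weak-symbol probe for tcmalloc's exported tc_free to tell at runtime whether libtcmalloc is linked. It assumes gperftools exports tc_free (declared in gperftools/tcmalloc.h); the wrapper names and sizes are constructed here.

```c
/* Added example, not from the bug report: keep aligned allocations inside the
 * allocator that will free them.  gperftools 2.6.1's libtcmalloc does not
 * intercept C11 aligned_alloc(), so it falls through to glibc while free() is
 * tcmalloc's, which aborts with "Attempt to free invalid pointer".  Routing
 * aligned requests through posix_memalign(), which tcmalloc does intercept,
 * keeps every allocation/free pair inside one allocator. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Assumption: tc_free is tcmalloc's exported free; weak so it builds without -ltcmalloc. */
extern void tc_free(void *) __attribute__((weak));
/* 1 when libtcmalloc is linked into this process (weak reference resolved). */
int tcmalloc_present(void) { return tc_free != NULL; }

/* posix_memalign requires a power of two that is a multiple of sizeof(void*). */
int valid_alignment(size_t align) {
    return align >= sizeof(void *) && (align & (align - 1)) == 0;
}

/* Aligned allocation that plain free() can release under glibc and tcmalloc
 * alike.  Size is rounded up to a multiple of the alignment, the precondition
 * C11 places on aligned_alloc(), so callers keep the same contract.
 * Returns NULL with errno set on bad arguments or allocation failure. */
void *safe_aligned_alloc(size_t align, size_t size) {
    void *p = NULL;
    if (!valid_alignment(align)) { errno = EINVAL; return NULL; }
    if (size > SIZE_MAX - (align - 1)) { errno = ENOMEM; return NULL; }
    size = (size + align - 1) & ~(align - 1);
    int rc = posix_memalign(&p, align, size ? size : align);
    if (rc != 0) { errno = rc; return NULL; }
    return p;
}

/* Allocate, check the address is aligned, free it; returns 1 on success. */
int aligned_roundtrip(size_t align, size_t size) {
    void *p = safe_aligned_alloc(align, size);
    if (p == NULL) return 0;
    int ok = ((uintptr_t)p % align) == 0;
    free(p);  /* same allocator that served posix_memalign, so no invalid free */
    return ok;
}

int main(void) {
    printf("tcmalloc linked: %s\n", tcmalloc_present() ? "yes" : "no");
    printf("1024-byte aligned round trip: %s\n",
           aligned_roundtrip(1024, 1024 * sizeof(void *)) ? "ok" : "FAILED");
    return 0;
}
```

Built with `-ltcmalloc` against the shipped 2.6.1 library, the round trip succeeds where the reproducer's aligned_alloc/free pair aborts; without tcmalloc it simply uses glibc.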