Bug 1569391 - Use of aligned_alloc causes invalid free in libtcmalloc [NEEDINFO]
Summary: Use of aligned_alloc causes invalid free in libtcmalloc
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gperftools
Version: 7.5
Hardware: All
OS: All
Target Milestone: rc
Assignee: Paolo Bonzini
QA Contact: Virtualization Bugs
Depends On:
Reported: 2018-04-19 08:09 UTC by Kefu Chai
Modified: 2019-12-13 12:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-12-13 12:09:57 UTC
Target Upstream Version:
jferlan: needinfo? (pbonzini)


External tracker: Ceph Project Bug Tracker 23653 (Private: none, Priority: none, Status: none; last updated 2018-04-19 08:09:25 UTC)

Description Kefu Chai 2018-04-19 08:09:26 UTC
Description of problem:

The libtcmalloc shipped does not support aligned_alloc, so use of that function falls through to the libc implementation. A subsequent call to free will result in libtcmalloc reporting 'Invalid free'.

Version-Release number of selected component (if applicable):


How reproducible:


$ cat<<EOF>tc_aligned_alloc.c
#include <stdlib.h>

int main (int argc, char **argv)
{
    void *p2 = aligned_alloc(1024, 1024*sizeof(p2)); /* served by libc: this libtcmalloc has no aligned_alloc */
    free(p2);                                        /* handled by libtcmalloc: "Invalid free", then abort */
    return 0;
}
EOF

$ gcc -ggdb tc_aligned_alloc.c -o tc_aligned_alloc -ltcmalloc
$ ./tc_aligned_alloc
src/tcmalloc.cc:284] Attempt to free invalid pointer 0x2bfa400
$ gdb -q -batch -ex 'run' -ex 'bt' ./tc_aligned_alloc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
src/tcmalloc.cc:284] Attempt to free invalid pointer 0xf02400
Program received signal SIGABRT, Aborted.
0x00007ffff764769b in raise () from /lib64/libc.so.6
#0  0x00007ffff764769b in raise () from /lib64/libc.so.6
#1  0x00007ffff76494a0 in abort () from /lib64/libc.so.6
#2  0x00007ffff7a03a29 in tcmalloc::Log(tcmalloc::LogMode, char const*, int, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem) () from /lib64/libtcmalloc.so.4
#3  0x00007ffff79f83d9 in (anonymous namespace)::InvalidFree(void*) () from /lib64/libtcmalloc.so.4
#4  0x0000000000400645 in main (argc=1, argv=0x7fffffffdbe8) at tc_aligned_alloc.c:7

Additional info:
When linked to libc there is no issue, and valgrind and libasan report no memory issues, obviously.

upstream patch: https://github.com/gperftools/gperftools/commit/d406f228

Comment 2 Kefu Chai 2018-04-19 08:11:29 UTC
See also bug 1494309, which is basically the same issue filed against Fedora 26.

Comment 8 Jason Dillaman 2019-05-11 13:38:17 UTC
Under devtoolset-8 compiling in C++17 mode, the 'std::allocator' will automatically call 'aligned_alloc' (via 'operator new(unsigned long, std::align_val_t)') for larger alignments (i.e. cache-line). This results in a crash when the memory is allocated via glibc but freed via tcmalloc.
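Added example (not code from the bug report or from gperftools) for the mismatch described in the report and in the comment above: a replacement for aligned_alloc() built on posix_memalign(), which this libtcmalloc does interpose, so the block and its later free() are handled by the same allocator. It assumes a POSIX libc; the function and test names are mine.

```c
/* Added example (not from the bug report or gperftools): route aligned
 * allocations through posix_memalign(), which this libtcmalloc interposes,
 * so the block and its later free() meet the same allocator. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* posix_memalign() wants a power of two that is a multiple of sizeof(void *). */
static int valid_alignment(size_t alignment)
{
    return alignment >= sizeof(void *) && (alignment & (alignment - 1)) == 0;
}

/* Drop-in for aligned_alloc(alignment, size).  C11 requires size to be a multiple
 * of alignment; round up so callers who ignore that still get a usable block. */
void *compat_aligned_alloc(size_t alignment, size_t size)
{
    void *p = NULL;
    size_t rounded;
    if (!valid_alignment(alignment))
        return NULL;
    rounded = (size + alignment - 1) & ~(alignment - 1);
    if (rounded < size)                 /* size + alignment wrapped around */
        return NULL;
    if (rounded == 0)
        rounded = alignment;            /* never request a zero-byte block */
    if (posix_memalign(&p, alignment, rounded) != 0)
        return NULL;
    return p;
}

/* Returns 1 if p is non-NULL and aligned to 'alignment'. */
int is_aligned(const void *p, size_t alignment)
{
    return p != NULL && ((uintptr_t)p % alignment) == 0;
}

/* The reporter's pattern (1024-byte alignment, 1024 * sizeof(void *) bytes)
 * through the compat path: allocate, touch, free.  Returns 1 on success. */
int roundtrip(void)
{
    void *p = compat_aligned_alloc(1024, 1024 * sizeof(void *));
    if (!is_aligned(p, 1024))
        return 0;
    memset(p, 0xA5, 1024 * sizeof(void *));
    free(p);    /* freed by the same allocator that served posix_memalign() */
    return 1;
}
```

Linking with -ltcmalloc, this path stays inside tcmalloc on the shipped version, whereas the aligned_alloc() reproducer above does not.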

Comment 10 Paolo Bonzini 2019-12-13 12:09:57 UTC
