From: Jason Evans
Date: Wed, 13 Jun 2012 09:29:26 -0700
To: John Baldwin
Cc: current@freebsd.org
Subject: Re: jemalloc() assumes DSS is aligned
Message-Id: <75692401-890D-4561-8546-E9428F833F52@freebsd.org>
In-Reply-To: <201206131131.21059.jhb@freebsd.org>

On Jun 13, 2012, at 8:31 AM, John Baldwin wrote:

> I tracked down a weird bug at work on the older jemalloc in FreeBSD 8/9 that a
> co-worker tripped over. Specifically, if you build the program below and link
> it with gold, the program will have an _end symbol that is on an odd address
> (std::nothrow results in some single-byte symbol being added to the end of the
> BSS). This causes the first arena allocated by jemalloc to use an odd
> address, and the rbt_nil structures for that arena's embedded trees (like
> runs_avail) to be allocated on odd addresses. This interferes with the RB
> trees using the low bit to distinguish red vs black. Specifically, the
> program ends up setting the right node of rbt_nil to an incorrect pointer
> value (the low bit gets cleared), resulting in an eventual segfault. Looking
> at phkmalloc, it always applied round_page() to the results from sbrk(). I
> believe that for jemalloc only the very first allocation from the DSS needs to
> check for misalignment, and the patch below does fix the segfault on FreeBSD
> 8. I have a stab at porting the change to jemalloc 3.0.0 in HEAD, but I'm not
> sure if it is quite correct. Also, I only made the DSS align on the quantum
> boundary rather than a page boundary. BTW, I filed a bug with the binutils
> folks as I initially thought this was a gold bug. However, POSIX doesn't make
> any guarantees about the return value of sbrk(), so I think gold is not
> broken.

Hi John,

Your fix for FreeBSD 7/8/9 looks correct to me. I don't currently have any development machines running anything but 10-CURRENT, so I'd be grateful if you could commit the fix, assuming it isn't much trouble for you. (I'll set up additional development installations if needed.)

I don't think this is an issue for HEAD's chunk_alloc_dss(), because there is logic to always insert enough padding to allocate on chunk alignment boundaries, and also base_alloc() no longer makes any attempt to use a partial dss 'chunk'.

Thanks,
Jason

P.S. Sorry about putting off responding to your original email for too long.
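The failure mode in the thread (an sbrk() result on an odd address feeding a tree that keeps its red/black flag in the low pointer bit) and the fix John describes (rounding the first DSS allocation up to the quantum boundary), as an added stand-alone illustration that is not code from the thread or from jemalloc. The 16-byte QUANTUM, the `dss_pad`/`dss_align` helpers and the `node` struct are this example's own assumptions; jemalloc's real code differs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed minimum allocation alignment (jemalloc calls this the quantum;
 * 16 bytes is typical on 64-bit targets, but the value is an assumption). */
#define QUANTUM 16

/* A tree node that packs the red/black colour into the low bit of its right
 * pointer, in the style the mail describes. Hypothetical layout, not jemalloc's. */
struct node {
    uintptr_t right_red;   /* right child address | colour bit */
};

/* Padding needed to bring an sbrk(0)-style break address up to the next
 * quantum boundary; zero when it is already aligned. `quantum` must be a
 * power of two. */
size_t dss_pad(uintptr_t brk_cur, size_t quantum)
{
    size_t rem = brk_cur & (quantum - 1);
    return rem == 0 ? 0 : quantum - rem;
}

/* The aligned address at which the first DSS allocation should start. */
uintptr_t dss_align(uintptr_t brk_cur, size_t quantum)
{
    return brk_cur + dss_pad(brk_cur, quantum);
}

/* Store `child` as the right pointer, tagging it red, and return the address a
 * reader recovers by masking the colour bit back off. */
uintptr_t set_right_red(struct node *n, uintptr_t child)
{
    n->right_red = child | (uintptr_t)1;
    return n->right_red & ~(uintptr_t)1;
}

/* 1 if a pointer to `addr` survives the tag/untag round trip, 0 if the colour
 * bit overwrote a real address bit (the odd-rbt_nil case from the thread). */
int pointer_survives_tag(uintptr_t addr)
{
    struct node n;
    return set_right_red(&n, addr) == addr;
}

int main(void)
{
    uintptr_t odd_brk = 0x1001;   /* constructed: an odd _end / sbrk result */
    printf("odd address tag-safe: %d\n", pointer_survives_tag(odd_brk));
    printf("after alignment: 0x%lx tag-safe: %d\n",
           (unsigned long)dss_align(odd_brk, QUANTUM),
           pointer_survives_tag(dss_align(odd_brk, QUANTUM)));
    return 0;
}
```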