9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] pool curalloc bug
@ 2015-02-26  2:38 mischief
From: mischief @ 2015-02-26  2:38 UTC (permalink / raw)
  To: 9fans

does anyone care to take a stab at figuring out why mainmem->curalloc underflows? here's a c program to reproduce.

#include <u.h>
#include <libc.h>

/*

8c curalloc.c
8l curalloc.8
p=`{8.out >[2=1] | awk '{ print $2 }' | tr -d : }
echo '*mainmem' | acid -lpool $p

-> curalloc	4294967016

*/

void
domalloc(int n)
{
	int i;
	void **a;

	/* zeroed table for n block pointers */
	a = mallocz(n * sizeof(void*), 1);

	/* n allocations of 5MB each */
	for(i = 0; i < n; i++){
		a[i] = malloc(1024*1024*5);
	}

	/* free them all again, then the table itself */
	for(i = 0; i < n; i++){
		free(a[i]);
	}

	free(a);
}

void
main(int argc, char *argv[])
{
	ARGBEGIN{
	}ARGEND

	domalloc(2);
	/* dump core so the pool can be inspected with acid (see the commands above) */
	abort();
}

* Re: [9fans] pool curalloc bug
From: mischief @ 2015-02-26 22:27 UTC (permalink / raw)
  To: 9fans

cinap_lenrek has fixed this in 9front revision dd392df17488. the bug seems present in 9atom and labs too, though.

* Re: [9fans] pool curalloc bug
From: erik quanstrom @ 2015-03-02  8:06 UTC (permalink / raw)
  To: 9fans

On Wed Feb 25 18:40:39 PST 2015, mischief@9.offblast.org wrote:
> does anyone care to take a stab at figuring out why mainmem->curalloc underflows? here's a c program to reproduce.
>

i can't replicate this on amd64/9atom

; 6.curalloc
6.curalloc 786: suicide: sys: trap: fault read addr=0x0 pc=0x202761
acid; stk()
abort()+0x0 /sys/src/libc/9sys/abort.c:6
main(argv=0xfedfff80,argc=0x0)+0x54 /usr/quanstro/curalloc.c:41
_main+0x40 /sys/src/libc/amd64/main9.s:15
; 6c -a curalloc.c>curalloc.acid
; acid -l curalloc.acid 786
/proc/786/text:amd64 plan 9 executable
/sys/lib/acid/port
/sys/lib/acid/amd64
acid; (Pool)mainmem
	name	0x00400248
	maxsize	0
	cursize	1072693248
	curfree	16
	curalloc	0			<---
	minarena	0
	quantum	1076101120
	minblock	1852399981
	freeroot	0x00000000
	arenalist	0xfaf0f1fe
	alloc	0x00000000
	merge	0x00000000
	move	0xfedffef8
	flags	32
	nfree	0
	lastcompact	2106590
	lock	0x00000023
	unlock	0x002024de
	print	0x00000025
	panic	0x00201f75
	logstack	0x0000002b
	private	0x002024de

- erik

* Re: [9fans] pool curalloc bug
From: cinap_lenrek @ 2015-03-02 10:10 UTC (permalink / raw)
  To: 9fans

the values make no sense because mainmem is a pointer to a pool,
not the pool itself. use *mainmem or sbrkmem.

--
cinap

* Re: [9fans] pool curalloc bug
From: cinap_lenrek @ 2015-03-02 10:23 UTC (permalink / raw)
  To: 9fans

the problem with curalloc was the following:

poolallocl() allocates, trims, and then adds the resulting
block size to curalloc. and poolfreel() subtracts the blocksize
from curalloc. so far so good. problem is when we try to merge
arenas, the last block in the bottom arena is extended up to
the start of the top arena to encompass the space between,
and then it is trimmed back to its old *data* size. depending
on the size of the gap, the free data might be accounted for in the
Btail datasize or it might get its own free block if it is
big enough. in the first case, the block size would've been
increased (we got some extra space at the end) but this was not
accounted for in curalloc. so poolfreel() will subtract a bigger
value than was added to curalloc, hence the underflow.

the fix is to account for the changed block size in curalloc when
merging arenas.

curalloc is also not properly maintained in poolallocalign(),
but that's not in the testcase.

--
cinap
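A constructed model of the accounting cinap describes, added here as an illustration (it is not 9front's pool.c; the Block and Pool structs, QUANTUM, MINBLOCK and the 100-byte request are simplifications). The merge step grows the last block by the gap when the gap is too small to become its own free block, and only the "fixed" pool adds that growth to curalloc:

```c
#include <stdio.h>
#include <stdlib.h>

enum { QUANTUM = 32, MINBLOCK = 64 };                         /* constructed pool parameters */
typedef struct { size_t size, data; } Block;                 /* bytes owned, bytes requested */
typedef struct { unsigned long curalloc; int fixed; } Pool;  /* curalloc is unsigned: it wraps */

/* poolallocl: round the request up, then add the trimmed block size to curalloc */
static Block*
poolallocl(Pool *p, size_t n)
{
	Block *b = malloc(sizeof *b);
	b->data = n;
	b->size = (n + QUANTUM - 1) / QUANTUM * QUANTUM;
	p->curalloc += b->size;
	return b;
}

/* poolfreel: subtract whatever the block's size is *now* */
static void
poolfreel(Pool *p, Block *b)
{
	p->curalloc -= b->size;
	free(b);
}

/* mergearenas: the last block of the bottom arena is extended by gap bytes up to
 * the top arena, then trimmed back to its old data size. A leftover smaller than
 * MINBLOCK cannot become its own free block, so it stays in the block's tail and
 * the block grows; the original code never added that growth to curalloc. */
static void
mergearenas(Pool *p, Block *last, size_t gap)
{
	size_t oldsize = last->size;
	last->size += gap;
	if(last->size - last->data >= MINBLOCK)
		last->size = oldsize;                 /* gap split off as its own free block */
	if(p->fixed)
		p->curalloc += last->size - oldsize;  /* the fix: account for the changed size */
}

/* allocate one block, merge with the given gap, free it; return curalloc afterwards */
unsigned long
scenario(int fixed, size_t gap)
{
	Pool p = { 0, fixed };
	Block *b = poolallocl(&p, 100);   /* 100 bytes requested -> 128-byte block */
	mergearenas(&p, b, gap);
	poolfreel(&p, b);
	return p.curalloc;
}

int main(void) { printf("original %lu fixed %lu\n", scenario(0, 16), scenario(1, 16)); return 0; }
```

With a 16-byte gap the unfixed pool ends at 2^N-16 (the underflow), the fixed pool at 0; with a gap large enough to split off a free block both end at 0.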