Hi!
On Fri, Nov 27, 2009 at 04:11:21PM +0000, SevenMachines wrote:
> muse 0.8.1a-6.3 fails to start on debian sid amd64 with
> $ muse
> muse: malloc.c:3074: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *)
> &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk,
> fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned
> long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 *
> (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size
> & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
> Aborted
>
> This is verified on debian sid amd64. i386 versions are unnaffected. Attached
> is a debdiff if it is of use of the fix for amd64 builds taken from ubuntu
> lucid, originally from arch
> https://bugs.launchpad.net/ubuntu/+source/muse/+bug/479662
> http://bugs.archlinux.org/task/15466?project=1&order=dateopened&sort=desc&pagenum=8
>
> note, this bug also seems to affect versions of muse up to and including 1.0
> rc3
Thanks for the report. The patch you referred to looks wrong, though, as
consumers can still clobber the pointers of the Pool-internal free list for idx
0 (which apparently isn't used at the moment, but might be in the future). It
probably also suffers from alignment problems on non-Intel archs. The attached
version should be a bit more robust. It works for me on amd64. Can you maybe
give it a stress test as well?
Regards,
Daniel.
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_64bit_memcorruption_fix.dpatch by Daniel Kobras <kob...@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Elements in Pool allocator must be able to accommodate a pointer
## DP: to allow for internal bookkeeping cleverness. Using an element
## DP: granularity of unsigned long instead of int ensures this property.
@DPATCH@
diff -urNad muse-0.8.1a~/muse/memory.cpp muse-0.8.1a/muse/memory.cpp
--- muse-0.8.1a~/muse/memory.cpp 2003-10-27 19:51:22.000000000 +0100
+++ muse-0.8.1a/muse/memory.cpp 2009-12-02 22:07:02.000000000 +0100
@@ -48,7 +48,7 @@
{
// printf("grow memory idx %d\n", idx);
- int esize = (idx+1) * sizeof(int);
+ int esize = (idx+1) * sizeof(unsigned long);
Chunk* n = new Chunk;
n->next = chunks[idx];
diff -urNad muse-0.8.1a~/muse/memory.h muse-0.8.1a/muse/memory.h
--- muse-0.8.1a~/muse/memory.h 2004-06-07 23:46:08.000000000 +0200
+++ muse-0.8.1a/muse/memory.h 2009-12-02 22:09:20.000000000 +0100
@@ -28,8 +28,7 @@
Chunk* next;
char mem[size];
};
-// enum { dimension = 11 };
- enum { dimension = 21 }; // increased for 64 bit architectures
+ enum { dimension = 11 };
Chunk* chunks[dimension];
Verweis* head[dimension];
Pool(Pool&);
@@ -49,7 +48,9 @@
inline void* Pool::alloc(size_t n)
{
- int idx = ((n + sizeof(int) - 1) / sizeof(int)) - 1;
+ if (n == 0)
+ return 0;
+ int idx = ((n + sizeof(unsigned long) - 1) / sizeof(unsigned long)) - 1;
if (idx >= dimension) {
printf("panic: alloc %d\n", n);
exit(-1);
@@ -67,7 +68,9 @@
inline void Pool::free(void* b, size_t n)
{
- int idx = ((n + sizeof(int) - 1) / sizeof(int)) - 1;
+ if (b == 0 || n == 0)
+ return;
+ int idx = ((n + sizeof(unsigned long) - 1) / sizeof(unsigned long)) - 1;
if (idx >= dimension) {
printf("panic: alloc %d\n", n);
exit(-1);
