apr-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48620] New: Bucket split overwriting existing buckets - leading to memory corruption and crash
Date Tue, 26 Jan 2010 14:46:32 GMT

           Summary: Bucket split overwriting existing buckets - leading to memory corruption and crash
           Product: APR
           Version: 1.3.9
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: APR-util
        AssignedTo: bugs@apr.apache.org
        ReportedBy: maggarwal@gmail.com

Created an attachment (id=24889)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24889)
Source code for replicating the crash

C code is attached that reproduces a crash that we have observed.

Essentially, a single bucket allocator is used to create two buckets. The two
buckets are repeatedly split. In each iteration only the last bucket in the
chain (for both buckets) is retained, others are destroyed.

At some point, we observe that the split overwrites some memory area belonging
to an existing buffer leading to memory corruption.

The crash can be avoided by using a separate allocator for splitting t1 and t2
buckets. Our understanding was that a single allocator should do the job.

Key steps

1. create a memory pool
2. create a bucket allocator
3. create two heap buckets (t1, t2)

for i = 1:40
    split t1 = t1, second_part
    split second_part = second_part, third_part
    destroy(t1), destroy(second_part)
    set t1 = second_part

    split t2 = t2, second_part
    t2 = second_part

