From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-hacker-return-9026-listarch-libc-hacker=sources.redhat.com@sourceware.org>
Received: (qmail 1397 invoked by alias); 31 Aug 2006 14:55:18 -0000
Received: (qmail 1371 invoked by uid 22791); 31 Aug 2006 14:55:17 -0000
X-Spam-Check-By: sourceware.org
Received: from sunsite.ms.mff.cuni.cz (HELO sunsite.mff.cuni.cz) (195.113.15.26)
    by sourceware.org (qpsmtpd/0.31) with ESMTP; Thu, 31 Aug 2006 14:55:15 +0000
Received: from sunsite.mff.cuni.cz (sunsite.mff.cuni.cz [127.0.0.1])
	by sunsite.mff.cuni.cz (8.13.1/8.13.1) with ESMTP id k7VEtAGl023599;
	Thu, 31 Aug 2006 16:55:10 +0200
Received: (from jj@localhost)
	by sunsite.mff.cuni.cz (8.13.1/8.13.1/Submit) id k7VEtA5m023598;
	Thu, 31 Aug 2006 16:55:10 +0200
Date: Thu, 31 Aug 2006 14:55:00 -0000
From: Jakub Jelinek <jakub@redhat.com>
To: Ulrich Drepper <drepper@redhat.com>
Cc: Glibc hackers <libc-hacker@sources.redhat.com>,
        Andrew Haley <aph@redhat.com>
Subject: [PATCH] Fix another place in _int_malloc which assumed unsorted_chunks is empty
Message-ID: <20060831145509.GP4556@sunsite.mff.cuni.cz>
Reply-To: Jakub Jelinek <jakub@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Mailing-List: contact libc-hacker-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Subscribe: <mailto:libc-hacker-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-hacker/>
List-Post: <mailto:libc-hacker@sourceware.org>
List-Help: <mailto:libc-hacker-help@sourceware.org>, <http://sourceware.org/ml/#faqs>
Sender: libc-hacker-owner@sourceware.org
X-SW-Source: 2006-08/txt/msg00036.txt.bz2

Hi!

Seems
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/malloc/malloc.c.diff?cvsroot=glibc&r1=1.164&r2=1.165
fixed just one of the two places in _int_malloc which assumed
unsorted_chunks is an empty double-linked list.

This one was seen in jc1, see http://bugzilla.redhat.com/204653

2006-08-31  Jakub Jelinek  <jakub@redhat.com>

	* malloc/malloc.c (_int_malloc): Use full list insert and not
	shortcut which assumes the list is empty for large requests
	too.

--- libc/malloc/malloc.c.jj	2006-08-31 15:31:36.000000000 +0200
+++ libc/malloc/malloc.c	2006-08-31 16:29:30.000000000 +0200
@@ -4230,8 +4230,14 @@ _int_malloc(mstate av, size_t bytes)
         /* Split */
         else {
           remainder = chunk_at_offset(victim, nb);
-          unsorted_chunks(av)->bk = unsorted_chunks(av)->fd = remainder;
-          remainder->bk = remainder->fd = unsorted_chunks(av);
+          /* We cannot assume the unsorted list is empty and therefore
+             have to perform a complete insert here.  */
+	  bck = unsorted_chunks(av);
+	  fwd = bck->fd;
+	  remainder->bk = bck;
+	  remainder->fd = fwd;
+	  bck->fd = remainder;
+	  fwd->bk = remainder;
           set_head(victim, nb | PREV_INUSE |
 		   (av != &main_arena ? NON_MAIN_ARENA : 0));
           set_head(remainder, remainder_size | PREV_INUSE);

	Jakub