156, 387, 431, 832, 926, 2801, 4772, 6786, 6787, 6807, 6810, 7003, 9954,
10253, 10278, 11087, 11157, 11214, 12100, 12486, 12986, 13028, 13982,
13985, 14029, 14032, 14120, 14143, 14155, 14547, 14699, 14752, 14876,
- 14910, 15004, 15048, 15089, 15128, 15218, 15268, 15277, 15308, 15362,
- 15374, 15400, 15425, 15427, 15483, 15522, 15531, 15532, 15593, 15601,
- 15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723,
- 15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797,
- 15799, 15825, 15843, 15844, 15846, 15847, 15849, 15855, 15856, 15857,
- 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15901,
- 15905, 15909, 15915, 15917, 15919, 15921, 15923, 15939, 15941, 15948,
- 15963, 15966, 15985, 15988, 15997, 16032, 16034, 16036, 16037, 16038,
- 16041, 16055, 16071, 16072, 16074, 16077, 16078, 16103, 16112, 16143,
- 16144, 16146, 16150, 16151, 16153, 16167, 16172, 16195, 16214, 16245,
- 16356.
+ 14910, 15004, 15048, 15073, 15089, 15128, 15218, 15268, 15277, 15308,
+ 15362, 15374, 15400, 15425, 15427, 15483, 15522, 15531, 15532, 15593,
+ 15601, 15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681,
+ 15723, 15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764,
+ 15797, 15799, 15825, 15843, 15844, 15846, 15847, 15849, 15855, 15856,
+ 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897,
+ 15901, 15905, 15909, 15915, 15917, 15919, 15921, 15923, 15939, 15941,
+ 15948, 15963, 15966, 15985, 15988, 15997, 16032, 16034, 16036, 16037,
+ 16038, 16041, 16055, 16071, 16072, 16074, 16077, 16078, 16103, 16112,
+ 16143, 16144, 16146, 16150, 16151, 16153, 16167, 16172, 16195, 16214,
+ 16245, 16356.
* The public headers no longer use __unused nor __block. This change is to
support compiling programs that are derived from BSD sources and use
unsigned int idx = fastbin_index(size);
fb = &fastbin (av, idx);
- mchunkptr fd;
- mchunkptr old = *fb;
+ /* Atomically link P to its fastbin: P->FD = *FB; *FB = P; */
+ mchunkptr old = *fb, old2;
unsigned int old_idx = ~0u;
do
{
- /* Another simple check: make sure the top of the bin is not the
- record we are going to add (i.e., double free). */
+ /* Check that the top of the bin is not the record we are going to add
+ (i.e., double free). */
if (__builtin_expect (old == p, 0))
{
errstr = "double free or corruption (fasttop)";
goto errout;
}
- if (old != NULL)
+ /* Check that size of fastbin chunk at the top is the same as
+ size of the chunk that we are adding. We can dereference OLD
+ only if we have the lock, otherwise it might have already been
+ deallocated. See use of OLD_IDX below for the actual check. */
+ if (have_lock && old != NULL)
old_idx = fastbin_index(chunksize(old));
- p->fd = fd = old;
+ p->fd = old2 = old;
}
- while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);
+ while ((old = catomic_compare_and_exchange_val_rel (fb, p, old2)) != old2);
- if (fd != NULL && __builtin_expect (old_idx != idx, 0))
+ if (have_lock && old != NULL && __builtin_expect (old_idx != idx, 0))
{
errstr = "invalid fastbin entry (free)";
goto errout;