author | jar@chromium.org <jar@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-05 22:22:27 +0000 |
---|---|---|
committer | jar@chromium.org <jar@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-05 22:22:27 +0000 |
commit | ad2c964cc2e571b499ee778b4edb582527ecf0d2 (patch) | |
tree | c749fae5922f17773c157deafa9fda67f4bb83a1 /third_party | |
parent | fe6e57cdfa4af1a194f2e35ffa32b6c09c184ed8 (diff) | |
Catch some "easy to spot" double frees in TCMalloc
This will only work when the double frees happen to be
close enough in time, and both happen on the same thread...
...but it should have almost zero cost to do the check.
r=jschuh
BUG=75921
Review URL: http://codereview.chromium.org/8000001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@104188 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/tcmalloc/chromium/src/free_list.cc | 12 | ||||
-rw-r--r-- | third_party/tcmalloc/chromium/src/free_list.h | 7 |
2 files changed, 17 insertions, 2 deletions
diff --git a/third_party/tcmalloc/chromium/src/free_list.cc b/third_party/tcmalloc/chromium/src/free_list.cc
index 26243c6..12f9b96 100644
--- a/third_party/tcmalloc/chromium/src/free_list.cc
+++ b/third_party/tcmalloc/chromium/src/free_list.cc
@@ -62,12 +62,20 @@
 #ifdef TCMALLOC_USE_DOUBLYLINKED_FREELIST
 #include <stddef.h>
-#include "internal_logging.h" //for ASSERT
+#include "free_list.h"
+// TODO(jar): We should use C++ rather than a macro here.
 #define MEMORY_CHECK(v1, v2) \
 if (v1 != v2) CRASH("Memory corruption detected.\n")
 namespace {
+void EnsureNonLoop(void* node, void* next) {
+ // We only have time to do minimal checking. We don't traverse the list, but
+ // only look for an immediate loop (cycle back to ourself).
+ if (node != next) return;
+ CRASH("Circular loop in list detected: %p\n", next);
+}
+
 // Returns value of the |previous| pointer w/out running a sanity
 // check.
 inline void *FL_Previous_No_Check(void *t) {
@@ -88,10 +96,12 @@ void *FL_Previous(void *t) {
 }
 inline void FL_SetPrevious(void *t, void *n) {
+ EnsureNonLoop(t, n);
 reinterpret_cast<void**>(t)[1] = n;
 }
 inline void FL_SetNext(void *t, void *n) {
+ EnsureNonLoop(t, n);
 reinterpret_cast<void**>(t)[0] = n;
 }
diff --git a/third_party/tcmalloc/chromium/src/free_list.h b/third_party/tcmalloc/chromium/src/free_list.h
index e5b9bfd..2b29052 100644
--- a/third_party/tcmalloc/chromium/src/free_list.h
+++ b/third_party/tcmalloc/chromium/src/free_list.h
@@ -40,6 +40,7 @@
 #define TCMALLOC_FREE_LIST_H_
 #include <stddef.h>
+#include "internal_logging.h" // For CRASH() macro.
 #include "linked_list.h"
 namespace tcmalloc {
@@ -69,7 +70,11 @@ inline void FL_Init(void *t) {
 }
 inline void FL_Push(void **list, void *element) {
- SLL_Push(list,element);
+ if(*list != element) {
+ SLL_Push(list,element);
+ return;
+ }
+ CRASH("Double Free of %p detected", element);
 }
 inline void *FL_Pop(void **list) { |
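Review bot: EnsureNonLoop, added in the anonymous namespace of free_list.cc, compares only `node` with `next`, so it stops a block being linked to itself and nothing else; a block freed a second time after any other block has been pushed would pass this check. The in-body comment says the check is minimal, but the function has no header comment, and a reader of FL_SetPrevious and FL_SetNext (the next hunk, which calls it before each store) could take it for general double-free or cycle detection. I would add above it `// Hardening heuristic: crashes only on a direct self-link (same block linked twice in a row); longer cycles are not detected.` It is also the one function in these hunks not declared `inline`, although the setters call it on every list update; `inline void EnsureNonLoop(void* node, void* next) {` would match its neighbours and the commit's near-zero-cost goal.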
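Review bot: The new message in FL_Push in free_list.h, `CRASH("Double Free of %p detected", element);`, has no trailing newline, while the other CRASH messages visible in free_list.cc ("Memory corruption detected.\n" and "Circular loop in list detected: %p\n") end with one. Unless CRASH appends its own, this report can run into the following log output, so `CRASH("Double Free of %p detected\n", element);` would be consistent. The test `*list != element` only sees a block that is still at the head of this list, which the commit message acknowledges but the code does not; a one-line comment above the `if`, such as `// Catches only a repeat free of the current list head.`, would keep that limit visible to whoever triages a crash report from this path.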