Double freeing memory: Infinite loop in Block::privatizePublicFreeList()
Summary
Infinite loop in the loop at https://github.com/uxlfoundation/oneTBB/blob/45587e94dfb6dfe00220c5f520020a5bc745e92f/src/tbbmalloc/frontend.cpp#L1480
Version
2022.1.0
Environment
- I9-13900
- Windows 11
Steps To Reproduce
Random. Maybe a thread race?
Maybe not related to TBB.
It was reproduced, but a more detailed analysis is required.
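```cpp
#include <thread>
#include <tbb/scalable_allocator.h>

struct TestStruct
{
    int val = 10;
};

// The statements below run inside a function body.
TestStruct* test = nullptr;
std::thread t0, t1, t2;

// Allocate the object in one thread.
t0 = std::thread([&test] {
    test = (TestStruct*)scalable_aligned_malloc(sizeof(TestStruct), 16);
});
t0.join();

// Free the same pointer from two different threads (the double free being reported).
t1 = std::thread([&test] {
    scalable_aligned_free(test);
});
t2 = std::thread([&test] {
    scalable_aligned_free(test);
});
t1.detach();
t2.detach();
```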
It's not completely clear to me yet, but it seems to be somehow related to calling scalable_aligned_free on the same pointer twice in different threads. The infinite loop is not in this example, but occurs later in an unknown place, and it looks like it happens with a 100% chance.
(Perhaps the problem is not critical, because the situation as a whole is incorrect, and apparently I need to use scalable_msize() before free.)
Double freeing memory is an error.
https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory
Agree, but it would also be nice to have fail-safe logic for such an error :)
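A caller-side guard against the racing double free discussed in this thread, as an added example that is not code from the issue or from oneTBB: the shared pointer is taken out of an atomic slot with `exchange`, so exactly one thread ever reaches the free call. `OwnedSlot`, `release_once` and `race_frees` are hypothetical names, and `std::malloc`/`std::free` stand in for `scalable_aligned_malloc`/`scalable_aligned_free` so the block builds without TBB.

```cpp
#include <atomic>
#include <cstdlib>
#include <thread>
#include <vector>

struct TestStruct {
    int val = 10;
};

// Hypothetical helper: a shared slot whose pointer can be released by exactly one caller.
class OwnedSlot {
public:
    explicit OwnedSlot(void* p) : ptr_(p) {}

    // Atomically take the pointer out of the slot. Only the thread that
    // receives a non-null value frees it; every other caller sees nullptr.
    bool release_once() {
        void* p = ptr_.exchange(nullptr, std::memory_order_acq_rel);
        if (p == nullptr) return false;  // another thread already released it
        std::free(p);                    // stand-in for scalable_aligned_free(p)
        return true;
    }

private:
    std::atomic<void*> ptr_;
};

// Race `threads` callers on one allocation and return how many actually freed it.
int race_frees(int threads) {
    void* mem = std::malloc(sizeof(TestStruct));  // stand-in for scalable_aligned_malloc
    if (mem == nullptr) return -1;
    OwnedSlot slot(mem);
    std::atomic<int> freed{0};
    std::vector<std::thread> pool;
    for (int i = 0; i < threads; ++i)
        pool.emplace_back([&] { if (slot.release_once()) ++freed; });
    for (auto& t : pool) t.join();  // join, not detach: slot must outlive the threads
    return freed.load();
}

int main() {
    return race_frees(8) == 1 ? 0 : 1;
}
```

The guard only works if every thread goes through the slot; a raw copy of the pointer kept elsewhere can still be freed twice.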