#2 Pointers to arenas may become invalid after realloc()ing g_arenas

[KaperX]

Function alloc_ca_arena() in heap_ptmalloc.cpp uses realloc() to alloc arenas in array g_arenas. realloc() may change the address of g_arenas, therefore changes all addresses of arenas.

[Michael Yan]

realloc() is used here to expand buffer as new arena is discovered. However, the function will copy the old arena data into the new allocated buffer.

[KaperX]

The old arena data will be copied into the new allocated buffer, but the pointers to the old arena data won't be updated accordingly.

For exapmle:

heap1->mArena = alloc_ca_arena(...);
heap2->mArena = alloc_ca_arena(...); // if realloc() is called here, heap1->mArena 
                                     // may become invalid because it still points
                                     // to the old arena data.

I encountered this problem when analyzing a core dump with 92 arenas.

The core analyzer was killed by a segment fault while accessing the content referenced by
a heap->mArena.

Then I changed the initial value of g_arena_buf_sz to 128 instead of 32, to avoid realloc()ing again, and the segment fault didn't happen again.

[Michael Yan]

I see what the problem is. However, function alloc_ca_arena() is called only when arenas are built at startup. The code doesn't have stale pointer to previously created arenas. (I don't see any in file heap_ptmalloc.cpp) Is the code example added by you? or could you point me where the break is?