BUG/MEDIUM: memory: fix freeing logic in pool_gc2()

There's a long-standing bug in pool_gc2(). It tries to protect the pool
against releasing of too many entries but the formula is wrong as it
compares allocated to minavail instead of (allocated-used) to minavail.
Under memory contention, it ends up releasing more than what is granted
by minavail and causes trouble to the dynamic buffer allocator.

This bug is in fact major by itself, but since minavail has never been
used till now, there is no impact at least in mainline. A backport to
1.5 is desired anyway in case any future backport or out-of-tree patch
relies on this.

diff --git a/src/memory.c b/src/memory.c
index 1e62259cbcfaa1c7773420bb6d2c451134169084..fcd7679314f2ca9df997dd9887e9130a20a6c47c 100644 (file)
--- a/src/memory.c
+++ b/src/memory.c
@@ -142,8 +142,7 @@ void pool_gc2()
                //qfprintf(stderr, "Flushing pool %s\n", entry->name);
                next = entry->free_list;
                while (next &&
-                      entry->allocated > entry->minavail &&
-                      entry->allocated > entry->used) {
+                      (int)(entry->allocated - entry->used) > (int)entry->minavail) {
                        temp = next;
                        next = *(void **)temp;
                        entry->allocated--;