malloc: fix large tcache code to check for exact size match

The tcache is used for allocation only if an exact match is found. In the
large tcache code added in commit cbfd7988107b, we currently extract a
chunk of size greater than or equal to the size we need, but don't check
strict equality. This patch fixes that behaviour.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 3db0f65f37d4ef62e28c92b9c3160d76893d4687..1cdeb084376cee497d4857961f245412a52d0d17 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3268,7 +3268,8 @@ tcache_get (size_t tc_idx)
 }
 
 static __always_inline tcache_entry **
-tcache_location_large (size_t nb, size_t tc_idx, bool *mangled)
+tcache_location_large (size_t nb, size_t tc_idx,
+                      bool *mangled, tcache_entry **demangled_ptr)
 {
   tcache_entry **tep = &(tcache->entries[tc_idx]);
   tcache_entry *te = *tep;
@@ -3280,6 +3281,7 @@ tcache_location_large (size_t nb, size_t tc_idx, bool *mangled)
       *mangled = true;
     }
 
+  *demangled_ptr = te;
   return tep;
 }
 
@@ -3288,7 +3290,8 @@ tcache_put_large (mchunkptr chunk, size_t tc_idx)
 {
   tcache_entry **entry;
   bool mangled = false;
-  entry = tcache_location_large (chunksize (chunk), tc_idx, &mangled);
+  tcache_entry *te;
+  entry = tcache_location_large (chunksize (chunk), tc_idx, &mangled, &te);
 
   return tcache_put_n (chunk, tc_idx, entry, mangled);
 }
@@ -3298,10 +3301,10 @@ tcache_get_large (size_t tc_idx, size_t nb)
 {
   tcache_entry **entry;
   bool mangled = false;
-  entry = tcache_location_large (nb, tc_idx, &mangled);
+  tcache_entry *te;
+  entry = tcache_location_large (nb, tc_idx, &mangled, &te);
 
-  if ((mangled && REVEAL_PTR (*entry) == NULL)
-      || (!mangled && *entry == NULL))
+  if (te == NULL || nb != chunksize (mem2chunk (te)))
     return NULL;
 
   return tcache_get_n (tc_idx, entry, mangled);