mempool: fix corruption with almost-page-sized objects

When we free the last object in a page, we free the page itself, removing it from the pool's page list. However, pages with no free objects are not present on the free page list, causing corruption. The only condition this can happen is if there is exactly one object on a page; so it's simultaneously the last allocated and the last freed object.

mempool: fix corruption with almost-page-sized objects
b29b68d6 · Avi Kivity · 44c7e726 · b29b68d6
Commit b29b68d6 authored 12 years ago by Avi Kivity
--- a/mempool.cc
+++ b/mempool.cc
@@ -86,7 +86,9 @@ void pool::free(void* object)
    auto obj = static_cast<free_object*>(object);
    auto header = to_header(obj);
    if (!--header->nalloc) {
-        _free.erase(_free.iterator_to(*header));
+        if (header->local_free) {
+            _free.erase(_free.iterator_to(*header));
+        }
        // FIXME: add hysteresis
        free_page(header);
    } else {