Crash in arenas_cleanup on linux x86-64

Jason Evans jasone at canonware.com
Wed Mar 28 16:52:23 PDT 2012


On Mar 28, 2012, at 4:30 PM, Jason Evans wrote:

> On Mar 28, 2012, at 12:42 PM, Mike Hommey wrote:
>> I'm getting crashes in Firefox in some cases (only one test suite,
>> actually), and on Linux x86-64 only (not Linux x86, not Android ARM, and
>> not OSX x86 or x86-64).
>> They are a NULL deref in arenas_cleanup, in which the arena variable
>> seems to be NULL.
>> This happens with current dev branch. I had a hunch that I tested, and
>> it turns out commit cd9a134 is broken too and 154829d is not, which
>> makes cd9a134 the culprit.
>> I haven't looked into why, though.
> 
> It looks to me like the tsd cleanup handler can be called even if the thread never initialized the tsd for that thread.  I think the crash you are seeing would happen if a thread never allocated a small or large object.  I'll work on a fix tonight.

Actually, after further scrutiny, I don't see how this can happen unless TLS (__thread variable memory) is cleared before pthreads TSD destructors are called.  That seems an unlikely explanation though; any other ideas?

Thanks,
Jason
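The failure mode discussed above, a pthread TSD destructor running for a thread whose lazily initialized `__thread` state is still NULL, reduced to a small C program. This is an added example, not jemalloc's code: `demo_arena_t`, `tls_arena`, `arena_cleanup`, `register_cleanup` and `run_thread` are constructed names, and the pthread key value is used only as a non-NULL "registered" token so that the destructor fires at thread exit. The hardened destructor checks the TLS slot before touching it, which is what keeps a thread that never allocated from dereferencing NULL.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a per-thread arena (not jemalloc's arena_t). */
typedef struct { int id; } demo_arena_t;

/* TLS slot that only threads which "allocate" ever populate. */
static __thread demo_arena_t *tls_arena = NULL;

static pthread_key_t cleanup_key;
static pthread_once_t key_once = PTHREAD_ONCE_INIT;

/* Outcome flags written by the exiting thread's destructor and read by the
 * parent after pthread_join (the join orders the two accesses). */
static int g_cleanup_saw_null;
static int g_cleanup_released;

/* Hardened cleanup: the destructor fires for every thread that stored a
 * non-NULL value under cleanup_key, regardless of whether tls_arena was ever
 * initialized, so the NULL check is mandatory. */
static void arena_cleanup(void *marker) {
    (void)marker;                      /* only a "registered" token, see below */
    if (tls_arena == NULL) {
        g_cleanup_saw_null = 1;        /* thread never allocated: nothing to do */
        return;
    }
    g_cleanup_released = 1;
    free(tls_arena);
    tls_arena = NULL;
}

static void create_key(void) {
    if (pthread_key_create(&cleanup_key, arena_cleanup) != 0)
        abort();
}

/* Register this thread so arena_cleanup runs at its exit. The stored value is
 * a non-NULL token only; pthreads skips destructors for keys whose value is NULL. */
static void register_cleanup(void) {
    pthread_once(&key_once, create_key);
    pthread_setspecific(cleanup_key, (void *)1);
}

static void *thread_main(void *arg) {
    int allocates = *(int *)arg;
    register_cleanup();                /* in real code: on first TSD access */
    if (allocates) {                   /* only "allocating" threads fill the slot */
        tls_arena = malloc(sizeof *tls_arena);
        if (tls_arena == NULL) abort();
        tls_arena->id = 42;
    }
    return NULL;                       /* thread exit triggers arena_cleanup */
}

/* Runs one thread and reports what the destructor observed:
 * 1 = slot was still NULL (the non-allocating thread case), 0 = arena released. */
int run_thread(int allocates) {
    pthread_t tid;
    g_cleanup_saw_null = 0;
    g_cleanup_released = 0;
    if (pthread_create(&tid, NULL, thread_main, &allocates) != 0) abort();
    pthread_join(tid, NULL);
    return g_cleanup_saw_null && !g_cleanup_released;
}

int main(void) {
    printf("non-allocating thread: cleanup saw NULL = %d\n", run_thread(0));
    printf("allocating thread:     cleanup saw NULL = %d\n", run_thread(1));
    return 0;
}
```

Without the NULL check in `arena_cleanup`, the `run_thread(0)` case would dereference a NULL `tls_arena` inside the destructor, which matches the symptom reported for threads that never allocated. Whether `__thread` memory is still valid when TSD destructors run is a separate, implementation-specific question; the check costs nothing either way.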

