Crash in arenas_cleanup on linux x86-64
Jason Evans
jasone at canonware.com
Wed Mar 28 16:30:37 PDT 2012
On Mar 28, 2012, at 12:42 PM, Mike Hommey wrote:
> I'm getting crashes in Firefox in some cases (only one test suite,
> actually), and on Linux x86-64 only (not Linux x86, not Android ARM, and
> not OSX x86 or x86-64).
> They are a NULL deref in arenas_cleanup, in which the arena variable
> seems to be NULL.
> This happens with current dev branch. I had a hunch that I tested, and
> it turns out commit cd9a134 is broken too and 154829d is not, which
> makes cd9a134 the culprit.
> I haven't looked why, though.
It looks to me like the tsd cleanup handler can be called even if the thread never initialized the tsd for that thread. I think the crash you are seeing would happen if a thread never allocated a small or large object. I'll work on a fix tonight.
Thanks,
Jason
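A constructed pthread model of the failure mode described above, added here as an illustration and not jemalloc's code or the fix Jason is working on: the thread's per-thread record exists, so its key destructor runs, but the arena pointer inside was never set because the thread never allocated a small or large object. The `tsd_t`/`arena_t` types, `run_threads`, and the NULL guard in `arenas_cleanup` are assumptions for this example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
/* Constructed model, not jemalloc's code: a per-thread record ("tsd") whose
 * arena pointer is bound only once the thread allocates. */
typedef struct { atomic_uint nthreads; } arena_t;
typedef struct { arena_t *arena; } tsd_t;
static arena_t g_arena;
static pthread_key_t tsd_key;
static pthread_once_t tsd_once = PTHREAD_ONCE_INIT;
/* Key destructor: runs at exit of every thread that created a tsd record, even
 * one that never bound an arena; the NULL check is the assumed guard. */
static void arenas_cleanup(void *p) {
    tsd_t *tsd = p;
    if (tsd->arena != NULL)
        atomic_fetch_sub(&tsd->arena->nthreads, 1);
    free(tsd);
}
static void tsd_key_init(void) { pthread_key_create(&tsd_key, arenas_cleanup); }
/* Lazily create this thread's tsd record; arena stays NULL until bound. */
static tsd_t *tsd_get(void) {
    pthread_once(&tsd_once, tsd_key_init);
    tsd_t *tsd = pthread_getspecific(tsd_key);
    if (tsd == NULL) {
        tsd = calloc(1, sizeof *tsd);
        pthread_setspecific(tsd_key, tsd);
    }
    return tsd;
}
/* Touches tsd but never allocates a small or large object. */
static void *idle_thread(void *arg) { (void)arg; tsd_get(); return NULL; }
/* "Allocates": counts the thread on the arena and binds to it. */
static void *alloc_thread(void *arg) {
    (void)arg;
    tsd_t *tsd = tsd_get();
    atomic_fetch_add(&g_arena.nthreads, 1);
    tsd->arena = &g_arena;
    return NULL;
}
/* Run n_alloc allocating and n_idle idle threads to completion; returns the
 * arena's thread count, which must be back at 0 once every destructor ran. */
unsigned run_threads(int n_alloc, int n_idle) {
    pthread_t th[16]; int n = 0;
    for (int i = 0; i < n_alloc && n < 16; i++) pthread_create(&th[n++], NULL, alloc_thread, NULL);
    for (int i = 0; i < n_idle && n < 16; i++) pthread_create(&th[n++], NULL, idle_thread, NULL);
    for (int i = 0; i < n; i++) pthread_join(th[i], NULL);
    return atomic_load(&g_arena.nthreads);
}
int main(void) { return run_threads(4, 3) == 0 ? 0 : 1; }
```

Removing the `tsd->arena != NULL` check reproduces the crash with any idle thread, since its destructor would dereference the never-bound pointer.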