From owner-freebsd-current@FreeBSD.ORG Sat Sep 6 17:24:44 2008
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 98247106568E; Sat, 6 Sep 2008 17:24:44 +0000 (UTC) (envelope-from jasone@FreeBSD.org)
Received: from canonware.com (canonware.com [64.183.146.166]) by mx1.freebsd.org (Postfix) with ESMTP id 6AA0C8FC15; Sat, 6 Sep 2008 17:24:44 +0000 (UTC) (envelope-from jasone@FreeBSD.org)
Received: from [192.168.168.201] (unknown [192.168.168.201]) by canonware.com (Postfix) with ESMTP id D70E61298C0; Sat, 6 Sep 2008 10:00:41 -0700 (PDT)
Message-ID: <48C2B6EB.5000608@FreeBSD.org>
Date: Sat, 06 Sep 2008 09:59:23 -0700
From: Jason Evans
User-Agent: Thunderbird 2.0.0.16 (X11/20080724)
To: Jille Timmermans
References: <48C15AEA.4070704@quis.cx>
In-Reply-To: <48C15AEA.4070704@quis.cx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Cc: FreeBSD Current, David Xu
Subject: Re: Segmentation fault in malloc_usable_size() (libc)
List-Id: Discussions about the use of FreeBSD-current

Jille Timmermans wrote:
> I switched over to current a few days ago.
> And I ran into a bug (file attached, log pasted):

The stack trace you got is totally bogus, but the problem is real. This crash is due to recent changes in malloc that use TLS for thread-specific caching. The problem is that malloc is being used after a thread has effectively exited.
#0  0x00000008007c7b35 in arena_malloc (arena=0x500a98, size=80, zero=true) at /usr/src/lib/libc/stdlib/malloc.c:3223
#1  0x00000008007caf4b in calloc (num=1, size=80) at /usr/src/lib/libc/stdlib/malloc.c:3395
#2  0x0000000800649c94 in mutex_init (mutex=0x8009785c0, mutex_attr=Variable "mutex_attr" is not available. ) at /usr/src/lib/libthr/thread/thr_mutex.c:144
#3  0x0000000800649f41 in init_static (thread=0x608e40, mutex=0x8009785c0) at /usr/src/lib/libthr/thread/thr_mutex.c:188
#4  0x000000080064ab31 in __pthread_mutex_lock (mutex=0x8009785c0) at /usr/src/lib/libthr/thread/thr_mutex.c:445
#5  0x000000080081c63c in __cxa_finalize (dso=0x0) at /usr/src/lib/libc/stdlib/atexit.c:161
#6  0x00000008007ccbe7 in exit (status=0) at /usr/src/lib/libc/stdlib/exit.c:67
#7  0x000000080064e5c6 in _pthread_exit (status=Variable "status" is not available. ) at /usr/src/lib/libthr/thread/thr_exit.c:109
#8  0x0000000800646219 in thread_start (curthread=0x608e40) at /usr/src/lib/libthr/thread/thr_create.c:288
#9  0x0000000000000000 in ?? ()

The call to _malloc_thread_cleanup() in _pthread_exit() I added at /usr/src/lib/libthr/thread/thr_exit.c:100 is too early in the case that _thread_active_threads is decremented to 0 below. I don't know off the top of my head what the best fix is (i.e. where the _malloc_thread_cleanup() call is really safe); perhaps David Xu has a suggestion.

Thanks,
Jason
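An added illustration of the ordering hazard described in this message (not code from the thread, from libc or from libthr): a hypothetical TLS-backed per-thread cache is torn down by a thread-exit hook, and an allocation made afterwards on the same thread, as the __cxa_finalize -> mutex_init -> calloc path in the trace does, must not trust the cache pointer. All names and sizes here are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
/* Constructed model of a TLS-backed per-thread allocation cache; names are
 * hypothetical and are not the FreeBSD malloc or libthr code. */
#define CACHE_SLOTS 8
#define MUTEX_OBJ_SIZE 80   /* the calloc(1, 80) size seen in the trace */
struct thread_cache { void *slots[CACHE_SLOTS]; int nfree; };
static __thread struct thread_cache *tcache; /* NULL once torn down */
static int arena_allocs;                     /* slow-path allocation count */
static void *arena_alloc(size_t size) { arena_allocs++; return calloc(1, size); }
void tcache_init(void) { tcache = calloc(1, sizeof *tcache); }

/* Thread-exit hook in the role of _malloc_thread_cleanup(): after it runs,
 * any allocation on this thread is in the state the crash report describes. */
void tcache_cleanup(void) {
    if (tcache == NULL)
        return;
    while (tcache->nfree > 0)
        free(tcache->slots[--tcache->nfree]);
    free(tcache);
    tcache = NULL;
}

/* Fast path that trusts the cache pointer: a NULL dereference after cleanup. */
void *alloc_unsafe(size_t size) {
    if (size == MUTEX_OBJ_SIZE && tcache->nfree > 0)
        return tcache->slots[--tcache->nfree];
    return arena_alloc(size);
}

/* Same fast path with the check a defender wants: a torn-down cache means
 * "take the arena path", not "fault inside the exit handler". */
void *alloc_safe(size_t size) {
    if (tcache != NULL && size == MUTEX_OBJ_SIZE && tcache->nfree > 0)
        return tcache->slots[--tcache->nfree];
    return arena_alloc(size);
}

/* Replays the reported order: cleanup hook first, then an allocation from an
 * exit-time path. Returns 1 when the allocation fell back to the arena. */
int replay_exit_order(void) {
    tcache_init();
    tcache_cleanup();
    int before = arena_allocs;
    void *mutex_obj = alloc_safe(MUTEX_OBJ_SIZE); /* alloc_unsafe() faults here */
    free(mutex_obj);
    return mutex_obj != NULL && arena_allocs == before + 1;
}
```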