http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60830
--- Comment #29 from Bernd Edlinger <bernd.edlinger at hotmail dot de> ---

Hmm, that is really strange. The crash happens in __gcc_deregister_frame; just break at this function and step. The first call is GetModuleHandle (LIBGCC_SONAME), which returns NULL, so the weak default __deregister_frame_info is used. BUT the address is wrong by 0x10:

00401170 <___gcc_deregister_frame>:
  401170:  55                      push   %ebp
  401171:  89 e5                   mov    %esp,%ebp
  401173:  83 ec 18                sub    $0x18,%esp
  401176:  c7 04 24 20 71 47 00    movl   $0x477120,(%esp)
  40117d:  ff 15 50 b4 4c 00       call   *0x4cb450
  401183:  83 ec 04                sub    $0x4,%esp
  401186:  85 c0                   test   %eax,%eax
  401188:  ba 10 25 47 00          mov    $0x472510,%edx
  40118d:  74 16                   je     4011a5 <___gcc_deregister_frame+0x35>
  40118f:  c7 44 24 04 67 71 47    movl   $0x477167,0x4(%esp)
  401196:  00
  401197:  89 04 24                mov    %eax,(%esp)
  40119a:  ff 15 54 b4 4c 00       call   *0x4cb454
  4011a0:  83 ec 08                sub    $0x8,%esp
  4011a3:  89 c2                   mov    %eax,%edx
  4011a5:  85 d2                   test   %edx,%edx
  4011a7:  74 09                   je     4011b2 <___gcc_deregister_frame+0x42>
  4011a9:  c7 04 24 38 b0 4b 00    movl   $0x4bb038,(%esp)
  4011b0:  ff d2                   call   *%edx

=> this call goes to 0x472510 instead of 0x472520.

....
  4724ff:  e8 fc 01 00 00          call   472700 <_free>
  472504:  8b 44 24 1c             mov    0x1c(%esp),%eax
  472508:  83 c4 28                add    $0x28,%esp
  47250b:  5b                      pop    %ebx
  47250c:  c3                      ret
  47250d:  89 d0                   mov    %edx,%eax
  47250f:  ba e4 ac 4c 00          mov    $0x4cace4,%edx
  472514:  eb a6                   jmp    4724bc <___deregister_frame_info_bases+0x6c>
  472516:  8d 76 00                lea    0x0(%esi),%esi
  472519:  8d bc 27 00 00 00 00    lea    0x0(%edi,%eiz,1),%edi

00472520 <___deregister_frame_info>:
  472520:  e9 2b ff ff ff          jmp    472450 <___deregister_frame_info_bases>
  472525:  8d 74 26 00             lea    0x0(%esi,%eiz,1),%esi
  472529:  8d bc 27 00 00 00 00    lea    0x0(%edi,%eiz,1),%edi