On Sat, Oct 27, 2012 at 10:12 PM, David Miller <da...@davemloft.net> wrote:
> From: David Miller <da...@davemloft.net>
> Date: Sun, 28 Oct 2012 00:31:27 -0400 (EDT)
>
>> The size is 24, and my patch definitely makes the crashes go away.
>>
>> It seems like a vector is being used for a mixed set of objects.
>> I'll try to figure out how that is happening.
>
> Ok, the problem seems to have to do with releases.
>
> The releases place vector memory chunks into a global pool.
>
> So a memory chunk from a vector used for one type of object,
> can be sucked into and used by another vector.
>
> But the alignment requirements are different, so we can
> obtain a chunk from the freelist that was being used for
> a vector of 4-byte aligned objects.
>
> The crash sequences are always of the form:
>
> vec_release(0xffb37ac8) base+size(0xf0199008) amount(312)
> ...
> vec_grow(0xffb37ac8:24) from 0x975168, ret=0xf01754cc [size(24):alc(360)]
>
> That size alignment done by backtrace_alloc() has no influence upon
> this issue, since chunks are released from wherever the vector's
> allocation point was at the time of the release.
>
> In fact I bet that alignment in backtrace_alloc() never triggers when
> it is invoked from backtrace_vector_grow().
Thanks for tracking it down. This patch should fix it. Bootstrapped and ran libbacktrace testsuite on x86_64-unknown-linux-gnu. Committed to mainline.

Ian

2012-10-29  Ian Lance Taylor  <i...@google.com>

	* mmap.c (backtrace_vector_release): Make sure freed block is
	aligned on 8-byte boundary.
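The chunk-reuse problem David describes and the fix Ian's ChangeLog names, as an added C example that is not libbacktrace's own code: vec_release, vec_grow and the bump arena are hypothetical stand-ins modelled on the names in the trace, with a one-entry global freelist in place of the real pool.

```c
/* Added example, not libbacktrace code: a toy vector freelist that reproduces the
   misalignment described in the thread, and the fix of aligning the freed block. */
#include <stddef.h>
#include <stdint.h>
#define ALIGN 8
static uint64_t arena[512];          /* bump arena standing in for backtrace_alloc(); 8-aligned */
static size_t arena_used;
static unsigned char *free_base;     /* one-entry global freelist shared by every vector */
static size_t free_size;

/* Put the unused tail [base, base+size) of a vector on the freelist.
   fix == 0 stores it as-is (the bug); fix == 1 rounds the start up to ALIGN first. */
static void vec_release(unsigned char *base, size_t size, int fix)
{
    if (fix) {
        uintptr_t addr = (uintptr_t)base;
        size_t skip = (size_t)(((addr + ALIGN - 1) & ~(uintptr_t)(ALIGN - 1)) - addr);
        if (skip >= size)
            return;                  /* nothing usable left once aligned */
        base += skip;
        size -= skip;
    }
    free_base = base;
    free_size = size;
}

/* Hand out the freelist chunk if it is big enough, else bump-allocate from the arena. */
static unsigned char *vec_grow(size_t need)
{
    if (free_base != NULL && free_size >= need) {
        unsigned char *p = free_base;
        free_base = NULL;
        free_size = 0;
        return p;
    }
    unsigned char *p = (unsigned char *)arena + arena_used;
    arena_used += need;
    return p;
}

/* Scenario from the thread: a vector of 4-byte objects has used 12 bytes and releases its
   tail; a vector of 24-byte, 8-byte-aligned objects then grows and receives that chunk.
   Returns the received pointer's offset modulo ALIGN (0 means correctly aligned). */
int misalignment_after_reuse(int fix)
{
    arena_used = 0; free_base = NULL; free_size = 0;
    unsigned char *v4 = vec_grow(64);                       /* room for 16 x 4-byte objects */
    vec_release(v4 + 3 * sizeof(uint32_t), 64 - 12, fix);   /* tail begins at offset 12 */
    unsigned char *v24 = vec_grow(24);                      /* one 24-byte object */
    return (int)((uintptr_t)v24 % ALIGN);
}
```

Without the fix the 24-byte vector is handed a pointer 4 bytes off an 8-byte boundary, which is the mixed-alignment reuse behind the crashes; with it the freed block is trimmed so the first reusable byte is aligned.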