Comment #7 on issue 17027 by j...@chromium.org: Crash - tcmalloc::ThreadCache::FreeList::PopRange(int,void * *,void * *) http://code.google.com/p/chromium/issues/detail?id=17027
The specific stack trace at the top of this bug relates to the following scenario:

a) Thread tries to free memory.
b) TC malloc decides too much of this size has been freed into the local thread cache.
c) TC malloc looks to release a group of blocks to the central cache.
d) TC malloc tries to pop a list of N blocks (via PopRange()) from the thread's free list cache.
e) The walk down the singly-linked list of free blocks, each containing a pointer to the next, found an errant pointer (and caused a segv).

The most logical reason for this would be that there was a free-memory-write into a freed block that clobbered the linked-list pointer at the start of the block.

The cause of this heap corruption is probably a fair distance away from the stack trace (and I've REALLY studied this stack trace recently). As a result, I'd have to call this non-reproducible heap corruption. I doubt I'll make further progress on this until I can repro it using some new heap checking tools.

I'll leave this bug open as my central bug to reference with any patches related to this class of problem.
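The structure the comment describes, as an added example that is not part of the bug comment and is not Chromium or tcmalloc code: a minimal model of a thread-cache free list in which each freed block stores the pointer to the next free block in its first word, a PopRange-style walk that trusts every link, and a checked variant that refuses to follow a link that does not point at a block of the arena. The arena, block size and function names (`freelist_push`, `pop_range`, `pop_range_checked`, `simulate_write_after_free`) are assumptions of this example, and the write-after-free it performs is constructed to reproduce the scenario in step e).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a tcmalloc-style thread-cache free list (added example,
 * not Chromium/tcmalloc code). Free blocks form a singly linked list and the
 * link to the next free block lives in the first sizeof(void*) bytes of each
 * block, so a write into a block after it was freed clobbers that link. */
#define BLOCK_SIZE 32
#define NUM_BLOCKS 8

static unsigned char arena[BLOCK_SIZE * NUM_BLOCKS]; /* the blocks themselves */
static void *free_head;                               /* head of the free list */

/* Read/write the link stored at the start of a free block. */
static void *next_of(void *blk) { void *n; memcpy(&n, blk, sizeof n); return n; }
static void set_next(void *blk, void *n) { memcpy(blk, &n, sizeof n); }

/* Thread all blocks onto the free list in address order: block0 -> block1 -> ... */
static void freelist_init(void) {
    free_head = NULL;
    for (int i = NUM_BLOCKS - 1; i >= 0; i--) {
        void *blk = arena + (size_t)i * BLOCK_SIZE;
        set_next(blk, free_head);
        free_head = blk;
    }
}

/* free(): push the block back, which overwrites its first word with the link. */
static void freelist_push(void *blk) { set_next(blk, free_head); free_head = blk; }

/* PopRange as the comment describes it: walk n links, trusting each one.
 * Returns the number of blocks detached; *start..*end is the detached range. */
static int pop_range(int n, void **start, void **end) {
    void *cur = free_head, *prev = NULL;
    int count = 0;
    while (count < n && cur != NULL) {
        prev = cur;
        cur = next_of(cur);   /* dereferences whatever the link says: segv if garbage */
        count++;
    }
    *start = free_head;
    *end = prev;
    free_head = cur;
    if (prev != NULL) set_next(prev, NULL);   /* terminate the detached range */
    return count;
}

/* A link is plausible only if it points at the start of a block in our arena. */
static int is_valid_block(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)arena;
    return a >= base && a < base + sizeof arena && (a - base) % BLOCK_SIZE == 0;
}

/* Same walk, but every link is validated before it is followed.
 * Returns the count popped, or -1 if a clobbered link was found. */
static int pop_range_checked(int n, void **start, void **end) {
    void *cur = free_head, *prev = NULL;
    int count = 0;
    while (count < n && cur != NULL) {
        if (!is_valid_block(cur)) { *start = *end = NULL; return -1; }
        prev = cur;
        cur = next_of(cur);
        count++;
    }
    if (cur != NULL && !is_valid_block(cur)) { *start = *end = NULL; return -1; }
    *start = free_head;
    *end = prev;
    free_head = cur;
    if (prev != NULL) set_next(prev, NULL);
    return count;
}

/* Count free blocks while validating links; -1 on a corrupt link. */
static int count_free_checked(void) {
    int count = 0;
    for (void *cur = free_head; cur != NULL; cur = next_of(cur)) {
        if (!is_valid_block(cur)) return -1;
        count++;
    }
    return count;
}

/* Healthy case: pop three blocks and confirm the range and new head are right. */
static int demo_clean_pop(void) {
    void *s, *e;
    freelist_init();
    int n = pop_range_checked(3, &s, &e);
    if (s != arena || e != arena + 2 * BLOCK_SIZE || free_head != arena + 3 * BLOCK_SIZE)
        return -2;
    return n;   /* 3 */
}

/* The comment's scenario: allocate, free, write into the freed block, then let
 * the thread cache try to move a range to the central cache. */
static int simulate_write_after_free(void) {
    void *s, *e;
    freelist_init();
    pop_range(1, &s, &e);     /* "allocate" block 0 */
    freelist_push(s);         /* free it: its first word is now the link to block 1 */
    memset(s, 0x41, 16);      /* constructed use-after-free write: clobbers the link */
    return pop_range_checked(3, &s, &e);   /* -1: link now reads 0x4141...; pop_range would segv */
}

int main(void) {
    printf("clean pop: %d popped, %d left\n", demo_clean_pop(), count_free_checked());
    printf("after write-after-free: %d\n", simulate_write_after_free());
    return 0;
}
```

The unchecked `pop_range` is the behaviour the stack trace shows; the clobbering write happened earlier, in code that has no visible relation to PopRange, which is why the trace alone does not locate the bug. Bounds checks of this kind catch the damage at the point of use and are cheap in a fixed arena, but they still only point at the symptom, so a heap checker that traps the write itself is the tool that finds the cause.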