Comment #8 on issue 17027 by j...@chromium.org: Crash - tcmalloc::ThreadCache::FreeList::PopRange(int,void * *,void * *) http://code.google.com/p/chromium/issues/detail?id=17027
Another scenario for the bug (see items a-e above) other than a "typical" free memory write is the following: The pointer contained in each "block" of free memory is part of the user's memory after a block is allocated. As a result, if an item is (somehow) allocated, but remains in some free list, then the singly-linked-list structure could be corrupted.

To have the above happen, one simple way is to have a double free. The first free would typically put the data item into a free list. A double free could cause the item to either be put into a free list a second time, or put it into a free list after it was allocated to a new user's malloc. The duplicate placement could be in another thread's free-list cache, or in the current thread's free-list cache, inducing a circular linking. Each of these has consequences involving corruption of the heap, and could result in the stack dump shown in this bug.

I've been adding code that watches for duplicate frees, by painting memory with unique text when the blocks are in the heap. Originally I was seeing problems, but current builds are no longer manifesting the problems :-(. Perhaps some related fixes have inadvertently helped this issue... but I need to watch crash dumps to see if this is getting resolved more generally (at all?).
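The free-list layout and the double-free outcomes described in the comment above, as an added C example that is not code from the Chromium bug, the commenter, or tcmalloc. It is a toy single-threaded free list in which, as in tcmalloc's ThreadCache::FreeList, the "next" pointer lives in the first word of each free block. The arena layout, the paint string "FREEBLK!", and all function names are assumptions made for this example; the paint check is modelled on the "painting memory with unique text" idea in the comment, not on the actual patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy allocator (not tcmalloc): NBLOCKS fixed-size blocks carved
 * out of one static arena, threaded onto a singly-linked free list whose
 * "next" pointer is stored in word 0 of each free block. Once a block is
 * handed out, that same word is user data. */
#define BLOCK_SIZE 32
#define NBLOCKS    8
#define PAINT_LEN  8

/* Hypothetical paint written after the next pointer while a block is free. */
static const char kFreePaint[] = "FREEBLK!";

typedef struct FreeList { void *head; } FreeList;

static unsigned char arena[NBLOCKS * BLOCK_SIZE];

/* Unchecked free: plain singly-linked push, exactly what a double free abuses. */
static void fl_push(FreeList *fl, void *p) {
    *(void **)p = fl->head;                      /* next overlays user word 0 */
    memcpy((char *)p + sizeof(void *), kFreePaint, PAINT_LEN);
    fl->head = p;
}

/* Allocate: unlink the head and clear the paint, so the block looks "owned". */
static void *fl_pop(FreeList *fl) {
    void *p = fl->head;
    if (p == NULL) return NULL;
    fl->head = *(void **)p;
    memset((char *)p + sizeof(void *), 0, PAINT_LEN);
    return p;
}

/* Checked free: a block still carrying the free-list paint was never handed
 * out since its last free, so this is a duplicate free. Returns -1 then. */
static int fl_push_checked(FreeList *fl, void *p) {
    if (memcmp((char *)p + sizeof(void *), kFreePaint, PAINT_LEN) == 0) return -1;
    fl_push(fl, p);
    return 0;
}

static int in_arena(const void *p) {
    const unsigned char *c = (const unsigned char *)p;
    return c >= arena && c < arena + sizeof(arena) &&
           (size_t)(c - arena) % BLOCK_SIZE == 0;
}

/* Bounded walk of the list: returns the node count, or -1 on a circular link
 * or on a next pointer that no longer points at a block of this heap. */
static int fl_audit(const FreeList *fl) {
    int seen[NBLOCKS] = {0};
    int n = 0;
    for (void *p = fl->head; p != NULL; p = *(void **)p) {
        if (!in_arena(p)) return -1;             /* next points outside the heap */
        int idx = (int)(((unsigned char *)p - arena) / BLOCK_SIZE);
        if (seen[idx]) return -1;                /* circular linking */
        seen[idx] = 1;
        n++;
    }
    return n;
}

static void fl_init(FreeList *fl) {
    fl->head = NULL;
    for (int i = NBLOCKS - 1; i >= 0; i--) fl_push(fl, arena + (size_t)i * BLOCK_SIZE);
}

/* Case 1: the same block is freed twice into one list with no check. The
 * second push stores head (== p) into p's own next word, so the list loops on
 * itself and every later allocation returns the same block. Returns 1 if so. */
static int scenario_double_free_cycle(void) {
    FreeList fl; fl_init(&fl);
    void *p = fl_pop(&fl);
    fl_push(&fl, p);
    fl_push(&fl, p);                             /* double free */
    void *a = fl_pop(&fl);
    void *b = fl_pop(&fl);
    return a == p && b == p && fl_audit(&fl) == -1;
}

/* Case 2: the paint check catches the immediate double free; the list stays
 * intact with all NBLOCKS blocks reachable. Returns 1 if so. */
static int scenario_checked(void) {
    FreeList fl; fl_init(&fl);
    void *p = fl_pop(&fl);
    int first  = fl_push_checked(&fl, p);        /* legitimate free: 0 */
    int second = fl_push_checked(&fl, p);        /* duplicate free: -1 */
    return first == 0 && second == -1 && fl_audit(&fl) == NBLOCKS;
}

/* Case 3: the block is freed, handed to a new caller, then freed again via the
 * stale pointer. The paint was cleared by the allocation, so the check passes;
 * the block is now both owned and on the free list, and the owner's write to
 * word 0 overwrites the next pointer with a non-heap address. Returns 1 if so. */
static int scenario_stale_free(void) {
    FreeList fl; fl_init(&fl);
    static int user_data = 42;
    void *p = fl_pop(&fl);
    fl_push(&fl, p);                             /* first free */
    void *q = fl_pop(&fl);                       /* q == p: new owner */
    int r = fl_push_checked(&fl, p);             /* stale free slips through: 0 */
    *(void **)q = &user_data;                    /* owner writes word 0 == next */
    return q == p && r == 0 && fl_audit(&fl) == -1;
}

int main(void) {
    printf("double free cycles list: %d\n", scenario_double_free_cycle());
    printf("paint check catches it:  %d\n", scenario_checked());
    printf("stale free corrupts it:  %d\n", scenario_stale_free());
    return 0;
}
```

The third case is the caveat for any paint-based detector: once the block has been reallocated its paint is gone, so a stale second free is indistinguishable from a fresh one at free time, and the corruption only surfaces when the list is next walked, which is where a PopRange crash like the one in this bug would appear.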