Comment #20 on issue 15577 by jim.roskind: Crash - tcmalloc::ThreadCache::Allocate(unsigned int)
http://code.google.com/p/chromium/issues/detail?id=15577

To add to the record of information:

The crash was caused by an attempt to pop (for use in an allocation) a free block of memory from a singly-linked list of blocks held by TCMalloc in the thread specific cache.  Presumably the counter associated with this list indicated that there were still several cached blocks, but the pointer to the next block was not valid.

The fact that this happened on the history suggests that very probably the freed block was freed on the history thread previously (it could be that it was acquired from a central cache... but this is less likely).  Assuming that memory on the history thread is mostly malloc'ed/freed by SQLite, then it is likely that the block that was trying to get acquired (a block of about 220 bytes) was previously allocated by the SQLite allocator.

The two causes for corruption of the linked-list include: a) write-to-free memory; and b) duplicate free of the same memory.

However, it is unlikely for a SQL-alloced block to have its header (where TCMalloc would put the linking pointer) modified.  Such allocations write the block size (at sql-alloc time) into the first 4 bytes of the TCMalloced block, and that data is not changed over the lifetime of the SQL use (it is used for SQL book-keeping).

The most likely cause is then (I think) a double free of a block of SQL-alloced memory on the history thread.  A second free would attempt to push the freed block onto the head of the free-list while it was already a part of that list (oops).  That would corrupt the list, and cause the counter to be relatively useless.

If we can repro the problem, then perhaps a special build I have that detects duplicate frees can be used to isolate the cause.  Another suggestion is that we log all memory allocations, and then go back and see where the corrupt free block was last allocated and freed.
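Added illustration of the mechanism this comment describes (not code from the bug report or from TCMalloc; the fl_* names and the Result struct are hypothetical): a constructed model of a per-thread singly-linked free list with a counter, where a block is freed twice, handed out again, and overwritten with its 220-byte size, leaving the counter at 1 while the head's link is junk. It also shows the bounded list walk a duplicate-free-detecting build can use to catch the second free before it corrupts the list.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a TCMalloc-style per-thread free list (hypothetical fl_* names,
 * not TCMalloc's code): a free block's first bytes hold the link to the next free block. */
typedef struct { void *head; unsigned count; } FreeList;
typedef struct { unsigned count; uint32_t link_low32; bool flagged; } Result;

static void fl_push(FreeList *fl, void *block) {
    memcpy(block, &fl->head, sizeof fl->head);   /* link field lives inside the block */
    fl->head = block;
    fl->count++;
}

static void *fl_pop(FreeList *fl) {
    void *block = fl->head;
    memcpy(&fl->head, block, sizeof fl->head);   /* Allocate() crashes here on a junk link */
    fl->count--;
    return block;
}

/* Debug-build duplicate-free check: walk the list, bounded by count so a cycle cannot hang it. */
static bool fl_contains(const FreeList *fl, const void *block) {
    const void *p = fl->head;
    for (unsigned i = 0; p != NULL && i <= fl->count; i++) {
        if (p == block) return true;
        memcpy(&p, p, sizeof p);
    }
    return false;
}

/* Replays the comment's scenario: a block freed twice, handed out again, and the caller
 * stores its size (220) in the first 4 bytes. The counter still claims a cached block,
 * but the link the next pop would follow is now that size (low 32 bits; little-endian host). */
Result unchecked_double_free(void) {
    static void *block[32];                      /* pointer-aligned 256-byte block */
    FreeList fl = { NULL, 0 };
    fl_push(&fl, block);                         /* legitimate free */
    bool flagged = fl_contains(&fl, block);      /* a checking build would stop here */
    fl_push(&fl, block);                         /* double free: head now links to itself */
    uint32_t size = 220;
    memcpy(fl_pop(&fl), &size, sizeof size);     /* allocation returns it; user writes header */
    void *link;
    memcpy(&link, fl.head, sizeof link);
    return (Result){ fl.count, (uint32_t)(uintptr_t)link, flagged };
}
```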
