I believe I am seeing this bug in-action on Ubuntu 12.04.3 AMD64. I have some gdb backtrace info pasted below. I am surprised glibc malloc has been broken for more than 1 year. I will definitely avoid it in the future, but it also shows the potential for future instability at the OS-level:
##t 3 crash SIGSEGV #0 malloc_consolidate (av=0x7fa89c000020) at malloc.c:4272 #1 0x00007fa8d08ceb89 in malloc_consolidate (av=0x7fa89c000020) at malloc.c:4247 #2 _int_free (av=0x7fa89c000020, p=<optimized out>, have_lock=0) at malloc.c:4178 #3 0x000000000041a8f8 in __gnu_cxx::new_allocator<unsigned long>::deallocate ( this=0x7fa89c000ae8, __p=0x7fa89c068bc0) at /usr/include/c++/4.6/ext/new_allocator.h:98 #4 0x000000000041a484 in std::_Deque_base<unsigned long, std::allocator<unsigned long> >::_M_deallocate_node (this=0x7fa89c000ae8, __p=0x7fa89c068bc0) at /usr/include/c++/4.6/bits/stl_deque.h:531 ##f 0 ##p *av *av = {mutex = 1, flags = 3, fastbinsY = {0x0, 0x7fa89c182920, 0x7fa89c15ed80, 0x0, 0x7fa89c16b170, 0x7fa89c05aa80, 0x7fa89c185340, 0x0, 0x0, 0x0}, top = 0x7fa89c18bb30, last_remainder = 0x7fa89c141170, bins = { 0x7fa89c141170, ...}, binmap = {262428, 8, 1, 2}, next = 0x7fa8b0000020, next_free = 0x0, system_mem = 1634304, max_system_mem = 1634304} ##t 2 #0 sYSMALLOc (av=<optimized out>, nb=528) at malloc.c:2756 #1 _int_malloc (av=<optimized out>, bytes=512) at malloc.c:3924 #2 0x00007fa8d08d1f95 in __GI___libc_malloc (bytes=512) at malloc.c:2924 #3 0x00007fa8d01cfd8b in j__udyLAllocJLL5 () from /usr/lib/libJudy.so.1 #4 0x00007fa8d01cc9ae in ?? () from /usr/lib/libJudy.so.1 #5 0x00007fa8d01ca3ee in ?? () from /usr/lib/libJudy.so.1 #6 0x00007fa8d01ca3ee in ?? () from /usr/lib/libJudy.so.1 #7 0x00007fa8d01ca3ee in ?? () from /usr/lib/libJudy.so.1 #8 0x00007fa8d01cd83f in JudyLIns () from /usr/lib/libJudy.so.1 The malloc.c line numbers look erroneous based on my examination of the source code from http://packages.ubuntu.com/precise/libc6 . Unfortunately, that must just be a problem with the libc6-dbg package data. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1020210 Title: Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption To manage notifications about this bug go to: https://bugs.launchpad.net/eglibc/+bug/1020210/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs