google-perftools built with clang on FreeBSD 9, causes chromium to crash upon launch

[GoogleCodeExporter]

What steps will reproduce the problem?
1. build google-perftools from ports on FreeBSD 9, using the system clang 
compiler
2. build chromium from ports on FreeBSD 9, using said compiler.
3. Watch as chromium coredumps due to a bad memory access.

What is the expected output? What do you see instead?
Here is the backtrace of the crash
[Switching to Thread 3993400 (LWP 102638/chrome)]
0x0000000803b5389c in (anonymous namespace)::do_malloc () from 
/usr/local/lib/libtcmalloc.so.2
(gdb) bt
#0  0x0000000803b5389c in (anonymous namespace)::do_malloc () from 
/usr/local/lib/libtcmalloc.so.2
#1  0x0000000803b53ce8 in (anonymous namespace)::cpp_alloc () from 
/usr/local/lib/libtcmalloc.so.2
#2  0x0000000803b6744c in tc_calloc () from /usr/local/lib/libtcmalloc.so.2
#3  0x0000000809897582 in pthread_setspecific () from /lib/libthr.so.3
#4  0x0000000803b5b9eb in tcmalloc::ThreadCache::CreateCacheIfNecessary () from 
/usr/local/lib/libtcmalloc.so.2
#5  0x0000000803b538c4 in (anonymous namespace)::do_malloc () from 
/usr/local/lib/libtcmalloc.so.2
#6  0x0000000803b53ce8 in (anonymous namespace)::cpp_alloc () from 
/usr/local/lib/libtcmalloc.so.2
#7  0x0000000803b6744c in tc_calloc () from /usr/local/lib/libtcmalloc.so.2
#8  0x0000000809897582 in pthread_setspecific () from /lib/libthr.so.3
#9  0x0000000000b992a3 in ?? ()
#10 0x0000000000699dd3 in ?? ()
#11 0x0000000000b98aa7 in ?? ()
#12 0x00000008098946e3 in pthread_create () from /lib/libthr.so.3
#13 0x0000000000000000 in ?? ()
Error accessing memory address 0x7fffffbfe000: Bad address.

What version of the product are you using? On what operating system?

Please provide any additional information below.
Upon recompiling the tool set with the base cc (gcc4.2.1), chromium launches 
correctly.  I can provide any information you wish.

Original issue reported on code.google.com by ch...@thesouthernlibertarian.com on 17 Jan 2012 at 5:23

[GoogleCodeExporter]

I thought I knew what was going wrong here -- the recursive call to do_malloc 
-- but I don't.  It looks like we expect such a recursive call and make pains 
to handle it ok (from thread_cache.cc:
  // We call pthread_setspecific() outside the lock because it may              
  // call malloc() recursively.  We check for the recursive call using          
  // the "in_setspecific_" flag so that we can avoid calling                    
  // pthread_setspecific() if we are already inside pthread_setspecific().      
).

So I'd like to understand more about what memory access is failing, and why.  
Can you compile libtcmalloc with CXXFLAGS="-g -O0", and then run chromium in 
gdb?  What line is it crashing on?

Original comment by csilv...@gmail.com on 17 Jan 2012 at 7:08

• Added labels: Priority-Medium, Type-Defect

[GoogleCodeExporter]

It works when it is compiled with debugging and -O0.. ugh. lol

Original comment by brea...@gmail.com on 18 Jan 2012 at 12:36

[GoogleCodeExporter]

Ugh, posted with my other email... Im the originator of the original post..

Original comment by brea...@gmail.com on 18 Jan 2012 at 12:37

[GoogleCodeExporter]

Hmm, I wonder if it's a clang bug.  Does it work when compiled with -O1?  Can 
you re-check explicitly with -O2?

Original comment by csilv...@gmail.com on 18 Jan 2012 at 12:41

[GoogleCodeExporter]

Yes, it works with -O1, but crashes with -O2 -g
(gdb) r
Starting program: /usr/local/bin/chrome 
(no debugging symbols found)...[New LWP 102318]
[New Thread 3880000 (LWP 102318/chrome)]
Xlib:  extension "RANDR" missing on display "localhost:10.0".
[New Thread 396fc00 (LWP 101201/chrome)]

Program received signal SIGBUS, Bus error.
[Switching to Thread 396fc00 (LWP 101201/chrome)]
0x0000000803b5389c in do_malloc (size=4096) at thread_cache.h:371
371         return threadlocal_heap_;
Current language:  auto; currently c++
(gdb) bt
#0  0x0000000803b5389c in do_malloc (size=4096) at thread_cache.h:371
#1  0x0000000803b53ce8 in cpp_alloc (size=4096, nothrow=true) at 
tcmalloc.cc:1287
#2  0x0000000803b6744c in tc_calloc (n=Variable "n" is not available.
) at tcmalloc.cc:946
#3  0x0000000809897582 in pthread_setspecific () from /lib/libthr.so.3
#4  0x0000000803b5b9eb in tcmalloc::ThreadCache::CreateCacheIfNecessary () at 
thread_cache.cc:377
#5  0x0000000803b538c4 in do_malloc (size=4096) at thread_cache.h:384
#6  0x0000000803b53ce8 in cpp_alloc (size=4096, nothrow=true) at 
tcmalloc.cc:1287
#7  0x0000000803b6744c in tc_calloc (n=Variable "n" is not available.
) at tcmalloc.cc:946
#8  0x0000000809897582 in pthread_setspecific () from /lib/libthr.so.3
#9  0x0000000000b992a3 in ?? ()
#10 0x0000000000699dd3 in ?? ()
#11 0x0000000000b98aa7 in ?? ()
#12 0x00000008098946e3 in pthread_create () from /lib/libthr.so.3
#13 0x0000000000000000 in ?? ()
Error accessing memory address 0x7fffffbfe000: Bad address.

Original comment by brea...@gmail.com on 18 Jan 2012 at 3:38

[GoogleCodeExporter]

Hmm, I wonder if this is a compiler bug, then.  It's hard to tell -- could be 
anything.  It's hard to debug programs compiled with -O2, sadly.  What happens 
if you put a breakpoint at or near 371 and single-step from there?  Where is 
the crashing happen?  You may need to disassemble the code, or do other extreme 
measures to figure out what's actually crashing.

Original comment by csilv...@gmail.com on 18 Jan 2012 at 11:18

[GoogleCodeExporter]

I think that's a little above my ability, so I guess we're just stuck 
here at the moment.

Chuck

Original comment by ch...@thesouthernlibertarian.com on 18 Jan 2012 at 11:50

[GoogleCodeExporter]

OK, try this: run under -O2 -g, and when it crashes with SIGBUS in gdb, type 
'disassemble', and post the output.  Maybe that will tell us something.

Original comment by csilv...@gmail.com on 26 Jan 2012 at 1:10

[GoogleCodeExporter]

(gdb) r
Starting program: /usr/local/bin/chrome
(no debugging symbols found)...[New LWP 108673]
[New Thread 3882000 (LWP 108673/chrome)]
Xlib:  extension "RANDR" missing on display "localhost:10.0".
[New Thread 3971c00 (LWP 108316/chrome)]

Program received signal SIGBUS, Bus error.
[Switching to Thread 3971c00 (LWP 108316/chrome)]
0x0000000803b5489c in do_malloc (size=4096) at thread_cache.h:371
371     thread_cache.h: No such file or directory.
         in thread_cache.h
Current language:  auto; currently c++
(gdb) disassemble
Dump of assembler code for function do_malloc:
0x0000000803b54860 <do_malloc+0>:       push   %rbp
0x0000000803b54861 <do_malloc+1>:       mov    %rsp,%rbp
0x0000000803b54864 <do_malloc+4>:       push   %r15
0x0000000803b54866 <do_malloc+6>:       push   %r14
0x0000000803b54868 <do_malloc+8>:       push   %r12
0x0000000803b5486a <do_malloc+10>:      push   %rbx
0x0000000803b5486b <do_malloc+11>:      sub    $0x500,%rsp
0x0000000803b54872 <do_malloc+18>:      mov    %rdi,%r14
0x0000000803b54875 <do_malloc+21>:      mov    0x21c03c(%rip),%rax 
   # 0x803d708b8 <.got+720>
0x0000000803b5487c <do_malloc+28>:      testb  $0x1,(%rax)
0x0000000803b5487f <do_malloc+31>:      jne    0x803b54888 <do_malloc+40>
0x0000000803b54881 <do_malloc+33>:      callq  0x803b5386c 
<_ZN8tcmalloc11ThreadCache10InitModuleEv@plt>
0x0000000803b54886 <do_malloc+38>:      jmp    0x803b548bf <do_malloc+95>
0x0000000803b54888 <do_malloc+40>:      mov    0x21bef9(%rip),%rax 
   # 0x803d70788 <.got+416>
0x0000000803b5488f <do_malloc+47>:      testb  $0x1,(%rax)
0x0000000803b54892 <do_malloc+50>:      je     0x803b548a9 <do_malloc+73>
0x0000000803b54894 <do_malloc+52>:      lea    0x21bf24(%rip),%rdi 
   # 0x803d707c0 <.got+472>
0x0000000803b5489c <do_malloc+60>:      callq  0x803b53afc 
<__tls_get_addr@plt>
0x0000000803b548a4 <do_malloc+68>:      mov    (%rax),%rbx
0x0000000803b548a7 <do_malloc+71>:      jmp    0x803b548ba <do_malloc+90>
0x0000000803b548a9 <do_malloc+73>:      mov    0x21bf58(%rip),%rax 
   # 0x803d70808 <.got+544>
0x0000000803b548b0 <do_malloc+80>:      mov    (%rax),%edi
0x0000000803b548b2 <do_malloc+82>:      callq  0x803b539ec 
<_Z29perftools_pthread_getspecifici@plt>
0x0000000803b548b7 <do_malloc+87>:      mov    %rax,%rbx
0x0000000803b548ba <do_malloc+90>:      test   %rbx,%rbx
0x0000000803b548bd <do_malloc+93>:      jne    0x803b548c7 <do_malloc+103>
0x0000000803b548bf <do_malloc+95>:      callq  0x803b536bc 
<_ZN8tcmalloc11ThreadCache22CreateCacheIfNecessaryEv@plt>
0x0000000803b548c4 <do_malloc+100>:     mov    %rax,%rbx
0x0000000803b548c7 <do_malloc+103>:     cmp    $0x40000,%r14
0x0000000803b548ce <do_malloc+110>:     ja     0x803b54981 <do_malloc+289>
0x0000000803b548d4 <do_malloc+116>:     mov    $0x3c7f,%ecx
0x0000000803b548d9 <do_malloc+121>:     cmp    $0x400,%r14d
0x0000000803b548e0 <do_malloc+128>:     mov    $0x7,%eax
0x0000000803b548e5 <do_malloc+133>:     cmovg  %ecx,%eax
0x0000000803b548e8 <do_malloc+136>:     setg   %cl
0x0000000803b548eb <do_malloc+139>:     add    %r14d,%eax
---Type <return> to continue, or q <return> to quit---
0x0000000803b548ee <do_malloc+142>:     shl    $0x2,%cl
0x0000000803b548f1 <do_malloc+145>:     movzbl %cl,%ecx
0x0000000803b548f4 <do_malloc+148>:     or     $0x3,%ecx
0x0000000803b548f7 <do_malloc+151>:     mov    0x21bcf2(%rip),%rdx 
   # 0x803d705f0 <.got+8>
0x0000000803b548fe <do_malloc+158>:     mov    0x21bff3(%rip),%rsi 
   # 0x803d708f8 <.got+784>
0x0000000803b54905 <do_malloc+165>:     sar    %cl,%eax
0x0000000803b54907 <do_malloc+167>:     cmpq   $0x0,(%rsi)
0x0000000803b5490b <do_malloc+171>:     movslq %eax,%rax
0x0000000803b5490e <do_malloc+174>:     movzbl 0x158(%rdx,%rax,1),%esi
0x0000000803b54916 <do_malloc+182>:     mov    0x9d8(%rdx,%rsi,8),%r14
0x0000000803b5491e <do_malloc+190>:     jle    0x803b54937 <do_malloc+215>
0x0000000803b54920 <do_malloc+192>:     mov    0x20(%rbx),%rax
0x0000000803b54924 <do_malloc+196>:     lea    0x20(%rbx),%r15
0x0000000803b54928 <do_malloc+200>:     cmp    %r14,%rax
0x0000000803b5492b <do_malloc+203>:     jb     0x803b54c39 <do_malloc+985>
0x0000000803b54931 <do_malloc+209>:     sub    %r14,%rax
0x0000000803b54934 <do_malloc+212>:     mov    %rax,(%r15)
0x0000000803b54937 <do_malloc+215>:     lea    (%rsi,%rsi,2),%rax
0x0000000803b5493b <do_malloc+219>:     cmpq   $0x0,0x30(%rbx,%rax,8)
0x0000000803b54941 <do_malloc+225>:     jne    0x803b54953 <do_malloc+243>
0x0000000803b54943 <do_malloc+227>:     mov    %rbx,%rdi
0x0000000803b54946 <do_malloc+230>:     mov    %r14,%rdx
0x0000000803b54949 <do_malloc+233>:     callq  0x803b5390c 
<_ZN8tcmalloc11ThreadCache21FetchFromCentralCacheEmm@plt>
0x0000000803b5494e <do_malloc+238>:     jmpq   0x803b54c4c <do_malloc+1004>
0x0000000803b54953 <do_malloc+243>:     sub    %r14,0x10(%rbx)
0x0000000803b54957 <do_malloc+247>:     mov    0x38(%rbx,%rax,8),%ecx
0x0000000803b5495b <do_malloc+251>:     dec    %ecx
0x0000000803b5495d <do_malloc+253>:     mov    %ecx,0x38(%rbx,%rax,8)
0x0000000803b54961 <do_malloc+257>:     cmp    0x3c(%rbx,%rax,8),%ecx
0x0000000803b54965 <do_malloc+261>:     jae    0x803b5496e <do_malloc+270>
0x0000000803b54967 <do_malloc+263>:     lea    0x3c(%rbx,%rax,8),%rdx
0x0000000803b5496c <do_malloc+268>:     mov    %ecx,(%rdx)
0x0000000803b5496e <do_malloc+270>:     lea    0x30(%rbx,%rax,8),%rax
0x0000000803b54973 <do_malloc+275>:     mov    (%rax),%r15
0x0000000803b54976 <do_malloc+278>:     mov    (%r15),%rcx
0x0000000803b54979 <do_malloc+281>:     mov    %rcx,(%rax)
0x0000000803b5497c <do_malloc+284>:     jmpq   0x803b54c4f <do_malloc+1007>
---Type <return> to continue, or q <return> to quit---
0x0000000803b54981 <do_malloc+289>:     mov    %r14,%r12
0x0000000803b54984 <do_malloc+292>:     shr    $0xd,%r12
0x0000000803b54988 <do_malloc+296>:     and    $0x1fff,%r14
0x0000000803b5498f <do_malloc+303>:     cmp    $0x1,%r14
0x0000000803b54993 <do_malloc+307>:     sbb    $0xffffffffffffffff,%r12
0x0000000803b54997 <do_malloc+311>:     mov    %r12,%r14
0x0000000803b5499a <do_malloc+314>:     shl    $0xd,%r14
0x0000000803b5499e <do_malloc+318>:     mov    0x21bf53(%rip),%rax 
   # 0x803d708f8 <.got+784>
0x0000000803b549a5 <do_malloc+325>:     cmpq   $0x0,(%rax)
0x0000000803b549a9 <do_malloc+329>:     jle    0x803b549c2 <do_malloc+354>
0x0000000803b549ab <do_malloc+331>:     mov    0x20(%rbx),%rax
0x0000000803b549af <do_malloc+335>:     add    $0x20,%rbx
0x0000000803b549b3 <do_malloc+339>:     cmp    %r14,%rax
0x0000000803b549b6 <do_malloc+342>:     jb     0x803b54a82 <do_malloc+546>
0x0000000803b549bc <do_malloc+348>:     sub    %r14,%rax
0x0000000803b549bf <do_malloc+351>:     mov    %rax,(%rbx)
0x0000000803b549c2 <do_malloc+354>:     mov    $0x1,%ecx
0x0000000803b549c7 <do_malloc+359>:     mov    0x21bf02(%rip),%rdx 
   # 0x803d708d0 <.got+744>
0x0000000803b549ce <do_malloc+366>:     xor    %eax,%eax
0x0000000803b549d0 <do_malloc+368>:     lock cmpxchg %ecx,(%rdx)
0x0000000803b549d4 <do_malloc+372>:     mov    0x21bd05(%rip),%rcx 
   # 0x803d706e0 <.got+248>
0x0000000803b549db <do_malloc+379>:     testb  $0x1,(%rcx)
0x0000000803b549de <do_malloc+382>:     je     0x803b549e3 <do_malloc+387>
0x0000000803b549e0 <do_malloc+384>:     lfence
0x0000000803b549e3 <do_malloc+387>:     test   %eax,%eax
0x0000000803b549e5 <do_malloc+389>:     je     0x803b549f3 <do_malloc+403>
0x0000000803b549e7 <do_malloc+391>:     mov    0x21bee2(%rip),%rdi 
   # 0x803d708d0 <.got+744>
0x0000000803b549ee <do_malloc+398>:     callq  0x803b5419c 
<_ZN8SpinLock8SlowLockEv@plt>
0x0000000803b549f3 <do_malloc+403>:     mov    0x21be16(%rip),%rdi 
   # 0x803d70810 <.got+552>
0x0000000803b549fa <do_malloc+410>:     mov    %r12,%rsi
0x0000000803b549fd <do_malloc+413>:     callq  0x803b53b6c 
<_ZN8tcmalloc8PageHeap3NewEm@plt>
0x0000000803b54a02 <do_malloc+418>:     xor    %r15d,%r15d
0x0000000803b54a05 <do_malloc+421>:     test   %rax,%rax
0x0000000803b54a08 <do_malloc+424>:     je     0x803b54a2a <do_malloc+458>
0x0000000803b54a0a <do_malloc+426>:     mov    (%rax),%rdx
0x0000000803b54a0d <do_malloc+429>:     mov    %rdx,%rcx
0x0000000803b54a10 <do_malloc+432>:     shl    $0x7,%rcx
---Type <return> to continue, or q <return> to quit---
0x0000000803b54a14 <do_malloc+436>:     movzwl %dx,%edx
0x0000000803b54a17 <do_malloc+439>:     mov    0x21bdf2(%rip),%rsi 
   # 0x803d70810 <.got+552>
0x0000000803b54a1e <do_malloc+446>:     mov    %rcx,0x10(%rsi,%rdx,8)
0x0000000803b54a23 <do_malloc+451>:     mov    (%rax),%r15
0x0000000803b54a26 <do_malloc+454>:     shl    $0xd,%r15
0x0000000803b54a2a <do_malloc+458>:     mov    0x21c927(%rip),%rax 
   # 0x803d71358 <_ZN12_GLOBAL__N_1L21large_alloc_thresholdE>
0x0000000803b54a31 <do_malloc+465>:     xor    %bl,%bl
0x0000000803b54a33 <do_malloc+467>:     test   %rax,%rax
0x0000000803b54a36 <do_malloc+470>:     jle    0x803b54a73 <do_malloc+531>
0x0000000803b54a38 <do_malloc+472>:     mov    %rax,%rcx
0x0000000803b54a3b <do_malloc+475>:     sar    $0xd,%rcx
0x0000000803b54a3f <do_malloc+479>:     cmp    %r12,%rcx
0x0000000803b54a42 <do_malloc+482>:     ja     0x803b54a73 <do_malloc+531>
0x0000000803b54a44 <do_malloc+484>:     mov    %rax,%rcx
0x0000000803b54a47 <do_malloc+487>:     sar    $0x3f,%rcx
0x0000000803b54a4b <do_malloc+491>:     shr    $0x3d,%rcx
0x0000000803b54a4f <do_malloc+495>:     add    %rax,%rcx
0x0000000803b54a52 <do_malloc+498>:     sar    $0x3,%rcx
0x0000000803b54a56 <do_malloc+502>:     add    %rax,%rcx
0x0000000803b54a59 <do_malloc+505>:     mov    $0x1,%bl
0x0000000803b54a5b <do_malloc+507>:     mov    $0x200000000,%rax
0x0000000803b54a65 <do_malloc+517>:     cmp    %rax,%rcx
0x0000000803b54a68 <do_malloc+520>:     cmovge %rax,%rcx
0x0000000803b54a6c <do_malloc+524>:     mov    %rcx,0x21c8e5(%rip) 
   # 0x803d71358 <_ZN12_GLOBAL__N_1L21large_alloc_thresholdE>
0x0000000803b54a73 <do_malloc+531>:     mov    0x21be56(%rip),%rax 
   # 0x803d708d0 <.got+744>
0x0000000803b54a7a <do_malloc+538>:     movslq (%rax),%rsi
0x0000000803b54a7d <do_malloc+541>:     jmpq   0x803b54b1c <do_malloc+700>
0x0000000803b54a82 <do_malloc+546>:     mov    %rbx,%rdi
0x0000000803b54a85 <do_malloc+549>:     callq  0x803b5385c 
<_ZN8tcmalloc7Sampler21PickNextSamplingPointEv@plt>
0x0000000803b54a8a <do_malloc+554>:     mov    %rax,(%rbx)
0x0000000803b54a8d <do_malloc+557>:     mov    %r14,%rdi
0x0000000803b54a90 <do_malloc+560>:     callq  0x803b55b40 
<DoSampledAllocation>
0x0000000803b54a95 <do_malloc+565>:     mov    %rax,%r15
0x0000000803b54a98 <do_malloc+568>:     mov    $0x1,%ecx
0x0000000803b54a9d <do_malloc+573>:     mov    0x21be2c(%rip),%rdx 
   # 0x803d708d0 <.got+744>
0x0000000803b54aa4 <do_malloc+580>:     xor    %eax,%eax
0x0000000803b54aa6 <do_malloc+582>:     lock cmpxchg %ecx,(%rdx)
---Type <return> to continue, or q <return> to quit---
0x0000000803b54aaa <do_malloc+586>:     mov    0x21bc2f(%rip),%rcx 
   # 0x803d706e0 <.got+248>
0x0000000803b54ab1 <do_malloc+593>:     testb  $0x1,(%rcx)
0x0000000803b54ab4 <do_malloc+596>:     je     0x803b54ab9 <do_malloc+601>
0x0000000803b54ab6 <do_malloc+598>:     lfence
0x0000000803b54ab9 <do_malloc+601>:     test   %eax,%eax
0x0000000803b54abb <do_malloc+603>:     je     0x803b54ac9 <do_malloc+617>
0x0000000803b54abd <do_malloc+605>:     mov    0x21be0c(%rip),%rdi 
   # 0x803d708d0 <.got+744>
0x0000000803b54ac4 <do_malloc+612>:     callq  0x803b5419c 
<_ZN8SpinLock8SlowLockEv@plt>
0x0000000803b54ac9 <do_malloc+617>:     mov    0x21c888(%rip),%rax 
   # 0x803d71358 <_ZN12_GLOBAL__N_1L21large_alloc_thresholdE>
0x0000000803b54ad0 <do_malloc+624>:     xor    %bl,%bl
0x0000000803b54ad2 <do_malloc+626>:     test   %rax,%rax
0x0000000803b54ad5 <do_malloc+629>:     jle    0x803b54b12 <do_malloc+690>
0x0000000803b54ad7 <do_malloc+631>:     mov    %rax,%rcx
0x0000000803b54ada <do_malloc+634>:     sar    $0xd,%rcx
0x0000000803b54ade <do_malloc+638>:     cmp    %r12,%rcx
0x0000000803b54ae1 <do_malloc+641>:     ja     0x803b54b12 <do_malloc+690>
0x0000000803b54ae3 <do_malloc+643>:     mov    %rax,%rcx
0x0000000803b54ae6 <do_malloc+646>:     sar    $0x3f,%rcx
0x0000000803b54aea <do_malloc+650>:     shr    $0x3d,%rcx
0x0000000803b54aee <do_malloc+654>:     add    %rax,%rcx
0x0000000803b54af1 <do_malloc+657>:     sar    $0x3,%rcx
0x0000000803b54af5 <do_malloc+661>:     add    %rax,%rcx
0x0000000803b54af8 <do_malloc+664>:     mov    $0x1,%bl
0x0000000803b54afa <do_malloc+666>:     mov    $0x200000000,%rax
0x0000000803b54b04 <do_malloc+676>:     cmp    %rax,%rcx
0x0000000803b54b07 <do_malloc+679>:     cmovge %rax,%rcx
0x0000000803b54b0b <do_malloc+683>:     mov    %rcx,0x21c846(%rip) 
   # 0x803d71358 <_ZN12_GLOBAL__N_1L21large_alloc_thresholdE>
0x0000000803b54b12 <do_malloc+690>:     mov    0x21bdb7(%rip),%rax 
   # 0x803d708d0 <.got+744>
0x0000000803b54b19 <do_malloc+697>:     movslq (%rax),%rsi
0x0000000803b54b1c <do_malloc+700>:     movl   $0x0,(%rax)
0x0000000803b54b22 <do_malloc+706>:     cmp    $0x1,%rsi
0x0000000803b54b26 <do_malloc+710>:     je     0x803b54b34 <do_malloc+724>
0x0000000803b54b28 <do_malloc+712>:     mov    0x21bda1(%rip),%rdi 
   # 0x803d708d0 <.got+744>
0x0000000803b54b2f <do_malloc+719>:     callq  0x803b5435c 
<_ZN8SpinLock10SlowUnlockEm@plt>
0x0000000803b54b34 <do_malloc+724>:     test   %bl,%bl
0x0000000803b54b36 <do_malloc+726>:     je     0x803b54c4f <do_malloc+1007>
0x0000000803b54b3c <do_malloc+732>:     lea    -0x118(%rbp),%rdi
---Type <return> to continue, or q <return> to quit---
0x0000000803b54b43 <do_malloc+739>:     mov    $0x1f,%esi
0x0000000803b54b48 <do_malloc+744>:     mov    $0x1,%edx
0x0000000803b54b4d <do_malloc+749>:     callq  0x803b5398c 
<_Z13GetStackTracePPvii@plt>
0x0000000803b54b52 <do_malloc+754>:     movslq %eax,%rax
0x0000000803b54b55 <do_malloc+757>:     mov    %rax,-0x120(%rbp)
0x0000000803b54b5c <do_malloc+764>:     lea    -0x510(%rbp),%rax
0x0000000803b54b63 <do_malloc+771>:     mov    %rax,-0x520(%rbp)
0x0000000803b54b6a <do_malloc+778>:     movl   $0x3e8,-0x518(%rbp)
0x0000000803b54b74 <do_malloc+788>:     movb   $0x0,-0x510(%rbp)
0x0000000803b54b7b <do_malloc+795>:     lea    -0x520(%rbp),%rdi
0x0000000803b54b82 <do_malloc+802>:     lea    0x14565(%rip),%rsi 
  # 0x803b690ee <.rodata+1966>
0x0000000803b54b89 <do_malloc+809>:     mov    %r14,%rdx
0x0000000803b54b8c <do_malloc+812>:     mov    %r15,%rcx
0x0000000803b54b8f <do_malloc+815>:     xor    %al,%al
0x0000000803b54b91 <do_malloc+817>:     callq  0x803b53b0c 
<_ZN16TCMalloc_Printer6printfEPKcz@plt>
0x0000000803b54b96 <do_malloc+822>:     cmpq   $0x0,-0x120(%rbp)
0x0000000803b54b9e <do_malloc+830>:     je     0x803b54bd1 <do_malloc+881>
0x0000000803b54ba0 <do_malloc+832>:     xor    %ebx,%ebx
0x0000000803b54ba2 <do_malloc+834>:     lea    -0x520(%rbp),%r14
0x0000000803b54ba9 <do_malloc+841>:     lea    0x14edb(%rip),%r12 
  # 0x803b69a8b <_ZTS19DefaultSysAllocator+1531>
0x0000000803b54bb0 <do_malloc+848>:     mov    -0x118(%rbp,%rbx,8),%rdx
0x0000000803b54bb8 <do_malloc+856>:     mov    %r14,%rdi
0x0000000803b54bbb <do_malloc+859>:     mov    %r12,%rsi
0x0000000803b54bbe <do_malloc+862>:     xor    %al,%al
0x0000000803b54bc0 <do_malloc+864>:     callq  0x803b53b0c 
<_ZN16TCMalloc_Printer6printfEPKcz@plt>
0x0000000803b54bc5 <do_malloc+869>:     inc    %rbx
0x0000000803b54bc8 <do_malloc+872>:     cmp    -0x120(%rbp),%rbx
0x0000000803b54bcf <do_malloc+879>:     jb     0x803b54bb0 <do_malloc+848>
0x0000000803b54bd1 <do_malloc+881>:     lea    -0x520(%rbp),%rdi
0x0000000803b54bd8 <do_malloc+888>:     lea    0x15c8e(%rip),%rsi 
  # 0x803b6a86d <_ZL14kProfileHeader+521>
0x0000000803b54bdf <do_malloc+895>:     xor    %al,%al
0x0000000803b54be1 <do_malloc+897>:     callq  0x803b53b0c 
<_ZN16TCMalloc_Printer6printfEPKcz@plt>
0x0000000803b54be6 <do_malloc+902>:     lea    -0x510(%rbp),%rbx
0x0000000803b54bed <do_malloc+909>:     mov    %rbx,%rdi
0x0000000803b54bf0 <do_malloc+912>:     callq  0x803b53b2c <strlen@plt>
0x0000000803b54bf5 <do_malloc+917>:     mov    $0x2,%edi
0x0000000803b54bfa <do_malloc+922>:     mov    %rbx,%rsi
---Type <return> to continue, or q <return> to quit---
0x0000000803b54bfd <do_malloc+925>:     mov    %rax,%rdx
0x0000000803b54c00 <do_malloc+928>:     callq  0x803b5426c <write@plt>
0x0000000803b54c05 <do_malloc+933>:     jmp    0x803b54c4f <do_malloc+1007>
0x0000000803b54c07 <do_malloc+935>:     mov    %rax,%rbx
0x0000000803b54c0a <do_malloc+938>:     mov    0x21bcbf(%rip),%rax 
   # 0x803d708d0 <.got+744>
0x0000000803b54c11 <do_malloc+945>:     movslq (%rax),%rsi
0x0000000803b54c14 <do_malloc+948>:     movl   $0x0,(%rax)
0x0000000803b54c1a <do_malloc+954>:     cmp    $0x1,%rsi
0x0000000803b54c1e <do_malloc+958>:     je     0x803b54c2c <do_malloc+972>
0x0000000803b54c20 <do_malloc+960>:     mov    0x21bca9(%rip),%rdi 
   # 0x803d708d0 <.got+744>
0x0000000803b54c27 <do_malloc+967>:     callq  0x803b5435c 
<_ZN8SpinLock10SlowUnlockEm@plt>
0x0000000803b54c2c <do_malloc+972>:     mov    %rbx,%rdi
0x0000000803b54c2f <do_malloc+975>:     callq  0x803b542cc 
<_Unwind_Resume@plt>
0x0000000803b54c34 <do_malloc+980>:     callq  0x803b53cbc 
<_ZSt9terminatev@plt>
0x0000000803b54c39 <do_malloc+985>:     mov    %r15,%rdi
0x0000000803b54c3c <do_malloc+988>:     callq  0x803b5385c 
<_ZN8tcmalloc7Sampler21PickNextSamplingPointEv@plt>
0x0000000803b54c41 <do_malloc+993>:     mov    %rax,(%r15)
0x0000000803b54c44 <do_malloc+996>:     mov    %r14,%rdi
0x0000000803b54c47 <do_malloc+999>:     callq  0x803b55b40 
<DoSampledAllocation>
0x0000000803b54c4c <do_malloc+1004>:    mov    %rax,%r15
0x0000000803b54c4f <do_malloc+1007>:    test   %r15,%r15
0x0000000803b54c52 <do_malloc+1010>:    jne    0x803b54c5f <do_malloc+1023>
0x0000000803b54c54 <do_malloc+1012>:    callq  0x803b53f2c <__error@plt>
0x0000000803b54c59 <do_malloc+1017>:    movl   $0xc,(%rax)
0x0000000803b54c5f <do_malloc+1023>:    mov    %r15,%rax
0x0000000803b54c62 <do_malloc+1026>:    add    $0x500,%rsp
0x0000000803b54c69 <do_malloc+1033>:    pop    %rbx
0x0000000803b54c6a <do_malloc+1034>:    pop    %r12
0x0000000803b54c6c <do_malloc+1036>:    pop    %r14
0x0000000803b54c6e <do_malloc+1038>:    pop    %r15
0x0000000803b54c70 <do_malloc+1040>:    pop    %rbp
0x0000000803b54c71 <do_malloc+1041>:    retq

Original comment by ch...@thesouthernlibertarian.com on 26 Jan 2012 at 2:42

[GoogleCodeExporter]

0x0000000803b54894 <do_malloc+52>:      lea    0x21bf24(%rip),%rdi 
0x0000000803b5489c <do_malloc+60>:      callq  0x803b53afc 

Looks like one of two things:

1. A compiler bug based on where it is crashing.
2. Some form of corruption based on the fact that it rears it's head when 
optimization is increased.

If you can run again and when it crashes run:

    gdb> info reg

Also, I am curious about what symbol 0x803b53afc represents:

    gdb> info sym 0x803b53afc

As well as what the offst of %rip:

    gdb> disass $rip + 0x21bf24

-Dave

Original comment by chapp...@gmail.com on 2 Mar 2012 at 6:48

[GoogleCodeExporter]

Just pinging for an update.

Original comment by chapp...@gmail.com on 21 Apr 2012 at 6:33

[GoogleCodeExporter]

I can reproduce this.  Here is my dump plus the info you requested.  Please see 
the attached file for the full comment as it was too long to post in this text 
box.

Thanks,

Marcus

Original comment by marcuslr...@gmail.com on 25 Apr 2012 at 9:24

Attachments:

• full_comment.txt

[GoogleCodeExporter]

Original comment by chapp...@gmail.com on 4 May 2012 at 5:28

[GoogleCodeExporter]

Original comment by chapp...@gmail.com on 4 May 2012 at 5:41

• Changed state: Accepted

[GoogleCodeExporter]

Could potentially be an issue with the pthread implementation you are using? 
Seems to be crashing while accessing thread local storage.

Original comment by chapp...@gmail.com on 28 Oct 2012 at 2:38

[GoogleCodeExporter]

chromium-35.0.1916.153_3 on FreeBSD-10 works fine with perftools-2.2.1 with 
LD_PRELOAD.

Original comment by yuriv...@gmail.com on 21 Aug 2014 at 7:56

[GoogleCodeExporter]

closing then. Weirdly chromium has a fork of gperftools inside and doesn't need 
preloading of malloc. Possibly even on bsd.

Original comment by alkondratenko on 21 Aug 2014 at 7:40

• Changed state: CannotReproduce