I am hitting a very strange bug where malloc crashes. Please help me.
When __libc_malloc calls _int_malloc, ar_ptr can never be NULL according to the source code. But the backtrace shows _int_malloc(av=av@entry=0x0), i.e. the first parameter is NULL. Why?
glibc version: 2.18
CPU: PowerPC
gdb bt:
#13 _int_malloc (av=av@entry=0x0, bytes=bytes@entry=18) at malloc.c:3300
fb = <optimized out>
pp = <optimized out>
nb = 24
idx = 1
bin = <optimized out>
victim = <optimized out>
size = <optimized out>
victim_index = <optimized out>
remainder = <optimized out>
remainder_size = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = <optimized out>
errstr = 0x0
__func__ = "_int_malloc"
#14 0x0fec80cc in __GI___libc_malloc (bytes=18) at malloc.c:2869
ar_ptr = 0x0
victim = <optimized out>
hook = <optimized out>
__func__ = "__libc_malloc"
but the glibc 2.18 source code is:
/*
 * Public malloc entry point (glibc 2.18): dispatches to __malloc_hook if one
 * is installed, otherwise selects and locks an arena and hands the request to
 * _int_malloc, retrying once on a different arena if the first attempt fails.
 *
 * bytes   requested allocation size.
 * returns pointer to the allocated memory, or 0 (NULL) when no arena could be
 *         obtained or both allocation attempts fail.
 *
 * NOTE(review): the gdb frames above report ar_ptr = 0x0 in this function and
 * av@entry=0x0 in _int_malloc while most locals are <optimized out>.  gdb's
 * "@entry" value is reconstructed from debug info, and in an optimized build
 * both it and a dead local's displayed value can be stale or wrong -- confirm
 * against the actual argument register or an unoptimized build before trusting
 * them.  A crash inside malloc is also frequently a symptom of earlier heap
 * corruption by the caller (overflow, use-after-free, double free) rather than
 * a NULL arena; running the program under a memory checker is a cheaper first
 * step than reasoning from the optimized backtrace -- TODO confirm.
 */
void*
__libc_malloc(size_t bytes)
{
  mstate ar_ptr;
  void *victim;
  /* Snapshot the hook pointer once so a concurrent change cannot split the
     NULL check from the call. */
  void *(*hook) (size_t, const void *)
    = force_reg (__malloc_hook);
  if (__builtin_expect (hook != NULL, 0))
    return (*hook)(bytes, RETURN_ADDRESS (0));
  /* Select an arena for this thread and take its lock (both are macros that
     assign/act on ar_ptr in place). */
  arena_lookup(ar_ptr);
  arena_lock(ar_ptr, bytes);
  /* No usable arena: fail the allocation.  Because of this guard, the first
     _int_malloc call below cannot be reached with a NULL arena. */
  if(!ar_ptr)
    return 0;
  victim = _int_malloc(ar_ptr, bytes);
  if(!victim) {
    /* First arena could not satisfy the request: try another one.  The retry
       is guarded against a NULL arena as well, and its lock is released here. */
    ar_ptr = arena_get_retry(ar_ptr, bytes);
    if (__builtin_expect(ar_ptr != NULL, 1)) {
      victim = _int_malloc(ar_ptr, bytes);
      (void)mutex_unlock(&ar_ptr->mutex);
    }
  } else
    (void)mutex_unlock(&ar_ptr->mutex);
  /* Sanity check: a returned chunk is either mmapped or belongs to the arena
     it was taken from. */
  assert(!victim || chunk_is_mmapped(mem2chunk(victim)) ||
         ar_ptr == arena_for_chunk(mem2chunk(victim)));
  return victim;
}