Fri Mar 7 15:32:22 PST 2014


static unsigned __stdcall wtfThreadEntryPoint(void* param)
{
    OwnPtr<ThreadFunctionInvocation> invocation = adoptPtr(static_cast<ThreadFunctionInvocation*>(param));
    invocation->function(invocation->data);

#if !USE(PTHREADS) && OS(WINDOWS)
    // Do the TLS cleanup.
    ThreadSpecificThreadExit();
#endif

    return 0;
}

This code causes a crash.

Here's my understanding of the problem:

The "invocation" object is created at the beginning of the function, and then used in the next line.

After that, ThreadSpecificThreadExit() is called. ThreadSpecificThreadExit() does some cleanup, including freeing the thread heap (or somesuch). The important thing is that it marks the memory occupied by "invocation" as "free", and puts 0x0 pointer into the memory it occupied.

Then the function returns, "invocation" goes out of scope, and its destructor is called. Destructor alters the memory - which, incidentally, alters its contents, and hits exactly the same spot where SLL was storing its data during ThreadSpecificThreadExit(), changing 0x0 to some other value (usually 0x8 or 0xf8, it changes between runs).

Later on WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::New() calls SLL_Next, which gets the (altered) value that was previously stored in the free memory region, and returns it as the new list head.

Later on WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::New() is called again, and this time list head pointer is 0x8. SLL_Next() tries to dereference it and crashes.

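A model of the failure sequence described in the message above, added here as an illustration; it is not code from WebKit or from the bug report. It assumes a TCMalloc-style free list that keeps the next-pointer inside each free block (the SLL_Next convention the message refers to), stands in for ThreadSpecificThreadExit() with a teardown that returns every still-live block to that list, and stands in for the late OwnPtr destructor with a deleter that scribbles a 0xf8 fill over the object (as a debug heap does). The names ThreadHeap, threadExit, freeListIsSane and work are invented for the example, and the corrected ordering it shows (destroy the invocation before tearing the heap down) is what this model suggests, not a quotation of the WebKit fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// SLL convention: a free block's first word is the link to the next free block.
static inline void* SLL_Next(void* t) { return *static_cast<void**>(t); }
static inline void SLL_SetNext(void* t, void* n) { *static_cast<void**>(t) = n; }

// Hypothetical per-thread heap: a small arena carved into fixed-size blocks
// threaded on an inline free list, plus a "live" bitmap so teardown knows
// what is still outstanding.
struct ThreadHeap {
    enum : size_t { kBlockSize = 32, kBlocks = 4 };
    alignas(16) unsigned char arena[kBlockSize * kBlocks];
    bool live[kBlocks];
    void* freeHead;

    ThreadHeap() : freeHead(nullptr) {
        std::memset(arena, 0, sizeof arena);
        for (size_t i = 0; i < kBlocks; ++i) live[i] = false;
        for (size_t i = kBlocks; i-- > 0;) push(arena + i * kBlockSize); // block 0 handed out first
    }
    size_t index(void* b) const { return (static_cast<unsigned char*>(b) - arena) / kBlockSize; }
    bool inArena(const void* p) const {
        uintptr_t a = reinterpret_cast<uintptr_t>(arena), q = reinterpret_cast<uintptr_t>(p);
        return q >= a && q < a + sizeof arena && (q - a) % kBlockSize == 0;
    }
    void push(void* b) { SLL_SetNext(b, freeHead); freeHead = b; }
    // Like PageHeapAllocator::New(): pop the head and install SLL_Next(head),
    // whatever it now contains, as the new head.
    void* allocate() {
        void* b = freeHead;
        if (b) { freeHead = SLL_Next(b); live[index(b)] = true; }
        return b;
    }
    void release(void* b) { live[index(b)] = false; push(b); }
    // Stand-in for ThreadSpecificThreadExit(): every live block goes back on
    // the list, which writes a link word into each of them.
    void threadExit() {
        for (size_t i = 0; i < kBlocks; ++i)
            if (live[i]) release(arena + i * kBlockSize);
    }
    // Walk the list without dereferencing anything outside the arena; false
    // means the next allocate() would follow a garbage pointer.
    bool freeListIsSane() const {
        size_t steps = 0;
        for (void* p = freeHead; p; p = SLL_Next(p))
            if (!inArena(p) || ++steps > kBlocks) return false;
        return true;
    }
};

struct ThreadFunctionInvocation {
    void (*function)(void*);
    void* data;
    // Modeled deleter: scribble a fill pattern over the object, the
    // "destructor alters the memory" step from the report.
    ~ThreadFunctionInvocation() { std::memset(this, 0xf8, sizeof *this); }
};

static void work(void* d) { ++*static_cast<int*>(d); }

// Order from the original wtfThreadEntryPoint: heap teardown first, the
// invocation's destructor afterwards.
bool buggyOrderCorruptsFreeList() {
    ThreadHeap heap;
    int counter = 0;
    void* block = heap.allocate();
    ThreadFunctionInvocation* inv = new (block) ThreadFunctionInvocation{work, &counter};
    inv->function(inv->data);
    heap.threadExit();                 // block is free again; its first word is now a link
    inv->~ThreadFunctionInvocation();  // late destructor overwrites that link with 0xf8f8...
    void* again = heap.allocate();     // pops block, installs the scribbled word as head
    return again == block && counter == 1 && !heap.freeListIsSane();
}

// Corrected order: destroy the invocation while the heap is still alive,
// then tear the heap down.
bool fixedOrderKeepsFreeListSane() {
    ThreadHeap heap;
    int counter = 0;
    void* block = heap.allocate();
    ThreadFunctionInvocation* inv = new (block) ThreadFunctionInvocation{work, &counter};
    inv->function(inv->data);
    inv->~ThreadFunctionInvocation();  // scribble lands on a block still owned by us
    heap.threadExit();                 // the link word now overwrites the scribble
    void* again = heap.allocate();
    return again == block && counter == 1 && heap.freeListIsSane();
}

int main() {
    std::printf("buggy order corrupts free list: %s\n", buggyOrderCorruptsFreeList() ? "yes" : "no");
    std::printf("fixed order keeps it sane:      %s\n", fixedOrderKeepsFreeListSane() ? "yes" : "no");
    return 0;
}
```

The model stops one step short of the crash on purpose: freeListIsSane() reports the out-of-arena head that a further allocate() would dereference, which is the point at which the real SLL_Next faulted in the report.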