------- Comment #3 from fche at redhat dot com 2006-11-10 17:43 -------

Some more details. The data value in question comes from an allocation due to dlerror(), performed during __mf_init()'s lookup of interposed dynamic symbols. Since mudflap is still in __mf_starting_p state, dlerror's calloc() gets redirected to __mf_0fn_calloc, and gets one of the preallocated buffers in .bss.
The problem occurs at main thread shutdown, as caused by pthread_exit(). (An ordinary falling-off-the-end does not trigger this problem.) What happens is that __libc_start_main starts calling funky cleanup functions, including one __nptl_deallocate_tsd, which results in a free() call for that value allocated by dlerror(). But now, libmudflap is in normal non-reentrant state, so this free() is checked, and sure enough is found not to refer to a corresponding checked allocation call.

-- http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28578
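The sequence described in the comment above, reduced to a small model. This is an added example, not code from the bug report or from libmudflap; every name in it (`model_calloc`, `model_free`, `boot_bufs`, `starting`, `recognise_boot`) is hypothetical, and the address-range test in `model_free` is one assumed way for a checked free to recognise a bootstrap buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model; all names are hypothetical, not libmudflap's. */
enum { NBUFS = 4, BUFSZ = 64, MAXTRACK = 16 };
static char boot_bufs[NBUFS][BUFSZ];   /* preallocated, lives in .bss */
static int boot_used;
static int starting = 1;               /* models the "starting" state */
static void *tracked[MAXTRACK];        /* registry of checked allocations */

static void *model_calloc(size_t n, size_t sz) {
    if (starting) {                    /* bootstrap path: nothing is registered */
        if (boot_used >= NBUFS || n * sz > BUFSZ) return NULL;
        return memset(boot_bufs[boot_used++], 0, BUFSZ);
    }
    void *p = calloc(n, sz);
    for (int i = 0; p && i < MAXTRACK; i++)
        if (!tracked[i]) { tracked[i] = p; break; }
    return p;
}

/* True when p points into the static bootstrap buffers. */
static int in_boot_bufs(const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)boot_bufs;
    return a >= lo && a < lo + sizeof boot_bufs;
}

/* Returns 0 = freed, 1 = bootstrap buffer skipped, -1 = violation. */
static int model_free(void *p, int recognise_boot) {
    if (!p) return 0;
    if (recognise_boot && in_boot_bufs(p)) return 1;
    for (int i = 0; i < MAXTRACK; i++)
        if (tracked[i] == p) { tracked[i] = NULL; free(p); return 0; }
    return -1;                         /* no matching checked allocation */
}

int main(void) {
    void *early = model_calloc(1, 32); /* stands in for the dlerror() buffer */
    starting = 0;                      /* init finished, checking is live */
    void *late = model_calloc(1, 32);
    int r1 = model_free(early, 0);     /* -1: the failure in this report */
    int r2 = model_free(early, 1);     /*  1: recognised and skipped */
    int r3 = model_free(late, 0);      /*  0: ordinary checked free */
    return !(r1 == -1 && r2 == 1 && r3 == 0);
}
```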