From: David Miller <da...@davemloft.net>
Date: Sun, 28 Oct 2012 00:31:27 -0400 (EDT)
> The size is 24, and my patch definitely makes the crashes go away.
>
> It seems like a vector is being used for a mixed set of objects.
> I'll try to figure out how that is happening.

Ok, the problem seems to have to do with releases.

The releases place vector memory chunks into a global pool. So a memory chunk from a vector used for one type of object can be sucked into and used by another vector.

But the alignment requirements are different, so we can obtain a chunk from the freelist that was being used for a vector of 4-byte aligned objects.

The crash sequences are always of the form:

    vec_release(0xffb37ac8) base+size(0xf0199008) amount(312)
    ...
    vec_grow(0xffb37ac8:24) from 0x975168, ret=0xf01754cc [size(24):alc(360)]

That size alignment done by backtrace_alloc() has no influence upon this issue, since chunks are released from wherever the vector's allocation point was at the time of the release.

In fact I bet that alignment in backtrace_alloc() never triggers when it is invoked from backtrace_vector_grow().
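The failure mode described above, as an added example that is not libbacktrace's code and not part of this mail: a toy vector allocator whose released tail chunks go into a single-entry global pool that any later vector may reuse. The arena, pool, vec_grow/vec_release bodies, the MAX_ALIGN value of 16 and the element sizes (13 x uint32_t used, a 24-byte 8-aligned struct reusing the tail) are all constructed for the demonstration. With the fix disabled, the tail released at offset 52 is handed to the 8-aligned vector and comes back misaligned by 4 bytes; with the fix enabled, vec_release rounds the released chunk up to MAX_ALIGN first, so the reused chunk is properly aligned for any element type.

```c
/* Added example, not libbacktrace's own code: a toy model of a vector
 * allocator with a global freelist, reproducing the "chunk released from
 * a 4-byte aligned vector, reused by an 8-byte aligned vector" bug and
 * the fix of aligning the chunk at release time.  All names, sizes and
 * the MAX_ALIGN value are constructed for this demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 4096
#define MAX_ALIGN 16      /* assumed safe for every element type in the toy */

/* A fixed, aligned arena standing in for the backing memory. */
static _Alignas(MAX_ALIGN) unsigned char arena[ARENA_SIZE];
static size_t arena_used;

/* Single-entry global freelist (the "global pool" of the mail). */
static unsigned char *free_base;
static size_t free_size;

/* Growable vector: base pointer, bytes in use, bytes allocated. */
struct vec { unsigned char *base; size_t size; size_t alc; };

static void pool_reset(void) { arena_used = 0; free_base = NULL; free_size = 0; }

/* Hand out `amount` bytes, preferring the pooled chunk if it is big enough.
 * Note that the pool records no alignment, only a base and a size. */
static unsigned char *pool_alloc(size_t amount) {
    if (free_base != NULL && free_size >= amount) {
        unsigned char *p = free_base;
        free_base = NULL; free_size = 0;
        return p;
    }
    if (arena_used + amount > ARENA_SIZE) return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += amount;
    return p;
}

/* Reserve `size` more bytes in the vector; a fresh chunk comes from the pool. */
static unsigned char *vec_grow(struct vec *v, size_t size) {
    if (v->size + size > v->alc) {
        size_t alc = (v->size + size) * 2;   /* toy growth policy */
        unsigned char *p = pool_alloc(alc);
        if (p == NULL) return NULL;
        if (v->size) memcpy(p, v->base, v->size);
        v->base = p; v->alc = alc;
    }
    unsigned char *ret = v->base + v->size;
    v->size += size;
    return ret;
}

/* Return the unused tail [base+size, base+alc) to the pool.  The tail starts
 * wherever this vector's allocation point happens to be, which is the root of
 * the problem.  With fix_align set, round it up to MAX_ALIGN first. */
static void vec_release(struct vec *v, int fix_align) {
    unsigned char *tail = v->base + v->size;
    size_t amount = v->alc - v->size;
    if (fix_align) {
        uintptr_t raw = (uintptr_t)tail;
        uintptr_t aligned = (raw + MAX_ALIGN - 1) & ~(uintptr_t)(MAX_ALIGN - 1);
        size_t slack = (size_t)(aligned - raw);
        if (slack >= amount) return;      /* nothing useful left to pool */
        tail += slack; amount -= slack;
    }
    free_base = tail; free_size = amount;
    v->alc = v->size;
}

/* A 24-byte element type with 8-byte alignment. */
struct wide { uint64_t a; uint64_t b; uint64_t c; };

/* Scenario: a uint32_t vector fills 13 slots (52 bytes) of a 360-byte chunk
 * and releases the rest; a `struct wide` vector then grows and receives that
 * chunk.  Returns how far the wide vector's base is off from its alignment. */
size_t scenario_misalignment(int fix_align) {
    pool_reset();
    struct vec narrow = { NULL, 0, 0 };
    struct vec wide_v = { NULL, 0, 0 };

    narrow.base = pool_alloc(360); narrow.alc = 360;
    for (int i = 0; i < 13; i++) {
        uint32_t *slot = (uint32_t *)vec_grow(&narrow, sizeof(uint32_t));
        *slot = (uint32_t)i;
    }
    vec_release(&narrow, fix_align);      /* tail starts at arena + 52 */

    /* First grow of the wide vector pulls the pooled chunk (48 <= 308). */
    (void)vec_grow(&wide_v, sizeof(struct wide));
    return (size_t)((uintptr_t)wide_v.base % _Alignof(struct wide));
}

int main(void) {
    printf("misalignment without fix: %zu\n", scenario_misalignment(0));
    printf("misalignment with fix:    %zu\n", scenario_misalignment(1));
    return 0;
}
```

The toy reproduces the mail's observation that aligning at allocation time (inside pool_alloc) cannot help: the released chunk never passes through an allocation-time size round-up, so either the release path must align the chunk or the pool must record the alignment it is good for. Compiling with -fsanitize=alignment and dereferencing the wide vector's base in the unfixed case reports the misaligned access that shows up as a crash on strict-alignment targets.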