Fix crash in pthread_tsd_cleanup on macOS ARM64 (#1177)

austenstone · austenstone · commit 8fecc4bb122d · 2025-11-26T17:15:17.000-05:00
Complete the NULL handling fix from commit 515047b by also checking for NULL page entries in the 2-level page map lookup. The issue occurs on macOS ARM64 during pthread TSD (thread-specific data) cleanup when thread_local C++ objects are destroyed. During this late cleanup phase, the TLS for mimalloc may already be invalidated, causing _mi_checked_ptr_page to return NULL for valid pointers. Commit 515047b ('improve free on macos') changed the sub==NULL case to return _mi_page_empty instead of NULL, but missed the case where sub[sub_idx] is NULL. This commit adds the same NULL check for the page entry itself. Includes a regression test that reproduces the crash scenario.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -767,6 +767,18 @@ if (MI_BUILD_TESTS)
       add_test(NAME test-stress-dynamic COMMAND ${CMAKE_COMMAND} -E env MIMALLOC_VERBOSE=1 ${LD_PRELOAD}=$<TARGET_FILE:mimalloc> $<TARGET_FILE:mimalloc-test-stress-dynamic>)
     endif()
   endif()
+
+  # issue 1177: test thread_local cleanup on macOS
+  add_executable(test-issue-1177 test/test-issue-1177.cpp)
+  target_compile_definitions(test-issue-1177 PRIVATE ${mi_defines})
+  target_compile_options(test-issue-1177 PRIVATE ${mi_cflags})
+  target_include_directories(test-issue-1177 PRIVATE include)
+  if(MI_BUILD_SHARED)
+    target_link_libraries(test-issue-1177 PRIVATE mimalloc ${mi_libraries})
+  elseif(MI_BUILD_STATIC)
+    target_link_libraries(test-issue-1177 PRIVATE mimalloc-static ${mi_libraries})
+  endif()
+  add_test(NAME test-issue-1177 COMMAND test-issue-1177)
 endif()
 
 # -----------------------------------------------------------------------------
diff --git a/include/mimalloc/internal.h b/include/mimalloc/internal.h
@@ -578,7 +578,9 @@ static inline mi_page_t* _mi_checked_ptr_page(const void* p) {
   const size_t idx = _mi_page_map_index(p, &sub_idx);
   mi_submap_t const sub = _mi_page_map[idx];
   if mi_unlikely(sub == NULL) return (mi_page_t*)&_mi_page_empty;
-  return sub[sub_idx];
+  mi_page_t* const page = sub[sub_idx];
+  if mi_unlikely(page == NULL) return (mi_page_t*)&_mi_page_empty;
+  return page;
 }
 
 #endif
diff --git a/test/test-issue-1177.cpp b/test/test-issue-1177.cpp
@@ -0,0 +1,12 @@
+#include <thread>
+#include <cstdlib>
+
+thread_local void* s_ptr = malloc(1);
+
+int main()
+{
+  std::thread thread([]() { free(s_ptr); });
+  thread.join();
+  free(s_ptr);
+  return 0;
+}
