User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:
See http://hg.mozilla.org/mozilla-central/file/eb201b1e55fd/mozglue/linker/Mappable.cpp#l251. To me this looks like a bug: the munmap call will unmap a region of memory based off 'this' (which could in fact be very, very far away from 'this' because the pointer arithmetic is based on _MappableBuffer-sized chunks), instead of from 'buf' (which was the original allocation).

Actual results:
The result is likely to be nothing in the majority of cases, or a random difficult-to-pin-down crash when some other component finds a small page-sized hole in its memory. The latter is what triggered an investigation using ptrace, which found the random munmap call to be the culprit.

Expected results:
'this' should be changed to 'buf'.
_MappableBuffer inherits from MappedPtr, which has an operator + doing the right thing. Kind of ugly, but this code will eventually go away with bug 725231
Odd. I was definitely seeing an invalid ("wild") non-aligned `munmap` call in ptrace coming from Mozilla. Maybe it was something else. Maybe it'll go away when that code is removed; otherwise I'll do some more digging and submit a new bug.
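As an added illustration of the two address computations discussed in the report and in the reply (this is not code from mozilla-central; the shape of MappedPtr, the PageAlign helper and the "one extra trailing page" layout are assumptions), a stand-alone C++ version: operator+ on the object steps in bytes from the mapping base, whereas arithmetic on `this` would step in whole-object units from the heap object, which is why the latter would hand munmap a wild address.

```cpp
#include <sys/mman.h>
#include <unistd.h>
#include <cstddef>
#include <cstdint>

// Stand-in for mozglue's MappedPtr (assumed shape, not the real class): wraps a
// mapping and exposes an operator+ that steps in bytes from the mapping base.
class MappedPtr {
public:
  MappedPtr(void *p, size_t len) : map(p), length(len) {}
  size_t GetLength() const { return length; }
  operator void *() const { return map; }
  void *operator+(size_t off) const { return static_cast<char *>(map) + off; }
protected:
  void *map; size_t length;
};

static size_t PageSize() { return static_cast<size_t>(sysconf(_SC_PAGESIZE)); }
// Same rounding as the report's (len + PAGE_SIZE) & ~(PAGE_SIZE - 1).
static size_t PageAlign(size_t n) { return (n + PageSize()) & ~(PageSize() - 1); }

// Maps `length` bytes plus one extra trailing page (assumed _MappableBuffer layout).
class MappableBuffer : public MappedPtr {
public:
  static MappableBuffer *Create(size_t length) {
    void *p = mmap(nullptr, PageAlign(length) + PageSize(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? nullptr : new MappableBuffer(p, length);
  }
  // Correct: operator+ on the object yields mapping base + byte offset.
  void *TrailingPage() const { return *this + PageAlign(GetLength()); }
  // What `this + n` denotes instead: n whole objects past the heap object. Kept as
  // an integer so the wild pointer is never actually formed (that would be UB).
  uintptr_t WildAddress() const { return reinterpret_cast<uintptr_t>(this) + PageAlign(GetLength()) * sizeof(*this); }
  int FreeTrailingPage() { return munmap(TrailingPage(), PageSize()); }
  ~MappableBuffer() { munmap(map, PageAlign(length) + PageSize()); }
private:
  MappableBuffer(void *p, size_t len) : MappedPtr(p, len) {}
};

// Returns 0 when the operator+ address is page aligned, is exactly the extra page,
// differs from the `this`-arithmetic address, and munmap accepts it; else a bitmask.
int CheckTrailingPage(size_t length) {
  MappableBuffer *b = MappableBuffer::Create(length);
  if (!b) return 1;
  uintptr_t good = reinterpret_cast<uintptr_t>(b->TrailingPage());
  uintptr_t base = reinterpret_cast<uintptr_t>(static_cast<void *>(*b));
  int rc = 0;
  if (good % PageSize() != 0) rc |= 2;
  if (good != base + PageAlign(length)) rc |= 4;
  if (b->WildAddress() == good) rc |= 8;
  if (b->FreeTrailingPage() != 0) rc |= 16;
  delete b;
  return rc;
}
```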