Ubuntu

Comment 12 for bug 663294

Here is the output of objdump -d firefox-4.0-bin with gcc4.4 and -pie

The major difference is with how pthread_mutex_lock is called in malloc:

    937d: 8b 4d e4 mov -0x1c(%ebp),%ecx
    9380: 89 0c 24 mov %ecx,(%esp)
    9383: e8 28 7f ff ff call 12b0 <pthread_mutex_lock@plt>

...the value loaded onto the stack comes from earlier, here:

    92f8: 65 a1 00 00 00 00 mov %gs:0x0,%eax
    92fe: 81 e8 04 00 00 00 sub $0x4,%eax
    9304: 8b 00 mov (%eax),%eax
    9306: 85 c0 test %eax,%eax
    9308: 89 45 e4 mov %eax,-0x1c(%ebp)

...note that the lea instruction has been replaced with a sub, and now loads the contents of the correct address into eax
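The pattern shown in the comment above (a thread-local pointer to a mutex, loaded through the TLS slot and then dereferenced before the call) reduced to a small C program, as an added example that is not part of the bug report or of the Firefox/jemalloc code; all names (`arena_lock`, `bind_arena`, `lock_arena`) are made up for the illustration. Built with `gcc -m32 -O2 -fPIE -pie -pthread` and inspected with `objdump -d`, the load of `arena_lock` shows the same `%gs:0x0` sequence: on i386 `%gs:0` holds the thread control block self-pointer, static TLS variables sit at negative offsets from it, so `sub` + `mov (%eax)` fetches the pointer stored in the slot, whereas an `lea` would have handed the slot's address to `pthread_mutex_lock`.

```c
#include <pthread.h>
#include <stddef.h>

/* Hypothetical thread-local pointer to the arena lock. Its value lives in a
 * TLS slot reached through %gs on 32-bit x86, exactly like the value that
 * ends up at -0x1c(%ebp) in the disassembly above. */
static __thread pthread_mutex_t *arena_lock = NULL;

/* Constructed process-wide mutex that stands in for a malloc arena lock. */
static pthread_mutex_t global_arena = PTHREAD_MUTEX_INITIALIZER;

/* Point this thread's TLS slot at a mutex. */
void bind_arena(pthread_mutex_t *m)
{
    arena_lock = m;
}

/* Returns 0 on success, like pthread_mutex_lock, or -1 if no arena is bound.
 * The compiled load of arena_lock must yield the slot's *contents*; a
 * codegen bug that produced the slot's address instead (lea rather than
 * sub + mov) would pass a bogus pointer to pthread_mutex_lock. */
int lock_arena(void)
{
    if (arena_lock == NULL)
        return -1;
    return pthread_mutex_lock(arena_lock);
}

int unlock_arena(void)
{
    if (arena_lock == NULL)
        return -1;
    return pthread_mutex_unlock(arena_lock);
}

/* Bind, lock and unlock once; 0 means every step succeeded. */
int lock_unlock_roundtrip(void)
{
    bind_arena(&global_arena);
    if (lock_arena() != 0)
        return 1;
    if (unlock_arena() != 0)
        return 2;
    return 0;
}
```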