Ubuntu

Comment 9 for bug 663294

The disassembly shows the same behaviour with gcc-snapshot. In malloc_init_hard, arenas_map is initialized with arenas[0] here:

    5626: e8 85 eb ff ff call 41b0 <arenas_extend>
    562b: 8b 83 60 12 00 00 mov 0x1260(%ebx),%eax
    5631: 8b 30 mov (%eax),%esi
    5633: 85 f6 test %esi,%esi
    5635: 0f 84 7b 04 00 00 je 5ab6 <.L517+0x12e>
    563b: 65 a1 00 00 00 00 mov %gs:0x0,%eax
    5641: 81 e8 04 00 00 00 sub $0x4,%eax
    5647: bd 20 00 00 00 mov $0x20,%ebp
    564c: bf ab aa aa aa mov $0xaaaaaaab,%edi
    5651: 89 30 mov %esi,(%eax)

And arenas[0] is initialized here to the return value of base_alloc in arenas_extend:

    4509: 8b 93 60 12 00 00 mov 0x1260(%ebx),%edx
    450f: 8b 44 24 28 mov 0x28(%esp),%eax
    4513: 8d 04 82 lea (%edx,%eax,4),%eax
    4516: 8b 54 24 18 mov 0x18(%esp),%edx
    451a: 89 10 mov %edx,(%eax)

...with base_alloc being called here:

    41e2: e8 59 fe ff ff call 4040 <base_alloc>
    41e7: 85 c0 test %eax,%eax
    41e9: 89 44 24 18 mov %eax,0x18(%esp)

Again, in malloc, this is where pthread_mutex_lock is called (where it locks up):

    741f: 89 3c 24 mov %edi,(%esp)
    7422: e8 2d a0 ff ff call 1454 <pthread_mutex_lock@plt>

...with edi being initialized here:

    7398: 65 a1 00 00 00 00 mov %gs:0x0,%eax
    739e: 90 nop
    739f: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
    73a3: 8d 2d 00 00 00 00 lea 0x0,%ebp
    73a9: 8b 7c 05 00 mov 0x0(%ebp,%eax,1),%edi
    73ad: 85 ff test %edi,%edi

...which should be the same value as arenas_map, but is being initialized with a value from a memory location which is 4 bytes out.