Comment 1 for bug 654785

Daniël van Eeden (dveeden) wrote:

This happened with both erlang-base and erlang-base-hipe.

I suspect that the value 0x0 is not valid for cand_blk?

This is the code where the segfault happens:
/*
 * Best-fit lookup in the free-block tree.
 *
 * Walks the tree from bfallctr->root treating it as a search tree keyed
 * on block size (assumed from the walk below — the insert side is not
 * shown here, TODO confirm): nodes too small for `size` are skipped to
 * the right, a fitting node is remembered and the search continues left
 * for a smaller one.
 *
 * `cand_blk` may be NULL.  When it is not, it is a candidate of size
 * `cand_size` found elsewhere, and NULL is returned if that candidate is
 * at least as good as the tree's best (smaller, or equal size at a lower
 * address) so the caller keeps the candidate.  Otherwise the chosen
 * block is unlinked from the tree and returned.  Returns NULL when no
 * block in the tree is large enough.
 *
 * NOTE(review): cand_blk is never dereferenced here, only compared by
 * address, so a crash in this function is not explained by cand_blk
 * being 0x0; the only dereferences are the tree links and BLK_SZ on
 * tree nodes, which points at a damaged tree or root rather than at
 * the candidate.
 */
static Block_t *
aobf_get_free_block(Allctr_t *allctr, Uint size,
                    Block_t *cand_blk, Uint cand_size)
{
    BFAllctr_t *bfallctr = (BFAllctr_t *) allctr;
    RBTree_t *node = bfallctr->root;
    RBTree_t *best = NULL;

    /* A NULL candidate is legal; a non-NULL one must itself fit `size`. */
    ASSERT(!cand_blk || cand_size >= size);

    for (; node != NULL; ) {
        if (BLK_SZ(node) < size) {
            /* Too small: everything to the left is no larger. */
            node = node->right;
            continue;
        }
        /* Fits: remember it, then look left for a tighter fit. */
        best = node;
        node = node->left;
    }

    if (best == NULL)
        return NULL;

#ifdef HARD_DEBUG
    ASSERT(best == check_tree(bfallctr, size));
#endif

    if (cand_blk != NULL) {
        Uint best_sz = BLK_SZ(best);
        /* Ties on size are broken by address: lower address wins. */
        int cand_wins = cand_size < best_sz
            || (cand_size == best_sz
                && ((void *) cand_blk) < ((void *) best));
        if (cand_wins)
            return NULL; /* cand_blk was better */
    }

    aobf_unlink_free_block(allctr, (Block_t *) best);

    return (Block_t *) best;
}