Invalid address passed to free: value not allocated

Summary

When using Orbot (on Android arm64) with tor-0.4.8.13, Orbot's tor service crashes when starting and stopping because of the following commit: 6feaea8f

Steps to reproduce:

  1. Start Orbot's tor service
  2. Restart Orbot's tor service

What is the current bug behavior?

Abort message: 'Invalid address 0x7f1b6ffb00 passed to free: value not allocated'

What is the expected behavior?

No crash.

Environment

  • tor-0.4.8.13 with Orbot on Android (arm64)
  • Self-built

Relevant logs and/or screenshots

10-29 21:26:28.529 22523 22809 F libc    : Invalid address 0x7f1b6ffb00 passed to free: value not allocated
10-29 21:26:28.530 22523 22809 F libc    : Fatal signal 6 (SIGABRT), code -6 in tid 22809 (tor)
10-29 21:26:28.650 22810 22810 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-29 21:26:28.651 22810 22810 F DEBUG   : LineageOS Version: '14.1-20241008-NIGHTLY-gts210vewifi'
10-29 21:26:28.651 22810 22810 F DEBUG   : Build fingerprint: 'samsung/gts210vewifixx/gts210vewifi:7.0/NRD90M/T813XXU2BQD3:user/release-keys'
10-29 21:26:28.651 22810 22810 F DEBUG   : Revision: '4'
10-29 21:26:28.651 22810 22810 F DEBUG   : ABI: 'arm64'
10-29 21:26:28.651 22810 22810 F DEBUG   : pid: 22523, tid: 22809, name: tor  >>> org.torproject.android <<<
10-29 21:26:28.651 22810 22810 F DEBUG   : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
10-29 21:26:28.653 22810 22810 F DEBUG   : Abort message: 'Invalid address 0x7f1b6ffb00 passed to free: value not allocated'
10-29 21:26:28.653 22810 22810 F DEBUG   :     x0   0000000000000000  x1   0000000000005919  x2   0000000000000006  x3   0000000000000008
10-29 21:26:28.653 22810 22810 F DEBUG   :     x4   0000000000000000  x5   0000000000000000  x6   8080808080808080  x7   0000000000000008
10-29 21:26:28.653 22810 22810 F DEBUG   :     x8   0000000000000083  x9   ffffffffffffffdf  x10  0000000000000000  x11  0000000000000001
10-29 21:26:28.654 22810 22810 F DEBUG   :     x12  ffffffffffffffff  x13  0000000000000000  x14  0000000000000000  x15  001f93c8e19712eb
10-29 21:26:28.654 22810 22810 F DEBUG   :     x16  0000007f94637ec8  x17  0000007f945e1828  x18  00000000ffffffff  x19  0000007f215824f8
10-29 21:26:28.654 22810 22810 F DEBUG   :     x20  0000000000000006  x21  0000007f21582450  x22  0000000000000002  x23  0000007f946428c0
10-29 21:26:28.654 22810 22810 F DEBUG   :     x24  0000007f9464292c  x25  88c812ae8a5ad99e  x26  0000007f89f43298  x27  88c812ae8a5ad99e
10-29 21:26:28.654 22810 22810 F DEBUG   :     x28  0000000000000001  x29  0000007f21580ec0  x30  0000007f945decd0
10-29 21:26:28.654 22810 22810 F DEBUG   :     sp   0000007f21580ea0  pc   0000007f945e1830  pstate 0000000060000000
10-29 21:26:28.676 22810 22810 F DEBUG   : 
10-29 21:26:28.676 22810 22810 F DEBUG   : backtrace:
10-29 21:26:28.677 22810 22810 F DEBUG   :     #00 pc 000000000006c830  /system/lib64/libc.so (tgkill+8)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #01 pc 0000000000069ccc  /system/lib64/libc.so (pthread_kill+64)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #02 pc 0000000000023ea0  /system/lib64/libc.so (raise+24)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #03 pc 000000000001c924  /system/lib64/libc.so (abort+52)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #04 pc 0000000000020eac  /system/lib64/libc.so (__libc_fatal+104)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #05 pc 00000000000910f4  /system/lib64/libc.so (ifree+1304)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #06 pc 0000000000091178  /system/lib64/libc.so (je_free+128)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #07 pc 000000000045763c  /data/app/org.torproject.android-1/lib/arm64/libtor.so (offset 0x2de000) (threadpool_free+192)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #08 pc 00000000003a5e40  /data/app/org.torproject.android-1/lib/arm64/libtor.so (offset 0x2de000) (cpuworker_free_all+36)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #09 pc 0000000000410e3c  /data/app/org.torproject.android-1/lib/arm64/libtor.so (offset 0x2de000) (tor_free_all+44)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #10 pc 0000000000410de4  /data/app/org.torproject.android-1/lib/arm64/libtor.so (offset 0x2de000) (tor_cleanup+180)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #11 pc 00000000002e1384  /data/app/org.torproject.android-1/lib/arm64/libtor.so (offset 0x2de000) (tor_run_main+1188)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #12 pc 00000000002dfa48  /data/app/org.torproject.android-1/lib/arm64/libtor.so (offset 0x2de000) (Java_org_torproject_jni_TorService_runMain+36)
10-29 21:26:28.677 22810 22810 F DEBUG   :     #13 pc 0000000000b56220  /data/app/org.torproject.android-1/oat/arm64/base.odex (offset 0xa75000)
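The backtrace above shows libc aborting inside free() called from threadpool_free() during cpuworker_free_all() in tor_cleanup(), reached from Java_org_torproject_jni_TorService_runMain, i.e. on the stop half of an in-process restart. The following is an added, constructed C example (not tor's threadpool code and not a claim about the actual root cause of this report) illustrating the failure class "cleanup frees storage that did not come from malloc or that it no longer owns", and the shape of cleanup that survives a start/stop/start/stop cycle in one process: it clears the global before freeing, is a no-op when called twice, and refuses to free non-heap storage. All names (pool_t, pool_start, pool_free_all, restart_cycle) are invented for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not tor's code: a process-global pool whose
 * cleanup is only safe when it frees exactly what the matching start
 * routine allocated, and nothing else. */
typedef struct pool_t {
    int nthreads;
    int heap_owned;   /* 1 if this struct came from malloc()/calloc() */
} pool_t;

static pool_t *g_pool = NULL;   /* global state, like a cpuworker pool */
static pool_t  g_static_pool;   /* storage that must never reach free() */
static int     g_frees = 0;     /* how many times free() actually ran */

/* Start: allocate the pool. Returns 0 on success, -1 if already running
 * or out of memory. */
int pool_start(int nthreads)
{
    if (g_pool)
        return -1;
    g_pool = calloc(1, sizeof *g_pool);
    if (!g_pool)
        return -1;
    g_pool->nthreads = nthreads;
    g_pool->heap_owned = 1;
    return 0;
}

/* Variant start that points the global at static storage. Handing this
 * pointer to free() is exactly the "Invalid address passed to free:
 * value not allocated" abort that Android's libc raises. */
void pool_start_static(int nthreads)
{
    memset(&g_static_pool, 0, sizeof g_static_pool);
    g_static_pool.nthreads = nthreads;
    g_static_pool.heap_owned = 0;
    g_pool = &g_static_pool;
}

/* Cleanup: idempotent, and only frees storage it owns.
 * Returns 1 if free() was called, 0 if there was nothing to free. */
int pool_free_all(void)
{
    pool_t *p = g_pool;
    g_pool = NULL;            /* clear first: a second call sees nothing */
    if (!p)
        return 0;
    if (!p->heap_owned)
        return 0;             /* never free what malloc() did not hand out */
    free(p);
    g_frees++;
    return 1;
}

/* Simulate an in-process host (Orbot calls tor's main repeatedly from the
 * same process): start, cleanup, start, cleanup, plus one extra cleanup.
 * Returns the number of real free() calls (expected 2) or a negative
 * code identifying the step that misbehaved. */
int restart_cycle(void)
{
    g_frees = 0;
    if (pool_start(4) != 0)   return -1;
    if (pool_free_all() != 1) return -2;
    if (pool_start(4) != 0)   return -3;   /* second start must succeed */
    if (pool_free_all() != 1) return -4;
    if (pool_free_all() != 0) return -5;   /* extra cleanup is a no-op */
    return g_frees;
}
```

The two properties worth checking in a fix for a crash like this one are that the cleanup path can run once per start without touching a stale pointer, and that every pointer it passes to free() was produced by the allocator in the same run; the ownership flag and the clear-before-free ordering above are one way to make both hold.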

Possible fixes