freebsd | FreeBSD 's source with custom patches

I am assuming that produced pthread_key_t instances are bound to a process

There is every reason to think that instances are process-specific, in that if you, say, record the representation of a key in shared memory then it is not meaningful to unrelated processes that happen to map the same shared memory segment.

(hence the opaque word in the man page),

But "opaque" has nothing in particular to do with that. It just means that there are no user-serviceable parts inside. You're meant to use it only as a whole.

and that these become invalid after a fork().

That seems a bit of a jump. I would not expect that at all. fork() creates a nearly exact duplicate of the calling process, subject to a few explicitly enumerated exceptions, which are listed in the manual. Probably the biggest relevant one is that the new process contains only one thread (the one that called fork()). Invalidation of thread-specific data keys is not on the list, nor is the loss of thread-specific data of the one initial thread of the child.

I couldn't find any reference in existing man pages or documentation however.

Exactly so.

HOWEVER, multi-threaded programs generally should not fork, as there is a high risk that the child process is left in an invalid state, such as with mutexes that are locked by threads that do not exist in the child. There are a few special cases, such as forking a child that immediately execs, but for the most part, you should not attempt to mix multithreading with multiprocessing.

This error message...

As pointed out in the comments, (v)snprintf always returns the number of bytes that would have been written (excluding the null terminating byte), even if truncated. This has the effect that providing the function with a size argument of 0 returns the length of the to-be-formatted string.

Using this value, plus the string length of our existing string (if applicable), plus one, we (re)allocate the appropriate amount of memory.

To concatenate, simply print the formatted string at the correct offset.

An example, sans error checking.

The two different systems you are comparing have int types of different sizes, and although your code does not use int explicitly, it is used implicitly by the rules of the C language.

On the AVR, ~0U has the type unsigned int (i.e. uint16_t) and a value of 0xFFFF.

On a normal PC, ~0U has the type unsigned int (i.e. uint32_t) and a value of 0xFFFFFFFF.

Like Tom Karzes said, you should just use ~crc if you want to invert all the bits in the crc variable in a simple, cross-platform way.

There is no need to allocate memory for this task: pass a pointer to a local array along with its size and use strlcat properly:

POSIX awk does not allow physical newlines in string values.

When you use C/BASH string notation like $'a\nb' then any POSIX compliant awk implementation will fail.

Even with gnu-awk, when you enable posix option following error will be returned:

A frequency 1 MHz higher than the maximum frequency of the CPU indicates the Intel(R) Turbo Boost(TM) feature.

The watchpoint handling provided for QEMU's gdbstub is really only intended to work with accesses done by the guest CPU, not for those done by DMA from emulated devices. I'm surprised it hits at all, and not surprised that the behaviour is a bit weird.

If you can repro this on a QEMU setup using purely emulation (ie not KVM, hvf or whpx), then my suggestion for debugging this would be to run QEMU itself in a host gdb, and use the host gdb to set a watchpoint on the host memory that corresponds to the relevant bit of guest memory. Unfortunately that requires some knowledge of QEMU internals to find the host memory, and generally to understand what's going on and relate what QEMU is doing to what the guest execution is.

Supplementary debugging tip: if you can take a 'snapshot' just before the bug is triggered, that gives you a shorter reproduce case which is "load from snapshot and trigger bug" rather than "boot entire guest OS and userspace then trigger bug". More detail in this blog post.

Supplementary debugging tip 2: if you take the "debug QEMU with host gdb" approach, you can use the reverse-debugger rr, which is very handy for memory-corruption bugs, because you can say "now execute backwards to whatever last touched this memory". More info in this post.

Yes, the lifetime of the object that m_owner refers to has already ended and it's destructor call completed when m_owner->cleanup(); is called. The call is therefore UB.