From 53149ab71530388694e1e5e39537e3ec26fbb3df Mon Sep 17 00:00:00 2001
From: Dylan Conway
Date: Fri, 22 May 2026 07:08:41 +0000
Subject: [PATCH] guard theap->tld NULL deref in reclaim path and _mi_subproc
---
 src/free.c | 2 +-
 src/init.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/free.c b/src/free.c
index e78754567..ed7792e9c 100644
--- a/src/free.c
+++ b/src/free.c
@@ -339,7 +339,7 @@ static mi_decl_noinline bool mi_abandoned_page_try_reclaim(mi_page_t* page, long
 // get our theap
 mi_theap_t* const theap = _mi_page_associated_theap_peek(page);
- if (theap==NULL || !theap->allow_page_reclaim) return false;
+ if (theap==NULL || theap->tld==NULL || !theap->allow_page_reclaim) return false;
 // todo: cache `is_in_threadpool` and `exclusive_arena` directly in the theap for performance?
 // set max_reclaim limit
diff --git a/src/init.c b/src/init.c
index 20ac158fa..434a25358 100644
--- a/src/init.c
+++ b/src/init.c
@@ -432,7 +432,7 @@ mi_subproc_t* _mi_subproc(void) {
 // on such systems we can check for this with the _mi_prim_get_default_theap as those are protected (by being
 // stored in a TLS slot for example)
 mi_theap_t* theap = _mi_theap_default();
- if (theap == NULL) {
+ if (theap == NULL || theap->tld == NULL) {
 return _mi_subproc_main();
 }
 else {
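Review bot: The added `theap->tld==NULL` test in mi_abandoned_page_try_reclaim carries no comment naming the state in which a theap exists with a NULL tld, and the same unexplained guard is added to `_mi_subproc` in src/init.c. Without that, a reader cannot tell whether this is an expected lifecycle state or a theap that stays reachable after its thread data is gone, in which case the check hides a lifetime bug instead of fixing it. I would put a line such as `// theap->tld is NULL while <state to be named by the author>; such a theap must not reclaim pages` above the condition. The read is also a single point-in-time check, so if another thread can clear tld, the uses presumably further down in this function stay exposed; the body starts and ends outside the hunk, so that needs confirming against the full file.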
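Review bot: Returning `_mi_subproc_main()` when `theap->tld == NULL` silently attributes the caller to the main subprocess, which is only correct if a theap without a tld can never belong to a different subprocess. If subprocesses are meant to keep memory separated, an allocation made in that window may be accounted to or served from the wrong one; the hunk does not show enough to rule this out. A comment on the condition stating the invariant, e.g. `// no tld: this theap cannot be bound to a non-main subproc here (confirm)`, plus a debug-build assertion of it where the codebase has one, would make the assumption checkable. The `else` branch continues past the end of the hunk.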