I was looking at the crash reported at [1]. Processing the stackdump gives:

> 0x000000018006ff23    signal_exit                                exceptions.cc:1234
> 0x00000001800713ea    _cygtls::call_signal_handler()             exceptions.cc:1490
> 0x0000000180121d04    sig_send(_pinfo*, siginfo_t&, _cygtls*)    sigproc.cc:714
> 0x000000018011ee5e    _pinfo::kill(siginfo_t&)                   signal.cc:252
> 0x000000018011f32b    kill0                                      signal.cc:303
> 0x000000018011f4fc    raise                                      signal.cc:289
> 0x000000018011f7bf    abort                                      signal.cc:376
> 0x00000001801528c5    dlfree                                     malloc.cc:4762
> 0x00000001800c52b3    free                                       sync.h:36
> 0x000000018011ae5b    ??                                         sigfe.s:43

Which is not entirely helpful.

We can see that an abort signal is being raised inside free, but the 
stacktrace stops at _sigbe, because unwinding that frame requires 
special measures.

Presumably run has some invalid heap use going on, but annoyingly the 
stackdump stops short of identifying the problem line.

Attached is a patch which teaches stack_info::walk() how to unwind these 
frames on x86_64.

Also attached is a small testcase, which currently produces a similar 
stackdump truncated at _sigbe, or with my patch applied:

> 0x0000000180070238    signal_exit                                exceptions.cc:1321
> 0x000000018007172a    _cygtls::call_signal_handler()             exceptions.cc:1578
> 0x0000000180127e2f    sig_send(_pinfo*, siginfo_t&, _cygtls*)    sigproc.cc:714
> 0x0000000180124fb0    _pinfo::kill(siginfo_t&)                   signal.cc:252
> 0x0000000180125479    kill0                                      signal.cc:303
> 0x000000018012564c    raise                                      signal.cc:289
> 0x000000018012590f    abort                                      signal.cc:376
> 0x000000018015969a    dlfree                                     malloc.cc:4717
> 0x00000001800ca103    free                                       sync.h:36
> 0x0000000180120f5b    ?? (_sigbe)                                sigfe.s:54
> 0x0000000100401119    foo                                        malloc-corruption-abort.c:11
> 0x000000010040113b    sighandler                                 malloc-corruption-abort.c:17
> 0x000000018007172a    _cygtls::call_signal_handler()             exceptions.cc:1578
> 0x0000000180121078    ?? (sigdelayed)                            sigfe.s:144
> 0x0000000100401174    main                                       malloc-corruption-abort.c:32

The x86 unwinder could probably benefit from something similar, but it 
seems to be able to do a slightly better job of escaping from _sigbe, I 
guess due to the frame pointer.

[1] https://cygwin.com/ml/cygwin/2015-03/msg00117.html