Difference between deadbeef and baddcafe

No, this is not a posting about food poisoning at a restaurant.

It's about my experience with libumem.  libumem is a very useful and fast preload library for detecting memory corruption and memory leaks. I was working on a bug where the Xserver crashes, but only under libumem. The stack trace showed that a particular function was being called with the first argument equal to "deadbeef".  Something like:

(dbx) where
=>[1] SizeDeviceInfo(0xdeadbeef, 0xffbfed44, 0xffbfed40, 0x1f, 0x58, 0x52d1c8), at 0xff0ee260
  [2] ProcXListInputDevices(0xda1188, 0x1, 0xffbfed44, 0xdeadbeef, 0xff102000, 0xffbfed40), at 0xff0ee0f8

Well, actually it is 0xdeadbeef.  This is a special constant that libumem uses.  I thought it was for an uninitialized variable and kept looking for that in the code, but I couldn't find it. But, after reading the manpage for umem_debug(3MALLOC) it turns out that the constant for uninitialized variables is "baddcafe". "deadbeef" is used to show that a chunk of memory has been freed. So, basically I was trying to access freed memory, and it was just a matter of stepping through the code and looking to see where the memory got freed.

It turns out that the bug was that a data structure was being freed and then a field of that structure was being accessed.  Something like:

free(dev);           /* dev goes back to the allocator here... */
...
newdev = dev->next;  /* ...and is read afterwards: a use after free */

So, I just fixed it to do:

...
newdev = dev->next;  /* read the field while dev is still live */
free(dev);           /* only then release it */

(The code was a bit more complicated than that...)

D'oh!  Fortunately, not much was happening in the "..." so the code only crashes under libumem or other memory checkers.  But, if more code was added in that section, there could be some strange behavior that would be really hard to track down.
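As an added example (not from the original post, and not libumem's own code), here is a toy allocator that fills memory with the same two patterns, so the free-then-read order above can be seen handing back 0xdeadbeef where a pointer should be, while the fixed order returns the real next pointer. The struct, the function names and the "quarantine instead of free" behaviour are assumptions made for the demonstration.

```c
/* Toy allocator that mimics libumem's fill patterns (added example, not libumem itself).
 * Freed blocks are poisoned but kept, not returned to malloc, so reads stay deterministic. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define UMEM_UNINIT 0xbaddcafeU   /* freshly allocated memory, per umem_debug(3MALLOC) */
#define UMEM_FREED  0xdeadbeefU   /* memory that has been freed */
struct dev { struct dev *next; int id; };   /* hypothetical stand-in for the Xserver struct */

/* Write a repeating 32-bit pattern over a buffer, the way the umem debug fill does. */
static void fill_pattern(void *p, size_t n, uint32_t pat) {
    unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        b[i] = ((unsigned char *)&pat)[i % 4];   /* host order: a word read gives back pat */
}

static void *dbg_alloc(size_t n) {
    void *p = malloc(n);
    if (p) fill_pattern(p, n, UMEM_UNINIT);
    return p;
}

/* Poison on free; in this toy the block is quarantined rather than handed back. */
static void dbg_free(void *p, size_t n) { fill_pattern(p, n, UMEM_FREED); }

/* Name a suspicious word seen in a stack trace, as the post does with 0xdeadbeef. */
const char *classify_word(uint32_t v) {
    if (v == UMEM_FREED)  return "freed memory";
    if (v == UMEM_UNINIT) return "uninitialized memory";
    return "not a umem debug pattern";
}

/* The bug from the post: free the node, then read a field out of it. */
uintptr_t next_after_free_buggy(struct dev *dev) {
    dbg_free(dev, sizeof *dev);
    return (uintptr_t)dev->next;   /* yields the 0xdeadbeef fill, not a real pointer */
}

/* The fix: read the field first, then free. */
struct dev *next_then_free(struct dev *dev) {
    struct dev *next = dev->next;
    dbg_free(dev, sizeof *dev);
    return next;
}

/* Constructed two-node list so both orders can be compared. */
struct dev *make_list(void) {
    struct dev *a = dbg_alloc(sizeof *a), *b = dbg_alloc(sizeof *b);
    b->next = NULL; b->id = 2;
    a->next = b;    a->id = 1;
    return a;
}
```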

Here's a link to someone else's experience with libumem and accessing freed memory.  I should really blog more about using mdb and libumem one of these days...

Comments:

Indeed, yes you should.

I finally understand what $deadbeef and $badcafe mean, and all thanks to your post!

Thank you!

Posted by UX-admin on June 05, 2008 at 04:25 AM PDT #

You're welcome!

And there's not much out there which documents the ::umem* dcmds so I should write what I know (which is very little). Everyone is so into dtrace that they forget that libumem and watchmalloc even exist. In fact, it's pretty hard to use dtrace to debug memory trashing.

Posted by Jeremy on June 05, 2008 at 06:17 AM PDT #

"If wishes were horses, beggars would ride", so the old saying, I know, but I really wish that there was a comprehensive tutorial which combined the contents of the modular debugger and assembler guides (both on docs.sun.com).

That'd be just great. Otherwise, one must fight with both i86pc and sparc assemblers, on top of being proficient with using mdb.

Can one say, "thrice the trouble"?

Posted by UX-admin on June 05, 2008 at 08:08 PM PDT #

About

uejio
