Jeremy Uejio's Weblog
Thursday Jun 05, 2008
Difference between deadbeef and baddcafe
No, this is not a posting about food poisoning at a restaurant. It's about my experience with libumem. libumem is a very useful and fast preload library for detecting memory corruption and memory leaks.

I was working on a bug where the Xserver crashes, but only under libumem. The stack trace showed that a particular function was being called with the first argument equal to "deadbeef". Something like:

    (dbx) where
    =>[1] SizeDeviceInfo(0xdeadbeef, 0xffbfed44, 0xffbfed40, 0x1f, 0x58, 0x52d1c8), at 0xff0ee260
      [2] ProcXListInputDevices(0xda1188, 0x1, 0xffbfed44, 0xdeadbeef, 0xff102000, 0xffbfed40), at 0xff0ee0f8

Well, actually it is 0xdeadbeef. This is a special constant that libumem uses. I thought it was for an uninitialized variable and kept looking for that in the code, but I couldn't find it. But after reading the manpage for umem_debug(3MALLOC), it turns out that the constant for uninitialized variables is "baddcafe". "deadbeef" is used to show that a chunk of memory has been freed.

So, basically I was trying to access freed memory. So, it was just a matter of stepping through the code and looking to see where the memory got freed.

Here's a link to someone else's experience with libumem and accessing freed memory.

I should really blog more about using mdb and libumem one of these days...

Posted at 09:37AM Jun 05, 2008 by uejio in Sun
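The following C sketch is an added example, not code from the original post or from libumem. It shows why a stale read of a freed record yields 0xdeadbeef while a never-written record yields 0xbaddcafe. The arena allocator, `read_field`, `classify` and the sample pointer value are hypothetical stand-ins; only the two fill patterns come from umem_debug(3MALLOC).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill patterns documented in umem_debug(3MALLOC). */
#define UMEM_FREE_PATTERN          0xdeadbeefU  /* buffer has been freed */
#define UMEM_UNINITIALIZED_PATTERN 0xbaddcafeU  /* allocated, never written */

/* Toy arena standing in for the heap (hypothetical; not libumem's code).
 * Chunks are never reused, so reading a "freed" chunk is well defined here. */
#define ARENA_WORDS 256
static uint32_t arena[ARENA_WORDS];
static size_t arena_used;

static void fill(uint32_t *p, size_t words, uint32_t pattern) {
    for (size_t i = 0; i < words; i++) p[i] = pattern;
}

/* Allocate and pre-fill with the "uninitialized" pattern. */
static uint32_t *toy_alloc(size_t words) {
    if (words > ARENA_WORDS - arena_used) return NULL;
    uint32_t *p = &arena[arena_used];
    arena_used += words;
    fill(p, words, UMEM_UNINITIALIZED_PATTERN);
    return p;
}

/* Free: overwrite the chunk with the "freed" pattern. */
static void toy_free(uint32_t *p, size_t words) { fill(p, words, UMEM_FREE_PATTERN); }

/* Value a caller would load from field 0 of a record and pass as an argument. */
uint32_t read_field(int initialize, int free_first) {
    uint32_t *rec = toy_alloc(4);
    if (rec == NULL) return 0;
    if (initialize) rec[0] = 0x00012340U;   /* constructed sample pointer value */
    if (free_first) toy_free(rec, 4);
    return rec[0];                          /* stale read when free_first is set */
}

/* Triage a suspicious word seen in a stack trace. */
const char *classify(uint32_t v) {
    if (v == UMEM_FREE_PATTERN) return "freed memory";
    if (v == UMEM_UNINITIALIZED_PATTERN) return "uninitialized memory";
    return "no umem pattern";
}

int main(void) {
    printf("never written:   %s\n", classify(read_field(0, 0)));
    printf("read after free: %s\n", classify(read_field(1, 1)));
    return 0;
}
```

Note that a record that was initialized and then freed still reads back as 0xdeadbeef, which is why searching for an uninitialized variable leads nowhere in that case.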