How to use libumem to find a bad free call

Thursday, March 23rd, 2006

I have not seen any good simple tutorials on how to use libumem for debugging.  (Unless you also want to learn how to use mdb).  So I wrote a simple example.

% more t.c

#include <stdio.h>
#include <stdlib.h>
int main()
{
    int i;
    free(&i);    /* the bug: &i is a stack address, not a pointer returned by malloc */
    i = 10;
    char * p = (char *) malloc(1000);
}

This program has a bug, and it might crash or it might not. It might crash right away, or it might crash after running longer (if it had more code after the bug). Running it with libumem preloaded, even with default options, enables more basic assertion checking, so the bad free is caught where it happens.

% cc -g t.c
% a.out
% # notice no crash
% LD_PRELOAD=/lib/libumem.so ./a.out
Abort (core dumped)
% dbx -c 'where;quit' - core
Corefile specified executable: "/home/quenelle/./a.out"
Reading a.out
core file header read successfully
Reading ld.so.1
Reading libumem.so.1
Reading libc.so.1
Reading libc_psr.so.1
program terminated by signal ABRT (Abort)
0xff2c0f90: __lwp_kill+0x0008:  bcc,a,pt  %icc,__lwp_kill+0x18  ! 0xff2c0fa0
Current function is main
    8       free(&i);
  [1] __lwp_kill(0x0, 0x6, 0x0, 0x0, 0x0, 0x0), at 0xff2c0f90
  [2] raise(0x6, 0x0, 0x20f90, 0xff36b7cc, 0xff38a000, 0xff38abc4), at 0xff25fd78
  [3] umem_do_abort(0x4, 0xffbfe6c0, 0x6, 0x20ecc, 0xff37680c, 0x0), at 0xff3690fc
  [4] umem_err_recoverable(0xff377818, 0xa, 0x20dc4, 0xff38a6fc, 0xff38d0d0, 0xff377823), at 0xff3692a0
  [5] process_free(0xffbfe9d8, 0x1, 0x0, 0x3e3a1000, 0x1ee5c, 0x20c28), at 0xff36b2b0
=>[6] main(), line 8 in "t.c"

Abort (core dumped)

This trick can often be used to find the place where your malloc/free bug happened.  There are some environment variables you can use to control the behavior of libumem. You can read more about them in the umem_debug man page.  You can also find out more about libumem by reading the various white papers that are available.  You can do a Google search on “libumem” or “libumem solaris” to find out more.
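libumem aborted in the trace above because free() was handed a pointer that malloc never returned. The example below is added here (it is not from the original post and is not how libumem is implemented); it shows the same class of check in a small wrapper that only frees pointers it handed out. The names chk_malloc, chk_free, CHK_FREE and the MAX_LIVE table size are assumptions made for this sketch, which is single-threaded.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 1024                 /* table size: assumption for this sketch */
enum { CHK_OK = 0, CHK_BAD_FREE = 1 };
static void *live[MAX_LIVE];          /* pointers handed out and not yet freed */

/* Allocate and record the pointer so chk_free() can validate it later. */
void *chk_malloc(size_t n)
{
    void *p = malloc(n);
    for (size_t k = 0; p != NULL && k < MAX_LIVE; k++)
        if (live[k] == NULL) { live[k] = p; return p; }
    free(p);                          /* p is NULL, or the table is full */
    return NULL;
}

/* Free only pointers we handed out. Anything else is reported with its call
   site instead of reaching free(), where it could silently corrupt the heap. */
int chk_free(void *p, const char *file, int line)
{
    if (p == NULL) return CHK_OK;     /* free(NULL) is a valid no-op */
    for (size_t k = 0; k < MAX_LIVE; k++)
        if (live[k] == p) { live[k] = NULL; free(p); return CHK_OK; }
    fprintf(stderr, "bad free of %p at %s:%d\n", p, file, line);
    return CHK_BAD_FREE;
}
#define CHK_FREE(p) chk_free((p), __FILE__, __LINE__)

/* The bug from t.c, routed through the checker: a stack address. */
int demo_stack_free(void)
{
    int i = 10;
    return CHK_FREE(&i);
}

/* A pointer into the middle of a block is rejected; the block's start is accepted. */
int demo_interior_free(void)
{
    char *p = chk_malloc(1000);
    if (p == NULL) return -1;
    int bad = CHK_FREE(p + 8);
    int good = CHK_FREE(p);
    return bad == CHK_BAD_FREE && good == CHK_OK;
}

int main(void)
{
    return (demo_stack_free() == CHK_BAD_FREE && demo_interior_free() == 1) ? 0 : 1;
}
```

Unlike the preloaded libumem, this wrapper reports the call site directly and needs no core file, but it only covers code that calls it explicitly.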