[opensuse-factory] corrupted pointer? 0xaaaaaaaaaaaaaaaa
Hi developers,

xfce4-power-manager is crashing on me sometimes during/after suspend.
It rightfully dies when dereferencing battery->priv->type where battery->priv is:

(gdb) print battery->priv
$2 = (XfpmBatteryPrivate *) 0xaaaaaaaaaaaaaaaa
(gdb) print battery->priv->type
Cannot access memory at address 0xaaaaaaaaaaaaaae2

The gory details are in bug 707127.

My question is: does this 0xaaaaaaaaaaaaaaaa ring a bell for somebody? Is this some magic value or does libnotify use this for something?

Thanks for any hint,
Stefan
--
Stefan Seyfried
"Dispatch war rocket Ajax to bring back his body!"
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Monday, 25 July 2011, Stefan Seyfried wrote:
> Hi developers,
> xfce4-power-manager is crashing on me sometimes during/after suspend.
> It rightfully dies when dereferencing battery->priv->type where battery->priv is:
> (gdb) print battery->priv
> $2 = (XfpmBatteryPrivate *) 0xaaaaaaaaaaaaaaaa
> (gdb) print battery->priv->type
> Cannot access memory at address 0xaaaaaaaaaaaaaae2
> The gory details are in bug 707127.
> My question is: does this 0xaaaaaaaaaaaaaaaa ring a bell for somebody? Is this some magic value or does libnotify use this for something?

Yes, that's the magic value of $MALLOC_PERTURB_ in factory. This is what glibc sets freed memory to. So someone freed your battery's priv, but it still has a pointer to it.

Greetings, Stephan
On Mon, Jul 25, 2011 at 10:03:09AM +0200, Stephan Kulow wrote:
> On Monday, 25 July 2011, Stefan Seyfried wrote:
> > Hi developers,
> > xfce4-power-manager is crashing on me sometimes during/after suspend.
> > It rightfully dies when dereferencing battery->priv->type where battery->priv is:
> > (gdb) print battery->priv
> > $2 = (XfpmBatteryPrivate *) 0xaaaaaaaaaaaaaaaa
> > (gdb) print battery->priv->type
> > Cannot access memory at address 0xaaaaaaaaaaaaaae2
> > The gory details are in bug 707127.
> > My question is: does this 0xaaaaaaaaaaaaaaaa ring a bell for somebody? Is this some magic value or does libnotify use this for something?
>
> Yes, that's the magic value of $MALLOC_PERTURB_ in factory. This is what glibc sets freed memory to. So someone freed your battery's priv, but it still has a pointer to it.

Actually someone freed "battery", so battery->priv is 0xaaaaaaaaaaaaaaaaaa. ;)

Ciao, Marcus
On Mon, 25 Jul 2011 10:05:20 +0200, Marcus Meissner <meissner@suse.de> wrote:
> On Mon, Jul 25, 2011 at 10:03:09AM +0200, Stephan Kulow wrote:
> > Yes, that's the magic value of $MALLOC_PERTURB_ in factory. This is what glibc sets freed memory to. So someone freed your battery's priv, but it still has a pointer to it.
>
> Actually someone freed "battery", so battery->priv is 0xaaaaaaaaaaaaaaaaaa. ;)

Cool, thanks. I'm now running it under valgrind instead of gdb, this will hopefully tell us where the memory is freed.
--
Stefan Seyfried
On 25/07/11 04:29, Stefan Seyfried wrote:
> On Mon, 25 Jul 2011 10:05:20 +0200, Marcus Meissner <meissner@suse.de> wrote:
> > On Mon, Jul 25, 2011 at 10:03:09AM +0200, Stephan Kulow wrote:
> > > Yes, that's the magic value of $MALLOC_PERTURB_ in factory. This is what glibc sets freed memory to. So someone freed your battery's priv, but it still has a pointer to it.
> >
> > Actually someone freed "battery", so battery->priv is 0xaaaaaaaaaaaaaaaaaa. ;)
>
> Cool, thanks. I'm now running it under valgrind instead of gdb, this will hopefully tell us where the memory is freed.

Having glibc "screaming in pain" :-) is pretty nice. I have looked at the source code of the package but cannot find *where* the %$%" battery is getting freed.
On Mon, 25 Jul 2011 15:20:42 -0400, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> On 25/07/11 04:29, Stefan Seyfried wrote:
> > Cool, thanks. I'm now running it under valgrind instead of gdb, this will hopefully tell us where the memory is freed.
>
> Having glibc "screaming in pain" :-) is pretty nice. I have looked at the source code of the package but cannot find *where* the %$%" battery is getting freed.

Maybe it is some libnotify magic or something like that.

I'm actually suspecting a change in a third party library since xfce4-power-manager code did not change for months and only recently started crashing (I'm always on FACTORY, so always with MALLOC_PERTURB and friends).

We'll see what valgrind has to say about the issue. I screwed up the first attempt because I did not redirect output to a file and have only 5000 lines of scrollback in my terminal - which was not enough :-)
--
Stefan Seyfried
On Mon, Jul 25, 2011 at 09:39:53PM +0200, Stefan Seyfried wrote:
> On Mon, 25 Jul 2011 15:20:42 -0400, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> > On 25/07/11 04:29, Stefan Seyfried wrote:
> > > Cool, thanks. I'm now running it under valgrind instead of gdb, this will hopefully tell us where the memory is freed.
> >
> > Having glibc "screaming in pain" :-) is pretty nice. I have looked at the source code of the package but cannot find *where* the %$%" battery is getting freed.
>
> Maybe it is some libnotify magic or something like that.
> I'm actually suspecting a change in a third party library since xfce4-power-manager code did not change for months and only recently started crashing (I'm always on FACTORY, so always with MALLOC_PERTURB and friends).
> We'll see what valgrind has to say about the issue. I screwed up the first attempt because I did not redirect output to a file and have only 5000 lines of scrollback in my terminal - which was not enough :-)

Actually 0xaaaaaaaaaaaaaa is probably not MALLOC_PERTURB_, but just uninitialized or overwritten memory. Check if it ever gets initialized? But valgrind should spot that too.

Ciao, Marcus
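As an added illustration of the two explanations above (not code from the thread or from xfce4-power-manager), the toy arena below imitates what glibc does under MALLOC_PERTURB_, assumed here to be 170 (0xaa) to match the value in the gdb session: freshly allocated blocks are filled with the complement byte 0x55 and freed blocks with 0xaa, so a 0xaa pattern points at freed rather than never-initialized memory. The `Battery`/`BatteryPrivate` layouts are constructed assumptions, shaped so that a stale holder of a freed `battery` reads 0xaaaaaaaaaaaaaaaa from `priv`, and the fault address minus the poison recovers the offset of the field that was dereferenced (0x38), which is the arithmetic that distinguishes "battery was freed" from "priv was freed".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy arena imitating glibc's MALLOC_PERTURB_ (assumed 170 = 0xaa, matching the
 * thread): allocated blocks are filled with the complement byte (0x55), freed
 * blocks with the byte itself (0xaa). The pool is never returned to glibc, so
 * reading a "freed" block is well defined here, unlike with the real allocator.
 * Assumes 64-bit pointers. */
#define PERTURB_BYTE 0xaa
static unsigned char *arena;   /* one malloc'd pool, handed out bump-style */
static size_t arena_top;

static void *perturb_alloc(size_t n) {
    if (!arena) arena = malloc(4096);
    void *p = arena + arena_top;
    arena_top += (n + 15) & ~(size_t)15;
    memset(p, (unsigned char)~PERTURB_BYTE, n);  /* 0x55: allocated, never written */
    return p;
}
static void perturb_free(void *p, size_t n) {
    memset(p, PERTURB_BYTE, n);                  /* 0xaa: freed */
}

/* Constructed layouts shaped like a GObject: parent instance data first, then
 * the priv pointer; `type` sits at offset 0x38 inside the private struct. */
typedef struct { uint64_t parent[6]; void *priv; } Battery;
typedef struct { uint64_t other[7];  int type;   } BatteryPrivate;

/* A second holder (say, a signal callback) keeps `b` after the owner freed it:
 * the stale read of b->priv yields the poison pattern, not a valid pointer. */
uintptr_t priv_pointer_after_free(void) {
    Battery *b = perturb_alloc(sizeof *b);
    b->priv = perturb_alloc(sizeof(BatteryPrivate));
    perturb_free(b, sizeof *b);            /* the Battery itself is freed */
    return (uintptr_t)b->priv;             /* 0xaaaaaaaaaaaaaaaa */
}

/* Fault address minus poison pattern = offset of the field accessed through
 * the dead pointer (0xaaaaaaaaaaaaaae2 - 0xaaaaaaaaaaaaaaaa = 0x38). */
uintptr_t dereferenced_offset(uintptr_t fault_addr, uintptr_t poison) {
    return fault_addr - poison;
}

int main(void) {
    printf("priv read from freed Battery: 0x%lx\n", (unsigned long)priv_pointer_after_free());
    printf("field offset behind the fault: 0x%lx, offsetof(type) = 0x%lx\n",
           (unsigned long)dereferenced_offset(0xaaaaaaaaaaaaaae2ULL, 0xaaaaaaaaaaaaaaaaULL),
           (unsigned long)offsetof(BatteryPrivate, type));
    return 0;
}
```

With the real allocator the same stale read is undefined behaviour, which is why the thread moves to valgrind (with its output redirected to a file) to find the free site rather than reasoning from the poison value alone.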