From owner-freebsd-hackers@FreeBSD.ORG  Thu Oct  6 16:51:15 2011
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 25B9E106564A
	for <hackers@freebsd.org>; Thu,  6 Oct 2011 16:51:15 +0000 (UTC)
	(envelope-from lev@FreeBSD.org)
Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru
	[IPv6:2a01:4f8:131:60a2::2])
	by mx1.freebsd.org (Postfix) with ESMTP id B894B8FC16
	for <hackers@freebsd.org>; Thu,  6 Oct 2011 16:51:14 +0000 (UTC)
Received: from lion.home.serebryakov.spb.ru (unknown
	[IPv6:2001:470:923f:1:b9fd:2f11:cd06:1a6])
	(Authenticated sender: lev@serebryakov.spb.ru)
	by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPA id D48664AC2D
	for <hackers@freebsd.org>; Thu,  6 Oct 2011 20:51:12 +0400 (MSD)
Date: Thu, 6 Oct 2011 20:51:03 +0400
From: Lev Serebryakov <lev@FreeBSD.org>
Organization: FreeBSD
X-Priority: 3 (Normal)
Message-ID: <1034127827.20111006205103@serebryakov.spb.ru>
To: hackers@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: quoted-printable
Cc: 
Subject: how to debug RB_TREE for memory corruption?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: lev@FreeBSD.org
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2011 16:51:15 -0000

Hello, Hackers.

  I'm writing some code, which uses RB_TREE from <sys/tree.h>. At some
momoent, it crashes within REMOVE method with "elm" 0xa5a5a5a5 (I have
malloc() debug options turned on).
  So, it seems, that free()ed element presents somewhere in the tree,
am I right?
  Ok, I add printing of whole tree BEFORE removal call with simple
recursive function. It doesn't crash and doesn't print any invalid pointers!

  How could it happen!? Tree is perfectly valid at line BEFORE
RB_DELETE() call and crashes with bad pointer in this method!

  I could (theoretically!) belive, that my code forget to delete node
from tree in some situations. But in such case tree printing function
will crash (or print "0xa5a5a5a5" pointer) before RB_DELETE crash!

  Any hints how to debug such strange situation?

--=20
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>