Choosing a provocative debug signature


Back in Windows 95, there was an elusive heap corruption bug in the graphics engine, and after a lot of analysis, the graphics folks were convinced that the corruption was coming from outside their component, and they had a pretty good idea who the corruptor was, but they needed proof.

One of the standard techniques for narrowing down the source of a problem like this is to put a signature value in the object and validate the signature on entry to every function that uses that object, as well as on exit. If you find that the signature was valid on entry but is corrupted on exit, then your function corrupted it. Conversely, if it was valid on exit but is invalid on a subsequent entry, then somebody else corrupted it. At least that's the theory.
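The entry/exit check described above, as an added example in C (not code from the Windows 95 investigation). The `widget_t` type, the `WIDGET_SIG` value, and every function name here are hypothetical, and both "bugs" are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical signature; reads "JDX!" in a little-endian byte dump. */
#define WIDGET_SIG 0x2158444Au

typedef enum { SIG_OK, CORRUPTED_INSIDE, CORRUPTED_OUTSIDE } verdict_t;

typedef struct {
    uint32_t sig;    /* validated on entry to and exit from every widget function */
    int      count;
} widget_t;

static void widget_init(widget_t *w) { w->sig = WIDGET_SIG; w->count = 0; }

/* Run one operation with the signature checks around it.
 * In multithreaded code both checks must happen while holding the object's lock. */
static verdict_t widget_call(widget_t *w, void (*op)(widget_t *)) {
    if (w->sig != WIDGET_SIG)
        return CORRUPTED_OUTSIDE;  /* bad on entry: damaged between our calls */
    op(w);
    if (w->sig != WIDGET_SIG)
        return CORRUPTED_INSIDE;   /* good on entry, bad on exit: op did it */
    return SIG_OK;
}

static void op_increment(widget_t *w) { w->count++; }

/* Constructed bug inside the component: wipes the object, signature included. */
static void op_buggy_reset(widget_t *w) { memset(w, 0, sizeof *w); }

/* Constructed bug in another component: a write through a stale pointer. */
static void other_component_stray_write(void *stale) {
    memset(stale, 0xCC, sizeof(uint32_t));
}

int main(void) {
    widget_t w;
    widget_init(&w);
    printf("clean call:       %d\n", widget_call(&w, op_increment));
    other_component_stray_write(&w);
    printf("after stray write: %d\n", widget_call(&w, op_increment));
    widget_init(&w);
    printf("buggy own op:     %d\n", widget_call(&w, op_buggy_reset));
    return 0;
}
```
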

The developer who was responsible for investigating the bug decided to use this "signature value" technique. It is often the case that, for throwaway temporary signatures like this, you will use your own initials as the signature value. This is partly egotism but mostly just lack of creativity. But this particular developer had a better idea. Since he had a pretty good idea which component was corrupting the memory, he used not his own initials, but the initials of the developer responsible for the component he thought was the corruptor! That way, when that developer's component corrupted the signature, it'd just be corrupting his own initials.

Of course, when the developer of the suspect component saw this check-in, he felt kind of insulted. After all, his friend just accused him of corrupting memory.

(Epilogue: It turns out that the graphics folks were right. It was that other component that was corrupting the memory.)

Comments (19)
  1. Andrew Feldstein says:

    Especially when, like mine, your initials are hex digits!

  2. Nathan says:

    Personality types — get offended when there’s a suggestion you did something wrong (and demand proof) or help out and try to find the problem. Not sure I’d wanna work with the offended person on a project..

    [He wasn’t offended, just a little hurt. The two were friends, and both knew it was just teasing. -Raymond]
  3. Bob says:

    Wow. That’s awesome.

  4. Phaeron says:

    Seems to me that a couple of iterations of rand() would have been equally effective while avoiding the ego problem entirely.

    Also, I’ve found that validation in and out of a function has a flaw: it leads to false positives when multiple threads are involved, because the thread that caused the corruption might not exit its function before another thread detects the violation.

    [The output of rand() is harder to spot in a memory dump. And of course you have to check the signature while you hold the object lock. -Raymond]
  5. Mike Weiss says:

    The initials? "R.C." ;)

  6. Blog by Bob says:

    SMACK! Well, not really but funny none the less … <small quote> The developer who was responsible

  7. Barry Leiba says:

    In the Olden Days, we used to use the hex string 0xDEADBEEF.  Very easy to spot in the hex dump.  And if you fill unallocated memory with it, it also tends to make programs crash, when they might otherwise run happily if the stuff were filled with zeros instead.

    [But you don’t want your signature to be the same as somebody else’s. -Raymond]
  8. jon says:

    Not so good for vegetarians though.

  9. Kemp says:

    There’s plenty of common ones out there including the ever popular 0xDEADBEEF (mentioned above) and 0xCAFEBABE. I guess it depends on how much space you need to fill.

  10. Wesha says:

    You forgot the (in)famous 0x0BA0BAB0

  11. Hayden says:

    0x0BA0BAB0 has the disadvantage of being even. Bad if you’re coding for a hard-alignment processor (Hitachi SH, ARM?)

    </gaffer mode>

  12. Csaboka says:

    Don’t forget about 0xBAADF00D, the value Windows NT uses for some uninitialized memory. It doesn’t offend vegetarians, either, unlike 0xDEADBEEF :)

  13. cjm says:

    LOL!  I like the CAFEBABE and BAADFOOD examples.

    I personally use something like ABCD1234 or 12345678 if it is easy to pick a signature out of a memory dump.  If a bug is really annoying me though, I might encode a swearword as a string and print it out at the start and the end of the function.

  14. mccoyn says:

    Those swear words.  We had a developer who had one situation that he just couldn’t deal with, so for the time being he replaced it with a dialog that indicated in the most profane way that something was terribly wrong.  Then, he went ahead and finished the rest of the component.

    The problem was he forgot to check that corner condition and it made it out to a customer who happened upon that condition.

  15. Cooney says:

    Don’t forget about 0xBAADF00D, the value Windows NT uses for some uninitialized memory. It doesn’t offend vegetarians, either, unlike 0xDEADBEEF :)

    Eh, who’d be offended by DEADBEEF in their memory dump? It doesn’t make their computer smell or anything :)

  16. Geoff says:

    On pre OSX Macs the first IIRC 512 bytes of RAM were not used because too many people were writing to it with a null pointer. There was an extension called Even Better Bus Error that would write a signature to memory location 0 and check it on every video vertical retrace. If the signature changed EBBE would generate a bus error and halt the machine. You could catch the error in MacsBug and debug the problem. It was a great tool to check to see if you messed up and had code that wrote to a null pointer.

    People saw that it was a popular extension so they would download and install it. Immediately their machine would start "crashing" with a bus error. The users had no idea that the extension was supposed to do this and sent the developer tons of nasty emails saying that his extension was buggy. Of course it wasn’t.

    IIRC EBBE used DEADBEEF because not only was it easy to see it was also an invalid memory address.

  17. Norman Diamond says:

    The users had no idea that the extension was supposed to do this and sent the developer tons of nasty emails saying that his extension was buggy.

    So even in Mac-land, no good deed goes unpunished.

    This junk has a long history.  Even Charles Babbage was vilified for trying to remove bugs from tables of logarithms.

  18. DriverDude says:

    "There was an extension called Even Better Bus Error…"

    Huh, the "Error" part of the name wasn’t enough to dissuade people from trying it?

    Maybe it’s the promise of something "Even Better" that won them over.

    I must say, though, this one cracked me up…

    -J

  19. DriverDude says:

    One of the disadvantages of little-endianness is that sigs such as 0xDEADBEEF show up as EF BE AD DE in a byte dump. Or as shorts: BEEF DEAD

    It’s ironic the practice of using 4-char tags makes it easy to see in a dump but harder to read in the source code: you write ‘edud’ in order to find ‘dude’ in a dump. See ExAllocPoolWithTag()

    I sometimes use 0x11111111 because a bunch of skinny 1’s stands out among other fat chars – and obviously because it’s endian-agnostic.
