** No longer affects: xmir

** Tags added: xmir
--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xorg-server in Ubuntu.
https://bugs.launchpad.net/bugs/1224296

Title:
  X crashes due to freed memory read in damageDestroyPixmap() from sna_early_close_screen() from xf86CrtcCloseScreen()

Status in xorg-server package in Ubuntu:
  Confirmed

Bug description:
  XMir: the DDX reads memory after libmirclient has freed it (use-after-free). Bug 1221616 looks like it might be the root cause, so see that first.

==32480== Invalid read of size 8
==32480==    at 0x234D84: damageDestroyPixmap (damage.c:1544)
==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
==32480==    by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
==32480==    by 0x1EB64D: CursorCloseScreen (cursor.c:193)
==32480==    by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
==32480==    by 0x14C636: main (main.c:351)
==32480==  Address 0xb98d190 is 16 bytes inside a block of size 296 free'd
==32480==    at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32480==    by 0x8A03F07: __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (new_allocator.h:110)
==32480==    by 0x8A03CB0: std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (alloc_traits.h:377)
==32480==    by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (shared_ptr_base.h:417)
==32480==    by 0x89E1091: std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (shared_ptr_base.h:161)
==32480==    by 0x89E0EC0: std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (shared_ptr_base.h:553)
==32480==    by 0x89E6711: std::__shared_ptr<MirBufferPackage, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
==32480==    by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() (shared_ptr.h:93)
==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
==32480==    by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, void*), void*) (mir_surface.cpp:215)
==32480==    by 0x8A04A12: google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, void*), void*>::Run() (common.h:969)
==32480==    by 0x8A1E81A: mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*, google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)
==32480==
==32480== Invalid read of size 4
==32480==    at 0x234E03: damageDestroyPixmap (damage.c:1548)
==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
==32480==    by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
==32480==    by 0x1EB64D: CursorCloseScreen (cursor.c:193)
==32480==    by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
==32480==    by 0x14C636: main (main.c:351)
==32480==  Address 0xb98d1a8 is 40 bytes inside a block of size 296 free'd
==32480==    at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32480==    by 0x8A03F07: __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (new_allocator.h:110)
==32480==    by 0x8A03CB0: std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (alloc_traits.h:377)
==32480==    by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (shared_ptr_base.h:417)
==32480==    by 0x89E1091: std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (shared_ptr_base.h:161)
==32480==    by 0x89E0EC0: std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (shared_ptr_base.h:553)
==32480==    by 0x89E6711: std::__shared_ptr<MirBufferPackage, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
==32480==    by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() (shared_ptr.h:93)
==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
==32480==    by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, void*), void*) (mir_surface.cpp:215)
==32480==    by 0x8A04A12: google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, void*), void*>::Run() (common.h:969)
==32480==    by 0x8A1E81A: mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*, google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)

