Re: fvwm frees invalid pointer
On Tue, Sep 17, 2013 at 10:04:52AM -0400, Dan Espen wrote: DJust got a very different panic. It may be unrelated D to the free/malloc problems, but since fvwm was rock stable D for the last 10 years for me, I'm prone to think that all D my recent crashes are caused by the same single problem. D D (gdb) bt D #0 0x004daab8 in FlocaleDrawString (dpy=0x804831000, flf=0x80482f980, D fws=0x80482aec0, flags=0) at Flocale.c:1983 D ... D Core saved, I can provide more info. D D Starting to look like a memory overlay somewhere. D In which case valgrind or one of the other memory checkers would be D more useful. D D Do list. D Print fws, *fws, comb_chars, i. (gdb) list 1978 while(comb_chars[i].c.byte1 != 0 && comb_chars[i].c.byte2 != 0) 1979 { 1980 /* draw composing character on top of corresponding 1981 real character */ 1982 FlocaleWinString tmp_fws = *fws; 1983 int offset = pixel_pos[comb_chars[i].position]; 1984 char *buf2; 1985 int out_len; 1986 curr_len = FlocaleChar2bOneCharToUtf8(comb_chars[i].c, 1987 buf); Current language: auto; currently minimal (gdb) p fws $1 = (FlocaleWinString *) 0x80482aec0 (gdb) p *fws $2 = {str = 0x804a0f230 Shells, e_str = 0x804a37850 Shells, str2b = 0x0, gc = 0x80482f840, colorset = 0x804a13410, win = 18874669, x = 3, y = 33, len = 0, clip_region = 0x0, flags = {text_rotation = 0, has_colorset = 1, has_clip_region = 0}} (gdb) p comb_chars $3 = (superimpose_char_t *) 0x804a37850 (gdb) p i $4 = 0 (gdb) -- Totus tuus, Glebius.
Re: fvwm frees invalid pointer
Gleb Smirnoff gleb...@glebius.int.ru writes: On Tue, Sep 17, 2013 at 10:04:52AM -0400, Dan Espen wrote: DJust got a very different panic. It may be unrelated D to the free/malloc problems, but since fvwm was rock stable D for the last 10 years for me, I'm prone to think that all D my recent crashes are caused by the same single problem. D D (gdb) bt D #0 0x004daab8 in FlocaleDrawString (dpy=0x804831000, flf=0x80482f980, D fws=0x80482aec0, flags=0) at Flocale.c:1983 D ... D Core saved, I can provide more info. D D Starting to look like a memory overlay somewhere. D In which case valgrind or one of the other memory checkers would be D more useful. D D Do list. D Print fws, *fws, comb_chars, i. (gdb) list 1978 while(comb_chars[i].c.byte1 != 0 && comb_chars[i].c.byte2 != 0) 1979 { 1980 /* draw composing character on top of corresponding 1981 real character */ 1982 FlocaleWinString tmp_fws = *fws; 1983 int offset = pixel_pos[comb_chars[i].position]; 1984 char *buf2; 1985 int out_len; 1986 curr_len = FlocaleChar2bOneCharToUtf8(comb_chars[i].c, 1987 buf); Current language: auto; currently minimal (gdb) p fws $1 = (FlocaleWinString *) 0x80482aec0 (gdb) p *fws $2 = {str = 0x804a0f230 Shells, e_str = 0x804a37850 Shells, str2b = 0x0, gc = 0x80482f840, colorset = 0x804a13410, win = 18874669, x = 3, y = 33, len = 0, clip_region = 0x0, flags = {text_rotation = 0, has_colorset = 1, has_clip_region = 0}} (gdb) p comb_chars $3 = (superimpose_char_t *) 0x804a37850 (gdb) p i $4 = 0 (gdb) p pixel_pos p *comb_chars p char_len -- Dan Espen
Re: fvwm frees invalid pointer
On Tue, Sep 17, 2013 at 10:54:22AM -0400, Dan Espen wrote: D D Do list. D D Print fws, *fws, comb_chars, i. D D (gdb) list D 1978 while(comb_chars[i].c.byte1 != 0 && comb_chars[i].c.byte2 != 0) D 1979 { D 1980 /* draw composing character on top of corresponding D 1981 real character */ D 1982 FlocaleWinString tmp_fws = *fws; D 1983 int offset = pixel_pos[comb_chars[i].position]; D 1984 char *buf2; D 1985 int out_len; D 1986 curr_len = FlocaleChar2bOneCharToUtf8(comb_chars[i].c, D 1987 buf); D Current language: auto; currently minimal D (gdb) p fws D $1 = (FlocaleWinString *) 0x80482aec0 D (gdb) p *fws D $2 = {str = 0x804a0f230 Shells, e_str = 0x804a37850 Shells, str2b = 0x0, Dgc = 0x80482f840, colorset = 0x804a13410, win = 18874669, x = 3, y = 33, Dlen = 0, clip_region = 0x0, flags = {text_rotation = 0, has_colorset = 1, D has_clip_region = 0}} D (gdb) p comb_chars D $3 = (superimpose_char_t *) 0x804a37850 D (gdb) p i D $4 = 0 D (gdb) D D p pixel_pos D p *comb_chars D p char_len (gdb) p pixel_pos $1 = (int *) 0x804a48420 (gdb) p *comb_chars $2 = {position = 1818585171, c = {byte1 = 108 'l', byte2 = 115 's'}} (gdb) p char_len $3 = 6 -- Totus tuus, Glebius.
Re: fvwm frees invalid pointer
Gleb Smirnoff gleb...@glebius.int.ru writes: On Tue, Sep 17, 2013 at 10:54:22AM -0400, Dan Espen wrote: D D Do list. D D Print fws, *fws, comb_chars, i. D D (gdb) list D 1978 while(comb_chars[i].c.byte1 != 0 && comb_chars[i].c.byte2 != 0) D 1979 { D 1980 /* draw composing character on top of corresponding D 1981 real character */ D 1982 FlocaleWinString tmp_fws = *fws; D 1983 int offset = pixel_pos[comb_chars[i].position]; D 1984 char *buf2; D 1985 int out_len; D 1986 curr_len = FlocaleChar2bOneCharToUtf8(comb_chars[i].c, D 1987 buf); D Current language: auto; currently minimal D (gdb) p fws D $1 = (FlocaleWinString *) 0x80482aec0 D (gdb) p *fws D $2 = {str = 0x804a0f230 Shells, e_str = 0x804a37850 Shells, str2b = 0x0, Dgc = 0x80482f840, colorset = 0x804a13410, win = 18874669, x = 3, y = 33, Dlen = 0, clip_region = 0x0, flags = {text_rotation = 0, has_colorset = 1, D has_clip_region = 0}} D (gdb) p comb_chars D $3 = (superimpose_char_t *) 0x804a37850 D (gdb) p i D $4 = 0 D (gdb) D D p pixel_pos D p *comb_chars D p char_len (gdb) p pixel_pos $1 = (int *) 0x804a48420 (gdb) p *comb_chars $2 = {position = 1818585171, c = {byte1 = 108 'l', byte2 = 115 's'}} (gdb) p char_len $3 = 6 p *pixel_pos -- Dan Espen
Re: fvwm frees invalid pointer
On Tue, Sep 17, 2013 at 11:55:01AM -0400, Dan Espen wrote: D On Tue, Sep 17, 2013 at 10:54:22AM -0400, Dan Espen wrote: D D D Do list. D D D Print fws, *fws, comb_chars, i. D D D D (gdb) list D D 1978 while(comb_chars[i].c.byte1 != 0 && comb_chars[i].c.byte2 != 0) D D 1979 { D D 1980 /* draw composing character on top of corresponding D D 1981 real character */ D D 1982 FlocaleWinString tmp_fws = *fws; D D 1983 int offset = pixel_pos[comb_chars[i].position]; D D 1984 char *buf2; D D 1985 int out_len; D D 1986 curr_len = FlocaleChar2bOneCharToUtf8(comb_chars[i].c, D D 1987 buf); D D Current language: auto; currently minimal D D (gdb) p fws D D $1 = (FlocaleWinString *) 0x80482aec0 D D (gdb) p *fws D D $2 = {str = 0x804a0f230 Shells, e_str = 0x804a37850 Shells, str2b = 0x0, D Dgc = 0x80482f840, colorset = 0x804a13410, win = 18874669, x = 3, y = 33, D Dlen = 0, clip_region = 0x0, flags = {text_rotation = 0, has_colorset = 1, D D has_clip_region = 0}} D D (gdb) p comb_chars D D $3 = (superimpose_char_t *) 0x804a37850 D D (gdb) p i D D $4 = 0 D D (gdb) D D D D p pixel_pos D D p *comb_chars D D p char_len D D (gdb) p pixel_pos D $1 = (int *) 0x804a48420 D (gdb) p *comb_chars D $2 = {position = 1818585171, c = {byte1 = 108 'l', byte2 = 115 's'}} D (gdb) p char_len D $3 = 6 D D p *pixel_pos (gdb) p *pixel_pos $1 = 0 -- Totus tuus, Glebius.
Re: fvwm frees invalid pointer
I'm prone to think that all my recent crashes are caused by the same single problem. Playing the binary search game suggests an issue came in sometime between 2.6.3 and 2.6.4. Then again, my reproduction procedure is a little shaky, so that might be a bad datapoint. Valgrind has been exceptionally unhelpful for me, except to say that the same pointer was freed twice. Based on my binary search, right now I'm eying a change in events.c between 2.6.3 and 2.6.4. Jonathan
Re: fvwm frees invalid pointer
Schaaf, Jonathan P (GE Healthcare) jonathan.p.sch...@ge.com writes: Sorry, I've tried just setting LC_TYPE to ru_RU.UTF-8. That doesn't seem to be sufficient to cause the problem. Any more hints would be helpful. My reproduction procedure involves more superstition than science, so it's probably less than helpful. I can't get it to work myself when I move to a different computer, and can't find any identifiable settings that should have an impact: set LC_CTYPE, start the gimp, open a .jpg file, use save as to save to a new filename, accept the compression settings, select file->close, then file->quit. If that doesn't work the first time... save yourself some time and don't try again. If it does work, it seems to repeat almost every time. I haven't figured out what's going on yet, but here are my observations so far: (1) The LC_CTYPE environment variable is causing gimp/firefox/whatever to use names that are localized, which creates a name_list in Flocale.c. This means that the LC_CTYPE variable does NOT need to be set when launching FVWM. (2) Just before the crash, I see two completely different functions causing the same name_list to be freed. a) The first to free is within EWMH_WMName(), when it calls free_window_names(fw, True, False). This ultimately frees fw->name.name_list. b) The second free is within destroy_icon(), when it calls free_window_names(fw, False, True). This ultimately frees fw->icon_name.name_list. (3) For reasons I do not yet understand, in the crash situation fw->icon_name and fw->name of a different window have an identical name_list. When the second free of the list happens, fvwm crashes. I'll keep tinkering with this in my spare time, and I'll see what I can figure out. There's a bit of a mess in there, but every free should be accompanied by setting the pointer to the freed item to NULL or, in some cases, to Untitled. As long as the areas are checked before free, everything should be okay. 
There's also the case where name and name_list represent the same object. That's why we see this in Flocale.c: if (ptext->name != NULL && ptext->name != *ptext->name_list) XFree(ptext->name); name and name_list can represent the same thing, so it only wants to free one of them. Like I say, a bit of a mess. But I need to be able to create the problem before making a fix. So far I'm unable to even get into the code, but I'm American and hopeless with foreign languages. I did get Russian in my title bars, but no tracing of the area with the abend. If this is inconsistent, efence might help. It will report problems even when it doesn't crash. -- Dan Espen
Re: fvwm frees invalid pointer
Gleb Smirnoff gleb...@glebius.int.ru writes: Configuration Information [Automatically generated, do not change]: uname: FreeBSD think.nginx.com 10.0-CURRENT FreeBSD 10.0-CURRENT #11 r254323: Wed Aug 14 17:08:51 MSK 2013 gleb...@think.nginx.com:/usr/obj/usr/src/head/sys/THINKPAD_X1 amd64 compiler flags: cc -Wall -Wno-implicit-int -g -I/usr/local/include FVWM Version: 2.6.5 FVWM_MODULEDIR: /usr/local/libexec/fvwm/2.6.5 FVWM_DATADIR: /usr/local/share/fvwm FVWM_USERDIR: /home/glebius/.fvwm Description: Fvwm crashes in free() in libc a couple of times per day. Crashes are different, and the call path can involve different libraries, but the problem is always in free(). Here is an example: (gdb) bt #0 __free (ptr=0x796b6369745321) at arena.h:504 #1 0x000800bc02a7 in XFreeStringList (list=0x804a18c08) at TextToStr.c:113 #2 0x004de0a3 in FlocaleFreeNameProperty (ptext=0x804a05010) at Flocale.c:2358 Sorry, I've tried just setting LC_TYPE to ru_RU.UTF-8. That doesn't seem to be sufficient to cause the problem. Any more hints would be helpful. If you know how to use gdb, a print of ptext might be helpful. -- Dan Espen
Re: fvwm frees invalid pointer
Repeat-By: I am not sure, but the problem seems to appear after I have switched my locale from ru_RU.KOI8-R to ru_RU.UTF-8. I can reproduce this problem using GIMP (which also changes the titlebar content after you save the file). I agree that the locale seems to have something to do with the issue -- I wasn't able to reproduce the issue until I set the LC_CTYPE variable. In addition to Russian, using ja_JP.UTF-8 also causes the issue. Jonathan
fvwm frees invalid pointer
Configuration Information [Automatically generated, do not change]: uname: FreeBSD think.nginx.com 10.0-CURRENT FreeBSD 10.0-CURRENT #11 r254323: Wed Aug 14 17:08:51 MSK 2013 gleb...@think.nginx.com:/usr/obj/usr/src/head/sys/THINKPAD_X1 amd64 compiler flags: cc -Wall -Wno-implicit-int -g -I/usr/local/include FVWM Version: 2.6.5 FVWM_MODULEDIR: /usr/local/libexec/fvwm/2.6.5 FVWM_DATADIR: /usr/local/share/fvwm FVWM_USERDIR: /home/glebius/.fvwm Description: Fvwm crashes in free() in libc a couple of times per day. Crashes are different, and the call path can involve different libraries, but the problem is always in free(). Here is an example: (gdb) bt #0 __free (ptr=0x796b6369745321) at arena.h:504 #1 0x000800bc02a7 in XFreeStringList (list=0x804a18c08) at TextToStr.c:113 #2 0x004de0a3 in FlocaleFreeNameProperty (ptext=0x804a05010) at Flocale.c:2358 #3 0x00465f57 in free_window_names (fw=0x804a05000, nukename=0, nukeicon=1) at add_window.c:3171 #4 0x004d4005 in EWMH_WMIconName (fw=0x804a05000, ev=0x73cb28, style=0x0, any=0) at ewmh_names.c:175 #5 0x004abd6f in EWMH_ProcessPropertyNotify (exc=0x80482b300) at ewmh_events.c:1620 #6 0x004468ea in HandlePropertyNotify (ea=0x7fffd488) at events.c:3628 #7 0x0044777f in dispatch_event (e=0x7fffd4c0) at events.c:4135 #8 0x004481a1 in HandleEvents () at events.c:4179 #9 0x00477293 in main (argc=2, argv=0x7fffdbf0) at fvwm.c:2591 Current language: auto; currently minimal (gdb) fr 1 #1 0x000800bc02a7 in XFreeStringList (list=0x804a18c08) at TextToStr.c:113 113 if (list[0]) Xfree (list[0]); (gdb) p list[0] $1 = 0x796b6369745321 Address 0x796b6369745321 out of bounds (gdb) fr 2 #2 0x004de0a3 in FlocaleFreeNameProperty (ptext=0x804a05010) at Flocale.c:2358 2358 XFreeStringList(ptext->name_list); (gdb) p ptext->name_list $2 = (char **) 0x804a18c08 (gdb) p *ptext->name_list $3 = 0x796b6369745321 Address 0x796b6369745321 out of bounds (gdb) fr 3 #3 0x00465f57 in free_window_names (fw=0x804a05000, nukename=0, nukeicon=1) at add_window.c:3171 3171 
FlocaleFreeNameProperty(&(fw->icon_name)); (gdb) p fw->icon_name $4 = { name = 0x804a29500 Шо�\201�\201е�\200 зимой на оживленной п�\200иго�\200одной �\202�\200а�\201�\201е - С�\202�\200ани�\206а 26 - Mozilla Firefox, name_list = 0x804a18c08} (gdb) p fw->icon_name->name_list $5 = (char **) 0x804a18c08 (gdb) p *fw->icon_name->name_list $6 = 0x796b6369745321 Address 0x796b6369745321 out of bounds The above crash happened when I closed a tab in Firefox and the window title changed. Repeat-By: I am not sure, but the problem seems to appear after I have switched my locale from ru_RU.KOI8-R to ru_RU.UTF-8. Fix: Not known.