Re: cwm crashes on Linux when combining grouponly/movetogroup
Ted Unangst ted.unan...@gmail.com writes:

On Sun, 13 Feb 2011, Christian Neukirchen wrote:

Catching up on this bug, which has hit some other users I know now as well. For some reason cc->stackingorder is bigger than gc->highstack (which is 0 in above use case), thus the assignment writes to a negative address relative to winlist. I can reproduce that on OpenBSD 4.8/cwm HEAD as

easiest fix is to apply a liberal dose of the big hammer:

Index: group.c === RCS file: /cvs/xenocara/app/cwm/group.c,v retrieving revision 1.48 diff -u group.c --- group.c 25 Sep 2010 20:01:27 - 1.48 +++ group.c 13 Feb 2011 02:07:37 - @@ -108,6 +108,11 @@ u_inti; int lastempty = -1; + gc-highstack = 0; + TAILQ_FOREACH(cc, gc-clients, group_entry) { + if (cc-stackingorder gc-highstack) + gc-highstack = cc-stackingorder; + } winlist = (Window *) xcalloc(sizeof(*winlist), (gc-highstack + 1)); /*

That seems to fix it, thanks.

--
Christian Neukirchen chneukirc...@gmail.com http://chneukirchen.org
Re: cwm crashes on Linux when combining grouponly/movetogroup
Catching up on this bug, which has hit some other users I know now as well.

Christian Neukirchen chneukirc...@gmail.com writes:

I found this key sequence to crash cwm on Linux in CVS HEAD:

Minimal .cwmrc:

    bind C-i grouponly2
    bind CS-i movetogroup2

Run cwm, open a window (say xterm), press C-i, press CS-i, press C-i.

cwm crashes on Linux with this backtrace:

    #0 0x76027595 in raise () from /lib/libc.so.6
    #1 0x76028a16 in abort () from /lib/libc.so.6
    #2 0x760612cb in ?? () from /lib/libc.so.6
    #3 0x76066676 in ?? () from /lib/libc.so.6
    #4 0x00408a72 in group_show (sc=0x625d80, gc=0x625f38) at group.c:135
    #5 0x00408e76 in group_only (sc=0x625d80, idx=4) at group.c:302
    #6 0x004084e7 in xev_handle_keypress (ee=0x7fffde00) at xevents.c:335
    #7 0x004087dd in xev_loop () at xevents.c:446
    #8 0x00403969 in main (argc=<value optimized out>, argv=<value optimized out>) at calmwm.c:92

Analyzing group_show, I found out:

    winlist = (Window *) xcalloc(sizeof(*winlist), (gc->highstack + 1));
    ...
    TAILQ_FOREACH(cc, &gc->clients, group_entry) {
            winlist[gc->highstack - cc->stackingorder] = cc->win;
            client_unhide(cc);
    }

For some reason cc->stackingorder is bigger than gc->highstack (which is 0 in above use case), thus the assignment writes to a negative address relative to winlist.

I can reproduce that on OpenBSD 4.8/cwm HEAD as well, it just doesn't crash there because the heap corruption goes undetected.

I hope this helps debugging, I don't fully understand the code yet.

    Breakpoint 1, group_show (sc=0x624e70, gc=0x624f98) at group.c:118
    118 winlist[gc->highstack - cc->stackingorder] = cc->win;
    (gdb) p gc->highstack
    $5 = 0
    (gdb) p cc->stackingorder
    $6 = 1

--
Christian Neukirchen chneukirc...@gmail.com http://chneukirchen.org
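The index arithmetic analysed in the message above, as an added example that is not part of the thread and is not cwm's code: a reduced model that counts how many writes would land outside the allocation when the stored highstack is trusted, and when it is recomputed first as the patch in this thread does. The struct shapes and the names group_max_stack, count_oob_writes and sample_group are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for cwm's client/group contexts (assumed shapes). */
struct client { int stackingorder; unsigned long win; };
struct group  { int highstack; size_t nclients; const struct client *clients; };

/* Constructed sample matching the gdb session: highstack 0, stackingorder 1. */
static const struct client sample_clients[] = { { 1, 0x400001UL } };
static const struct group sample_group = { 0, 1, sample_clients };

/* Highest stacking order among the clients actually in the group. */
static int group_max_stack(const struct group *g)
{
    int hi = 0;
    for (size_t i = 0; i < g->nclients; i++)
        if (g->clients[i].stackingorder > hi)
            hi = g->clients[i].stackingorder;
    return hi;
}

/* Fill the inverted window list with every index checked. Returns how many
 * clients map outside the allocation (0 = all in bounds), -1 on error.
 * trust_cached != 0 uses the stored highstack; 0 recomputes it first. */
static int count_oob_writes(const struct group *g, int trust_cached)
{
    int hi = trust_cached ? g->highstack : group_max_stack(g);
    if (hi < 0) return -1;
    size_t n = (size_t)hi + 1;
    unsigned long *winlist = calloc(n, sizeof(*winlist));
    if (winlist == NULL) return -1;
    int oob = 0;
    for (size_t i = 0; i < g->nclients; i++) {
        long idx = (long)hi - g->clients[i].stackingorder;
        if (idx < 0 || (size_t)idx >= n)
            oob++;                      /* the unchecked code writes here */
        else
            winlist[idx] = g->clients[i].win;
    }
    free(winlist);
    return oob;
}

int main(void)
{
    printf("cached highstack: %d out-of-bounds\n", count_oob_writes(&sample_group, 1));
    printf("recomputed:       %d out-of-bounds\n", count_oob_writes(&sample_group, 0));
    return 0;
}
```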
Re: cwm crashes on Linux when combining grouponly/movetogroup
On Sun, 13 Feb 2011, Christian Neukirchen wrote:

Catching up on this bug, which has hit some other users I know now as well. For some reason cc->stackingorder is bigger than gc->highstack (which is 0 in above use case), thus the assignment writes to a negative address relative to winlist. I can reproduce that on OpenBSD 4.8/cwm HEAD as

easiest fix is to apply a liberal dose of the big hammer:

Index: group.c === RCS file: /cvs/xenocara/app/cwm/group.c,v retrieving revision 1.48 diff -u group.c --- group.c 25 Sep 2010 20:01:27 - 1.48 +++ group.c 13 Feb 2011 02:07:37 - @@ -108,6 +108,11 @@ u_inti; int lastempty = -1; + gc-highstack = 0; + TAILQ_FOREACH(cc, gc-clients, group_entry) { + if (cc-stackingorder gc-highstack) + gc-highstack = cc-stackingorder; + } winlist = (Window *) xcalloc(sizeof(*winlist), (gc-highstack + 1)); /*
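
Review bot: the loop added ahead of the xcalloc() call corrects gc->highstack inside group_show() only and leaves in place whatever let the stored value fall behind cc->stackingorder; in the reported key sequence highstack is already 0 with a client at stackingorder 1 before this function runs. Suggest updating highstack at the point where a client joins the group, or at least a comment above the added `gc->highstack = 0;` saying that the cached value is not trusted here and why, so the recomputation is not later removed as redundant. With the loop in place the index gc->highstack - cc->stackingorder used further down can no longer go negative, because highstack is now the maximum over the same client list that the write loop walks.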