Re: cwm crashes on Linux when combining grouponly/movetogroup
Ted Unangst ted.unan...@gmail.com writes:
On Sun, 13 Feb 2011, Christian Neukirchen wrote:
Catching up on this bug, which has hit some other users I know now as well.
For some reason cc-stackingorder is bigger than gc-highstack (which is
0 in above use case), thus the assignment writes to a negative address
relative to winlist. I can reproduce that on OpenBSD 4.8/cwm HEAD as
easiest fix is to apply a liberal dose of the big hammer:
Index: group.c
===
RCS file: /cvs/xenocara/app/cwm/group.c,v
retrieving revision 1.48
diff -u group.c
--- group.c 25 Sep 2010 20:01:27 - 1.48
+++ group.c 13 Feb 2011 02:07:37 -
@@ -108,6 +108,11 @@
u_inti;
int lastempty = -1;
+ gc-highstack = 0;
+ TAILQ_FOREACH(cc, gc-clients, group_entry) {
+ if (cc-stackingorder gc-highstack)
+ gc-highstack = cc-stackingorder;
+ }
winlist = (Window *) xcalloc(sizeof(*winlist), (gc-highstack + 1));
/*
That seems to fix it, thanks.
--
Christian Neukirchen chneukirc...@gmail.com http://chneukirchen.org
Re: cwm crashes on Linux when combining grouponly/movetogroup
Catching up on this bug, which has hit some other users I know now as well.
Christian Neukirchen chneukirc...@gmail.com writes:
I found this key sequence to crash cwm on Linux in CVS HEAD:
Minimal .cwmrc:
bind C-i grouponly2
bind CS-i movetogroup2
Run cwm, open a window (say xterm), press C-i, press CS-i, press C-i.
cwm crashes on Linux with this backtrace:
#0 0x76027595 in raise () from /lib/libc.so.6
#1 0x76028a16 in abort () from /lib/libc.so.6
#2 0x760612cb in ?? () from /lib/libc.so.6
#3 0x76066676 in ?? () from /lib/libc.so.6
#4 0x00408a72 in group_show (sc=0x625d80, gc=0x625f38) at
group.c:135
#5 0x00408e76 in group_only (sc=0x625d80, idx=4) at group.c:302
#6 0x004084e7 in xev_handle_keypress (ee=0x7fffde00)
at xevents.c:335
#7 0x004087dd in xev_loop () at xevents.c:446
#8 0x00403969 in main (argc=value optimized out,
argv=value optimized out) at calmwm.c:92
Analyzing group_show, I found out:
winlist = (Window *) xcalloc(sizeof(*winlist), (gc-highstack + 1));
...
TAILQ_FOREACH(cc, gc-clients, group_entry) {
winlist[gc-highstack - cc-stackingorder] = cc-win;
client_unhide(cc);
}
For some reason cc-stackingorder is bigger than gc-highstack (which is
0 in above use case), thus the assignment writes to a negative address
relative to winlist. I can reproduce that on OpenBSD 4.8/cwm HEAD as
well, it just doesn't crash there because the heap corruption goes
undetected.
I hope this helps debugging, I don't fully understand the code yet.
Breakpoint 1, group_show (sc=0x624e70, gc=0x624f98) at group.c:118
118 winlist[gc-highstack - cc-stackingorder] = cc-win;
(gdb) p gc-highstack
$5 = 0
(gdb) p cc-stackingorder
$6 = 1
--
Christian Neukirchen chneukirc...@gmail.com http://chneukirchen.org
Re: cwm crashes on Linux when combining grouponly/movetogroup
On Sun, 13 Feb 2011, Christian Neukirchen wrote:
Catching up on this bug, which has hit some other users I know now as well.
For some reason cc-stackingorder is bigger than gc-highstack (which is
0 in above use case), thus the assignment writes to a negative address
relative to winlist. I can reproduce that on OpenBSD 4.8/cwm HEAD as
easiest fix is to apply a liberal dose of the big hammer:
Index: group.c
===
RCS file: /cvs/xenocara/app/cwm/group.c,v
retrieving revision 1.48
diff -u group.c
--- group.c 25 Sep 2010 20:01:27 - 1.48
+++ group.c 13 Feb 2011 02:07:37 -
@@ -108,6 +108,11 @@
u_inti;
int lastempty = -1;
+ gc-highstack = 0;
+ TAILQ_FOREACH(cc, gc-clients, group_entry) {
+ if (cc-stackingorder gc-highstack)
+ gc-highstack = cc-stackingorder;
+ }
winlist = (Window *) xcalloc(sizeof(*winlist), (gc-highstack + 1));
/*
