** Summary changed:

- Freed memory read in damageDestroyPixmap() from sna_early_close_screen() from 
xf86CrtcCloseScreen()
+ X crashes due to freed memory read in damageDestroyPixmap() from 
sna_early_close_screen() from xf86CrtcCloseScreen()

** Also affects: xorg-server (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: xorg-server (Ubuntu)
   Importance: Undecided => Critical

** Changed in: xmir
       Status: New => Confirmed

** Changed in: xorg-server (Ubuntu)
       Status: New => Confirmed

** Description changed:

- XMir: DDX memory use after being freed from libmirclient ...
+ XMir: DDX memory use after being freed from libmirclient. Though it
+ looks like bug 1221616 might be the root cause so see that first.
  
  ==32480== Invalid read of size 8
  ==32480==    at 0x234D84: damageDestroyPixmap (damage.c:1544)
  ==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
  ==32480==    by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
  ==32480==    by 0x1EB64D: CursorCloseScreen (cursor.c:193)
  ==32480==    by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
  ==32480==    by 0x14C636: main (main.c:351)
  ==32480==  Address 0xb98d190 is 16 bytes inside a block of size 296 free'd
  ==32480==    at 0x4C2BADC: operator delete(void*) (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==32480==    by 0x8A03F07: 
__gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> 
>::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) 
(new_allocator.h:110)
  ==32480==    by 0x8A03CB0: 
std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage,
 std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > 
>::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, 
std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) 
(alloc_traits.h:377)
  ==32480==    by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() 
(shared_ptr_base.h:417)
  ==32480==    by 0x89E1091: 
std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() 
(shared_ptr_base.h:161)
  ==32480==    by 0x89E0EC0: 
std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() 
(shared_ptr_base.h:553)
  ==32480==    by 0x89E6711: std::__shared_ptr<MirBufferPackage, 
(__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
  ==32480==    by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() 
(shared_ptr.h:93)
  ==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() 
(mir_surface.cpp:179)
  ==32480==    by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, 
void*), void*) (mir_surface.cpp:215)
  ==32480==    by 0x8A04A12: 
google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, 
void*), void*>::Run() (common.h:969)
  ==32480==    by 0x8A1E81A: 
mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*,
 google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)
- ==32480== 
+ ==32480==
  ==32480== Invalid read of size 4
  ==32480==    at 0x234E03: damageDestroyPixmap (damage.c:1548)
  ==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
  ==32480==    by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
  ==32480==    by 0x1EB64D: CursorCloseScreen (cursor.c:193)
  ==32480==    by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
  ==32480==    by 0x14C636: main (main.c:351)
  ==32480==  Address 0xb98d1a8 is 40 bytes inside a block of size 296 free'd
  ==32480==    at 0x4C2BADC: operator delete(void*) (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==32480==    by 0x8A03F07: 
__gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> 
>::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) 
(new_allocator.h:110)
  ==32480==    by 0x8A03CB0: 
std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage,
 std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > 
>::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, 
std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) 
(alloc_traits.h:377)
  ==32480==    by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, 
std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() 
(shared_ptr_base.h:417)
  ==32480==    by 0x89E1091: 
std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() 
(shared_ptr_base.h:161)
  ==32480==    by 0x89E0EC0: 
std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() 
(shared_ptr_base.h:553)
  ==32480==    by 0x89E6711: std::__shared_ptr<MirBufferPackage, 
(__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
  ==32480==    by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() 
(shared_ptr.h:93)
  ==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() 
(mir_surface.cpp:179)
  ==32480==    by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, 
void*), void*) (mir_surface.cpp:215)
  ==32480==    by 0x8A04A12: 
google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, 
void*), void*>::Run() (common.h:969)
  ==32480==    by 0x8A1E81A: 
mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*,
 google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)

https://bugs.launchpad.net/bugs/1224296

Title:
  X crashes due to freed memory read in damageDestroyPixmap() from
  sna_early_close_screen() from xf86CrtcCloseScreen()
