Matthieu Herrb wrote:
> Hi,
>
> using OpenBSD's memory allocator (which has an option to fill free()'d
> memory with a specific pattern) I found out that xserver 1.5.3 is
> dumping core on exit.
>
> This is caused by a bad pointer caused by accessing free'd memory in
> DeliverPropertyEvent, because when the RRProperties are destroyed, the
> associated windows have been free'd already.
>
> Here's a short debugging session that shows the problem (0xfd is the
> value used to fill free()'d regions):
>
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
>     at /usr/xenocara/xserver/randr/rrproperty.c:34
> 34          pHead = LookupIDByType(pWin->drawable.id, RREventType);
> (gdb) p **WindowTable
> $1 = {drawable = {type = 223 'ß', class = 223 'ß', depth = 223 'ß',
>     bitsPerPixel = 223 'ß', id = 3755991007, x = -8225, y = -8225,
>     width = 57311, height = 57311, pScreen = 0xdfdfdfdf,
>     serialNumber = 3755991007}, devPrivates = 0xdfdfdfdf, parent = 0xdfdfdfdf,
>   nextSib = 0xdfdfdfdf, prevSib = 0xdfdfdfdf, firstChild = 0xdfdfdfdf,
>   lastChild = 0xdfdfdfdf, clipList = {extents = {x1 = -8225, y1 = -8225,
>       x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderClip = {extents = {
>       x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
>   valdata = 0xdfdfdfdf, winSize = {extents = {x1 = -8225, y1 = -8225,
>       x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderSize = {extents = {
>       x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
>   origin = {x = -8225, y = -8225}, borderWidth = 57311,
>   deliverableEvents = 57311, eventMask = 3755991007, background = {
>     pixmap = 0xdfdfdfdf, pixel = 3755991007}, border = {pixmap = 0xdfdfdfdf,
>     pixel = 3755991007}, backStorage = 0xdfdfdfdf, optional = 0xdfdfdfdf,
>   backgroundState = 3, borderIsPixel = 1, cursorIsNone = 1, backingStore = 1,
>   saveUnder = 1, DIXsaveUnder = 1, bitGravity = 15, winGravity = 13,
>   overrideRedirect = 1, visibility = 3, mapped = 1, realized = 1,
>   viewable = 0, dontPropagate = 7, forcedBS = 1, redirectDraw = 3,
>   forcedBG = 1}
> (gdb) bt
> #0  0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
>     at /usr/xenocara/xserver/randr/rrproperty.c:34
> #1  0x1c025c5c in TraverseTree (pWin=0x879d7900,
>     func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
>     at /usr/xenocara/xserver/dix/window.c:225
> #2  0x1c025d03 in WalkTree (pScreen=0x81310400,
>     func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
>     at /usr/xenocara/xserver/dix/window.c:253
> #3  0x1c148858 in RRDeliverPropertyEvent (pScreen=0x81310400,
>     event=0xcfbc2400)
>     at /usr/xenocara/xserver/randr/rrproperty.c:62
> #4  0x1c1488d2 in RRDeleteAllOutputProperties (output=0x88fa2000)
>     at /usr/xenocara/xserver/randr/rrproperty.c:80
> #5  0x1c147c9f in RROutputDestroyResource (value=0x88fa2000, pid=60)
>     at /usr/xenocara/xserver/randr/rroutput.c:410
> #6  0x1c025078 in FreeClientResources (client=0x7d3f1400)
>     at /usr/xenocara/xserver/dix/resource.c:809
> #7  0x1c02515e in FreeAllResources ()
>     at /usr/xenocara/xserver/dix/resource.c:826
> #8  0x1c021acd in main (argc=1, argv=0xcfbc2578, envp=0xcfbc2580)
>     at /usr/xenocara/xserver/dix/main.c:453
> (gdb)
>
>
> Ideas for fixing that are of course welcome.
>

I've added an ErrorF() call to FreeClientResources() to show the same
info as the DTrace probe in this function. It confirms that the
rootwindow (in the case of a simple server with no client windows) is
destroyed before the outputs:

FreeClientResources MODE 41 7c0c1f00
FreeClientResources MODE 40 7c0c1e00
FreeClientResources MODE 43 7c0c1a40
FreeClientResources MODE 42 7c0c1b40
FreeClientResources MODE 45 7c0c1d80
FreeClientResources MODE 44 7c0c1b00
FreeClientResources MODE 47 840e9100
FreeClientResources MODE 46 7c0c1ec0
FreeClientResources MODE 49 840e9300
FreeClientResources MODE 48 840e92c0
FreeClientResources MODE 4b 840e94c0
FreeClientResources MODE 4a 840e9140
FreeClientResources MODE 4d 840e9040
FreeClientResources MODE 4c 840e9380
FreeClientResources <unknown> 4f 840e90c0
FreeClientResources MODE 4e 7c0c1c40
FreeClientResources <unknown> 51 80e5ad20
FreeClientResources <unknown> 50 80e5a9e0
FreeClientResources COLORMAP 20 82d64000
FreeClientResources PICTFORMAT 23 7e959000
FreeClientResources PICTFORMAT 24 7e959030
FreeClientResources PICTFORMAT 25 7e959060
FreeClientResources PICTFORMAT 26 7e959090
FreeClientResources PICTFORMAT 27 7e9590c0
FreeClientResources PICTFORMAT 28 7e9590f0
FreeClientResources PICTFORMAT 29 7e959120
FreeClientResources PICTFORMAT 2a 7e959150
FreeClientResources PICTFORMAT 2b 7e959180
FreeClientResources PICTFORMAT 2c 7e9591b0
FreeClientResources PICTFORMAT 2d 7e9591e0
FreeClientResources PICTFORMAT 2e 7e959210
FreeClientResources PICTFORMAT 2f 7e959240
FreeClientResources PICTFORMAT 30 7e959270
FreeClientResources PICTFORMAT 31 7e9592a0
FreeClientResources PICTFORMAT 32 7e9592d0
FreeClientResources PICTFORMAT 33 7e959300
FreeClientResources PICTFORMAT 34 7e959330
FreeClientResources PICTFORMAT 35 7e959360
FreeClientResources PICTFORMAT 36 7e959390
FreeClientResources PICTFORMAT 37 7e9593c0
FreeClientResources FONT 79 7ca23800
FreeClientResources PICTFORMAT 38 7e9593f0
FreeClientResources WINDOW 78 7cdf7e00
FreeClientResources CRTC 39 7c0c1d00
FreeClientResources CURSOR 7b 844fad80
FreeClientResources CRTC 3a 7c0c1f80
FreeClientResources FONT 7a 7ca23400
FreeClientResources OUTPUT 3b 840eb400
FreeClientResources OUTPUT 3c 840eb800

--
Matthieu Herrb
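
Added example, not part of the original message and not X server code: a minimal C model of the teardown order logged above (WINDOW freed before OUTPUT), showing how a poison-filling free() makes the stale root pointer detectable. The types, the static pool, the function names and the "clear the root pointer on free" guard are all assumptions made for illustration; the guard is not the fix adopted upstream.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POISON 0xdf   /* fill byte visible in the gdb dump above */

/* Constructed stand-ins for the server's window and output objects. */
typedef struct Window { uint32_t id; struct Window *firstChild; } Window;
typedef struct { Window **root; int nprops; } Output;

/* Static pool: a "freed" slot stays mapped, so inspecting it is defined. */
static Window pool[1];
static Window *root_window;   /* plays the role of WindowTable[0] */

/* Model of a junk-filling free(): overwrite the object with the pattern. */
static void window_free(Window *w) { memset(w, POISON, sizeof *w); }

/* True if every byte of the object carries the poison pattern. */
static int is_poisoned(const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != POISON) return 0;
    return 1;
}

/* Output teardown notifies the window tree once per deleted property.
   Returns events delivered, 0 if there is no tree left to notify, or
   -1 if the root it would walk has already been freed. */
static int output_destroy(const Output *o) {
    Window *w = *o->root;
    if (w == NULL) return 0;
    if (is_poisoned(w, sizeof *w)) return -1;   /* dangling root pointer */
    return o->nprops;
}

/* Run teardown with windows freed first (the logged order) or last. */
static int teardown(int windows_first, int clear_root_on_free) {
    int rc = 0;
    pool[0] = (Window){ .id = 0x78, .firstChild = NULL };  /* constructed */
    root_window = &pool[0];
    Output out = { &root_window, 2 };

    if (!windows_first) rc = output_destroy(&out);
    window_free(root_window);
    if (clear_root_on_free) root_window = NULL;   /* assumed guard */
    if (windows_first) rc = output_destroy(&out);
    return rc;
}
```

With the logged order and no guard, `teardown(1, 0)` reports the dangling root; freeing outputs first, or clearing the root pointer when the window is freed, avoids the stale walk.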