While trying to track down the reason for intermittent Mozilla browser
crashes <URL:https://bugzilla.mozilla.org/show_bug.cgi?id=287558>,
I found a bug in the XCloseIM() implementation shipped with Solaris (s10 / snv_22).
It reads pointers out of memory blocks that have already been freed and passes
them to XFree() -- a use-after-free, and most likely a double free of the
pointed-to buffers on a run where the freed memory has not been scribbled.
The faulting frame is xiiimp.so.2`SWITCH_CloseIM, i.e. the input-method module
that XCloseIM() dispatches to, not libX11 itself.  Running the reproducer below
under libumem with UMEM_DEBUG=default makes the bug fault immediately, because
libumem fills freed buffers with 0xdeadbeef -- exactly the value in %eax at the
faulting instruction in the mdb transcript.

% cat xopenim.c
/*
 * Reproducer for the Solaris XCloseIM() use-after-free.
 *
 * gcc -o xopenim xopenim.c -lX11
 *
 * env LD_PRELOAD=libumem.so UMEM_DEBUG=default xopenim
 *
 * UMEM_DEBUG=default makes libumem fill freed buffers with 0xdeadbeef, so a
 * pointer loaded from freed memory faults on the spot instead of being handed
 * silently to XFree().  Without libumem the run may appear to succeed.
 */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <X11/Xlib.h>


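/*
 * Entry point: open the display, open and immediately close an input method.
 * The close is where the buggy XCloseIM() implementation faults.
 *
 * argv[1], if given, is the display name; otherwise ":0" is used.
 * Returns EXIT_FAILURE if the display or the input method cannot be opened,
 * EXIT_SUCCESS otherwise (only reached when the bug is absent).
 */
int
main(int argc, char **argv)
{
        Display *dpy;
        XIM xim;
        const char *display_name;

        /*
         * XOpenIM() picks the input method from the current locale, so the
         * locale has to be set first.  A failure is reported but not fatal:
         * the process then stays in the "C" locale, which may merely make
         * XOpenIM() fail below rather than reproduce the crash.
         */
        if (setlocale(LC_ALL, "en_US") == NULL) {
                fprintf(stderr, "warning: setlocale(LC_ALL, \"en_US\") failed\n");
        }

        /* argv[argc] is NULL, so argv[1] is safe to test even when argc == 1. */
        display_name = (argc > 1 && argv[1] != NULL) ? argv[1] : ":0";

        dpy = XOpenDisplay(display_name);
        if (dpy == NULL) {
                fprintf(stderr, "Can't open display\n");
                return EXIT_FAILURE;
        }

        xim = XOpenIM(dpy, NULL, NULL, NULL);
        if (xim == NULL) {
                fprintf(stderr, "XOpenIM failed\n");
                XCloseDisplay(dpy);
                return EXIT_FAILURE;
        }

        /*
         * The faulting frame is xiiimp.so.2`SWITCH_CloseIM, reached from
         * here.  Everything after this call runs only when the bug is absent;
         * the display is closed so the clean path leaks nothing.
         */
        XCloseIM(xim);
        XCloseDisplay(dpy);

        return EXIT_SUCCESS;
}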
% gcc -o xopenim xopenim.c -lX11
% env LD_PRELOAD=libumem.so UMEM_DEBUG=default xopenim
Segmentation fault (core dumped)
% mdb xopenim core
Loading modules: [ libumem.so.1 libc.so.1 ld.so.1 ]
> <eip/i
xiiimp.so.2`SWITCH_CloseIM+0xfe:pushl  0x4(%eax)
> <eax=X
                deadbeef        
> <eip,10/ia
xiiimp.so.2`SWITCH_CloseIM+0xfe:pushl  0x4(%eax)
xiiimp.so.2`SWITCH_CloseIM+0x101:               
                call   -0xc345  <PLT=libX11.so.4`XFree>
xiiimp.so.2`SWITCH_CloseIM+0x106:               addl   $0x4,%esp
xiiimp.so.2`SWITCH_CloseIM+0x109:               movl   0x48(%esi),%eax
xiiimp.so.2`SWITCH_CloseIM+0x10c:               pushl  0x70(%eax)
xiiimp.so.2`SWITCH_CloseIM+0x10f:               
                call   -0xc353  <PLT=libX11.so.4`XFree>
xiiimp.so.2`SWITCH_CloseIM+0x114:               addl   $0x4,%esp
xiiimp.so.2`SWITCH_CloseIM+0x117:               pushl  0x68(%esi)
xiiimp.so.2`SWITCH_CloseIM+0x11a:               
                call   -0xc35e  <PLT=libX11.so.4`XFree>
xiiimp.so.2`SWITCH_CloseIM+0x11f:               addl   $0x4,%esp
xiiimp.so.2`SWITCH_CloseIM+0x122:               movl   $0x0,0x68(%esi)
xiiimp.so.2`SWITCH_CloseIM+0x129:               movl   $0x1,%eax
xiiimp.so.2`SWITCH_CloseIM+0x12e:               popl   %edi
xiiimp.so.2`SWITCH_CloseIM+0x12f:               popl   %esi
xiiimp.so.2`SWITCH_CloseIM+0x130:               popl   %ebx
xiiimp.so.2`SWITCH_CloseIM+0x131:               movl   %ebp,%esp
xiiimp.so.2`SWITCH_CloseIM+0x133: