libx11 crash (possible PATCH attached)

Peter Clifton pcjc2 at cam.ac.uk
Thu Oct 14 06:30:38 PDT 2010


Hi,

I ran across a repeatable crash in libx11 when dealing with some broken
OpenGL code I was writing. Unfortunately, I've forgotten how to repeat
the crash (as it was related to some obscure buggy scenario in my GL
setup).

What I did note was the location / cause, and a patch which got me past
the crash. I don't know if the patch is "correct" though.

This was against the Ubuntu xorg-edgers package of:
libx11-1.3.4+git20100720.554da76e


diff -u xcb_io.c.old xcb_io.c
--- xcb_io.c.old	2010-10-14 14:23:44.456669003 +0100
+++ xcb_io.c	2010-10-14 14:24:45.642061004 +0100
@@ -559,7 +559,7 @@
 		ConditionBroadcast(dpy, dpy->xcb->reply_notify);
 		assert(XLIB_SEQUENCE_COMPARE(req->sequence, <=, dpy->request));
 		dpy->last_request_read = req->sequence;
-		if(!response)
+		if(!response && (req != current))
 			dequeue_pending_request(dpy, req);
 
 		if(req == current)
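Review bot: the added `req != current` guard stops the loop from dequeuing (and freeing) `current` while `response` is NULL, which removes the post-loop dereference of freed memory, but it also leaves that request sitting in the pending list; the `if(req == current)` block that follows should be checked to confirm it releases or otherwise finishes with the request, or the entry may be left behind and handled again on a later pass. A narrower alternative is to keep the dequeue as it was and take the post-loop `event_sequence == current->sequence` comparison from a copy of the sequence number saved before the dequeue, so nothing reads `current` after it is freed.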


Basically, the bug was that "req" was equal to "current", and as
response was NULL, the response was dequeued, freeing the memory in
current.

After the loop, a check was made for "if(event_sequence ==
current->sequence)", which dereferenced the free'd "current" response,
and caused a crash.

I don't know if not dequeuing the current response is the correct fix,
or whether some logic should be applied to skip further processing in
this case.

I thought I'd pass on the investigation and my possible fix to those who
know more about this, and hopefully it will help improve libx11's
resilience. I'm fairly sure the situation I hit was a corner case
though, as I've never seen libx11 crash like this before, only in the
case where I had a problem with my GL code.

Please note that I don't have any way to reproduce this crash any more,
so I won't be of any use testing patches for it.

-- 
Peter Clifton

Electrical Engineering Division,
Engineering Department,
University of Cambridge,
9, JJ Thomson Avenue,
Cambridge
CB3 0FA

Tel: +44 (0)7729 980173 - (No signal in the lab!)
Tel: +44 (0)1223 748328 - (Shared lab phone, ask for me)
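The lifetime bug described in the mail, modelled in C as an added example (this is not libx11 code; the queue structure, field names and helper functions are stand-ins assumed for illustration). The model marks a request as released instead of calling free(), so the use-after-free ordering is observable without touching freed memory; `patched` selects the guard from the mail.

```c
#include <assert.h>
#include <stdlib.h>

/* Assumed stand-in for libx11's pending-request queue (not the real
 * xcb_io.c structures). Releasing a request sets `released` instead of
 * calling free(), so reading it afterwards is detectable, not UB. */
typedef struct PendingRequest {
    unsigned long sequence;
    int released;
    struct PendingRequest *next;
} PendingRequest;

typedef struct {
    PendingRequest *pending;          /* queue head, oldest first */
    unsigned long last_request_read;
} Display;

static void dequeue_pending_request(Display *dpy, PendingRequest *req)
{
    assert(dpy->pending == req);
    dpy->pending = req->next;
    req->released = 1;                /* the real code would free(req) here */
}

/* Walk the queue up to `current`, then compare an event's sequence number
 * against it, mirroring the ordering in the mail. With patched == 0 the
 * loop dequeues `current` itself when response is NULL, and the comparison
 * afterwards reads a released request. Returns 1 on a match, 0 on no
 * match, -1 if `current` was already released (the reported crash). */
static int compare_event(Display *dpy, PendingRequest *current,
                         unsigned long event_sequence, int patched)
{
    PendingRequest *req;
    void *response = NULL;            /* the mail's case: no reply data */

    while ((req = dpy->pending) != NULL) {
        dpy->last_request_read = req->sequence;
        if (!response && (!patched || req != current))
            dequeue_pending_request(dpy, req);
        if (req == current)
            break;
    }
    if (current->released)
        return -1;                    /* use-after-free in the real code */
    return event_sequence == current->sequence;
}

/* Constructed scenario: two queued requests, the event targets the second. */
static int run_scenario(int patched, unsigned long event_sequence)
{
    PendingRequest r1 = {41, 0, NULL}, r2 = {42, 0, NULL};
    Display dpy = {&r1, 0};
    r1.next = &r2;
    return compare_event(&dpy, &r2, event_sequence, patched);
}
```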
