xserver 1.5.3: DeliverPropertyEvent() accessing unallocated memory

Tue Nov 18 14:55:40 PST 2008

Hi,

using OpenBSD's memory allocator (which has an option to fill free()'d
memory with a specific pattern) I found out that xserver 1.5.3 is
dumping core on exit.

This is caused by a bad pointer caused by accessing free'd memory in
DeliverPropertyEvent, because when the RRProperties are destroyed, the
associated windows have been free'd already.

Here's a short debugging session that shows the problem (0xfd is the
value used to fill free()'d regions:

Program received signal SIGSEGV, Segmentation fault.
0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
    at /usr/xenocara/xserver/randr/rrproperty.c:34
34          pHead = LookupIDByType(pWin->drawable.id, RREventType);
(gdb) p **WindowTable
$1 = {drawable = {type = 223 'ß', class = 223 'ß', depth = 223 'ß',
    bitsPerPixel = 223 'ß', id = 3755991007, x = -8225, y = -8225,
    width = 57311, height = 57311, pScreen = 0xdfdfdfdf,
    serialNumber = 3755991007}, devPrivates = 0xdfdfdfdf, parent =
0xdfdfdfdf,
  nextSib = 0xdfdfdfdf, prevSib = 0xdfdfdfdf, firstChild = 0xdfdfdfdf,
  lastChild = 0xdfdfdfdf, clipList = {extents = {x1 = -8225, y1 = -8225,
      x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderClip = {extents = {
      x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
  valdata = 0xdfdfdfdf, winSize = {extents = {x1 = -8225, y1 = -8225,
      x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderSize = {extents = {
      x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
  origin = {x = -8225, y = -8225}, borderWidth = 57311,
  deliverableEvents = 57311, eventMask = 3755991007, background = {
    pixmap = 0xdfdfdfdf, pixel = 3755991007}, border = {pixmap =
0xdfdfdfdf,
    pixel = 3755991007}, backStorage = 0xdfdfdfdf, optional = 0xdfdfdfdf,
  backgroundState = 3, borderIsPixel = 1, cursorIsNone = 1, backingStore
= 1,
  saveUnder = 1, DIXsaveUnder = 1, bitGravity = 15, winGravity = 13,
  overrideRedirect = 1, visibility = 3, mapped = 1, realized = 1,
  viewable = 0, dontPropagate = 7, forcedBS = 1, redirectDraw = 3,
  forcedBG = 1}
(gdb) bt
#0  0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
    at /usr/xenocara/xserver/randr/rrproperty.c:34
#1  0x1c025c5c in TraverseTree (pWin=0x879d7900,
    func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
    at /usr/xenocara/xserver/dix/window.c:225
#2  0x1c025d03 in WalkTree (pScreen=0x81310400,
    func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
    at /usr/xenocara/xserver/dix/window.c:253
#3  0x1c148858 in RRDeliverPropertyEvent (pScreen=0x81310400,
event=0xcfbc2400)
    at /usr/xenocara/xserver/randr/rrproperty.c:62
#4  0x1c1488d2 in RRDeleteAllOutputProperties (output=0x88fa2000)
    at /usr/xenocara/xserver/randr/rrproperty.c:80
#5  0x1c147c9f in RROutputDestroyResource (value=0x88fa2000, pid=60)
    at /usr/xenocara/xserver/randr/rroutput.c:410
#6  0x1c025078 in FreeClientResources (client=0x7d3f1400)
    at /usr/xenocara/xserver/dix/resource.c:809
#7  0x1c02515e in FreeAllResources ()
    at /usr/xenocara/xserver/dix/resource.c:826
#8  0x1c021acd in main (argc=1, argv=0xcfbc2578, envp=0xcfbc2580)
    at /usr/xenocara/xserver/dix/main.c:453
(gdb)

Ideas for fixing that are of course welcome.

-- 
Matthieu Herrb