xserver 1.5.3: DeliverPropertyEvent() accessing unallocated memory

Matthieu Herrb matthieu.herrb at laas.fr
Tue Nov 18 15:04:53 PST 2008


Matthieu Herrb wrote:
> Hi,
> 
> using OpenBSD's memory allocator (which has an option to fill free()'d
> memory with a specific pattern) I found out that xserver 1.5.3 is
> dumping core on exit.
> 
> This is caused by a bad pointer caused by accessing free'd memory in
> DeliverPropertyEvent, because when the RRProperties are destroyed, the
> associated windows have been free'd already.
> 
> Here's a short debugging session that shows the problem (0xfd is the
> value used to fill free()'d regions):
> 
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
>     at /usr/xenocara/xserver/randr/rrproperty.c:34
> 34          pHead = LookupIDByType(pWin->drawable.id, RREventType);
> (gdb) p **WindowTable
> $1 = {drawable = {type = 223 'ß', class = 223 'ß', depth = 223 'ß',
>     bitsPerPixel = 223 'ß', id = 3755991007, x = -8225, y = -8225,
>     width = 57311, height = 57311, pScreen = 0xdfdfdfdf,
>     serialNumber = 3755991007}, devPrivates = 0xdfdfdfdf, parent =
> 0xdfdfdfdf,
>   nextSib = 0xdfdfdfdf, prevSib = 0xdfdfdfdf, firstChild = 0xdfdfdfdf,
>   lastChild = 0xdfdfdfdf, clipList = {extents = {x1 = -8225, y1 = -8225,
>       x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderClip = {extents = {
>       x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
>   valdata = 0xdfdfdfdf, winSize = {extents = {x1 = -8225, y1 = -8225,
>       x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderSize = {extents = {
>       x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
>   origin = {x = -8225, y = -8225}, borderWidth = 57311,
>   deliverableEvents = 57311, eventMask = 3755991007, background = {
>     pixmap = 0xdfdfdfdf, pixel = 3755991007}, border = {pixmap =
> 0xdfdfdfdf,
>     pixel = 3755991007}, backStorage = 0xdfdfdfdf, optional = 0xdfdfdfdf,
>   backgroundState = 3, borderIsPixel = 1, cursorIsNone = 1, backingStore
> = 1,
>   saveUnder = 1, DIXsaveUnder = 1, bitGravity = 15, winGravity = 13,
>   overrideRedirect = 1, visibility = 3, mapped = 1, realized = 1,
>   viewable = 0, dontPropagate = 7, forcedBS = 1, redirectDraw = 3,
>   forcedBG = 1}
> (gdb) bt
> #0  0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
>     at /usr/xenocara/xserver/randr/rrproperty.c:34
> #1  0x1c025c5c in TraverseTree (pWin=0x879d7900,
>     func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
>     at /usr/xenocara/xserver/dix/window.c:225
> #2  0x1c025d03 in WalkTree (pScreen=0x81310400,
>     func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
>     at /usr/xenocara/xserver/dix/window.c:253
> #3  0x1c148858 in RRDeliverPropertyEvent (pScreen=0x81310400,
> event=0xcfbc2400)
>     at /usr/xenocara/xserver/randr/rrproperty.c:62
> #4  0x1c1488d2 in RRDeleteAllOutputProperties (output=0x88fa2000)
>     at /usr/xenocara/xserver/randr/rrproperty.c:80
> #5  0x1c147c9f in RROutputDestroyResource (value=0x88fa2000, pid=60)
>     at /usr/xenocara/xserver/randr/rroutput.c:410
> #6  0x1c025078 in FreeClientResources (client=0x7d3f1400)
>     at /usr/xenocara/xserver/dix/resource.c:809
> #7  0x1c02515e in FreeAllResources ()
>     at /usr/xenocara/xserver/dix/resource.c:826
> #8  0x1c021acd in main (argc=1, argv=0xcfbc2578, envp=0xcfbc2580)
>     at /usr/xenocara/xserver/dix/main.c:453
> (gdb)
> 
> 
> Ideas for fixing that are of course welcome.
> 

I've added an ErrorF() call to FreeClientResources() to show the same
info as the DTrace probe in this function. It confirms that the
root window (in the case of a simple server with no client windows) is
destroyed before the outputs:

FreeClientResources MODE 41 7c0c1f00
FreeClientResources MODE 40 7c0c1e00
FreeClientResources MODE 43 7c0c1a40
FreeClientResources MODE 42 7c0c1b40
FreeClientResources MODE 45 7c0c1d80
FreeClientResources MODE 44 7c0c1b00
FreeClientResources MODE 47 840e9100
FreeClientResources MODE 46 7c0c1ec0
FreeClientResources MODE 49 840e9300
FreeClientResources MODE 48 840e92c0
FreeClientResources MODE 4b 840e94c0
FreeClientResources MODE 4a 840e9140
FreeClientResources MODE 4d 840e9040
FreeClientResources MODE 4c 840e9380
FreeClientResources <unknown> 4f 840e90c0
FreeClientResources MODE 4e 7c0c1c40
FreeClientResources <unknown> 51 80e5ad20
FreeClientResources <unknown> 50 80e5a9e0
FreeClientResources COLORMAP 20 82d64000
FreeClientResources PICTFORMAT 23 7e959000
FreeClientResources PICTFORMAT 24 7e959030
FreeClientResources PICTFORMAT 25 7e959060
FreeClientResources PICTFORMAT 26 7e959090
FreeClientResources PICTFORMAT 27 7e9590c0
FreeClientResources PICTFORMAT 28 7e9590f0
FreeClientResources PICTFORMAT 29 7e959120
FreeClientResources PICTFORMAT 2a 7e959150
FreeClientResources PICTFORMAT 2b 7e959180
FreeClientResources PICTFORMAT 2c 7e9591b0
FreeClientResources PICTFORMAT 2d 7e9591e0
FreeClientResources PICTFORMAT 2e 7e959210
FreeClientResources PICTFORMAT 2f 7e959240
FreeClientResources PICTFORMAT 30 7e959270
FreeClientResources PICTFORMAT 31 7e9592a0
FreeClientResources PICTFORMAT 32 7e9592d0
FreeClientResources PICTFORMAT 33 7e959300
FreeClientResources PICTFORMAT 34 7e959330
FreeClientResources PICTFORMAT 35 7e959360
FreeClientResources PICTFORMAT 36 7e959390
FreeClientResources PICTFORMAT 37 7e9593c0
FreeClientResources FONT 79 7ca23800
FreeClientResources PICTFORMAT 38 7e9593f0
FreeClientResources WINDOW 78 7cdf7e00
FreeClientResources CRTC 39 7c0c1d00
FreeClientResources CURSOR 7b 844fad80
FreeClientResources CRTC 3a 7c0c1f80
FreeClientResources FONT 7a 7ca23400
FreeClientResources OUTPUT 3b 840eb400
FreeClientResources OUTPUT 3c 840eb800


-- 
Matthieu Herrb
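The teardown order in the trace above (WINDOW 78 freed before OUTPUT 3b and 3c, then a property event walked onto the freed root window) is the whole bug. The following is an added example, not X server code and not part of this thread: a constructed C model with simplified stand-ins (WindowRec, OutputRec, a flat resource table, and a poisoning junk_free that mimics the 0xdf fill seen in the backtrace) that replays both destruction orders and contrasts a delivery path that trusts a cached window pointer with one that re-resolves the window through the resource table and skips the event when the lookup fails.

```c
/* Constructed model of the shutdown-order use-after-free in the thread above.
 * Not X server code: WindowRec, OutputRec and the resource table are simplified
 * stand-ins for the real dix structures. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FREE_FILL 0xdf   /* byte a junk-filling allocator writes over freed chunks */

enum { RT_WINDOW = 1, RT_OUTPUT = 2 };

typedef struct { uint32_t id; int mapped; } WindowRec;
/* An output keeps both a raw pointer to the root window (the buggy habit) and
 * its XID (what the hardened path resolves at use time). */
typedef struct { uint32_t id; WindowRec *rootByPtr; uint32_t rootXid; } OutputRec;

/* Resource table: XID -> (type, value). A destroyed resource is removed here
 * before its memory is freed, so a lookup is a reliable liveness check. */
typedef struct { uint32_t id; int type; void *value; } Resource;
static Resource table[8];
static size_t nres;

static void add_resource(uint32_t id, int type, void *value) {
    table[nres++] = (Resource){ id, type, value };
}
static void *lookup_id_by_type(uint32_t id, int type) {
    for (size_t i = 0; i < nres; i++)
        if (table[i].id == id && table[i].type == type) return table[i].value;
    return NULL;
}
static void remove_resource(uint32_t id) {
    for (size_t i = 0; i < nres; i++)
        if (table[i].id == id) { table[i] = table[--nres]; return; }
}

/* Stand-in for free() under a junking allocator: the chunk is poisoned but kept
 * mapped, so the model is deterministic and reads stay defined behaviour. */
static void junk_free(void *p, size_t n) { memset(p, FREE_FILL, n); }

/* Buggy delivery: trusts the cached window pointer, like walking WindowTable. */
static uint32_t deliver_property_event_buggy(const OutputRec *out) {
    return out->rootByPtr->id;   /* reads whatever now sits in the window's memory */
}

/* Hardened delivery: resolve the window through the resource table first and
 * skip the event if it is gone. Returns 1 if delivered, 0 if skipped. */
static int deliver_property_event_safe(const OutputRec *out, uint32_t *idOut) {
    WindowRec *w = lookup_id_by_type(out->rootXid, RT_WINDOW);
    if (!w) return 0;
    *idOut = w->id;
    return 1;
}

/* Replays a FreeAllResources-style teardown. With windowFirst set, the root
 * window is destroyed before the output, as in the trace. Returns the id the
 * buggy path read; reports what the hardened path did through the out-params. */
static uint32_t shutdown_scenario(int windowFirst, int *safeDelivered, uint32_t *safeId) {
    WindowRec *root = malloc(sizeof *root);
    OutputRec *out = malloc(sizeof *out);
    *root = (WindowRec){ 0x78, 1 };          /* XIDs taken from the trace above */
    *out  = (OutputRec){ 0x3b, root, 0x78 };
    nres = 0;
    add_resource(0x78, RT_WINDOW, root);
    add_resource(0x3b, RT_OUTPUT, out);

    if (windowFirst) { remove_resource(0x78); junk_free(root, sizeof *root); }

    /* Output destruction delivers a property event to the screen's root window. */
    uint32_t buggy = deliver_property_event_buggy(out);
    *safeId = 0;
    *safeDelivered = deliver_property_event_safe(out, safeId);

    if (!windowFirst) { remove_resource(0x78); junk_free(root, sizeof *root); }
    remove_resource(0x3b);
    free(root);
    free(out);
    return buggy;
}

/* Convenience wrappers so each outcome is a plain return value. */
static uint32_t buggy_read(int windowFirst) {
    int d; uint32_t id; return shutdown_scenario(windowFirst, &d, &id);
}
static int safe_delivered(int windowFirst) {
    int d; uint32_t id; shutdown_scenario(windowFirst, &d, &id); return d;
}

int main(void) {
    printf("window first: buggy read 0x%08x, safe delivered=%d\n", buggy_read(1), safe_delivered(1));
    printf("output first: buggy read 0x%08x, safe delivered=%d\n", buggy_read(0), safe_delivered(0));
    return 0;
}
```

With the window destroyed first, the buggy path returns 0xdfdfdfdf, the same poisoned value gdb shows for pWin in the real crash, while the hardened path finds no live WINDOW resource and delivers nothing. The general point is that a destroy callback must not assume any other resource is still alive; anything it needs should be re-resolved through the resource table at use time, or the destruction order of dependent resources must be made explicit rather than left to hash-table iteration.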