Bug 22045 - free memory deref in damage on server exit
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/other
Version: 7.4 (2008.09)
Hardware: All OpenBSD
Importance: high major
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Depends on:
Blocks: xorg-7.5
Reported: 2009-06-02 16:47 UTC by Matthieu Herrb
Modified: 2009-09-13 13:26 UTC

Description Matthieu Herrb 2009-06-02 16:47:43 UTC
On OpenBSD, with malloc flag set to put '0xdf' on every free'd memory chunk, Xserver 1.6 aborts on the exit path because of a free memory access in shadow. 


Program received signal SIGBUS, Bus error.
0x001e5bc0 in damageRemoveDamage (pPrev=0xdfdfdfdf, pDamage=0x2b2fd380)
    at damage.c:1697
1697        while (*pPrev)
(gdb) p pPrev
$1 = (DamagePtr *) 0xdfdfdfdf
(gdb) bt
#0  0x001e5bc0 in damageRemoveDamage (pPrev=0xdfdfdfdf, pDamage=0x2b2fd380)
    at damage.c:1697
#1  0x001e67f8 in DamageUnregister (pDrawable=0x2dc86640, pDamage=0x2b2fd380)
    at damage.c:2001
#2  0x28ee8988 in shadowRemove (pScreen=0x26f57400, pPixmap=0x2dc86640)
    at shadow.c:219
#3  0x28ee84c0 in shadowCloseScreen (i=0, pScreen=0x26f57400) at shadow.c:103
#4  0x0012f024 in miDCCloseScreen (index=0, pScreen=0x26f57400)
    at midispcur.c:175
#5  0x00140380 in miPointerCloseScreen (index=0, pScreen=0x26f57400)
    at mipointer.c:161
#6  0x0014a0b8 in miSpriteCloseScreen (i=0, pScreen=0x26f57400)
    at misprite.c:320
#7  0x000bd418 in CMapCloseScreen (i=0, pScreen=0x26f57400) at xf86cmap.c:230
#8  0x275ca1b4 in WsfbCloseScreen ()
   from /usr/X11R6/lib/modules/drivers/wsfb_drv.so
#9  0x000b80dc in VidModeClose (i=0, pScreen=0x26f57400) at xf86VidMode.c:116
#10 0x00187220 in CursorCloseScreen (index=0, pScreen=0x26f57400)
    at cursor.c:186
#11 0x001db614 in AnimCurCloseScreen (index=0, pScreen=0x26f57400)
    at animcur.c:136
#12 0x0017d9f8 in compCloseScreen (index=0, pScreen=0x26f57400)
    at compinit.c:84
#13 0x22113c74 in glxCloseScreen (index=0, pScreen=0x26f57400)
    at glxscreens.c:217
#14 0x0002a244 in main (argc=3, argv=0xbfffc120, envp=0xbfffc130) at main.c:429

Comment 1 Daniel Stone 2009-08-31 17:28:02 UTC
looks like -wsfb is missing a shadowRemove() in CloseScreen; this will cause a leak on regen anyway.

Comment 2 Matthieu Herrb 2009-09-13 13:26:42 UTC
That was it. 
Fixed in commit 872c691cbad253e4670a98349395b650677269cd
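
Added example, not part of the bug thread and not X.Org code: a reduced C model of why junk-filling freed memory with 0xdf exposes this class of teardown-ordering bug. All type and function names are hypothetical, the "free" is simulated on static storage so the poisoned bytes can be inspected safely, and the faulty ordering (storage released before the damage record is unregistered) is an assumption drawn from the trace above.

```c
#include <stdio.h>
#include <string.h>

#define JUNK 0xdf   /* fill byte from the report; all names below are hypothetical */

typedef struct Damage { struct Damage *next; } Damage;
typedef struct Drawable { Damage **damage_head; } Drawable;  /* models a private lookup */

static Damage *slot;   /* list head, lives outside the drawable */
static Damage dmg;
static Drawable pix;

/* Stand-in for free() with junk filling: poisons the object but keeps the
 * (static) storage valid, so inspecting it afterwards is well defined. */
static void junk_free(Drawable *d) { memset(d, JUNK, sizeof *d); }

/* True when all n bytes at obj carry the junk pattern. */
static int is_junk(const void *obj, size_t n) {
    const unsigned char *b = obj;
    for (size_t i = 0; i < n; i++)
        if (b[i] != JUNK) return 0;
    return 1;
}

/* Returns 0 if unlinked, -1 if not on the list, -2 if the drawable's storage
 * is poisoned (the stage at which the trace above dereferences pPrev). */
static int damage_unregister(Drawable *d, Damage *target) {
    if (is_junk(&d->damage_head, sizeof d->damage_head)) return -2;
    for (Damage **prev = d->damage_head; *prev; prev = &(*prev)->next)
        if (*prev == target) { *prev = target->next; return 0; }
    return -1;
}

static void setup(void) { dmg.next = NULL; slot = &dmg; pix.damage_head = &slot; }

/* Assumed faulty order: storage released, then the damage record unregistered. */
int teardown_free_first(void) { setup(); junk_free(&pix); return damage_unregister(&pix, &dmg); }

/* Corrected order: unregister while the drawable is alive, then release it. */
int teardown_unregister_first(void) {
    setup();
    int rc = damage_unregister(&pix, &dmg);
    junk_free(&pix);
    return rc;
}

int main(void) {
    printf("free first: %d\n", teardown_free_first());
    printf("unregister first: %d\n", teardown_unregister_first());
    return 0;
}
```

Without junk filling, the stale pointer in the first ordering would often still look valid and the bug would pass unnoticed; the 0xdf pattern turns it into an immediate, recognisable fault.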