NetBSD-Bugs archive


Re: xsrc/54246: closing retroarch crashes xorg



The following reply was made to PR xsrc/54246; it has been noted by GNATS.

From: coypu%sdf.org@localhost
To: gnats-bugs%netbsd.org@localhost, mrg%netbsd.org@localhost
Cc: 
Subject: Re: xsrc/54246: closing retroarch crashes xorg
Date: Fri, 31 May 2019 17:37:19 +0000

 This is a double free.
 Backtrace:
 [New process 2]
 Core was generated by `X'.
 Program terminated with signal SIGABRT, Aborted.
 #0  0x0000757ce3799a5a in _lwp_kill () from /usr/lib/libc.so.12
 [Current thread is 1 (process 1)]
 (gdb) bt
 #0  0x0000757ce3799a5a in _lwp_kill () from /usr/lib/libc.so.12
 #1  0x0000757ce3799709 in abort () from /usr/lib/libc.so.12
 #2  0x0000000094bafff5 in OsAbort () at /cvs/xsrc/external/mit/xorg-server/dist/os/utils.c:1355
 #3  0x0000000094bab3bf in AbortServer () at /cvs/xsrc/external/mit/xorg-server/dist/os/log.c:879
 #4  0x0000000094bac0ba in FatalError (f=f@entry=0x94c27000 "Caught signal %d (%s). Server aborting\n") at /cvs/xsrc/external/mit/xorg-server/dist/os/log.c:1017
 #5  0x0000000094bb0ba3 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at /cvs/xsrc/external/mit/xorg-server/dist/os/osinit.c:156
 #6  <signal handler called>
 #7  0x0000000094bc2a8b in DrawableGone (glxPriv=0x757ce774ea40, xid=<optimized out>) at /cvs/xsrc/external/mit/xorg-server/dist/glx/glxext.c:133
 #8  0x0000000094a6abca in doFreeResource (res=0x757ce6bccfc0, skip=0) at /cvs/xsrc/external/mit/xorg-server/dist/dix/resource.c:880
 #9  0x0000000094a6b685 in FreeResource (id=6291458, skipDeleteFuncType=skipDeleteFuncType@entry=0) at /cvs/xsrc/external/mit/xorg-server/dist/dix/resource.c:910
 #10 0x0000000094a81480 in ProcDestroyWindow (client=0x757ce7f49c80) at /cvs/xsrc/external/mit/xorg-server/dist/dix/dispatch.c:765
 #11 0x0000000094a86213 in Dispatch () at /cvs/xsrc/external/mit/xorg-server/dist/dix/dispatch.c:478
 #12 0x0000000094a5a7af in dix_main (argc=5, argv=0x7f7fff8f6fc8, envp=<optimized out>) at /cvs/xsrc/external/mit/xorg-server/dist/dix/main.c:276
 #13 0x0000000094a5a34d in ___start ()
 #14 0x00007f7e55c0e978 in ?? () from /usr/libexec/ld.elf_so
 #15 0x0000000000000005 in ?? ()
 
 
 Inspecting in frame 7:
 glxPriv->destroy is 0x5a5a5a..., which is the pattern jemalloc's debug
 mode uses to garbage-fill freed memory, so glxPriv had already been
 freed by the time DrawableGone was called on it.
 
 
 Undoing local diffs fixes it (although retroarch crashes on exit, at
 least X keeps running.)
 
 Index: dist/glx/glxcmds.c
 ===================================================================
 RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/glxcmds.c,v
 retrieving revision 1.11
 diff -u -r1.11 glxcmds.c
 --- dist/glx/glxcmds.c	31 Dec 2018 09:49:59 -0000	1.11
 +++ dist/glx/glxcmds.c	31 May 2019 17:36:09 -0000
 @@ -1137,7 +1137,6 @@
      drawable->pDraw = pDraw;
      drawable->type = type;
      drawable->drawId = drawId;
 -    drawable->otherId = 0;
      drawable->config = config;
      drawable->eventMask = 0;
  
 @@ -1172,10 +1171,8 @@
       * Windows aren't refcounted, so track both the X and the GLX window
       * so we get called regardless of destruction order.
       */
 -    // XXXMRG xorg-server 1.10
 -    if (drawableId != glxDrawableId && (type == GLX_DRAWABLE_WINDOW /*|| type == GLX_DRAWABLE_PIXMAP*/) &&
 +    if (drawableId != glxDrawableId && type == GLX_DRAWABLE_WINDOW &&
          !AddResource(pDraw->id, __glXDrawableRes, pGlxDraw))
 -	/*pGlxDraw->destroy (pGlxDraw);*/
          return BadAlloc;
  
      return Success;
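Review bot: The multi-line `if` in this hunk still guards `return BadAlloc;` without braces, and the removed commented-out `destroy` call sat exactly between the condition and that return; had it ever been un-commented it would have become the `if` body and made the return unconditional. I would brace it: `!AddResource(pDraw->id, __glXDrawableRes, pGlxDraw)) {` then `return BadAlloc;` then `}`. The existing comment says both the X and the GLX window are tracked, so pGlxDraw is apparently reachable through two resource IDs; a sentence stating that its teardown must therefore run only once would help the next reader. The enclosing function starts and ends outside the hunk.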
 Index: dist/glx/glxext.c
 ===================================================================
 RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/glxext.c,v
 retrieving revision 1.7
 diff -u -r1.7 glxext.c
 --- dist/glx/glxext.c	31 Dec 2018 09:49:59 -0000	1.7
 +++ dist/glx/glxext.c	31 May 2019 17:36:09 -0000
 @@ -97,15 +97,13 @@
  {
      __GLXcontext *c, *next;
  
 -    if (glxPriv->type == GLX_DRAWABLE_WINDOW || glxPriv->type == GLX_DRAWABLE_PIXMAP) {
 +    if (glxPriv->type == GLX_DRAWABLE_WINDOW) {
          /* If this was created by glXCreateWindow, free the matching resource */
 -        if (glxPriv->otherId) {
 -            XID other = glxPriv->otherId;
 -            glxPriv->otherId = 0;
 -            if (xid == other)
 -                FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE);
 +        if (glxPriv->drawId != glxPriv->pDraw->id) {
 +            if (xid == glxPriv->drawId)
 +                FreeResourceByType(glxPriv->pDraw->id, __glXDrawableRes, TRUE);
              else
 -                FreeResourceByType(other, __glXDrawableRes, TRUE);
 +                FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE);
          }
          /* otherwise this window was implicitly created by MakeCurrent */
      }
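Review bot: Nothing in the new branch says why the sibling entry is released with `FreeResourceByType(..., TRUE)`, and that last argument is what keeps glxPriv from being torn down twice: both IDs map to the same object, so the second entry has to be dropped without invoking the delete callback again. I would add a comment above the inner `if`, e.g. `/* Both XIDs point at this glxPriv; drop the other entry with skipFree so DrawableGone is not re-entered for it. */`. The condition also reads `glxPriv->pDraw->id` with no check that pDraw is still valid at this point; whether it can be stale or NULL here depends on code outside the hunk, so that is worth confirming given the freed-memory crash in the backtrace. DrawableGone's signature and the rest of its body lie outside the hunk.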
 

