Subject: Re: xsrc/15357: stack trashing bug crashing the sparc Xservers
To: NetBSD Bugs and PR posting List <netbsd-bugs@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: port-sparc
Date: 03/17/2002 17:22:30
Here are some more confusing results from my attempt to track down this bug.

What follows below is a stack backtrace that appears to be complete,
consistent, and coherent.  It apparently happened as I was typing in an
xterm (though there were of course other windows with possible activity,
such as swisswatch, some xloads, an xclock, etc.).

However, it would seem that between two lines of code a local pointer
variable has suddenly changed value (in this case to zero!).  On line
1767 the value of 'grab' must have been non-zero, but on the next line
there's suddenly a SIGSEGV, presumably caused by dereferencing the now
NULL value of 'grab'.

I don't know enough about sparc assembler to look deeper here to be sure
the debugger isn't confused, but I can make available all this info
(including an account on the machine that built the binaries) to anyone
who would like to look at it.

GNU gdb 5.1.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-unknown-netbsdelf1.5W"...

warning: little endian file does not match big endian target.
Core was generated by `XsunMono'.
Program terminated with signal 11, Segmentation fault.
#0  CheckPassiveGrabsOnWindow (pWin=0x3bdf00, device=0x24e600, xE=0xefffeed0, 
    count=1) at events.c:1768
1768            if (device == grab->modifierDevice &&
(gdb) where
#0  CheckPassiveGrabsOnWindow (pWin=0x3bdf00, device=0x24e600, xE=0xefffeed0, 
    count=1) at events.c:1768
#1  0x0001afe8 in CheckDeviceGrabs (device=0x24e600, xE=0xefffeed0, 
    checkFirst=2072576, count=1) at events.c:1885
#2  0x0001b5a4 in CoreProcessKeyboardEvent (xE=0xefffeed0, keybd=0x24e600, 
    count=1) at events.c:2083
#3  0x000e9a14 in XkbHandleActions (dev=0x24e600, kbd=0x24e600, xE=0xefffeed0, 
    count=1) at xkbActions.c:1319
#4  0x000ea124 in XkbProcessKeyboardEvent (xE=0xefffeed0, keybd=0x24e600, 
    count=1) at xkbPrKeyEv.c:160
#5  0x000e21dc in AccessXFilterPressEvent (xE=0xefffeed0, keybd=0x24e600, 
    count=1) at xkbAccessX.c:657
#6  0x000ea18c in ProcessKeyboardEvent (xE=0xefffeed0, keybd=0x24e600, count=1)
    at xkbPrKeyEv.c:188
#7  0x000b7bbc in mieqProcessInputEvents () at mieq.c:182
#8  0x00011038 in ProcessInputEvents () at sunIo.c:70
#9  0x00033124 in Dispatch () at dispatch.c:276
#10 0x00020604 in main (argc=6, argv=0xeffff304) at main.c:400
#11 0x00010238 in ___start ()
(gdb) list
1763
1764            gdev= grab->modifierDevice;
1765            xkbi= gdev->key->xkbInfo;
1766    #endif
1767            tempGrab.modifierDevice = grab->modifierDevice;
1768            if (device == grab->modifierDevice &&
1769                (xE->u.u.type == KeyPress
1770    #ifdef XINPUT
1771                 || xE->u.u.type == DeviceKeyPress
1772    #endif
(gdb) print grab
$1 = 0x0
(gdb) info locals
gdev = 0x24e600
xkbi = 0x256200
grab = 0x0
tempGrab = {next = 0xc, resource = 1760592, device = 0x24e600, 
  window = 0x3bdf00, ownerEvents = 0, keyboardMode = 0, pointerMode = 0, 
  coreGrab = 0, coreMods = 0, type = 2 '\002', modifiersDetail = {exact = 0, 
    pMask = 0x0}, modifierDevice = 0x24e600, detail = {exact = 64, 
    pMask = 0x0}, confineTo = 0x241800, cursor = 0xc2850, eventMask = 0}
dxE = (xEvent *) 0x24e600
(gdb) print xE
$2 = (xEvent *) 0xefffeed0
(gdb) print pWin
$3 = 0x3bdf00
(gdb) print *pWin
$4 = {drawable = {type = 0 '\000', class = 1 '\001', depth = 1 '\001', 
    bitsPerPixel = 1 '\001', id = 109051925, x = 6, y = 27, width = 1072, 
    height = 1249, pScreen = 0x249600, serialNumber = 232557}, 
  parent = 0x3c1000, nextSib = 0x0, prevSib = 0x0, firstChild = 0x3c2400, 
  lastChild = 0x3c2400, clipList = {extents = {x1 = 21, y1 = 27, x2 = 1078, 
      y2 = 1276}, data = 0x0}, borderClip = {extents = {x1 = 6, y1 = 27, 
      x2 = 1078, y2 = 1276}, data = 0x0}, valdata = 0x0, winSize = {extents = {
      x1 = 6, y1 = 27, x2 = 1078, y2 = 1276}, data = 0x0}, borderSize = {
    extents = {x1 = 6, y1 = 27, x2 = 1078, y2 = 1276}, data = 0x0}, origin = {
    x = 0, y = 0}, borderWidth = 0, deliverableEvents = 34061, 
  eventMask = 4228365, background = {pixmap = 0x0, pixel = 0}, border = {
    pixmap = 0x1, pixel = 1}, backStorage = 0x0, optional = 0x7ba900, 
  backgroundState = 2, borderIsPixel = 1, cursorIsNone = 1, backingStore = 0, 
  saveUnder = 0, DIXsaveUnder = 0, bitGravity = 0, winGravity = 1, 
  overrideRedirect = 0, visibility = 0, mapped = 1, realized = 1, 
  viewable = 1, dontPropagate = 0, forcedBS = 0, devPrivates = 0x3bdf84}
(gdb) 

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>