Bug 36108

Summary: Use of released memory
Product: xorg
Component: Server/General
Version: 7.6 (2010.12)
Hardware: x86-64 (AMD64)
OS: All
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Assignee: Xorg Project Team <xorg-team>
QA Contact: Xorg Project Team <xorg-team>
Reporter: Zdenek Kabelac <zdenek.kabelac>
CC: tdefeo
Keywords: patch
Bug Blocks: 44202

Attachments:
  Don't copy stale pointers (flags: none)
  Don't copy stale pointers (flags: none)

Description Zdenek Kabelac 2011-04-10 01:35:28 UTC
Hi

My valgrind test seems to be showing usage of released memory during console switching:

(Unsure which part of Xorg is the real cause - maybe libXfixes ??)
(intel is 8dc99b305a514dcd42c4260698e685a66dc95518  (Apr 4))
xorg-x11-server-Xorg-1.10.0-7.fc15.x86_64
libXfixes-5.0-1.fc16.x86_64


Anyway - here is the valgrind log:

Invalid read of size 1
   at 0x4C28DA2: __GI_strlen (mc_replace_strmem.c:284)
   by 0x69D2595: strdup (strdup.c:42)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
 Address 0x784c060 is 0 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x4C28DB4: __GI_strlen (mc_replace_strmem.c:284)
   by 0x69D2595: strdup (strdup.c:42)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
 Address 0x784c061 is 1 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADA2: __GI_memcpy (memcpy.S:191)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c060 is 0 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADA5: __GI_memcpy (memcpy.S:192)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c068 is 8 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADA9: __GI_memcpy (memcpy.S:193)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c070 is 16 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADAD: __GI_memcpy (memcpy.S:194)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c078 is 24 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x69DACDE: __GI_memcpy (memcpy.S:66)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c080 is 0 bytes after a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x4C28FB0: strncpy (mc_replace_strmem.c:339)
   by 0x8A9C100: intel_crtc_set_mode_major (intel_display.c:322)
   by 0x489B18: xf86CrtcSetModeTransform (xf86Crtc.c:302)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
   by 0x42E8D9: Dispatch (dispatch.c:367)
 Address 0x784c060 is 0 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x4C28FC8: strncpy (mc_replace_strmem.c:339)
   by 0x8A9C100: intel_crtc_set_mode_major (intel_display.c:322)
   by 0x489B18: xf86CrtcSetModeTransform (xf86Crtc.c:302)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
   by 0x42E8D9: Dispatch (dispatch.c:367)
 Address 0x784c061 is 1 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)
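
The trace above shows XNFstrdup (called from xf86DuplicateMode, and later strncpy in the driver) reading a mode-name string out of a 32-byte block that valgrind says has already been freed. The title of the attached fix, "Don't copy stale pointers", is consistent with the usual cause of this shape of report: a record containing a heap-allocated `name` is copied by struct assignment, so the copy holds the same `name` pointer as the original, and once the original is released the copy dangles until something strdup()s it. The following is an added example, not code from the X server or from the patch on this bug; `display_mode`, `mode_copy_shallow`, `mode_copy_deep`, `mode_duplicate` and the "1920x1080" sample mode are hypothetical stand-ins. It puts the shallow-copy pattern next to a deep-copy fix and keeps the buggy flow reachable so it can be run under valgrind or AddressSanitizer.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an X mode record: a heap-allocated name plus
 * plain-value fields. Struct assignment copies the name *pointer*, not
 * the string it points at. */
typedef struct {
    char *name;
    int hdisplay;
    int vdisplay;
} display_mode;

static display_mode *mode_new(const char *name, int w, int h)
{
    display_mode *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->name = strdup(name);
    if (!m->name) abort();
    m->hdisplay = w;
    m->vdisplay = h;
    return m;
}

static void mode_free(display_mode *m)
{
    if (!m) return;
    free(m->name);
    free(m);
}

/* Buggy pattern: after this, dst->name aliases src's buffer. Freeing src
 * leaves dst->name stale. */
static void mode_copy_shallow(display_mode *dst, const display_mode *src)
{
    *dst = *src;
}

/* Fixed pattern: copy the value fields but give dst its own name buffer,
 * releasing whatever it owned before (unless it is the very buffer we
 * are about to copy from). */
static void mode_copy_deep(display_mode *dst, const display_mode *src)
{
    if (dst->name != src->name) {
        free(dst->name);
        dst->name = strdup(src->name);
        if (!dst->name) abort();
    }
    dst->hdisplay = src->hdisplay;
    dst->vdisplay = src->vdisplay;
}

/* Plays the role of xf86DuplicateMode in the trace: allocates a new record
 * and strdup()s the name, which is where a stale pointer gets read. */
static display_mode *mode_duplicate(const display_mode *src)
{
    return mode_new(src->name, src->hdisplay, src->vdisplay);
}

/* Returns 1 when the copied record's name aliases the source's buffer,
 * i.e. when freeing the source would leave the copy dangling. The pointer
 * comparison happens before any free, so this path has no UB. */
int copy_aliases_name(int deep)
{
    display_mode *orig = mode_new("1920x1080", 1920, 1080);
    display_mode desired = {0};
    if (deep) mode_copy_deep(&desired, orig);
    else      mode_copy_shallow(&desired, orig);
    int aliased = (desired.name == orig->name);
    mode_free(orig);
    if (!aliased) free(desired.name);   /* deep copy owns its own name */
    return aliased;
}

/* Fixed flow: deep copy, free the original, then duplicate from the copy.
 * Returns 1 if the duplicate carries the right name in a buffer of its own. */
int duplicate_after_free_deep(void)
{
    display_mode *orig = mode_new("1920x1080", 1920, 1080);
    display_mode desired = {0};
    mode_copy_deep(&desired, orig);
    mode_free(orig);                        /* desired.name still valid */
    display_mode *dup = mode_duplicate(&desired);
    int ok = strcmp(dup->name, "1920x1080") == 0 && dup->name != desired.name;
    mode_free(dup);
    free(desired.name);
    return ok;
}

/* Buggy flow, kept on purpose for running under valgrind or ASan: the
 * strdup() inside mode_duplicate reads orig's freed name buffer. */
void duplicate_after_free_shallow(void)
{
    display_mode *orig = mode_new("1920x1080", 1920, 1080);
    display_mode desired = {0};
    mode_copy_shallow(&desired, orig);
    mode_free(orig);                        /* desired.name is now stale */
    display_mode *dup = mode_duplicate(&desired);   /* invalid read here */
    mode_free(dup);
}

int main(int argc, char **argv)
{
    printf("shallow copy aliases name: %d\n", copy_aliases_name(0));
    printf("deep copy aliases name:    %d\n", copy_aliases_name(1));
    printf("deep copy survives free:   %d\n", duplicate_after_free_deep());
    if (argc > 1 && strcmp(argv[1], "uaf") == 0)
        duplicate_after_free_shallow();     /* e.g. valgrind ./a.out uaf */
    return 0;
}
```

Build with `cc -g -fsanitize=address example.c` and run `./a.out uaf`, or run the unsanitized binary under `valgrind ./a.out uaf`, to get a "heap-use-after-free" / "Invalid read" report with the same shape as the one in the description: the read happens in strdup, the block was freed in mode_free. Note that the "free'd at" stack valgrind prints is the most recent free of that address, which is why the report above blames ProcXFixesDestroyRegion even though the stale pointer was created elsewhere; the allocator had reused the mode-name block for a region before the dangling read occurred.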
Comment 1 Alan Coopersmith 2011-04-10 09:59:54 UTC
(In reply to comment #0)
> (Unsure which part of Xorg is the real cause - maybe libXfixes ??)

libXfixes is the client side library, not used in the X server.
ProcXFixes* is in the core X server source code.
Comment 2 Chris Wilson 2012-03-16 04:35:36 UTC
Created attachment 58548
Don't copy stale pointers
Comment 3 Chris Wilson 2012-05-29 04:19:49 UTC
Created attachment 62203
Don't copy stale pointers
Comment 4 Zdenek Kabelac 2012-06-24 13:19:03 UTC
Any release date of Xorg with this bugfix ?

Currently still present within: 

xorg-x11-server-Xorg-1.12.2-3.fc18.x86_64
Comment 5 Alan Coopersmith 2012-06-24 13:56:21 UTC
(In reply to comment #4)
> Any release date of Xorg with this bugfix ?

Not until after it gets checked into git master, which doesn't seem to
have happened yet.    That's likely to happen sooner if the patch gets
mailed to xorg-devel than if you wait for someone to sweep through
bugzilla looking for patches that aren't applied yet to send to xorg-devel
themselves.

http://www.x.org/wiki/Development/Documentation/SubmittingPatches
Comment 6 Chris Wilson 2012-06-25 03:13:57 UTC
Latest version of the patch:

http://lists.x.org/archives/xorg-devel/2012-June/031873.html
msg-id:4FE32FF5.7030201@canonical.com
Comment 7 Alan Coopersmith 2013-02-10 17:28:15 UTC
That patch was accepted to git master in July:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=deb08658e2a6b1647a7213a316c6f3019bcdce48
Comment 8 Alan Coopersmith 2013-02-10 17:44:40 UTC
*** Bug 43988 has been marked as a duplicate of this bug. ***