Bug 36108 - Use of released memory
Summary: Use of released memory
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: 7.6 (2010.12)
Hardware: x86-64 (AMD64) All
: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords: patch
: 43988 (view as bug list)
Depends on:
Blocks: xserver-1.13
  Show dependency treegraph
 
Reported: 2011-04-10 01:35 UTC by Zdenek Kabelac
Modified: 2013-02-10 17:44 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

Attachments
Don't copy stale pointers (5.17 KB, patch)
2012-03-16 04:35 UTC, Chris Wilson 		no flags Details | Splinter Review
Don't copy stale pointers (5.31 KB, patch)
2012-05-29 04:19 UTC, Chris Wilson 		no flags Details | Splinter Review
Show Obsolete (1) View All

Description Zdenek Kabelac 2011-04-10 01:35:28 UTC 
Hi

My valgrind test seems to be showing usage of released memory during console switching:

(Unsure which part of Xorg is the real cause - maybe libXfixes ??)
(intel is 8dc99b305a514dcd42c4260698e685a66dc95518  (Apr 4))
xorg-x11-server-Xorg-1.10.0-7.fc15.x86_64
libXfixes-5.0-1.fc16.x86_64


Anyway - here is the valgrind log:

Invalid read of size 1
   at 0x4C28DA2: __GI_strlen (mc_replace_strmem.c:284)
   by 0x69D2595: strdup (strdup.c:42)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
 Address 0x784c060 is 0 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   b 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x4C28DB4: __GI_strlen (mc_replace_strmem.c:284)
   by 0x69D2595: strdup (strdup.c:42)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
 Address 0x784c061 is 1 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADA2: __GI_memcpy (memcpy.S:191)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c060 is 0 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADA5: __GI_memcpy (memcpy.S:192)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c068 is 8 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADA9: __GI_memcpy (memcpy.S:193)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c070 is 16 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 8
   at 0x69DADAD: __GI_memcpy (memcpy.S:194)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c078 is 24 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x69DACDE: __GI_memcpy (memcpy.S:66)
   by 0x46455D: XNFstrdup (utils.c:1138)
   by 0x48E08B: xf86DuplicateMode (xf86Modes.c:209)
   by 0x489A15: xf86CrtcSetModeTransform (xf86Crtc.c:275)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
 Address 0x784c080 is 0 bytes after a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x4C28FB0: strncpy (mc_replace_strmem.c:339)
   by 0x8A9C100: intel_crtc_set_mode_major (intel_display.c:322)
   by 0x489B18: xf86CrtcSetModeTransform (xf86Crtc.c:302)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
   by 0x42E8D9: Dispatch (dispatch.c:367)
 Address 0x784c060 is 0 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)

Invalid read of size 1
   at 0x4C28FC8: strncpy (mc_replace_strmem.c:339)
   by 0x8A9C100: intel_crtc_set_mode_major (intel_display.c:322)
   by 0x489B18: xf86CrtcSetModeTransform (xf86Crtc.c:302)
   by 0x48A3A0: xf86SetDesiredModes (xf86Crtc.c:2726)
   by 0x8A9E177: I830EnterVT (intel_driver.c:1108)
   by 0x49066E: xf86RandR12EnterVT (xf86RandR12.c:1739)
   by 0x52C640: xf86XVEnterVT (xf86xv.c:1325)
   by 0x804312C: glxDRIEnterVT (glxdri2.c:616)
   by 0x46BE86: xf86Wakeup (xf86Events.c:527)
   by 0x432ABA: WakeupHandler (dixutils.c:419)
   by 0x45B708: WaitForSomething (WaitFor.c:235)
   by 0x42E8D9: Dispatch (dispatch.c:367)
 Address 0x784c061 is 1 bytes inside a block of size 32 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x44BEAF: FreeResource (resource.c:597)
   by 0x4A9C0E: ProcXFixesDestroyRegion (region.c:318)
   by 0x42EB40: Dispatch (dispatch.c:431)
   by 0x422DC9: main (main.c:287)
Comment 1 Alan Coopersmith 2011-04-10 09:59:54 UTC 
(In reply to comment #0)
> (Unsure which part of Xorg is the real cause - maybe libXfixes ??)

libXfixes is the client side library, not used in the X server.
ProcXFixes* is in the core X server source code.
Comment 2 Chris Wilson 2012-03-16 04:35:36 UTC 
Created attachment 58548 [details] [review]
Don't copy stale pointers
Comment 3 Chris Wilson 2012-05-29 04:19:49 UTC 
Created attachment 62203 [details] [review]
Don't copy stale pointers
Comment 4 Zdenek Kabelac 2012-06-24 13:19:03 UTC 
Any release date of Xorg with this bugfix ?

Currently still present within: 

xorg-x11-server-Xorg-1.12.2-3.fc18.x86_64
Comment 5 Alan Coopersmith 2012-06-24 13:56:21 UTC 
(In reply to comment #4)
> Any release date of Xorg with this bugfix ?

Not until after it gets checked into git master, which doesn't seem to
have happened yet.    That's likely to happen sooner if the patch gets
mailed to xorg-devel than if you wait for someone to sweep through
bugzilla looking for patches that aren't applied yet to send to xorg-devel
themselves.

http://www.x.org/wiki/Development/Documentation/SubmittingPatches
Comment 6 Chris Wilson 2012-06-25 03:13:57 UTC 
Latest version of the patch:

http://lists.x.org/archives/xorg-devel/2012-June/031873.html
msg-id:4FE32FF5.7030201@canonical.com
Comment 7 Alan Coopersmith 2013-02-10 17:28:15 UTC 
That patch was accepted to git master in July:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=deb08658e2a6b1647a7213a316c6f3019bcdce48
Comment 8 Alan Coopersmith 2013-02-10 17:44:40 UTC 
*** Bug 43988 has been marked as a duplicate of this bug. ***

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.