
desktop-packages team mailing list archive

[Bug 1224296] Re: X crashes due to freed memory read in damageDestroyPixmap() from sna_early_close_screen() from xf86CrtcCloseScreen()


XMir 1.0 (the old Xorg extension) is now deprecated and is not being
maintained or fixed. It is replaced by the new 'Xmir' binary (package
'xmir') introduced in Ubuntu 15.10 wily.

** Changed in: xorg-server (Ubuntu)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to xorg-server in Ubuntu.
https://bugs.launchpad.net/bugs/1224296

Title:
  X crashes due to freed memory read in damageDestroyPixmap() from
  sna_early_close_screen() from xf86CrtcCloseScreen()

Status in xorg-server package in Ubuntu:
  Won't Fix

Bug description:
  XMir: DDX memory use after being freed from libmirclient. Though it
  looks like bug 1221616 might be the root cause, so see that first.

  ==32480== Invalid read of size 8
  ==32480==    at 0x234D84: damageDestroyPixmap (damage.c:1544)
  ==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
  ==32480==    by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
  ==32480==    by 0x1EB64D: CursorCloseScreen (cursor.c:193)
  ==32480==    by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
  ==32480==    by 0x14C636: main (main.c:351)
  ==32480==  Address 0xb98d190 is 16 bytes inside a block of size 296 free'd
  ==32480==    at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==32480==    by 0x8A03F07: __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (new_allocator.h:110)
  ==32480==    by 0x8A03CB0: std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (alloc_traits.h:377)
  ==32480==    by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (shared_ptr_base.h:417)
  ==32480==    by 0x89E1091: std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (shared_ptr_base.h:161)
  ==32480==    by 0x89E0EC0: std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (shared_ptr_base.h:553)
  ==32480==    by 0x89E6711: std::__shared_ptr<MirBufferPackage, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
  ==32480==    by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() (shared_ptr.h:93)
  ==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
  ==32480==    by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, void*), void*) (mir_surface.cpp:215)
  ==32480==    by 0x8A04A12: google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, void*), void*>::Run() (common.h:969)
  ==32480==    by 0x8A1E81A: mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*, google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)
  ==32480==
  ==32480== Invalid read of size 4
  ==32480==    at 0x234E03: damageDestroyPixmap (damage.c:1548)
  ==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
  ==32480==    by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
  ==32480==    by 0x1EB64D: CursorCloseScreen (cursor.c:193)
  ==32480==    by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
  ==32480==    by 0x14C636: main (main.c:351)
  ==32480==  Address 0xb98d1a8 is 40 bytes inside a block of size 296 free'd
  ==32480==    at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==32480==    by 0x8A03F07: __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (new_allocator.h:110)
  ==32480==    by 0x8A03CB0: std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (alloc_traits.h:377)
  ==32480==    by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (shared_ptr_base.h:417)
  ==32480==    by 0x89E1091: std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (shared_ptr_base.h:161)
  ==32480==    by 0x89E0EC0: std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (shared_ptr_base.h:553)
  ==32480==    by 0x89E6711: std::__shared_ptr<MirBufferPackage, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
  ==32480==    by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() (shared_ptr.h:93)
  ==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
  ==32480==    by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, void*), void*) (mir_surface.cpp:215)
  ==32480==    by 0x8A04A12: google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, void*), void*>::Run() (common.h:969)
  ==32480==    by 0x8A1E81A: mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*, google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1224296/+subscriptions
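The two memcheck records in the report are the whole evidence for this bug: each says where the stale read happened (top of the first stack), how far into the freed block it landed, and which frame released the block (the first non-allocator frame of the second stack). The script below is an added example, not code from the bug report, the X server or Mir: it parses memcheck "Invalid read/write" records into that triage data, skips allocator and `std::` plumbing in the freeing stack to find the frame that actually dropped the object, and recovers the base address of the freed block so that separate records hitting the same allocation can be grouped. The `SAMPLE` input is the report's own records with the freeing stacks shortened; the frame-skipping prefix list is an assumption about what counts as plumbing.

```python
"""Turn valgrind memcheck "Invalid read/write" records into triage data.
Added example, not part of the bug report or of the xorg-server/Mir code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the records from the report above, freeing stacks shortened.
SAMPLE = """\
==32480== Invalid read of size 8
==32480==    at 0x234D84: damageDestroyPixmap (damage.c:1544)
==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
==32480==    by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
==32480==    by 0x14C636: main (main.c:351)
==32480==  Address 0xb98d190 is 16 bytes inside a block of size 296 free'd
==32480==    at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32480==    by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() (shared_ptr.h:93)
==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
==32480==    by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, void*), void*) (mir_surface.cpp:215)
==32480==
==32480== Invalid read of size 4
==32480==    at 0x234E03: damageDestroyPixmap (damage.c:1548)
==32480==    by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
==32480==  Address 0xb98d1a8 is 40 bytes inside a block of size 296 free'd
==32480==    at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32480==    by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
"""

PREFIX = re.compile(r"^==\d+==\s?")
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
# C++ function names contain parentheses, so the location is the trailing
# parenthesised group that itself contains no parentheses.
FRAME = re.compile(r"^\s*(?:at|by) 0x([0-9A-Fa-f]+): (.*) \(([^()]+)\)$")
ADDRESS = re.compile(
    r"^\s*Address 0x([0-9A-Fa-f]+) is (\d+) bytes (?:inside|before|after) "
    r"a block of size (\d+) (free'd|alloc'd)$"
)
# Assumed list of frames that only show how memory was released, not who decided to.
PLUMBING = ("operator delete", "free", "std::", "__gnu_cxx::", "vgpreload")


@dataclass
class Frame:
    addr: int
    func: str
    loc: str


@dataclass
class InvalidAccess:
    kind: str
    size: int
    access_stack: List[Frame] = field(default_factory=list)
    addr: Optional[int] = None          # faulting address
    offset: Optional[int] = None        # bytes into the block
    block_size: Optional[int] = None
    block_state: Optional[str] = None   # free'd or alloc'd
    block_stack: List[Frame] = field(default_factory=list)  # who freed/allocated it

    @property
    def block_base(self) -> Optional[int]:
        """Start of the block the access hit; equal bases mean the same allocation."""
        if self.addr is None or self.offset is None:
            return None
        return self.addr - self.offset


def parse_memcheck(text: str) -> List[InvalidAccess]:
    records: List[InvalidAccess] = []
    current: Optional[InvalidAccess] = None
    in_block_stack = False
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue                      # not a memcheck line
        line = raw[m.end():].rstrip()
        if not line:                      # "==PID==" alone terminates a record
            current, in_block_stack = None, False
            continue
        h = HEADER.match(line)
        if h:
            current = InvalidAccess(kind=h.group(1), size=int(h.group(2)))
            records.append(current)
            in_block_stack = False
            continue
        if current is None:
            continue
        a = ADDRESS.match(line)
        if a:                             # switch from access stack to free/alloc stack
            current.addr = int(a.group(1), 16)
            current.offset = int(a.group(2))
            current.block_size = int(a.group(3))
            current.block_state = a.group(4)
            in_block_stack = True
            continue
        f = FRAME.match(line)
        if f:
            frame = Frame(int(f.group(1), 16), f.group(2), f.group(3))
            (current.block_stack if in_block_stack else current.access_stack).append(frame)
    return records


def first_app_frame(stack: List[Frame]) -> Optional[Frame]:
    """Skip allocator/library plumbing to reach the frame that owns the decision."""
    for frame in stack:
        if not frame.func.startswith(PLUMBING):
            return frame
    return None


def summarize(records: List[InvalidAccess]) -> List[Dict[str, object]]:
    out: List[Dict[str, object]] = []
    for r in records:
        top = r.access_stack[0] if r.access_stack else None
        owner = first_app_frame(r.block_stack)
        out.append({
            "access": f"{r.kind} of {r.size} bytes",
            "at": f"{top.func} ({top.loc})" if top else "?",
            "block": (f"0x{r.block_base:x}+{r.offset} (size {r.block_size}, {r.block_state})"
                      if r.block_base is not None else "?"),
            "released_by": owner.func if owner else "?",
            "released_at": owner.loc if owner else "?",
        })
    return out


if __name__ == "__main__":
    for row in summarize(parse_memcheck(SAMPLE)):
        print(row)
```

Run against the report's records, both reads resolve to the same block base (0xb98d190 minus 16 and 0xb98d1a8 minus 40 both give 0xb98d180), so the two memcheck records are one dangling pointer into a single 296-byte allocation, released from `MirSurface::process_incoming_buffer()` at `mir_surface.cpp:179` while `damageDestroyPixmap` still dereferenced it on the close-screen path.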