[Wayland-bugs] [Bug 67231] weston_release_seat() double frees focus_state

bugzilla-daemon at freedesktop.org
Wed Jul 24 09:57:38 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=67231

--- Comment #4 from Mariusz Ceier <mceier+freedesktop at gmail.com> ---
Created attachment 82945
  --> https://bugs.freedesktop.org/attachment.cgi?id=82945&action=edit
GDB script for printing arguments of rdp_peer_context_free

Applied both patches, and they didn't solve the problem.
rdp_peer_context_free is called only once; below are the values of the arguments
passed and the contents of context:

client = 0x6435c0 context = 0x693970

$1 = {_p = {instance = 0x0, peer = 0x6435c0, paddingA = {0 <repeats 14 times>}, argc = 0, argv = 0x0, pubSub = 0x0, paddingB = {
      0 <repeats 13 times>}, rdp = 0x6436e0, gdi = 0x0, rail = 0x0, cache = 0x0, channels = 0x0, graphics = 0x0, input = 0x65be40,
    update = 0x65bf00, settings = 0x649920, paddingC = {0 <repeats 23 times>}, paddingD = {0 <repeats 32 times>}, paddingE = {
      0 <repeats 32 times>}}, rdpCompositor = 0x6404a0, events = {0x6a9710, 0x0 <repeats 31 times>}, rfx_context = 0x694010,
  encode_stream = 0x6953b0, rfx_rects = 0x0, nsc_context = 0x6952e0, item = {flags = 3, peer = 0x6435c0, seat = {
      base_resource_list = {prev = 0x6ad910, next = 0x71fc30}, global = 0x6a5400, pointer = 0x6bc360, keyboard = 0x6af6a0,
      touch = 0x0, output = 0x0, destroy_signal = {listener_list = {prev = 0x6db2a8, next = 0x6a5480}}, compositor = 0x6404a0,
      link = {prev = 0x640600, next = 0x640600}, modifier_state = (unknown: 0), saved_kbd_focus = 0x0, saved_kbd_focus_listener = {
        link = {prev = 0x0, next = 0x0}, notify = 0x0}, drag_resource_list = {prev = 0x6ad970, next = 0x71fc90},
      selection_serial = 0, selection_data_source = 0x0, selection_data_source_listener = {link = {prev = 0x0, next = 0x0},
        notify = 0x0}, selection_signal = {listener_list = {prev = 0x6a5468, next = 0x6a5468}}, num_tp = 0, led_update = 0x0,
      xkb_info = {keymap = 0x6ae570, keymap_fd = 36, keymap_size = 45099,
        keymap_area = 0x7ffff7fb4000 "xkb_keymap {\nxkb_keycodes \"evdev+aliases(qwerty)\" {\n\tminimum = 8;\n\tmaximum = 255;\n\t<ESC>", ' ' <repeats 16 times>, "= 9;\n\t<AE01>", ' ' <repeats 15 times>, "= 10;\n\t<AE02>", ' ' <repeats 15 times>, "= 11;\n\t<AE03>", ' ' <repeats 15 times>, "= 12;\n\t<AE04>"..., shift_mod = 0, caps_mod = 1, ctrl_mod = 2, alt_mod = 3, mod2_mod = 4, mod3_mod = 5,
        super_mod = 6, mod5_mod = 7, num_led = 1, caps_led = 0, scroll_led = 2}, xkb_state = {state = 0x6ca580,
        leds = (unknown: 0)}, input_method = 0x6a54b0, seat_name = 0x6a5440 "rdp:25:127.0.0.1"}, link = {prev = 0x641e90,
      next = 0x641e90}}}


The attached gdb script prints these values when rdp_peer_context_free is called
(run "gdb -x gdbscript" to use it).

Valgrind backtrace with the patches applied:

==7008== Invalid read of size 8
==7008==    at 0x419D5D: unbind_input_method (text-backend.c:743)
==7008==    by 0x4E3AA8D: destroy_resource (wayland-server.c:434)
==7008==    by 0x4E407B9: for_each_helper (wayland-util.c:353)
==7008==    by 0x4E407F5: wl_map_for_each (wayland-util.c:359)
==7008==    by 0x4E3ADA5: wl_client_destroy (wayland-server.c:574)
==7008==    by 0x41A2BC: text_backend_notifier_destroy (text-backend.c:931)
==7008==    by 0x408EA8: wl_signal_emit (wayland-server.h:171)
==7008==    by 0x410361: main (compositor.c:3379)
==7008==  Address 0x8825a30 is 112 bytes inside a block of size 120 free'd
==7008==    at 0x4C2AF7C: free (vg_replace_malloc.c:446)
==7008==    by 0x419EE5: input_method_notifier_destroy (text-backend.c:797)
==7008==    by 0x41047C: wl_signal_emit (wayland-server.h:171)
==7008==    by 0x413AE8: weston_seat_release (input.c:1552)
==7008==    by 0x88343B3: rdp_peer_context_free (compositor-rdp.c:603)
==7008==    by 0x883445D: rdp_client_activity (compositor-rdp.c:622)
==7008==    by 0x4E3C967: wl_event_source_fd_dispatch (event-loop.c:86)
==7008==    by 0x4E3D318: wl_event_loop_dispatch (event-loop.c:421)
==7008==    by 0x4E3B615: wl_display_run (wayland-server.c:836)
==7008==    by 0x410340: main (compositor.c:3373)
==7008==
==7008== Invalid write of size 8
==7008==    at 0x419D69: unbind_input_method (text-backend.c:745)
==7008==    by 0x4E3AA8D: destroy_resource (wayland-server.c:434)
==7008==    by 0x4E407B9: for_each_helper (wayland-util.c:353)
==7008==    by 0x4E407F5: wl_map_for_each (wayland-util.c:359)
==7008==    by 0x4E3ADA5: wl_client_destroy (wayland-server.c:574)
==7008==    by 0x41A2BC: text_backend_notifier_destroy (text-backend.c:931)
==7008==    by 0x408EA8: wl_signal_emit (wayland-server.h:171)
==7008==    by 0x410361: main (compositor.c:3379)
==7008==  Address 0x88259c0 is 0 bytes inside a block of size 120 free'd
==7008==    at 0x4C2AF7C: free (vg_replace_malloc.c:446)
==7008==    by 0x419EE5: input_method_notifier_destroy (text-backend.c:797)
==7008==    by 0x41047C: wl_signal_emit (wayland-server.h:171)
==7008==    by 0x413AE8: weston_seat_release (input.c:1552)
==7008==    by 0x88343B3: rdp_peer_context_free (compositor-rdp.c:603)
==7008==    by 0x883445D: rdp_client_activity (compositor-rdp.c:622)
==7008==    by 0x4E3C967: wl_event_source_fd_dispatch (event-loop.c:86)
==7008==    by 0x4E3D318: wl_event_loop_dispatch (event-loop.c:421)
==7008==    by 0x4E3B615: wl_display_run (wayland-server.c:836)
==7008==    by 0x410340: main (compositor.c:3373)
==7008==

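The two Valgrind records in the message above can be triaged mechanically. The following is an added example, not part of the original report or of Weston: it parses an abridged copy of that output, computes each freed block's base as address minus offset, and groups the invalid accesses by block and by the function that freed it. The names `parse_records` and `group_by_block` are illustrative.

```python
import re

# Abridged from the Valgrind output in the report above (middle frames trimmed).
SAMPLE = """\
==7008== Invalid read of size 8
==7008==    at 0x419D5D: unbind_input_method (text-backend.c:743)
==7008==  Address 0x8825a30 is 112 bytes inside a block of size 120 free'd
==7008==    at 0x4C2AF7C: free (vg_replace_malloc.c:446)
==7008==    by 0x419EE5: input_method_notifier_destroy (text-backend.c:797)
==7008==    by 0x413AE8: weston_seat_release (input.c:1552)
==7008== Invalid write of size 8
==7008==    at 0x419D69: unbind_input_method (text-backend.c:745)
==7008==  Address 0x88259c0 is 0 bytes inside a block of size 120 free'd
==7008==    at 0x4C2AF7C: free (vg_replace_malloc.c:446)
==7008==    by 0x419EE5: input_method_notifier_destroy (text-backend.c:797)
==7008==    by 0x413AE8: weston_seat_release (input.c:1552)
"""

HEAD = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address (0x[0-9a-fA-F]+) is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(")

def parse_records(log):
    """Split a Valgrind log into invalid-access records with both stacks."""
    records, cur = [], None
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==", "", raw).strip()
        if m := HEAD.match(line):
            cur = {"kind": m.group(1), "access": [], "freed": [], "block": None}
            records.append(cur)
        elif cur is None:
            continue  # ignore anything before the first error record
        elif m := ADDR.match(line):
            addr, off, size = int(m.group(1), 16), int(m.group(2)), int(m.group(3))
            cur["offset"], cur["block"] = off, (addr - off, size)  # (base, size)
        elif m := FRAME.match(line):
            # Frames after the "Address" line belong to the free() stack.
            cur["freed" if cur["block"] else "access"].append(m.group(1))
    return records

def group_by_block(records):
    """Map each freed block to its free site and the accesses that hit it later."""
    blocks = {}
    for r in filter(lambda r: r["block"], records):
        free_site = next((f for f in r["freed"] if f != "free"), "?")
        entry = blocks.setdefault(r["block"], {"free_site": free_site, "accesses": []})
        entry["accesses"].append((r["kind"], r["offset"], r["access"][0]))
    return blocks
```

On the sample, both records resolve to one 120-byte block at base 0x88259c0, freed in `input_method_notifier_destroy` and later read at offset 112 and written at offset 0 from `unbind_input_method`.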