David Coppa dcoppa at gmail.com
Wed Mar 10 02:55:39 PST 2010

Hi all,

There's a problem with dock windows under i3.

These types of windows have xcb_get_property_value_length(reply) = 0,
while all other windows have 72.

This causes a floating-point exception in the
xcb_get_wm_size_hints_from_reply function, making i3 crash.

This is reproducible by launching:

$ while true ; do date && sleep 1 ; done | dzen2 -dock -ta r

This command always makes i3 crash under OpenBSD 4.7 (OpenBSD -current),
which is my test system, but I had occasional crashes under Linux too
(up-to-date Arch Linux).

I suggest this patch:

diff --git a/icccm/icccm.c b/icccm/icccm.c
index 0206e4b..b86f4e1 100644
--- a/icccm/icccm.c
+++ b/icccm/icccm.c
@@ -441,7 +441,7 @@ xcb_get_wm_size_hints_from_reply(xcb_size_hints_t *hints, xcb_get_property_reply
   uint32_t flags;
-  if(!reply)
+  if(!reply || xcb_get_property_value_length(reply) == 0)
     return 0;
   int length = xcb_get_property_value_length(reply) / (reply->format / 8);
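
Review bot: The added condition tests the dividend of the division on the following context line, but the arithmetic exception comes from the divisor, (reply->format / 8), which is zero whenever reply->format is below 8. A GetProperty reply for a property that is not set carries format 0 together with a zero-length value, so the new check happens to cover the dock-window case, but a reply with a non-empty value and an unexpected format would still reach the division. Consider guarding the divisor itself, for example if(!reply || reply->format < 8) return 0;, or rejecting anything other than the format the size hints are expected in. A short comment above the check saying that windows without the property produce an empty reply would also help the next reader.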

I'd like to have some feedback on this...
Please also have a look at the following gdb backtrace:

Core was generated by `i3'.
Program terminated with signal 8, Arithmetic exception.


#0  0x0f5635a4 in xcb_get_wm_size_hints_from_reply (hints=0xcfbc8070, 
    reply=0x8593fc20) at /usr/xenocara/dist/xcb-util/icccm/icccm.c:442
442	  length = xcb_get_property_value_length(reply) / (reply->format / 8);
(gdb) bt
#0  0x0f5635a4 in xcb_get_wm_size_hints_from_reply (hints=0xcfbc8070, 
    reply=0x8593fc20) at /usr/xenocara/dist/xcb-util/icccm/icccm.c:442
#1  0x1c00e236 in handle_normal_hints (data=0x0, conn=0x7c847000, 
    state=0 '\0', window=8388613, name=40, reply=0x8593fc20)
    at src/handlers.c:844
#2  0x0fb0dbe4 in call_handler (c=0x7c847000, state=0 '\0', window=8388613, 
    atom=40, h=0x8593f188)
    at /usr/xenocara/dist/xcb-util/property/property.c:63
#3  0x0fb0dc6a in xcb_property_changed (prophs=0xcfbc8374, state=0 '\0', 
    window=8388613, atom=40)
    at /usr/xenocara/dist/xcb-util/property/property.c:79
#4  0x1c012d25 in manage_window (prophs=0xcfbc8374, conn=0x7c847000, 
    window=8388613, cookie={sequence = 261}, needs_to_be_mapped=false)
    at src/manage.c:108
#5  0x1c00ca5d in handle_map_request (prophs=0xcfbc8374, conn=0x7c847000, 
    event=0x854616c0) at src/handlers.c:290
#6  0x0c228129 in xcb_event_handle (evenths=0x3c010f40, event=0x854616c0)
    at /usr/xenocara/dist/xcb-util/event/event.c:77
#7  0x1c011299 in xcb_check_cb (loop=0x874ebc00, w=0x8593fd20, revents=32768)
    at src/mainx.c:111
#8  0x02ee95f4 in ev_invoke_pending () from /usr/local/lib/libev.so.0.0
#9  0x02ee9b89 in ev_loop () from /usr/local/lib/libev.so.0.0
#10 0x1c01293d in main (argc=1, argv=0xcfbc8430, env=0xcfbc8438)
    at src/mainx.c:479

David Coppa

