From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051018 Fedora/1.7.12-2

Description of problem:

*** glibc detected *** ./a.out: double free or corruption (fasttop): 0x09c2b020 ***
======= Backtrace: =========
/lib/libc.so.6[0x4208e0]
/lib/libc.so.6(__libc_free+0x79)[0x420fa2]
/usr/lib/libX11.so.6(XPolygonRegion+0xc38)[0x553953]
./a.out[0x8048464]
/lib/libc.so.6(__libc_start_main+0xdf)[0x3d262f]
./a.out[0x80483a1]
Aborted

Version-Release number of selected component (if applicable):
libX11-0.99.3-3

How reproducible:
Always

Steps to Reproduce:
1. gcc testme.c -lX11
2. ./a.out

Actual Results: crash

Expected Results: no crash

Additional info:
affects OOo impress, ok in FC-4
Created attachment 121295 [details] sample program
*** Bug 173799 has been marked as a duplicate of this bug. ***
ooo backtrace for reference

#6 0x00553953 in XPolygonRegion () from /usr/lib/libX11.so.6
#7 0x00e71e7e in X11SalGraphics::drawPolyPolygon (this=0x52b2530, nPoly=4, pPoints=0xbf9d4220, pPtAry=0xbf9d41a0) at /usr/src/debug/SRC680_m141/vcl/unx/source/gdi/salgdi.cxx:843
#8 0x03c6e29b in SalGraphics::DrawPolyPolygon (this=0x52b2530, nPoly=4, pPoints=0xbf9d4220, pPtAry=0xbf9d41a0, pOutDev=0x52c35d0) at /usr/src/debug/SRC680_m141/vcl/source/gdi/salgdilayout.cxx:347
#9 0x03c069e1 in OutputDevice::ImplDrawPolyPolygon (this=0x52c35d0, nPoly=4, rPolyPoly=@0xbf9d42c8) at /usr/src/debug/SRC680_m141/vcl/source/gdi/outdev.cxx:344
#10 0x03c092b2 in OutputDevice::DrawPolyPolygon (this=0x52c35d0, rPolyPoly=@0xbf9d465c) at /usr/src/debug/SRC680_m141/vcl/source/gdi/outdev.cxx:2467
#11 0x087895f2 in XOutputDevice::ImpDrawFillPolyPolygon (this=0x539fe60, rPolyPoly=@0xbf9d465c, bRect=0 '\0', bPrinter=0 '\0') at /usr/src/debug/SRC680_m141/svx/source/xoutdev/_ximp.cxx:138
#12 0x08789eba in XOutputDevice::DrawFillPolyPolygon (this=0x539fe60, rPolyPoly=@0xbf9d465c, bRect=0 '\0') at /usr/src/debug/SRC680_m141/svx/source/xoutdev/_ximp.cxx:119
#13 0x08763908 in XOutputDevice::DrawXPolyPolygon (this=0x539fe60, rXPolyPoly=@0x3478574) at /usr/src/debug/SRC680_m141/svx/source/xoutdev/xout.cxx:365
#14 0x0855a709 in SdrPathObj::DoPaintObject (this=0x34784b0, rXOut=@0x539fe60, rInfoRec=@0x332f370) at /usr/src/debug/SRC680_m141/svx/source/svdraw/svdopath.cxx:411
#15 0x08522d37 in sdr::contact::ViewContactOfSdrObj::PaintObject (this=0x34799e0, rDisplayInfo=@0xbf9d4c30, rPaintRectangle=@0xbf9d4784, rAssociatedVOC=@0x5421620) at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewcontactofsdrobj.cxx:260
#16 0x08528c79 in sdr::contact::ViewObjectContact::PaintObject (this=0x5421620, rDisplayInfo=@0xbf9d4c30) at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewobjectcontact.cxx:288
#17 0xb6f8f6bb in sd::ViewRedirector::PaintObject (this=0xbf9d4d98, rOriginal=@0x5421620, rDisplayInfo=@0xbf9d4c30) at /usr/src/debug/SRC680_m141/sd/source/ui/view/sdview.cxx:454
#18 0x08528d8d in sdr::contact::ViewObjectContact::PaintObjectHierarchy (this=0x5421620, rDisplayInfo=@0xbf9d4c30) at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewobjectcontact.cxx:367
#19 0x08528e26 in sdr::contact::ViewObjectContact::PaintDrawHierarchy (this=0x54214c8, rDisplayInfo=@0xbf9d4c30) at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewobjectcontact.cxx:326
Please report to X.Org bugzilla, http://bugs.freedesktop.org in "xorg" component, and mark it as blocking bug 1690 the release blocker. Final freeze for RC3 is soon, so this will flag it for investigation for X11R7. After you file, please paste the upstream URL here for tracking. TIA
*** Bug 175409 has been marked as a duplicate of this bug. ***
https://bugs.freedesktop.org/show_bug.cgi?id=5125
This was fixed in X11R7.0 release already, indicated in upstream report:

------- Additional comment #3 from Kevin E. Martin on 2005-12-10 02:30 -------
Thanks Caolan! The sample code helped me track down the problem -- it turned out to be that Xlib requires not only malloc(0) return a valid pointer, but also realloc(ptr,0) return a valid pointer. However, most systems treat realloc(ptr,0) as free(ptr). I fixed it by updating the macro to set the MALLOC_0_RETURNS_NULL define.
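
The failure mode named in the upstream comment, modelled as an added example (not Xlib code and not the attached sample program). It assumes a caller that reads a NULL return from realloc as "allocation failed, old buffer still owned"; Block, model_realloc, model_free, model_xrealloc and shrink are hypothetical names, and frees are counted instead of performing a real double free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: counts free requests so a double free is observable
   without triggering real undefined behaviour. */
typedef struct { void *mem; int frees; } Block;

/* Models a libc where realloc(ptr, 0) frees ptr and returns NULL. */
static void *model_realloc(Block *b, size_t size) {
    if (size == 0) { free(b->mem); b->mem = NULL; b->frees++; return NULL; }
    void *p = realloc(b->mem, size);
    if (p) b->mem = p;
    return p;
}

/* Records the request; the real free() only ever sees live memory or NULL. */
static void model_free(Block *b) {
    b->frees++;
    free(b->mem);
    b->mem = NULL;
}

/* Hypothetical wrapper in the style of the fix: a zero size never reaches realloc. */
static void *model_xrealloc(Block *b, size_t size) {
    return model_realloc(b, size == 0 ? 1 : size);
}

/* Assumed caller pattern: NULL is read as "out of memory, old buffer is
   still mine", so the error path frees the old buffer. */
static int shrink(Block *b, size_t n, int use_wrapper) {
    void *p = use_wrapper ? model_xrealloc(b, n * sizeof(int))
                          : model_realloc(b, n * sizeof(int));
    if (p == NULL) {
        model_free(b);   /* second free if realloc(ptr, 0) already freed it */
        return -1;
    }
    return 0;
}

/* Number of free requests made for one block that is shrunk to 0 elements. */
int frees_after_shrink_to_zero(int use_wrapper) {
    Block b = { malloc(4 * sizeof(int)), 0 };
    if (b.mem == NULL) return -1;
    if (shrink(&b, 0, use_wrapper) == 0)
        model_free(&b);  /* normal cleanup by the owner */
    return b.frees;
}

int main(void) {
    printf("plain: %d frees, wrapped: %d frees\n",
           frees_after_shrink_to_zero(0), frees_after_shrink_to_zero(1));
    return 0;
}
```

Two free requests for one block is the condition glibc reports as "double free or corruption"; with the zero size bumped to 1 the block is released exactly once.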