Bug 178196 - Crash when destroying OpenGL widget
Summary: Crash when destroying OpenGL widget
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: xorg-x11
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Adam Jackson
Reported: 2006-01-18 15:43 UTC by Bastien Nocera
Modified: 2008-04-22 19:05 UTC

Doc Type: Bug Fix
Last Closed: 2008-04-22 19:05:55 UTC


Attachments
foo.c (1.10 KB, text/plain), 2006-01-18 15:49 UTC, Bastien Nocera
xorg-x11-6.8.2-libGLw-use-system-motif-headers.patch (426 bytes, patch), 2006-05-16 14:12 UTC, Mike A. Harris


Links
FreeDesktop.org (Old): 1382

Description Bastien Nocera 2006-01-18 15:43:16 UTC
xorg-x11-libs-6.8.2-1.EL.13.24

The following testcase crashes with a double-free when glwMDrawingAreaWidget is
destroyed.
I'm not 100% sure the problem is with libGLw, or with motif.

Backtrace:
#0  _XmStringCacheFree (caches=0xe055420f) at XmString.c:2749
#1  0x00c4b3d1 in _XmStringEntryFree (entry=0x9c8f24) at XmString.c:5968
#2  0x00c4b47b in XmStringFree (string=0x97bbc88) at XmString.c:6007
#3  0x00c70705 in Destroy (w=0x97bbb48) at Primitive.c:932
#4  0x00126aa7 in _XtCreateHookObj () from /usr/X11R6/lib/libXt.so.6
#5  0x0012694a in _XtCreateHookObj () from /usr/X11R6/lib/libXt.so.6
#6  0x00126e0d in _XtCreateHookObj () from /usr/X11R6/lib/libXt.so.6
#7  0x0012706c in _XtDoPhase2Destroy () from /usr/X11R6/lib/libXt.so.6
#8  0x001271ed in XtDestroyWidget () from /usr/X11R6/lib/libXt.so.6
#9  0x08049065 in create_window (dis=0x97ae480, app_shell=0x97a4a98)
    at foo.c:28
#10 0x08049114 in main (argc=1, argv=0xbfe074d4) at foo.c:50

valgrind says:
==27214== Invalid read of size 1
==27214==    at 0xC4B439: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BC8 is 0 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==
==27214== Invalid read of size 1
==27214==    at 0xC4B4A8: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BCB is 3 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==
==27214== Invalid read of size 4
==27214==    at 0xC4B4AC: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BC8 is 0 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==
==27214== Invalid write of size 4
==27214==    at 0xC4B4C6: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BC8 is 0 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
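
An added triage sketch, not part of the bug report or of any project's code: it groups Memcheck "inside a block ... free'd" records by the base address of the freed block and names the first non-allocator frame that released it. The input is two of the four records above, trimmed to the frames the parser uses; triage() and its field names are this example's own.

```python
import re
from collections import defaultdict

# Two of the report's four Memcheck records, trimmed to the frames used below.
LOG = """\
==27214== Invalid read of size 1
==27214==    at 0xC4B4A8: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==  Address 0x1BB86BCB is 3 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==
==27214== Invalid write of size 4
==27214==    at 0xC4B4C6: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==  Address 0x1BB86BC8 is 0 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
"""

ERR = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\w+) \((?:in )?([^)]+)\)")
ALLOC_WRAPPERS = {"free", "XtFree"}  # frames that only forward to the allocator

def triage(log):
    """Map freed-block base address -> size, freeing frame, later accesses."""
    blocks = defaultdict(lambda: {"size": None, "freed_by": None, "accesses": []})
    kind = user = cur = None
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)
        if m := ERR.match(line):               # start of a new error record
            kind, user, cur = (m.group(1), int(m.group(2))), None, None
        elif m := ADDR.match(line):            # switch from access stack to free stack
            offset = int(m.group(2))
            cur = blocks[int(m.group(1), 16) - offset]
            cur["size"] = int(m.group(3))
            cur["accesses"].append((kind[0], kind[1], offset, user))
        elif m := FRAME.match(line):           # frames without a symbol name are skipped
            if cur is None:
                user = user or m.groups()      # innermost frame touching the block
            elif cur["freed_by"] is None and m.group(1) not in ALLOC_WRAPPERS:
                cur["freed_by"] = m.groups()   # first frame above the allocator wrappers
    return dict(blocks)
```

On this input both records collapse to one 32-byte block at 0x1BB86BC8, released by Destroy in /tmp/foo and afterwards read and written by XmStringFree in libXm.so.3.0.2.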

Comment 1 Bastien Nocera 2006-01-18 15:49:38 UTC
Created attachment 123380
foo.c

This same testcase works fine on rawhide.

Comment 2 Bastien Nocera 2006-01-18 16:03:14 UTC
same as bug #132160 (but for RHEL4)
Upstream bug at:
https://bugs.freedesktop.org/show_bug.cgi?id=1382

Comment 9 Mike A. Harris 2006-05-16 14:12:46 UTC
Created attachment 129195
xorg-x11-6.8.2-libGLw-use-system-motif-headers.patch

Proposed solution.

Comment 12 Søren Sandmann Pedersen 2007-01-08 22:35:29 UTC
Added Mike's patch and a BuildRequires on openmotif-devel.


Comment 15 Søren Sandmann Pedersen 2007-02-28 18:31:49 UTC
Maybe some combination of -lGL, -lXm or -lXt?


Comment 16 Suzanne Hillman 2007-03-01 17:50:52 UTC
Ok, noticed lovely gcc line in the source, and can now compile. But I see seg
faults both before and after upgrading to the errata files
(xorg-x11-6.8.2-1.EL.13.55). And nothing else happens. What _should_ I be seeing?

Comment 18 Bastien Nocera 2007-03-01 17:54:02 UTC
You need to update the -devel package, and recompile your application, IIRC.

Comment 19 Suzanne Hillman 2007-03-01 20:34:49 UTC
Bastien - 

I updated all the packages, including xorg-x11-devel, and did recompile the
foo.c file. It still seg faults when run. I even made sure and removed the
previously compiled file just in case the expected behavior was not the actual
behavior.

Comment 22 Søren Sandmann Pedersen 2007-03-01 23:30:13 UTC
I wonder if the libGLw build still picks up the cut-and-pasted headers. They
are still there; maybe we should patch them away so the build will break if they
are included.

Comment 24 Adam Jackson 2007-04-11 19:57:16 UTC
Moving to 4.6

Comment 25 Adam Jackson 2007-07-31 17:45:24 UTC
So, I tried a build where I nuked all the Motif headers from xc/lib/GLw/GLwXm/,
and got this:

GLwM1DrawA.c:49:22: GLwXm/Xm.h: No such file or directory
GLwM1DrawA.c:50:30: GLwXm/PrimitiveP.h: No such file or directory
[ and lots more ]

So the reason it didn't work was that GLw was asking for its own copy of the
headers explicitly!  Yay monolith.  Trying again with a build with the openmotif
headers symlinked across.

Comment 27 Suzanne Logcher 2007-09-17 20:09:57 UTC
This request was previously evaluated by Red Hat Product Management
for inclusion in the current Red Hat Enterprise Linux release, but
Red Hat was unable to resolve it in time.  This request will be
reviewed for a future Red Hat Enterprise Linux release.

Comment 28 RHEL Program Management 2007-11-29 04:26:22 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

