Bug 178196 - Crash when destroying OpenGL widget
Crash when destroying OpenGL widget
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: xorg-x11 (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Adam Jackson
: Desktop
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-01-18 10:43 EST by Bastien Nocera
Modified: 2008-04-22 15:05 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-22 15:05:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
foo.c (1.10 KB, text/plain)
2006-01-18 10:49 EST, Bastien Nocera
no flags Details
xorg-x11-6.8.2-libGLw-use-system-motif-headers.patch (426 bytes, patch)
2006-05-16 10:12 EDT, Mike A. Harris
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
FreeDesktop.org (Old) 1382 None None None Never

  None (edit)
Description Bastien Nocera 2006-01-18 10:43:16 EST
xorg-x11-libs-6.8.2-1.EL.13.24

The following testcase crashes with a double-free when glwMDrawingAreaWidget is
destroyed.
I'm not 100% sure the problem is with libGLw, or with motif.

Backtrace:
#0  _XmStringCacheFree (caches=0xe055420f) at XmString.c:2749
#1  0x00c4b3d1 in _XmStringEntryFree (entry=0x9c8f24) at XmString.c:5968
#2  0x00c4b47b in XmStringFree (string=0x97bbc88) at XmString.c:6007
#3  0x00c70705 in Destroy (w=0x97bbb48) at Primitive.c:932
#4  0x00126aa7 in _XtCreateHookObj () from /usr/X11R6/lib/libXt.so.6
#5  0x0012694a in _XtCreateHookObj () from /usr/X11R6/lib/libXt.so.6
#6  0x00126e0d in _XtCreateHookObj () from /usr/X11R6/lib/libXt.so.6
#7  0x0012706c in _XtDoPhase2Destroy () from /usr/X11R6/lib/libXt.so.6
#8  0x001271ed in XtDestroyWidget () from /usr/X11R6/lib/libXt.so.6
#9  0x08049065 in create_window (dis=0x97ae480, app_shell=0x97a4a98)
    at foo.c:28
#10 0x08049114 in main (argc=1, argv=0xbfe074d4) at foo.c:50

valgrind says:
==27214== Invalid read of size 1
==27214==    at 0xC4B439: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BC8 is 0 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==
==27214== Invalid read of size 1
==27214==    at 0xC4B4A8: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BCB is 3 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==
==27214== Invalid read of size 4
==27214==    at 0xC4B4AC: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BC8 is 0 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==
==27214== Invalid write of size 4
==27214==    at 0xC4B4C6: XmStringFree (in /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0xC70704: (within /usr/X11R6/lib/libXm.so.3.0.2)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x1B932949: (within /usr/X11R6/lib/libXt.so.6.0)
==27214==  Address 0x1BB86BC8 is 0 bytes inside a block of size 32 free'd
==27214==    at 0x1B904EA5: free (vg_replace_malloc.c:153)
==27214==    by 0x1B92921E: XtFree (in /usr/X11R6/lib/libXt.so.6.0)
==27214==    by 0x80498BC: Destroy (in /tmp/foo)
==27214==    by 0x1B932AA6: (within /usr/X11R6/lib/libXt.so.6.0)
Comment 1 Bastien Nocera 2006-01-18 10:49:38 EST
Created attachment 123380 [details]
foo.c

This same testcase works fine on rawhide.
Comment 2 Bastien Nocera 2006-01-18 11:03:14 EST
same as bug #132160 (but for RHEL4)
Upstream bug at:
https://bugs.freedesktop.org/show_bug.cgi?id=1382
Comment 9 Mike A. Harris 2006-05-16 10:12:46 EDT
Created attachment 129195 [details]
xorg-x11-6.8.2-libGLw-use-system-motif-headers.patch

Proposed solution.
Comment 12 Søren Sandmann Pedersen 2007-01-08 17:35:29 EST
Added Mike's patch and a BuildRequires on openmotif-devel.
Comment 15 Søren Sandmann Pedersen 2007-02-28 13:31:49 EST
Maybe some combination of -lGL, -lXm or -lXt?
Comment 16 Suzanne Hillman 2007-03-01 12:50:52 EST
Ok, noticed lovely gcc line in the source, and can now compile. But I see seg
faults both before and after upgrading to the errata files
(xorg-x11-6.8.2-1.EL.13.55). And nothing else happens. What _should_ I be seeing?
Comment 18 Bastien Nocera 2007-03-01 12:54:02 EST
You need to update the -devel package, and recompile your application, IIRC.
Comment 19 Suzanne Hillman 2007-03-01 15:34:49 EST
Bastien - 

I updated all the packages, including xorg-x11-devel, and did recompile the
foo.c file. It still seg faults when run. I even made sure and removed the
previously compiled file just in case the expected behavior was not the actual
behaior.
Comment 22 Søren Sandmann Pedersen 2007-03-01 18:30:13 EST
I wonder if the libGLw build still picks up the cutted-and-pasted headers. They
are still there; maybe we should patch them away so the build will break if they
are included.
Comment 24 Adam Jackson 2007-04-11 15:57:16 EDT
Moving to 4.6
Comment 25 Adam Jackson 2007-07-31 13:45:24 EDT
So, I tried a build where I nuked all the Motif headers from xc/lib/GLw/GLwXm/,
and got this:

GLwM1DrawA.c:49:22: GLwXm/Xm.h: No such file or directory
GLwM1DrawA.c:50:30: GLwXm/PrimitiveP.h: No such file or directory
[ and lots more ]

So the reason it didn't work was that GLw was asking for its own copy of the
headers explicitly!  Yay monolith.  Trying again with a build with the openmotif
headers symlinked across.
Comment 27 Suzanne Yeghiayan 2007-09-17 16:09:57 EDT
This request was previously evaluated by Red Hat Product Management
for inclusion in the current Red Hat Enterprise Linux release, but
Red Hat was unable to resolve it in time.  This request will be
reviewed for a future Red Hat Enterprise Linux release.
Comment 28 RHEL Product and Program Management 2007-11-28 23:26:22 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Note You need to log in before you can comment on or make changes to this bug.