Bug 638553
| Summary: | Destroying a torn-off menu with a submenu mapped causes a crash in OpenMotif | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Olivier Fourdan <ofourdan> | ||||||
| Component: | openmotif | Assignee: | Thomas Woerner <twoerner> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Filip Holec <fholec> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | urgent | ||||||||
| Version: | 5.5 | CC: | fholec, kem, pknirsch, plyons, psplicha, rbinkhor | ||||||
| Target Milestone: | rc | Keywords: | Patch, Reopened, ZStream | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: |
Previously, a check that would limit removing a callback to valid windows while the focus is reset was missing in the code. Consequently, destroying a torn-off menu with a submenu mapped caused the application to terminate unexpectedly. With this update, the underlying source code has been modified to ensure that the focus is reset for valid windows only and destroying a torn-off menu with a submenu mapped now works as expected.
|
Story Points: | --- | ||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2013-10-01 00:33:41 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 712073 | ||||||||
| Attachments: |
|
||||||||
|
Description
Olivier Fourdan
2010-09-29 10:34:16 UTC
Created attachment 450442 [details]
Reproducer program provided by our customer
This is the reproducer code as provided by our customer.
Created attachment 450443 [details]
Proposed patch - needs review
The backtrace shows that the crash occurs while removing the existing callbacks:
The backtrace varies, but the common code path includes:
Program terminated with signal 11, Segmentation fault.
#0 0x000000321fc1399c in FetchInternalList (widget=0xfbe5860, name=<value optimized out>) at Callback.c:92
92 if (quark == (*offsets)->xrm_name) {
(gdb) bt
#0 0x000000321fc1399c in FetchInternalList (widget=0xfbe5860, name=<value optimized out>) at Callback.c:92
#1 0x000000321fc14312 in XtRemoveCallback (widget=0xfbe5860, name=0x606599 "destroyCallback",
callback=0x321e1823f0 <InvalidateOldFocus>, closure=0xfc095d8) at Callback.c:322
#2 0x000000321e185437 in _XmMenuFocus (w=0xfc273c0, operation=<value optimized out>, _time=1319101) at RCMenu.c:1084
#3 0x000000321e0dadf1 in PopupSharedMenuShell (cbwid=0xfc27020, smwid=0xfc27750, event=0x0) at MenuShell.c:1249
#4 0x000000321e08d05c in Popup (cb=0xfc27020, event=0x0, doCascade=<value optimized out>) at CascadeB.c:1824
#5 _XmCascadingPopup (cb=0xfc27020, event=0x0, doCascade=<value optimized out>) at CascadeB.c:1641
#6 0x000000321fc2dc77 in DoOtherSources (app=0xfbb40e0) at NextEvent.c:1142
#7 0x000000321fc2ddc3 in XtAppNextEvent (app=0xfbb40e0, event=0x7fffdeb59ba0) at NextEvent.c:1234
#8 0x000000321fc20d6d in XtAppMainLoop (app=0xfbb40e0) at Event.c:1548
#9 0x0000000000400d63 in main (argc=1, argv=0x7fffdeb59dc8) at tear_off_menu.c:63
(gdb) f 1
#1 0x000000321fc14312 in XtRemoveCallback (widget=0xfbe5860, name=0x606599 "destroyCallback",
callback=0x321e1823f0 <InvalidateOldFocus>, closure=0xfc095d8) at Callback.c:322
322 callbacks = FetchInternalList(widget, name);
(gdb) p *widget
$1 = {core = {self = 0xfbe5ab0, widget_class = 0x300af52a38, parent = 0xfbd4840, xrm_name = 835, being_destroyed = 1 '\001',
destroy_callbacks = 0xfc1a3b0, constraints = 0x0, x = 203, y = 102, width = 34, height = 130, border_width = 0,
managed = 0 '\000', sensitive = 1 '\001', ancestor_sensitive = 1 '\001', event_table = 0xfbfc130, tm = {translations = 0x0,
proc_table = 0x0, current_state = 0x0, lastEventTime = 0}, accelerators = 0x0, border_pixel = 0, border_pixmap = 2,
popup_list = 0x0, num_popups = 0, name = 0xfbcc4d2 "", screen = 0xfbb7b60, colormap = 32, window = 77594731, depth = 24,
background_pixel = 12895428, background_pixmap = 2, visible = 1 '\001', mapped_when_managed = 1 '\001'}}
(gdb) f 2
#2 0x000000321e185437 in _XmMenuFocus (w=0xfc273c0, operation=<value optimized out>, _time=1319101) at RCMenu.c:1084
1084 XtRemoveCallback(mst->RC_menuFocus.oldWidget,
in frame #2, we see that XtRemoveCallback() is called on the so called "oldWidget" and that widget has its "being_destroyed" field set.
The proposed patch here just adds an additional check for oldWidget->core.being_destroyed and does not do the XtRemoveCallback() if set.
Although that patch seems to fix the issue, it would require additional review.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release. Created attachment 496196 [details]
Upstream patch
Fix that has been committed to upstream CVS.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request. Accidentally closed, reopening. Sorry for the error. Thanks & regards, Phil
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Previously, a check that would limit removing a callback to valid windows while the focus is reset was missing in the code. Consequently, destroying a torn-off menu with a submenu mapped caused the application to terminate unexpectedly. With this update, the underlying source code has been modified to ensure that the focus is reset for valid windows only and destroying a torn-off menu with a submenu mapped now works as expected.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1355.html |