Bug 65265 - Possible Double Memory Deallocation in XCreateFontSet, omGeneric.c, line 1147
Possible Double Memory Deallocation in XCreateFontSet, omGeneric.c, line 1147
Status: CLOSED DUPLICATE of bug 127247
Product: Red Hat Linux
Classification: Retired
Component: XFree86 (Show other bugs)
7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Mike A. Harris
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-05-21 02:30 EDT by Redhat Systems Administrator
Modified: 2007-04-18 12:42 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-21 13:48:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Overview of Bug, Test Program, and Traceback information (3.93 KB, text/plain)
2002-05-21 02:34 EDT, Redhat Systems Administrator
no flags Details

  None (edit)
Description Redhat Systems Administrator 2002-05-21 02:30:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.0.0-10; Linux)

Description of problem:
When xdmcp is used with WRQ's ReflectionX XServer version 7.10, the KDE kdm fails to appear. The GNOME gdm will work, and launch a KDE based session, but the konsole application crashes. Examination of the corresponding source code reveals the following code fragment             for(i = 0 ; i < vrotate_num ; i++) {                 if(vrotate[i].xlfd_name)                     Xfree(vrotate[i].xlfd_name);             }  Commenting out the  Xfree(vrotate[i].xlfd_name); code, and retesting fixes the problem. At a guess, I would the item being freeded has already been deallocated or is part of another object that cannot be deallocated. More details available in attachment.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.Set up Reflections X session on PC to Linux 7.3 host 
2.run konsole, and await KDE crashhandler. Does not take long ( less than 1 minute
 

Actual Results:  KDE Crashhandler invoked with the following traceback:
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...[New Thread 1024 (LWP 1513)]
                                                                                0x420b4769 in wait4 () from /lib/i686/libc.so.6
#0  0x420b4769 in wait4 () from /lib/i686/libc.so.6                             #1  0x4213030c in __DTOR_END__ () from /lib/i686/libc.so.6
#2  0x40ed2ca3 in waitpid () from /lib/i686/libpthread.so.0                     #3  0x4062d8d2 in KCrash::defaultCrashHandler ()
   from /usr/lib/libkdecore-gcc2.96.so.4                                        #4  0x40ed0f75 in pthread_sighandler () from /lib/i686/libpthread.so.0
#5  <signal handler called>                                                     #6  0x40ecf0c7 in pthread_mutex_lock () from /lib/i686/libpthread.so.0
#7  0x4207ac18 in free () from /lib/i686/libc.so.6                              #8  0x406bae75 in free () from /usr/lib/libkdecore-gcc2.96.so.4
#9  0x4125bce5 in parse_vw (oc=0x81584d0, font_set=0x8158538,                       name_list=0x8158680, count=1) at omGeneric.c:1147
#10 0x4125c03c in parse_fontname (oc=0x81584d0) at omGeneric.c:1241             #11 0x4125c5f3 in create_fontset (oc=0x81584d0) at omGeneric.c:1410
#12 0x4125cbf9 in create_oc (om=0x81583b0, args=0x81584c0, num_args=1)              at omGeneric.c:1707
#13 0x40df0aee in XCreateOC (om=0x81583b0) at OCWrap.c:50                       #14 0x40defe3c in XCreateFontSet (dpy=0x8096c18,
    base_font_name_list=0x40c6ee84 "-*-fixed-*--14-*",                              missing_charset_list=0xbfffef84, missing_charset_count=0xbfffef88,


Expected Results:  Konsole should have launched with no problems.

Additional info:

Examination of the corresponding source code reveals the following code fragment
     for(i = 0 ; i < vrotate_num ; i++) {
                if(vrotate[i].xlfd_name)
                    Xfree(vrotate[i].xlfd_name);
            }

Commenting out the  Xfree(vrotate[i].xlfd_name); code, and retesting fixes the problem. At a guess, I would the item being freeded has already been deallocated or is part of another object that cannot be deallocated.
Comment 1 Redhat Systems Administrator 2002-05-21 02:34:36 EDT
Created attachment 58066 [details]
Overview of Bug, Test Program, and Traceback information
Comment 2 Mike A. Harris 2002-05-21 03:19:10 EDT
We'll need to come up with a way of reproducing this without requiring
the special X server.  I'm also going to report this upstream to
the XFree86 project to exercise the debugging is parallelizeable theory.

Thanks for the report, data, and sample application, etc.
Comment 3 Mike A. Harris 2004-07-05 18:11:45 EDT

*** This bug has been marked as a duplicate of 127247 ***
Comment 4 Red Hat Bugzilla 2006-02-21 13:48:56 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.