Re: X11 crash on exit

From: Tim Kientzle <kientzle_at_freebsd.org>
Date: Sun, 14 Mar 2010 00:04:21 -0800
> On Wed, Mar 10, 2010 at 10:40 PM, Tim Kientzle <kientzle_at_freebsd.org> wrote:
>> Trying to get X up and running on my Aspire One netbook
>> and having a couple of problems.  Here's the first:
>>
>> Whenever I exit, the server gets a Signal 11 and crashes ...
>>
>> FreeBSD 9.0-CURRENT r201154M: Tue Dec 29 09:27:29 PST 2009 GENERIC  i386
>>
>> xorg.conf is pretty vanilla except for the two monitors:  1600x1200 external
>> on the VGA connector and 1024x600 LVDS display.  This was autoprobed by the
>> server:
>>
>> Section "Device"
>>        Identifier  "Card0"
>>        Driver      "intel"
>>        VendorName  "Intel Corporation"
>>        BoardName   "Mobile 945GME Express Integrated Graphics Controller"
>>        BusID       "PCI:0:2:0"
>>        Option "monitor-LVDS" "LVDSMonitor"
>>        Option "monitor-VGA" "VGAMonitor"
>> EndSection

Okay, I've updated a bunch of ports and am still seeing the
crash.  I rebuilt the server with debug symbols and finally
got something informative; here's the relevant portion of
the backtrace (frame #10 is the signal 11 delivery).

#11 0x0819e363 in DeliverPropertyEvent (pWin=0x5a5a5a5a, 
value=0xbfbfec0c) at rrproperty.c:34
#12 0x0807015d in TraverseTree (pWin=0x28775f80, func=0x819e340 
<DeliverPropertyEvent>, data=0xbfbfec0c) at window.c:234
#13 0x08070206 in WalkTree (pScreen=0x2871f8c0, func=0x819e340 
<DeliverPropertyEvent>, data=0xbfbfec0c) at window.c:262
#14 0x0819e521 in RRDeliverPropertyEvent (pScreen=0x2871f8c0, 
event=0xbfbfec0c) at rrproperty.c:63
#15 0x0819e5a0 in RRDeleteAllOutputProperties (output=0x28778340) at 
rrproperty.c:81
#16 0x0819d2b7 in RROutputDestroyResource (value=0x28778340, pid=60) at 
rroutput.c:414
#17 0x0806f3d0 in FreeClientResources (client=0x287180c0) at resource.c:807
#18 0x0806f4e3 in FreeAllResources () at resource.c:824
#19 0x0806bbf0 in main (argc=4, argv=0xbfbfed68, envp=0xbfbfed7c) at 
main.c:411

As you can see, the main loop is calling FreeAllResources
at a time when the Window pointed to by WindowTable[0]
has already been freed.  I'm running with MALLOC_OPTIONS=J,
so the Window structure was filled with 'Z' at that time,
leading eventually to this crash when pWin->firstChild was
dereferenced.

I haven't yet tracked down exactly when the window in question
was freed, so I'm not yet sure about the best fix.

My current guess: DeleteWindow in dix/window.c should
search WindowTable[] to see if the window being deleted
is in the window table and remove it if so.  I haven't
looked carefully enough at the code yet to know whether
it suffices to just set the corresponding WindowTable[]
entry to NULL.  I'll try that and let you know.

Cheers,

Tim
Received on Sun Mar 14 2010 - 07:04:22 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:01 UTC