Bug#485833: openoffice.org: segfaults on exit: _XFreeExtData - FreeEData.c:39

[Florian Kulzer <florian.kulzer+debian@icfo.es>]

Hi Julien,

The bug is still present if I downgrade libx11-6 to the version that is
currently in Lenny and Etch (2:1.0.3-7).

Today I upgraded to the newer OOo packages (1:2.4.1-2) that became
available on my mirror. I still see the crash on exit unless I disable
KDE integration (again with both the newest and the older version of
libx11-6).

Here is another gdb session excerpt (openoffice.org-kde 1:2.4.1-2,
libx11-6 2:1.1.4-2), in which I try to provide the additional
information that you asked for:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffbe4295780 (LWP 25896)]
_XFreeExtData (extension=0x33100000010) at ../../src/FreeEData.c:39

On Thu, Jun 12, 2008 at 04:23:06 +0200, Julien Cristau wrote:
>     34  int
>     35  _XFreeExtData (XExtData *extension)
>     36  {
>     37          XExtData *temp;
>     38          while (extension) {
>     39                  if (extension->free_private) 
>     40                      (*extension->free_private)(extension);
>     41                  else Xfree ((char *)extension->private_data);
>     42                  temp = extension->next;
>     43                  Xfree ((char *)extension);
>     44                  extension = temp;
>     45          }
>     46          return 0;
>     47  }
> 
> Looks like the extension structure is fucked up (actually the extension
> pointer itself looks strange, so maybe it's the display structure that's
> corrupted somehow).  Can you type 'p *extension' at the gdb prompt at
> this point?

(gdb) p *extension
Cannot access memory at address 0x33100000010
(gdb) frame 1
#1  0x00007ffbe06952a4 in _XFreeDisplayStructure (dpy=0x6a71e0) at ../../src/OpenDis.c:860

>    856          if (dpy->pixmap_format) {
>    857              register int i;
>    858  
>    859              for (i = 0; i < dpy->nformats; i++)
>    860                _XFreeExtData (dpy->pixmap_format[i].ext_data);
>    861              Xfree ((char *)dpy->pixmap_format);
>    862              }
> 
> Would be nice to print *dpy here.

(gdb) print *dpy
$1 = {ext_data = 0x0, free_funcs = 0x6a7ed0, fd = 9, conn_checker = 0, proto_major_version = 11,
  proto_minor_version = 0, vendor = 0x6ae150 "The X.Org Foundation", resource_base = 50331648,
  resource_mask = 2097151, resource_id = 0, resource_shift = 0, resource_alloc = 0x7ffbe06ad870 <_XAllocID>,
  byte_order = 0, bitmap_unit = 32, bitmap_pad = 32, bitmap_bit_order = 0, nformats = 7, pixmap_format = 0x6ae170,
  vnumber = 11, release = 10400090, head = 0xd50ac0, tail = 0xd509e0, qlen = 2, last_request_read = 13098,
  request = 13098, last_req = 0x7ffbe096a83c "", buffer = 0x6aa140 "+\a\001", bufptr = 0x6aa140 "+\a\001",
  bufmax = 0x6ae140 "", max_request_size = 65535, db = 0x6b1330, synchandler = 0, display_name = 0x69c240 ":0.0",
  default_screen = 0, nscreens = 1, screens = 0x6ae220, motion_buffer = 256, flags = 130, min_keycode = 8,
  max_keycode = 255, keysyms = 0x0, modifiermap = 0x0, keysyms_per_keycode = 0,
  xdefaults = 0x6b2040 "*Box.background:\t#d2d2d2\n*Box.foreground:\t#000000\n*Button.activeBackground:\t#d2d2d2\n*Button.activeForeground:\t#000000\n*Button.background:\t#d2d2d2\n*Button.foreground:\t#000000\n*Button.highlightBackgroun"..., scratch_buffer = 0x13aab90 "\034", scratch_length = 8, ext_number = 10, ext_procs = 0x0, event_vec = {
    0x7ffbe06a5630 <_XUnknownWireEvent>, 0x7ffbe06a5630 <_XUnknownWireEvent>,
    0x7ffbe06a6680 <_XWireToEvent> <repeats 33 times>, 0x7ffbe06a5630 <_XUnknownWireEvent> <repeats 30 times>,
    0x7ffbe0d98f80 <wire_to_event>, 0x7ffbe0d98f80 <wire_to_event>,
    0x7ffbe06a5630 <_XUnknownWireEvent> <repeats 11 times>, 0x7ffbd98ca830 <repeats 16 times>,
    0x7ffbe06fe660 <wire_to_event>, 0x7ffbe06a5630 <_XUnknownWireEvent>, 0x7ffbe429ffb0, 0x7ffbe429ffb0,
    0x7ffbd96bf1a0, 0x7ffbd96bf1a0, 0x7ffbe06a5630 <_XUnknownWireEvent> <repeats 28 times>}, wire_vec = {
    0x7ffbe06a5640 <_XUnknownNativeEvent>, 0x7ffbe06a5640 <_XUnknownNativeEvent>, 0 <repeats 16 times>,
    0x7ffbe0684ca0 <_XEventToWire>, 0 <repeats 14 times>, 0x7ffbe0684ca0 <_XEventToWire>, 0,
    0x7ffbe06a5640 <_XUnknownNativeEvent> <repeats 30 times>, 0x7ffbe0d98db0 <event_to_wire>,
    0x7ffbe0d98db0 <event_to_wire>, 0x7ffbe06a5640 <_XUnknownNativeEvent> <repeats 11 times>,
    0x7ffbd98c6bd0 <_XiEventToWire> <repeats 16 times>, 0x7ffbe06a5640 <_XUnknownNativeEvent>,
    0x7ffbe06a5640 <_XUnknownNativeEvent>, 0x7ffbe429fef0, 0x7ffbe429fef0, 0x7ffbd96befe0, 0x7ffbd96befe0,
    0x7ffbe06a5640 <_XUnknownNativeEvent> <repeats 28 times>}, lock_meaning = 0, lock = 0x0, async_handlers = 0x0,
  bigreq_size = 4194303, lock_fns = 0x6a7f30, idlist_alloc = 0x7ffbe06ae4b0 <_XAllocIDs>, key_bindings = 0x0,
  cursor_font = 50331674, atoms = 0x6b1770, mode_switch = 0, num_lock = 0, context_db = 0x0, error_vec = 0x0, cms = {
    defaultCCCs = 0x0, clientCmaps = 0x0, perVisualIntensityMaps = 0x0}, im_filters = 0x0, qfree = 0xd50900,
  next_event_serial_num = 1330, flushes = 0x0, im_fd_info = 0x0, im_fd_length = 0, conn_watchers = 0x0,
  watcher_count = 0, filedes = 0x6a7ea0 "\t", savedsynchandler = 0, resource_max = 2097146, xcmisc_opcode = 0,
  xkb_info = 0x6ae8d0, trans_conn = 0x0, xcb = 0x69c1a0}
(gdb) continue
Continuing.
[Thread 0x43a80950 (LWP 25900) exited]

Program exited with code 01.

Thanks,
  Florian