xserver crash on exit in CloseDownDevices and SrvXkbFreeGeomRows

Backtrace:
0: X(xf86SigHandler+0x7e) [0x80c780e]
1: [0xb7f75420]
2: X(Xfree+0x21) [0x81b88f1]
3: X [0x81aa7c0]
4: X [0x81aa85c]
5: X [0x81aa29d]
6: X(SrvXkbFreeGeomRows+0x49) [0x81aa409]
7: X [0x81aa451]
8: X [0x81aa29d]
9: X(SrvXkbFreeGeomSections+0x49) [0x81aa3b9]
10: X(SrvXkbFreeGeometry+0xdf) [0x81aaacf]
11: X(SrvXkbFreeKeyboard+0xc1) [0x81a8ca1]
12: X(XkbFreeInfo+0xdf) [0x8196c1f]
13: X [0x8085a1f]
14: X(CloseDownDevices+0x29) [0x8085e79]
15: X(main+0x4be) [0x807474e]
16: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0) [0xb7cff450]
17: X(FontFileCompleteXLFD+0x201) [0x8073a91]

Fatal server error:
Caught signal 11. Server aborting

Looks like it is crashing in Xkb. Do you have any other keyboards you could test with, to see if it occurs with them as well? Or test that keyboard with a different computer running Ubuntu Hardy? Perhaps it is something particular to that model of keyboard.

Also, please install the debug packages for X server, and get a full backtrace (see https://wiki.ubuntu.com/DebuggingXorg for directions).

(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7d8f39c in free () from /lib/tls/i686/cmov/libc.so.6
(gdb) backtrace full
#0 0xb7d8f39c in free () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#1 0x081b88f1 in Xfree (ptr=0x1180002) at ../../os/utils.c:1466
No locals.
#2 0x081aa7c0 in _XkbFreeGeomLeafElems (freeAll=<value optimized out>,
    first=<value optimized out>, count=17, num_inout=0x82652bc, sz_inout=0x82652be,
    elems=0x82652c4, elem_sz=8) at ../../xkb/XKBGAlloc.c:62
No locals.
#3 0x081aa85c in _XkbClearRow (row_in=0x0) at ../../xkb/XKBGAlloc.c:342
No locals.
#4 0x081aa29d in _XkbFreeGeomNonLeafElems (freeAll=1, first=0, count=4, num_inout=0x8264fc8,
    sz_inout=0x8264fce, elems=0x8264fd4, elem_sz=24, freeFunc=0x81aa820 <_XkbClearRow>)
    at ../../xkb/XKBGAlloc.c:119
        i = 2
        ptr = 0x82652b8 "])"
#5 0x081aa409 in SrvXkbFreeGeomRows (section=0x8264fb8, first=0, count=4, freeAll=1)
    at ../../xkb/XKBGAlloc.c:349
No locals.
#6 0x081aa451 in _XkbClearSection (section_in=0x8264fb8 "�") at ../../xkb/XKBGAlloc.c:363
No locals.
#7 0x081aa29d in _XkbFreeGeomNonLeafElems (freeAll=1, first=0, count=7, num_inout=0x82643e6,
    sz_inout=0x82643da, elems=0x82643f8, elem_sz=48, freeFunc=0x81aa410 <_XkbClearSection>)
    at ../../xkb/XKBGAlloc.c:119
        i = 3
        ptr = 0x8264fb8 "�"
#8 0x081aa3b9 in SrvXkbFreeGeomSections (geom=0x82643c0, first=0, count=7, freeAll=1)
    at ../../xkb/XKBGAlloc.c:374
---Type <return> to continue, or q <return> to quit---
No locals.
#9 0x081aaacf in SrvXkbFreeGeometry (geom=0x82643c0, which=63, freeMap=1)
    at ../../xkb/XKBGAlloc.c:443
No locals.
#10 0x081a8ca1 in SrvXkbFreeKeyboard (xkb=0x8279528, which=127, freeAll=1)
    at ../../xkb/XKBAlloc.c:328
No locals.
#11 0x08196c1f in XkbFreeInfo (xkbi=0x827a550) at ../../xkb/xkbInit.c:820
No locals.
#12 0x08085a1f in CloseDevice (dev=0x8260258) at ../../dix/devices.c:530
        k = <value optimized out>
        knext = <value optimized out>
        p = <value optimized out>
        pnext = <value optimized out>
        i = <value optimized out>
        inext = <value optimized out>
        s = <value optimized out>
        snext = <value optimized out>
        b = <value optimized out>
        bnext = <value optimized out>
        l = <value optimized out>
        lnext = <value optimized out>
#13 0x08085e79 in CloseDownDevices () at ../../dix/devices.c:626
        dev = (DeviceIntPtr) 0x1180002
        next = (DeviceIntPtr) 0x8261408
#14 0x0807474e in main (argc=8, argv=0xbf9c9f74, envp=Cannot access memory at address 0x19
) at ../../dix/main.c:472
        pScreen = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        i = <value optimized out>
        error = 136163204
        xauthfile = <value optimized out>
        alwaysCheckForInput = {0, 1}

I tested with another usb kb and X does not crash on exit, So this seems related to xkb and the microsoft comfort curved usb keyboard 2000,

Pascal, excellent, thanks for getting the backtrace and testing with another keyboard, this has really narrowed down the issue.

So, looking at the backtrace I see what's going on:

_XkbFreeGeomNonLeafElems(...) {
   ...
    if (freeFunc) {
        ptr= *elems;
        ptr+= first*elem_sz;
        for (i=0;i<count;i++) {
            (*freeFunc)(ptr);
            ptr+= elem_sz;
        }
    }

ptr is not checked for being NULL, and is getting passed to freeFunc() (a function pointer to _XkbClearRow):

#3 0x081aa85c in _XkbClearRow (row_in=0x0) at ../../xkb/XKBGAlloc.c:342

Then _XkbClearRow tries dereferencing the NULL pointer:

static void
_XkbClearRow(char *row_in)
{
XkbRowPtr row= (XkbRowPtr)row_in;

    if (row->keys!=NULL)
        XkbFreeGeomKeys(row,0,row->num_keys,True);
    return;
}

I bet that call should be something like:

    if (row && row->keys!=NULL)

The code doesn't seem to be fixed in current git either, near as I can tell. We can forward this upstream.

(Actually this is an xserver bug, not -intel)

Pascal, I've forwarded the bug report to Xorg; could you also please subscribe to the bug report there? Upstream may wish for you to run additional tests, or may have additional questions.

https://bugs.freedesktop.org/show_bug.cgi?id=15250

This might be related to bug #184651

Pascal, please test the latest updates in Hardy and report back if you still have this issue or not.

problem fixed, thanks.