[regression] Memory used after free() in DecorWindow::computeShadowRegion() [decor.cpp:167,172]

Bug #943116 reported by Daniel van Vugt on 2012-02-29
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Compiz Core
Critical
Daniel van Vugt
compiz (Ubuntu)
Undecided
Daniel van Vugt

Bug Description

Valgrind is reporting multiple invalid memory reads in decor.cpp lines 167 and 172.

Related branches

Daniel van Vugt (vanvugt) wrote :
summary: - Memory used after free() in DecorWindow::computeShadowRegion()
- [decor.cpp:167,172]
+ [regression] Memory used after free() in
+ DecorWindow::computeShadowRegion() [decor.cpp:167,172]
Changed in compiz-core:
status: Triaged → In Progress
Sam Spilsbury (smspillaz) wrote :

Ah, we'll just need to Instantiate CompRegionRef as a non-temporary.

Sam Spilsbury (smspillaz) wrote :

Probably a good idea to make CompRegionRef take a CompRect & or CompRegion & to prevent stuff like this from happening in the future.

Daniel van Vugt (vanvugt) wrote :

The bug has nothing to do with CompRegionRef. It keeps happening even after I removed all CompRegionRefs and made them CompRegions. The actual problem appears to be invalid data in screen->clientList ().

==11855== Invalid read of size 8
==11855== at 0x4E7D6D0: CompWindow::state() (window.cpp:5622)
==11855== by 0xAD77647: DecorWindow::computeShadowRegion() (decor.cpp:167)
==11855== by 0xAD7B4F0: DecorWindow::update(bool) (decor.cpp:1550)
==11855== by 0xAD7F1E6: DecorWindow::windowNotify(CompWindowNotify) (decor.cpp:2255)
==11855== by 0x4E78A42: CompWindow::windowNotify(CompWindowNotify) (window.cpp:2658)
==11855== by 0x4E89472: PrivateWindow::unreparent() (window.cpp:7254)
==11855== by 0x4E896F1: CompWindow::~CompWindow() (window.cpp:6486)
==11855== by 0x4E89C48: CompWindow::~CompWindow() (window.cpp:6573)
==11855== by 0x4E67253: CompScreenImpl::~CompScreenImpl() (screen.cpp:4965)
==11855== by 0x4E67408: CompScreenImpl::~CompScreenImpl() (screen.cpp:4971)
==11855== by 0x402CD2: CompManager::fini() (main.cpp:214)
==11855== by 0x4029B5: main (main.cpp:239)
==11855== Address 0xded5d60 is 176 bytes inside a block of size 184 free'd
==11855== at 0x4C27FF2: operator delete(void*) (vg_replace_malloc.c:387)
==11855== by 0x4E67253: CompScreenImpl::~CompScreenImpl() (screen.cpp:4965)
==11855== by 0x4E67408: CompScreenImpl::~CompScreenImpl() (screen.cpp:4971)
==11855== by 0x402CD2: CompManager::fini() (main.cpp:214)
==11855== by 0x4029B5: main (main.cpp:239)
==11855==
==11855== Invalid read of size 1
==11855== at 0xAD77648: DecorWindow::computeShadowRegion() (decor.cpp:167)
==11855== by 0xAD7B4F0: DecorWindow::update(bool) (decor.cpp:1550)
==11855== by 0xAD7F1E6: DecorWindow::windowNotify(CompWindowNotify) (decor.cpp:2255)
==11855== by 0x4E78A42: CompWindow::windowNotify(CompWindowNotify) (window.cpp:2658)
==11855== by 0x4E89472: PrivateWindow::unreparent() (window.cpp:7254)
==11855== by 0x4E896F1: CompWindow::~CompWindow() (window.cpp:6486)
==11855== by 0x4E89C48: CompWindow::~CompWindow() (window.cpp:6573)
==11855== by 0x4E67253: CompScreenImpl::~CompScreenImpl() (screen.cpp:4965)
==11855== by 0x4E67408: CompScreenImpl::~CompScreenImpl() (screen.cpp:4971)
==11855== by 0x402CD2: CompManager::fini() (main.cpp:214)
==11855== by 0x4029B5: main (main.cpp:239)
==11855== Address 0xdc98988 is 552 bytes inside a block of size 1,024 free'd
==11855== at 0x4C27FF2: operator delete(void*) (vg_replace_malloc.c:387)
==11855== by 0x4E89955: CompWindow::~CompWindow() (window.cpp:6572)
==11855== by 0x4E89C48: CompWindow::~CompWindow() (window.cpp:6573)
==11855== by 0x4E67253: CompScreenImpl::~CompScreenImpl() (screen.cpp:4965)
==11855== by 0x4E67408: CompScreenImpl::~CompScreenImpl() (screen.cpp:4971)
==11855== by 0x402CD2: CompManager::fini() (main.cpp:214)
==11855== by 0x4029B5: main (main.cpp:239)
==11855==

Daniel van Vugt (vanvugt) wrote :

Fix committed into lp:compiz-core at revision 3030

Changed in compiz-core:
status: In Progress → Fix Committed
Changed in compiz-core:
status: Fix Committed → Fix Released
Daniel van Vugt (vanvugt) wrote :

This bug was fixed in the package compiz - 1:0.9.7.0+bzr3035-0ubuntu1

---------------
compiz (1:0.9.7.0+bzr3035-0ubuntu1) precise; urgency=low

  [ Łukasz 'sil2100' Zemczak ]
  * New upstream snapshot:
    - Fix gtk-window-decorator crash upon demaximizing a window (LP: #930071)
    - Fix core keybindings (LP: #930412)
    - Fixes compiz crash with SIGSEGV on shutdown (LP: #931283)
    - Plugins can't tell the difference between a key-tap and modifier
      key-release (LP: #925293)
    - compiz-core r3001 (and 3002) ftbfs (LP: #933226)
    - Semi-maximized windows have no shadow or frame (LP: #924736)
    - Untranslated strings in gtk-window-decorator (LP: #780505)
    - Initialize the _NET_WM_STATE_FOCUSED (LP: #932087)
    - [regression] Customized shortcuts don't work (LP: #931927)
    - Window stacking problem (LP: #936675)
    - Quickly demaximized windows can receive maximized window decorations if
      they were initially maximized (LP: #936778)
    - Maximized windows do not get shadows at all (LP: #936774)
    - [regression] Launcher, top panel and keyboard un-responsive after using
      any Super-x shortcut (LP: #934058)
    - No draggable border if mutter isn't installed (LP: #936781)
    - Fix compiz crash with SIGSEGV in XDefineCursor() (LP: #936487)
    - Fixes memory leak at DecorWindow::updateSwitcher() (LP: #940115)
    - Unresolved symbols in plugins cause compiz to exit (LP: #938478)
    - Fix compiz spending about 51% of its CPU time in CompRegion
      construction/destruction (LP: #940139)
    - Fix Conditional jump or move depends on uninitialised value(s) in
      decor_match_pixmap (LP: #940066)
    - Fix 'show desktop' behaviour (LP: #871801)
    - Tweak algorithm used to cast shadows on maximized windows (LP: #936784)
    - "Svg" and "Png" should be "SVG and "PNG" (LP: #942890)
    - Fix invalid memory usage after free() in DecorWindow (LP: #943116)
    - Fix alt + F10 (LP: #943223)
  * Removed cherry-picked patches
  * debian/patches/fix_944631.patch:
    - Always replay the keyboard if something was grabbed and didn't trigger
      an action and don't trigger actions which aren't added accidentally
      (LP: #943612) (LP: #944631)
  * debian/patches/fix_923683.patch:
    - Backports a patch which prevents the shift race condition

  [ Didier Roche ]
  * debian/patches/fix_alt_pressing.patch:
    - Patch from ddv to fix all the regressions with the alt key fix and other
      (LP: #943851, #945373)
    - Fix Quicklist are not showing if right-clicking a launcher icon in Expo
      mode if triggered by Super + S (LP: #944979)
  * debian/patches/fix_806255.patch:
    - Unity/compiz intercepts keystrokes from grabbed windows (LP: #806255)
  * debian/patches/fix_943194.patch:
    - second part for the alt key fix (LP: #943194)
  * debian/patches/additional_alt_tapping_fix.patch:
    - again another alt tapping related fix for some regressions from the
      previous branch. Taken from "tapping-panacea" upstream branch.
 -- Didier Roche <email address hidden> Mon, 12 Mar 2012 10:22:10 +0100

Changed in compiz (Ubuntu):
status: New → Fix Released
assignee: nobody → Daniel van Vugt (vanvugt)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments