Static CompRegion destruction causes memory corruption at compiz exit

Bug #1750619 reported by Marco Trevisan (Treviño) on 2018-02-20
This bug affects 1 person

Affects: compiz (Ubuntu); Importance: High; Assigned to: Marco Trevisan (Treviño)
Affects: compiz (Ubuntu) Xenial; Importance: Undecided; Assigned to: Unassigned

Bug Description

[ Impact ]

Unity could crash when closed with some memory corruption error

[ Test case ]

Run unity, log in and out multiple times; you should get no crash report or /var/lib/crash file mentioning compiz.

[ Regression potential ]

Really none; the change could only cause compilation issues, not really anything user-facing changed.

---------

Valgrind is a good friend here...

==30842== Memcheck, a memory error detector
==30842== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30842== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==30842== Command: ./test-decorations-input-mixer
==30842==
Gtk-Message: 12:17:20.414: Failed to load module "canberra-gtk-module"
Gtk-Message: 12:17:20.483: Failed to load module "unity-gtk-module"
Gtk-Message: 12:17:22.584: Failed to load module "canberra-gtk-module"
Gtk-Message: 12:17:22.699: Failed to load module "canberra-gtk-module"
m_GLCtx = glXCreateContext(m_X11Display, m_X11VisualInfo, 0, GL_TRUE);
WARN 2018-02-20 12:17:37 xim.controller XIMController.cpp:103 IBus natively supported.
Cleaning up window 178257923
curThreadState = 0x15b427e0
DispatchCurrentUnref, currents are 1
DEstroying context 0x1f2687e0
m_GLCtx = NULL;
==30842== Invalid read of size 8
==30842== at 0x68EA1E4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Address 0x15943e10 is 16 bytes inside a block of size 32 free'd
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1F4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Block was alloc'd at
==30842== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA03A: XCreateRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842== by 0x41307CB: CompRegion::CompRegion() (region.cpp:56)
==30842== by 0x4131E29: __static_initialization_and_destruction_0(int, int) (region.cpp:43)
==30842== by 0x4131E73: _GLOBAL__sub_I_region.cpp (region.cpp:441)
==30842== by 0x4010AD9: call_init.part.0 (dl-init.c:72)
==30842== by 0x4010BEA: call_init (dl-init.c:30)
==30842== by 0x4010BEA: _dl_init (dl-init.c:120)
==30842== by 0x4000ED9: ??? (in /lib/x86_64-linux-gnu/ld-2.26.so)
==30842==
==30842== Invalid free() / delete / delete[] / realloc()
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1EC: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Address 0x15943e60 is 0 bytes inside a block of size 8 free'd
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1EC: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Block was alloc'd at
==30842== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA04C: XCreateRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842== by 0x41307CB: CompRegion::CompRegion() (region.cpp:56)
==30842== by 0x4131E29: __static_initialization_and_destruction_0(int, int) (region.cpp:43)
==30842== by 0x4131E73: _GLOBAL__sub_I_region.cpp (region.cpp:441)
==30842== by 0x4010AD9: call_init.part.0 (dl-init.c:72)
==30842== by 0x4010BEA: call_init (dl-init.c:30)
==30842== by 0x4010BEA: _dl_init (dl-init.c:120)
==30842== by 0x4000ED9: ??? (in /lib/x86_64-linux-gnu/ld-2.26.so)
==30842==
==30842== Invalid free() / delete / delete[] / realloc()
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1F4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Address 0x15943e00 is 0 bytes inside a block of size 32 free'd
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1F4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Block was alloc'd at
==30842== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA03A: XCreateRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842== by 0x41307CB: CompRegion::CompRegion() (region.cpp:56)
==30842== by 0x4131E29: __static_initialization_and_destruction_0(int, int) (region.cpp:43)
==30842== by 0x4131E73: _GLOBAL__sub_I_region.cpp (region.cpp:441)
==30842== by 0x4010AD9: call_init.part.0 (dl-init.c:72)
==30842== by 0x4010BEA: call_init (dl-init.c:30)
==30842== by 0x4010BEA: _dl_init (dl-init.c:120)
==30842== by 0x4000ED9: ??? (in /lib/x86_64-linux-gnu/ld-2.26.so)
==30842==
current theadd at destroy table 0
==30842==
==30842== HEAP SUMMARY:
==30842== in use at exit: 1,443,511 bytes in 16,537 blocks
==30842== total heap usage: 190,069 allocs, 173,536 frees, 62,998,214 bytes allocated
==30842==
==30842== LEAK SUMMARY:
==30842== definitely lost: 6,255 bytes in 263 blocks
==30842== indirectly lost: 898 bytes in 45 blocks
==30842== possibly lost: 3,794 bytes in 28 blocks
==30842== still reachable: 1,362,788 bytes in 15,635 blocks
==30842== of which reachable via heuristic:
==30842== length64 : 3,176 bytes in 59 blocks
==30842== newarray : 2,064 bytes in 49 blocks
==30842== suppressed: 0 bytes in 0 blocks
==30842== Rerun with --leak-check=full to see details of leaked memory
==30842==
==30842== For counts of detected and suppressed errors, rerun with: -v
==30842== ERROR SUMMARY: 6 errors from 3 contexts (suppressed: 0 from 0)

Actually, things seem to go deeper into the gcc changes than expected.

See: https://gcc.gnu.org/ml/gcc-help/2010-10/msg00255.html

description: updated

Hello Marco, or anyone else affected,

Accepted compiz into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/compiz/1:0.9.12.3+16.04.20180221-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in compiz (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial

Tested version:

apt-cache policy compiz
compiz:
  Installed: 1:0.9.12.3+16.04.20180221-0ubuntu1
  Candidate: 1:0.9.12.3+16.04.20180221-0ubuntu1

Can confirm restarting unity doesn't cause this crash anymore, and neither did building and launching tests inside bileto. So we can safely mark it as verified.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package compiz - 1:0.9.13.1+18.04.20180221.1-0ubuntu1

---------------
compiz (1:0.9.13.1+18.04.20180221.1-0ubuntu1) bionic; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * Region: define static const functions returning infinite and empty
    regions (LP: #1749957, #1750619)

  [ Samuel Thibault ]
  * ezoom: Add option to choose between no smoothing and linear
    smoothing (LP: #1736446)

 -- Marco Trevisan (Treviño) <mail@3v1n0.net> Wed, 21 Feb 2018 17:34:08 +0000

Changed in compiz (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package compiz - 1:0.9.12.3+16.04.20180221-0ubuntu1

---------------
compiz (1:0.9.12.3+16.04.20180221-0ubuntu1) xenial; urgency=medium

  * Region: define static const functions returning infinite and empty
    regions (LP: #1750619)

 -- Marco Trevisan (Treviño) <mail@3v1n0.net> Wed, 21 Feb 2018 17:42:11 +0000

Changed in compiz (Ubuntu Xenial):
status: Fix Committed → Fix Released
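Both changelog entries above record the fix as replacing the static region objects with functions that return them. The model below is added here and is not compiz's own code: it mimics what the two finalizer stacks in the valgrind output suggest (an assumption: the same region.cpp global being initialised and finalised once per shared object that links it) and contrasts that with a construct-on-first-use accessor; `XHandle`, `Region`, `Owned` and the counters are invented stand-ins, and the `__cxa_finalize` destructor list is simulated with a vector.

```cpp
#include <cstdlib>
#include <functional>
#include <vector>

struct XHandle { int rects; };   // stand-in for the X11 Region that CompRegion wraps
static int g_creates = 0, g_destroys = 0, g_double_destroys = 0;
static std::vector<std::function<void()>> g_finalizers;   // models the __cxa_finalize list

struct Region {
    XHandle* h = nullptr;
    void init() { ++g_creates; h = static_cast<XHandle*>(std::malloc(sizeof(XHandle))); h->rects = 0; }
    void destroy() {   // XDestroyRegion stand-in; the real one frees whatever pointer it is given
        ++g_destroys;
        if (!h) { ++g_double_destroys; return; }   // record the invalid free instead of performing it
        std::free(h); h = nullptr;
    }
};

// Buggy shape (assumed): a global object, but every shared object carrying region.cpp runs
// its own static-initialization routine on the same interposed symbol and registers
// its own destructor, so the one X handle is destroyed once per library at exit.
static Region g_empty_global;
void buggy_static_init_for_library() {
    g_empty_global.init();                                     // a second call leaks the first handle
    g_finalizers.push_back([] { g_empty_global.destroy(); });  // one destructor registration per library
}

// Fixed shape (the changelog's "static const functions returning ... regions"):
// construct on first use; the function-local static's guard makes the init and
// the destructor registration happen exactly once, whichever library calls first.
struct Owned {
    Region r;
    Owned() { r.init(); g_finalizers.push_back([this] { r.destroy(); }); }
};
const Region& empty_region() { static Owned o; return o.r; }

void run_finalizers() {   // what exit() does: run registered destructors in reverse order
    for (auto it = g_finalizers.rbegin(); it != g_finalizers.rend(); ++it) (*it)();
    g_finalizers.clear();
}
static void reset() { g_creates = g_destroys = g_double_destroys = 0; }
int simulate_buggy_exit() {            // returns the number of double destroys observed
    reset();
    buggy_static_init_for_library();   // libcompiz_core.so is loaded
    buggy_static_init_for_library();   // libopengl.so is loaded with the same translation unit
    run_finalizers();                  // both finalizers hit the same object: one double destroy
    return g_double_destroys;
}
int simulate_fixed_exit() {            // returns 0 when exactly one object was built and freed once
    reset();
    bool same = &empty_region() == &empty_region();   // both callers see the single object
    run_finalizers();
    return (same && g_creates == 1 && g_destroys == 1) ? g_double_destroys : -1;
}
```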

The verification of the Stable Release Update for compiz has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
