Static CompRegion destruction causes memory corruption at compiz exit

Bug #1750619 reported by Marco Trevisan (Treviño)
Affects            Status        Importance  Assigned to               Milestone
compiz (Ubuntu)    Fix Released  High        Marco Trevisan (Treviño)
Xenial             Fix Released  Undecided   Unassigned

Bug Description

[ Impact ]

Unity could crash when closed with some memory corruption error

[ Test case ]

Run unity, log in and out multiple times; you should get no crash report or /var/lib/crash file mentioning compiz.

[ Regression potential ]

Really none; the change could only cause compilation issues, nothing really changed for the user.

---------

Valgrind is a good friend here...

==30842== Memcheck, a memory error detector
==30842== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30842== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==30842== Command: ./test-decorations-input-mixer
==30842==
Gtk-Message: 12:17:20.414: Failed to load module "canberra-gtk-module"
Gtk-Message: 12:17:20.483: Failed to load module "unity-gtk-module"
Gtk-Message: 12:17:22.584: Failed to load module "canberra-gtk-module"
Gtk-Message: 12:17:22.699: Failed to load module "canberra-gtk-module"
m_GLCtx = glXCreateContext(m_X11Display, m_X11VisualInfo, 0, GL_TRUE);
WARN 2018-02-20 12:17:37 xim.controller XIMController.cpp:103 IBus natively supported.
Cleaning up window 178257923
curThreadState = 0x15b427e0
DispatchCurrentUnref, currents are 1
DEstroying context 0x1f2687e0
m_GLCtx = NULL;
==30842== Invalid read of size 8
==30842== at 0x68EA1E4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Address 0x15943e10 is 16 bytes inside a block of size 32 free'd
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1F4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Block was alloc'd at
==30842== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA03A: XCreateRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842== by 0x41307CB: CompRegion::CompRegion() (region.cpp:56)
==30842== by 0x4131E29: __static_initialization_and_destruction_0(int, int) (region.cpp:43)
==30842== by 0x4131E73: _GLOBAL__sub_I_region.cpp (region.cpp:441)
==30842== by 0x4010AD9: call_init.part.0 (dl-init.c:72)
==30842== by 0x4010BEA: call_init (dl-init.c:30)
==30842== by 0x4010BEA: _dl_init (dl-init.c:120)
==30842== by 0x4000ED9: ??? (in /lib/x86_64-linux-gnu/ld-2.26.so)
==30842==
==30842== Invalid free() / delete / delete[] / realloc()
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1EC: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Address 0x15943e60 is 0 bytes inside a block of size 8 free'd
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1EC: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Block was alloc'd at
==30842== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA04C: XCreateRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842== by 0x41307CB: CompRegion::CompRegion() (region.cpp:56)
==30842== by 0x4131E29: __static_initialization_and_destruction_0(int, int) (region.cpp:43)
==30842== by 0x4131E73: _GLOBAL__sub_I_region.cpp (region.cpp:441)
==30842== by 0x4010AD9: call_init.part.0 (dl-init.c:72)
==30842== by 0x4010BEA: call_init (dl-init.c:30)
==30842== by 0x4010BEA: _dl_init (dl-init.c:120)
==30842== by 0x4000ED9: ??? (in /lib/x86_64-linux-gnu/ld-2.26.so)
==30842==
==30842== Invalid free() / delete / delete[] / realloc()
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1F4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Address 0x15943e00 is 0 bytes inside a block of size 32 free'd
==30842== at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA1F4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842== by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842== by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842== by 0x4011219: _dl_fini (dl-fini.c:235)
==30842== by 0x8A8EEBF: __run_exit_handlers (exit.c:83)
==30842== by 0x8A8EF19: exit (exit.c:105)
==30842== by 0x8A741C7: (below main) (libc-start.c:342)
==30842== Block was alloc'd at
==30842== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842== by 0x68EA03A: XCreateRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842== by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842== by 0x41307CB: CompRegion::CompRegion() (region.cpp:56)
==30842== by 0x4131E29: __static_initialization_and_destruction_0(int, int) (region.cpp:43)
==30842== by 0x4131E73: _GLOBAL__sub_I_region.cpp (region.cpp:441)
==30842== by 0x4010AD9: call_init.part.0 (dl-init.c:72)
==30842== by 0x4010BEA: call_init (dl-init.c:30)
==30842== by 0x4010BEA: _dl_init (dl-init.c:120)
==30842== by 0x4000ED9: ??? (in /lib/x86_64-linux-gnu/ld-2.26.so)
==30842==
current theadd at destroy table 0
==30842==
==30842== HEAP SUMMARY:
==30842== in use at exit: 1,443,511 bytes in 16,537 blocks
==30842== total heap usage: 190,069 allocs, 173,536 frees, 62,998,214 bytes allocated
==30842==
==30842== LEAK SUMMARY:
==30842== definitely lost: 6,255 bytes in 263 blocks
==30842== indirectly lost: 898 bytes in 45 blocks
==30842== possibly lost: 3,794 bytes in 28 blocks
==30842== still reachable: 1,362,788 bytes in 15,635 blocks
==30842== of which reachable via heuristic:
==30842== length64 : 3,176 bytes in 59 blocks
==30842== newarray : 2,064 bytes in 49 blocks
==30842== suppressed: 0 bytes in 0 blocks
==30842== Rerun with --leak-check=full to see details of leaked memory
==30842==
==30842== For counts of detected and suppressed errors, rerun with: -v
==30842== ERROR SUMMARY: 6 errors from 3 contexts (suppressed: 0 from 0)
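The memcheck records above all share one shape: the block is allocated once during static initialisation of region.cpp, then CompRegion::~CompRegion() frees it twice, once under __cxa_finalize of libcompiz_core.so and once under __cxa_finalize of libopengl.so. The following Python is an added example, not code from the compiz project or from this report: it parses memcheck records of that shape and flags every error whose current free and previous free ran under the exit handlers of two different shared objects, which is the signature of a static object being torn down twice. It runs on a constructed, trimmed excerpt of the log above; the module-name and "first .cpp frame" heuristics are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the memcheck output quoted above: the same frames,
# trimmed to what the double-destruction diagnosis needs.
SAMPLE_LOG = """\
==30842== Invalid read of size 8
==30842==    at 0x68EA1E4: XDestroyRegion (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==30842==    by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842==    by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842==    by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842==  Address 0x15943e10 is 16 bytes inside a block of size 32 free'd
==30842==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842==    by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842==    by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842==    by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842==  Block was alloc'd at
==30842==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842==    by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842==    by 0x4131E29: __static_initialization_and_destruction_0(int, int) (region.cpp:43)
==30842==
==30842== Invalid free() / delete / delete[] / realloc()
==30842==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842==    by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842==    by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842==    by 0x76D6B02: ??? (in /tmp/NUX_INSTALL/lib/libcompiz_core.so.0.9.13.1)
==30842==  Address 0x15943e60 is 0 bytes inside a block of size 8 free'd
==30842==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842==    by 0x4130A16: CompRegion::~CompRegion() (region.cpp:113)
==30842==    by 0x8A8F239: __cxa_finalize (cxa_finalize.c:56)
==30842==    by 0x40E5432: ??? (in /tmp/NUX_INSTALL/lib/compiz/libopengl.so)
==30842==  Block was alloc'd at
==30842==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30842==    by 0x4130A2A: CompRegion::init() (region.cpp:120)
==30842==
"""

PREFIX_RE = re.compile(r"^==\d+==\s?")
ERROR_RE = re.compile(r"^Invalid (read|write|free)")
FRAME_RE = re.compile(r"^(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.+?)\s+\((.*)\)$")


@dataclass
class Frame:
    func: str
    where: str  # either "file.c:NN" or "in /path/to/object.so"

    @property
    def module(self) -> Optional[str]:
        # Basename of the shared object for frames without source info.
        return self.where[3:].rsplit("/", 1)[-1] if self.where.startswith("in ") else None


@dataclass
class MemError:
    kind: str
    stack: List[Frame] = field(default_factory=list)        # where the bad access happened
    freed_stack: List[Frame] = field(default_factory=list)  # where the block was freed before
    alloc_stack: List[Frame] = field(default_factory=list)  # where the block was allocated


def parse_memcheck(text: str) -> List[MemError]:
    errors: List[MemError] = []
    current: Optional[MemError] = None
    target: Optional[List[Frame]] = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # program output interleaved with memcheck lines
        line = raw[m.end():].strip()
        if not line:
            current = target = None  # an empty memcheck line closes the record
        elif ERROR_RE.match(line):
            current = MemError(kind=" ".join(line.split()[:2]).rstrip("()"))
            errors.append(current)
            target = current.stack
        elif current is None:
            continue
        elif line.startswith("Address "):
            target = current.freed_stack if "free'd" in line else current.alloc_stack
        elif line.startswith("Block was alloc'd"):
            target = current.alloc_stack
        else:
            fm = FRAME_RE.match(line)
            if fm and target is not None:
                target.append(Frame(fm.group(1), fm.group(2)))
    return errors


def finalizer_module(stack: List[Frame]) -> Optional[str]:
    """DSO whose exit handlers ran: the frame directly below __cxa_finalize."""
    for i, fr in enumerate(stack[:-1]):
        if fr.func == "__cxa_finalize":
            return stack[i + 1].module or stack[i + 1].where
    return None


def project_frame(stack: List[Frame], suffix: str = ".cpp") -> Optional[Frame]:
    """First frame with a source location in the project (assumed: a .cpp file)."""
    for fr in stack:
        if fr.where.rsplit(":", 1)[0].endswith(suffix):
            return fr
    return None


def summarize(err: MemError) -> dict:
    site, alloc = project_frame(err.stack), project_frame(err.alloc_stack)
    now, before = finalizer_module(err.stack), finalizer_module(err.freed_stack)
    return {
        "kind": err.kind,
        "site": f"{site.func} ({site.where})" if site else None,
        "finalizer": now,
        "previous_finalizer": before,
        "allocated_in": f"{alloc.func} ({alloc.where})" if alloc else None,
        # Same destructor, same block, exit handlers of two different DSOs:
        # a static object destroyed once per library that defines it.
        "double_destruction_across_dsos": bool(now and before and now != before),
    }


def analyze(text: str) -> List[dict]:
    return [summarize(e) for e in parse_memcheck(text)]


if __name__ == "__main__":
    for report in analyze(SAMPLE_LOG):
        print(report)
```

Feed it a full memcheck log (valgrind --error-exitcode=1 ./binary 2> log) and any record reported with double_destruction_across_dsos set points at a global with static storage that more than one loaded object owns; the changelog below describes the shape of the fix applied here, replacing the static objects with static functions that return the regions.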

Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :

Actually things seem to go deeper into the gcc changes than expected.

See: https://gcc.gnu.org/ml/gcc-help/2010-10/msg00255.html

description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Marco, or anyone else affected,

Accepted compiz into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/compiz/1:0.9.12.3+16.04.20180221-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in compiz (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Marco Trevisan (Treviño) (3v1n0) wrote :

Tested version:

apt-cache policy compiz
compiz:
  Installed: 1:0.9.12.3+16.04.20180221-0ubuntu1
  Candidate: 1:0.9.12.3+16.04.20180221-0ubuntu1

Can confirm restarting unity doesn't cause this crash anymore, and neither did building and launching tests inside bileto. So we can safely mark as verified.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package compiz - 1:0.9.13.1+18.04.20180221.1-0ubuntu1

---------------
compiz (1:0.9.13.1+18.04.20180221.1-0ubuntu1) bionic; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * Region: define static const functions returning infinite and empty
    regions (LP: #1749957, #1750619)

  [ Samuel Thibault ]
  * ezoom: Add option to choose between no smoothing and linear
    smoothing (LP: #1736446)

 -- Marco Trevisan (Treviño) <mail@3v1n0.net> Wed, 21 Feb 2018 17:34:08 +0000

Changed in compiz (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package compiz - 1:0.9.12.3+16.04.20180221-0ubuntu1

---------------
compiz (1:0.9.12.3+16.04.20180221-0ubuntu1) xenial; urgency=medium

  * Region: define static const functions returning infinite and empty
    regions (LP: #1750619)

 -- Marco Trevisan (Treviño) <mail@3v1n0.net> Wed, 21 Feb 2018 17:42:11 +0000

Changed in compiz (Ubuntu Xenial):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for compiz has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
