Date: Fri, 20 Feb 2009 21:06:55 +1100
From: Peter Jeremy
To: Robert Noland
Cc: freebsd-x11
Subject: Re: [CFT] xf86-video-ati-6.10.99.0
Message-ID: <20090220100655.GA56539@server.vk2pj.dyndns.org>
In-Reply-To: <20090216190037.GA41111@server.vk2pj.dyndns.org>
References: <1234248221.1524.31.camel@ferret.2hip.net> <20090216190037.GA41111@server.vk2pj.dyndns.org>

On 2009-Feb-17 06:00:37 +1100, Peter Jeremy wrote:
>On 2009-Feb-10 01:43:41 -0500, Robert Noland wrote:
>>This patch is for the 6.11.0rc version of the ati driver.
>>
>>http://people.freebsd.org/~rnoland/xf86-video-ati-6.10.99.0.patch
>
>Summary: Still broken: Exiting Xserver core-dumps and doesn't restore
>VTY video (though keyboard is restored).

I rebuilt the Xserver related ports with debugging enabled and it
turns out that this is a bug in xorg-server-1.5.3 rather than
xf86-video-ati. The backtrace is:

(gdb) where
...
#9
#10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
#11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 , data=0x7fffffffe990) at window.c:225
#12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
#13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.) at rroutput.c:410
#14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
#15 0x000000000042e7af in FreeAllResources () at resource.c:824
#16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available.

This fairly clearly shows DeliverPropertyEvent() is being called with
a garbage window pointer - specifically it's a use-after-free bug:
The root window _Window is being freed too early. I'm still digging
through the code to work out where/why.
-- 
Peter Jeremy
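
Added example, not part of the original message or of the X.Org code: a small triage script that scans gdb frames for pointer arguments made of a single repeated allocator fill byte, run here over frames #10-#13 from the backtrace above. It assumes the 0x5a5a5a5a5a5a5a5a in frame #10 comes from FreeBSD malloc's junk filling, which overwrites freed memory with 0x5a when enabled; the names `classify_pointer` and `triage` are this example's own.

```python
import re

# Fill bytes that debug allocators write over memory (value -> meaning).
POISON_BYTES = {
    0x5A: "FreeBSD/jemalloc junk fill: memory was already freed",
    0xA5: "FreeBSD/jemalloc junk fill: allocated, never initialised",
    0xDD: "MSVC debug heap: memory was already freed",
    0xCD: "MSVC debug heap: allocated, never initialised",
    0x6B: "Linux slab poisoning: object was already freed",
}

# One gdb frame per line: "#N [0xADDR in ]func (args) [at file:line]".
FRAME_RE = re.compile(
    r"#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\w+) "
    r"\((?P<args>.*?)\)(?: at (?P<where>\S+))?"
)
ARG_RE = re.compile(r"(\w+)=0x([0-9a-fA-F]+)\b")

# Frames #10-#13 from the post, with the mail's line wraps joined.
SAMPLE = """\
#10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
#11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 , data=0x7fffffffe990) at window.c:225
#12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
#13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.) at rroutput.c:410
"""

def classify_pointer(hex_digits):
    """Describe the poison if a full-width pointer is one repeated fill byte, else None."""
    if len(hex_digits) not in (8, 16):  # only 32- or 64-bit wide values qualify
        return None
    raw = bytes.fromhex(hex_digits)
    return POISON_BYTES.get(raw[0]) if len(set(raw)) == 1 else None

def triage(backtrace):
    """List (frame, function, argument, location, verdict) for poisoned pointer arguments."""
    findings = []
    for line in backtrace.splitlines():
        frame = FRAME_RE.match(line.strip())
        if not frame:
            continue
        for name, digits in ARG_RE.findall(frame["args"]):
            verdict = classify_pointer(digits)
            if verdict:
                findings.append((int(frame["num"]), frame["func"], name, frame["where"], verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Only frame #10's `pWin` is flagged; the other pointers in the sample are ordinary heap and stack addresses, and arguments gdb reports as unavailable are skipped.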