CreateColormap seems to add a padding of int size between each color - leads to abort in realloc in weird cases
Submitted by Alban Browaeys
Assigned to Xorg Project Team
Description
I wonder if this is a bug in assignment or allocation. Though when assigning green and blue to pmap in CreateColormap of dix/colormap.c there is a "+(MAXCLIENTS * sizeof(int))":

pmap->green = (EntryPtr)((char *)pmap->numPixelsRed + (MAXCLIENTS * sizeof(int)));

Running under omapfb, kernel space 32 bpp and DefaultDepth 16 in xorg.conf (this was a mistake, though the issue remains):
X.Org X Server 1.10.1
Release Date: 2011-04-15
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.39-rc7-a101-initramfs-09745-gc6c0139-dirty armv7l Debian
Current Operating System: Linux archos101 2.6.39-rc7-a101-initramfs-09746-g02a1e82-dirty #263 PREEMPT Tue May 24 17:43:21 CEST 2011 armv7l
Kernel command line: console=tty0 earlyprintk loglevel=8 ram=4915200 omapfb.vrfb=y omapfb.rotate=2 omapfb.vram=0:4915200 omapdss.debug=y omapfb.debug=y debug twl4030_bci.debug=1 root=/dev/mmcblk1p1 ddebug_query="module twl4030_bci +p" ddebug_query="module twl4030_usb +p"
Build Date: 24 May 2011 12:09:27AM
xorg-server 2:1.10.1-2.1 (Alban Browaeys prahal@yahoo.com)
Current version of pixman: 0.21.8
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Tue May 24 18:32:13 2011
Converted /usr/share/X11/%X' to
/usr/share/X11/xorg.conf.d'
Converted /etc/X11/%X' to
/etc/X11/xorg.conf.d'
Converted /etc/X11/%X' to
/etc/X11/xorg.conf'
Converted /etc/%X' to
/etc/xorg.conf'
Converted %P/etc/X11/%X.%H' to
/usr/etc/X11/xorg.conf.archos101'
Converted %P/etc/X11/%X' to
/usr/etc/X11/xorg.conf'
Converted %P/lib/X11/%X.%H' to
/usr/lib/X11/xorg.conf.archos101'
Converted %P/lib/X11/%X' to
/usr/lib/X11/xorg.conf'
(==) Using config directory: "/etc/X11/xorg.conf.d"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
APM: OSPMOpen called
APM: Opening device
LoaderOpen(/usr/lib/xorg/modules/extensions/libextmod.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libdbe.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libglx.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/librecord.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libdri.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libdri2.so)
LoaderOpen(/usr/lib/xorg/modules/drivers/omapfb_drv.so)
LoaderOpen(/usr/lib/xorg/modules/drivers/omapfb_drv.so)
(EE) omapfb(0): OMAPFBPreInit: Opening '/dev/fb0' might have failed: (10) Invalid argument
xf86RegisterRootWindowProperty(0, 69, 19, 32, 1, 0x1e13b8)
new property filled
creating xf86RegisteredPropertiesTable[] size 1
xf86RegisteredPropertiesTable 0x1e2488
xf86RegisteredPropertiesTable[0] (nil)
xf86RegisterRootWindowProperty succeeded
(EE) omapfb(0): Mapping framebuffer memory succeeded: 4915200
LoaderOpen(/usr/lib/xorg/modules/libfb.so)
[tcsetpgrp failed in terminal_inferior: Operation not permitted]
Breakpoint 3, mremap_chunk (p=0x1e5cf0, new_size=1032) at malloc.c:3574
3574 malloc.c: No such file or directory.
in malloc.c
(gdb) bt
#0 mremap_chunk (p=0x1e5cf0, new_size=1032) at malloc.c:3574
#1 0x4033b70c in __libc_realloc (oldmem=0x1e5cf8, bytes=1028) at malloc.c:3790
#2 0x000a1854 in AllocColor (pmap=0x1e35a8, pred=<value optimized out>, pgreen=0xbefff59e, pblue=0xbefff59e, pPix=0xbefff590, client=0)
at ../../dix/colormap.c:878
#3 0x000a4e84 in miCreateDefColormap (pScreen=0x1e24a8) at ../../mi/micmap.c:330
#4 0x40592c4c in OMAPFBScreenInit (scrnIndex=0, pScreen=0x1e24a8, argc=1, argv=0xbefff864) at ../../src/omapfb-driver.c:571
#5 0x000318c8 in AddScreen (pfnInit=0x1b9744 <_GLOBAL_OFFSET_TABLE_>, argc=1845032, argv=0x405928b4) at ../../dix/dispatch.c:3890
#6 0x00074a6c in InitOutput (pScreenInfo=0x12fdfc, argc=1825576, argv=0x72e28) at ../../../../hw/xfree86/common/xf86Init.c:738
#7 0x00025cec in main (argc=1, argv=0xbefff864, envp=<value optimized out>) at ../../dix/main.c:205
(gdb) n
Xorg: malloc.c:3574: mremap_chunk: Assertion `((size + offset) & (mp_.pagesize-1)) == 0' failed.
Valgrind shows:

creating xf86RegisteredPropertiesTable[] size 1
xf86RegisteredPropertiesTable 0x4e40950
xf86RegisteredPropertiesTable[0] (nil)
xf86RegisterRootWindowProperty succeeded
(EE) omapfb(0): Mapping framebuffer memory succeeded: 4915200
LoaderOpen(/usr/lib/xorg/modules/libfb.so)
==9607== Invalid write of size 2
==9607==    at 0x9F968: CreateColormap (colormap.c:382)
==9607==    by 0xA4E3F: miCreateDefColormap (micmap.c:315)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5e250 is 16 bytes before a block of size 1,024 alloc'd
==9607==    at 0x48334BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-arm-linux.so)
==9607==
==9607== Invalid write of size 2
==9607==    at 0x9F958: CreateColormap (colormap.c:383)
==9607==    by 0xA4E3F: miCreateDefColormap (micmap.c:315)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5de04 is 4 bytes after a block of size 10,056 alloc'd
==9607==    at 0x48334BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-arm-linux.so)
==9607==
==9607== Invalid read of size 2
==9607==    at 0x9DC04: FindBestPixel (colormap.c:1158)
==9607==    by 0xA17AB: AllocColor (colormap.c:868)
==9607==    by 0xA4E83: miCreateDefColormap (micmap.c:330)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5de10 is not stack'd, malloc'd or (recently) free'd
==9607==
==9607== Invalid read of size 2
==9607==    at 0x9DC04: FindBestPixel (colormap.c:1158)
==9607==    by 0xA17AB: AllocColor (colormap.c:868)
==9607==    by 0xA4EC3: miCreateDefColormap (micmap.c:332)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5de10 is not stack'd, malloc'd or (recently) free'd
==9607==
I fixed this by removing "+(MAXCLIENTS * sizeof(int))" from:

pmap->green = (EntryPtr)((char *)pmap->numPixelsRed + (MAXCLIENTS * sizeof(int)));

and:

pmap->blue = (EntryPtr)((char *)pmap->numPixelsGreen + (MAXCLIENTS * sizeof(int)));

though I might be mistaken in the fix. I.e. I did not find any evidence that there is a use for this addition to the pointer offset. If this clue is wrong I will look at the allocation, where it does not seem to be accounted for.
Version: git
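The carve-up of one malloc'd block into per-channel arrays that the report reasons about, modelled as an added example so the arithmetic can be checked for both variants of the green/blue assignment. This is not xorg-server code: MAXCLIENTS, the Entry layout, the header size and the block size (assumed to be exactly what three channels of Entry, clientPixels and numPixels arrays need) are assumptions made here, not values taken from the report.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Added example, not xorg-server code: a model of how CreateColormap
 * carves a single malloc'd block into the per-channel arrays the report
 * names (red/green/blue Entry arrays, clientPixels* pointer arrays,
 * numPixels* int arrays). MAXCLIENTS, the Entry layout, the header size
 * and the block size are assumptions made for this example.
 */

#define MAXCLIENTS   256   /* assumed: the X server's client limit */
#define HEADER_BYTES 80    /* assumed stand-in for sizeof(ColormapRec) */

typedef unsigned long Pixel;

/* Simplified stand-in for the dix Entry: three 16-bit components plus bookkeeping. */
typedef struct {
    unsigned short red, green, blue;
    short refcnt;
    int fShared;
} Entry;

#define NREGIONS 9

typedef struct {
    const char *name;
    size_t off, len;
} Region;

typedef struct {
    int overlaps;        /* pairs of regions that share bytes */
    int out_of_bounds;   /* regions ending past the block */
    size_t end;          /* highest byte used by any region */
} Verdict;

/* Block size assumed here: header plus three channels' worth of arrays. */
size_t colormap_block_size(size_t entries)
{
    return HEADER_BYTES + 3 * (entries * sizeof(Entry)
                               + MAXCLIENTS * sizeof(Pixel *)
                               + MAXCLIENTS * sizeof(int));
}

/*
 * Place the nine arrays. with_int_term == 1 keeps the
 * "+ (MAXCLIENTS * sizeof(int))" step the report quotes before green and
 * blue; with_int_term == 0 drops it, as the report's experimental fix does.
 */
static void place_regions(int with_int_term, size_t entries, Region r[NREGIONS])
{
    static const char *names[3][3] = {
        { "red",   "clientPixelsRed",   "numPixelsRed"   },
        { "green", "clientPixelsGreen", "numPixelsGreen" },
        { "blue",  "clientPixelsBlue",  "numPixelsBlue"  },
    };
    size_t off = HEADER_BYTES;
    for (int c = 0; c < 3; c++) {
        r[c * 3 + 0] = (Region){ names[c][0], off, entries * sizeof(Entry) };
        off += entries * sizeof(Entry);
        r[c * 3 + 1] = (Region){ names[c][1], off, MAXCLIENTS * sizeof(Pixel *) };
        off += MAXCLIENTS * sizeof(Pixel *);
        r[c * 3 + 2] = (Region){ names[c][2], off, MAXCLIENTS * sizeof(int) };
        /* Without the term, the next channel's Entry array starts where this
         * channel's int array starts, i.e. on top of it. */
        if (with_int_term)
            off += MAXCLIENTS * sizeof(int);
    }
}

/* Bounds and aliasing check over the placed regions; prints each overlapping pair. */
Verdict check_colormap_layout(int with_int_term, size_t entries)
{
    Region r[NREGIONS];
    Verdict v = { 0, 0, 0 };
    size_t block = colormap_block_size(entries);

    place_regions(with_int_term, entries, r);
    for (int i = 0; i < NREGIONS; i++) {
        size_t end = r[i].off + r[i].len;
        if (end > v.end)
            v.end = end;
        if (end > block)
            v.out_of_bounds++;
        for (int j = i + 1; j < NREGIONS; j++)
            if (r[i].off < r[j].off + r[j].len && r[j].off < end) {
                printf("  %s overlaps %s\n", r[j].name, r[i].name);
                v.overlaps++;
            }
    }
    return v;
}

int main(void)
{
    size_t entries = 256;   /* constructed sample value for ColormapEntries */
    for (int term = 1; term >= 0; term--) {
        printf("%s int term:\n", term ? "with" : "without");
        Verdict v = check_colormap_layout(term, entries);
        printf("  block=%zu end=%zu overlaps=%d out_of_bounds=%d\n",
               colormap_block_size(entries), v.end, v.overlaps, v.out_of_bounds);
    }
    return 0;
}
```

Under this assumed sizing the layout with the term fills the block exactly, while the layout without it stays inside the block but places green on top of numPixelsRed and blue on top of numPixelsGreen. Neither variant reaches outside the block in the model, so whether the model matches the server's real allocation arithmetic, and the visual's ColormapEntries that feeds it, has to be confirmed against the allocation code in dix/colormap.c, which the report does not quote.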