From: Mathieu T. <tai...@mp...> - 2006-06-09 13:17:44
Hello, I found a reproducible bug in the Enlightenment code. For information, I am using the latest CVS version of e17, compiled with gcc-4.1.1 and glibc 2.4. The bug occurs when I want to quit Enlightenment or when I quit the configuration menu. After a debugging session, I found that e17 frees some pointers named bd->client.icccm.command.argv[i]; this line can be found at e_border.c:2937. I tried to find the line where this variable is allocated, but found nothing interesting. (Note that the string being freed, "-evil", is the same argument passed on the command line below, so argv[i] may not point to memory that the border itself allocated — that would explain a crash inside free().) You will find some debugging information below.

command line: /usr/local/bin/enlightenment -evil
Reproduction: 100 %
Way to reproduce it: just quit e17

backtrace with gdb:
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb798a36d in ___newselect_nocancel () from /lib/libc.so.6
#2  0xb7a46154 in _XWaitForReadable () from /usr/X11R6/lib/libX11.so.6
#3  0xb7a46511 in _XRead () from /usr/X11R6/lib/libX11.so.6
#4  0xb7a47969 in _XReadEvents () from /usr/X11R6/lib/libX11.so.6
#5  0xb7a3663a in XNextEvent () from /usr/X11R6/lib/libX11.so.6
#6  0x080d181f in e_alert_show (text=0x812efa4 "This is very bad. Enlightenment has segfaulted.\nThis is not meant to happen and is likely a sign of a\nbug in Enlightenment or the libraries it relies on.\n\nYou can gdb attach to this process now to try"...)
    at e_alert.c:137
#7  0x080b9fb2 in e_sigseg_act (x=11, info=0xbfd0b52c, data=0xbfd0b5ac) at e_signals.c:53
#8  <signal handler called>
#9  0xb793878f in free () from /lib/libc.so.6
#10 0x08082e38 in _e_border_free (bd=0x8474658) at e_border.c:2937
#11 0x080a1ddd in e_object_free (obj=0x8474658) at e_object.c:77
#12 0x080a1e2c in e_object_unref (obj=0x8474658) at e_object.c:96
#13 0x0808c561 in _e_border_event_border_remove_free (data=0x0, ev=0x845c028) at e_border.c:6236
#14 0xb7ca1658 in _ecore_event_del (event=0x8409c98) at ecore_events.c:357
#15 0xb7ca1910 in _ecore_event_call () at ecore_events.c:445
#16 0xb7ca8a36 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:639
#17 0xb7ca7c25 in ecore_main_loop_begin () at ecore_main.c:79
#18 0x080638a9 in main (argc=2, argv=0xbfd0ec34) at e_main.c:689

(gdb) fr 10
#10 0x08082e38 in _e_border_free (bd=0x8474658) at e_border.c:2937
2937	         free(bd->client.icccm.command.argv[i]);
(gdb) l
2932	   if ((bd->client.icccm.command.argc > 0) && (bd->client.icccm.command.argv))
2933	     {
2934	        int i;
2935	
2936	        for (i = 0; i < bd->client.icccm.command.argc; i++)
2937	          free(bd->client.icccm.command.argv[i]);
2938	        free(bd->client.icccm.command.argv);
2939	     }
2940	   if (bd->client.netwm.name) free(bd->client.netwm.name);
2941	   if (bd->client.netwm.icon_name) free(bd->client.netwm.icon_name);
(gdb) p bd
$11 = (E_Border *) 0x8474658
(gdb) p bd->client.icccm.command.argv[i]
$10 = 0x836cd65 "-evil"
(gdb) p bd->client.icccm.command.argv
$12 = (char **) 0x8471288
(gdb) p bd->client.icccm.command
$13 = {argc = 2, argv = 0x8471288}
(gdb) p bd->client.icccm
$14 = {title = 0x0, name = 0x8388ad0 "\230A@\b", class = 0x8388468 "\310\2128\bfigure", icon_name = 0x0, machine = 0x83c90c8 "`\2048\bite", min_w = 352, min_h = 310, max_w = 9999, max_h = 9999, base_w = -1, base_h = -1, step_w = -1, step_h = -1, start_x = 0, start_y = 0, min_aspect = 0,
max_aspect = 0, initial_state = ECORE_X_WINDOW_STATE_HINT_WITHDRAWN, state = ECORE_X_WINDOW_STATE_HINT_ICONIC, icon_pixmap = 0, icon_mask = 0, icon_window = 0, window_group = 0, transient_for = 163, client_leader = 0, gravity = ECORE_X_GRAVITY_NW, window_role = 0x0, take_focus = 0 '\0', accepts_focus = 1 '\001', urgent = 0 '\0', delete_request = 1 '\001', request_pos = 0 '\0', command = {argc = 2, argv = 0x8471288}, fetch = {title = 0 '\0', name_class = 0 '\0', icon_name = 0 '\0', machine = 0 '\0', hints = 0 '\0', size_pos_hints = 0 '\0', protocol = 0 '\0', transient_for = 0 '\0', client_leader = 0 '\0', window_role = 0 '\0', state = 0 '\0', command = 0 '\0'}}
(gdb) p bd
$15 = (E_Border *) 0x8474658

(gdb) fr 11
#11 0x080a1ddd in e_object_free (obj=0x8474658) at e_object.c:77
77	   obj->cleanup_func(obj);
(gdb) l
72	        e_object_breadcrumb_debug(obj);
73	     }
74	   */
75	   if (obj->free_att_func) obj->free_att_func(obj);
76	   obj->magic = E_OBJECT_MAGIC_FREED;
77	   obj->cleanup_func(obj);
78	}
79	
80	EAPI int
81	e_object_ref(E_Object *obj)
(gdb) p obj
$16 = (E_Object *) 0x8474658
(gdb) p obj->magic
$17 = -524325139

If you need more information about it, feel free to contact me.

Regards,
Mathieu