OpenSolaris

Bug ID: 6529064
Synopsis: twm dumps core due to website windows automatically closing.
State: 10-Fix Delivered:Verified (Fix available in build)
Category:Subcategory: xserver:programs
Keywords:
Responsible Engineer: Dan Mcdonald
Reported Against:
Duplicate Of:
Introduced In: solaris_7
Commit to Fix: snv_61
Fixed In: snv_61
Release Fixed: solaris_nevada(snv_61)
Related Bugs:
Submit Date: 27-February-2007
Last Update Date: 22-March-2007
Description
Short answer:  Run firefox, visit www.united.com, and watch twm dump core.

Long answer:

I finally ran twm with libumem enabled.  THAT made me dump core in the place
I was expecting in VERY short order.  Here's the stack trace:

everywhere(~)[0]% mdb core
Loading modules: [ libumem.so.1 libc.so.1 ld.so.1 ]
> $c
NotActiveIconManager+9(deadbeef)
HandleEnterNotify+0x41(0, 0, 806387a, 80478fc, 8063882, 50)
DispatchEvent+0x97(50, 0, 0, 804798c, 804798c, 805c5b5)
HandleEvents+0x86(8047a4c, 8047974, feffa7c0, feffcc90, d7acdc4, 0)
main+0xc49(1, 80479b8, 80479c0) 
_start+0x7a(1, 8047ab4, 0, 84001c0, 8047ac3, 8047aea)
>
 
With libumem, the 0xdeadbeef is an obvious sign of the use of
previously-freed memory.  Looking at the source in HandleEnterNotify(), I
see:

    /*
     * Save the id of the window entered.  This will be used to remove
     * border highlight on entering the next application window.
     */
    if (UnHighLight_win && ewp->window != UnHighLight_win->w) {
      SetBorder (UnHighLight_win, False);       /* application window */
      if (UnHighLight_win->list) /* in the icon box */
        NotActiveIconManager(UnHighLight_win->list);  
    }   
    if (ewp->window == Scr->Root)
      UnHighLight_win = NULL;
    else if (Tmp_win) 
      UnHighLight_win = Tmp_win;
      
And lucky me!  UnHighLight_win is a global!  Let's go back to MDB:

> UnHighLight_win/P
twm`UnHighLight_win:
twm`UnHighLight_win:            0x84ca908
> 0x84ca908::whatis
84ca908 is 84ca900+8, bufctl 84c9468 freed from umem_alloc_512
> 84c9468$<bufctl_audit
            ADDR          BUFADDR        TIMESTAMP           THREAD
                            CACHE          LASTLOG         CONTENTS
         84c9468          84ca900     b04a48492269                1
                          8415290                0                0
                 libumem.so.1`umem_cache_free_debug+0x135         
                 libumem.so.1`umem_cache_free+0x42
                 libumem.so.1`umem_free+0xd8
                 libumem.so.1`process_free+0x55
                 libumem.so.1`free+0x17
                 HandleDestroyNotify+0x34c
                 DispatchEvent+0x97
                 HandleEvents+0x86
                 main+0xc49
                 _start+0x7a
                 
>                
                 
Wow!  It looks like a TWM window was freed without being removed from this
UnHighLight_win.  I'm guessing things like Firefox pop-ups that disappear 
(indicating status of some sort) really jam this particular case up.

Looking at the code in HandleDestroyNotify():

...
    free((char *)Tmp_win);
}   
    
and I'm guessing that Tmp_win isn't checked to see if it was assigned into
UnHighLight_win.
Work Around
Avoid toxic web sites.  :)
Comments
N/A
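
Added example (not part of the original report and not the twm fix itself): a minimal C model of the pattern the description suspects, where the destroy path clears the global alias before calling free(). The Win struct, unhighlight_win, on_enter, on_destroy and the window ids are hypothetical stand-ins for twm's own types and handlers.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a twm window record; not twm's real struct. */
typedef struct Win {
    unsigned long w;      /* X window id (constructed sample values below) */
    int highlighted;      /* border highlight state */
    struct Win *next;
} Win;

static Win *win_list;         /* every managed window */
static Win *unhighlight_win;  /* models the global UnHighLight_win */

Win *win_create(unsigned long id) {
    Win *win = calloc(1, sizeof *win);
    if (!win) abort();
    win->w = id;
    win->next = win_list;
    win_list = win;
    return win;
}

/* Models the enter handler: un-highlight the saved window, save the new one. */
void on_enter(Win *entered) {
    if (unhighlight_win && unhighlight_win != entered)
        unhighlight_win->highlighted = 0;  /* dereferences the saved pointer */
    entered->highlighted = 1;
    unhighlight_win = entered;
}

/* Models the destroy handler: unlink, drop every global alias, then free. */
void on_destroy(Win *win) {
    for (Win **pp = &win_list; *pp; pp = &(*pp)->next)
        if (*pp == win) { *pp = win->next; break; }
    if (unhighlight_win == win)   /* the check the report suspects is missing */
        unhighlight_win = NULL;
    free(win);
}

/* Constructed scenario: pop-up entered, destroyed, other window entered.
 * Returns 1 if no stale pointer survived the destroy. */
int popup_close_is_safe(void) {
    Win *main_win = win_create(0x100);
    Win *popup = win_create(0x200);
    on_enter(popup);
    on_destroy(popup);
    int ok = (unhighlight_win == NULL);
    on_enter(main_win);           /* would touch freed memory without the check */
    ok = ok && main_win->highlighted && unhighlight_win == main_win;
    on_destroy(main_win);
    return ok && unhighlight_win == NULL && win_list == NULL;
}
int main(void) { return popup_close_is_safe() ? 0 : 1; }
```

Running a build of this under libumem's debugging mode or a similar allocator checker with the alias check removed reproduces the class of fault in the stack trace above, because on_enter() then writes through the freed pop-up record.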