On Wed, Oct 20, 2021 at 02:06:49PM +0200, Rubén Llorente wrote:
> On Wed, Oct 20, 2021 at 01:34:20PM +0200, Solene Rapenne wrote:
> >
> > this seems a fluxbox bug which is not OpenBSD specific, you should
> > rather report it on fluxbox bug tracker if any.
> > I can't reproduce it on Linux.
>
> On the other hand I have not seen anything in the code that was OpenBSD
> specific in this regard so I am a bit confused.
>
> I don't think Fluxbox has a formal bug tracker. I might dust off my
> rusty gdb skills and see what is going on, but really, I should be
> considered a last resort :-)
>
> --
> OpenPGP Key Fingerprint:
> 543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76
It's definitely a use after free issue. Linux is more permissive than
OpenBSD in this area. Here's an excerpt of a debugging session:

    Thread 1 received signal SIGSEGV, Segmentation fault.
    0x000002237870b2ef in std::__1::less<unsigned long>::operator() (
        this=0x22378872770 <FbTk::EventManager::instance()::ev+16>,
        __x=<error reading variable>, __y=@0x7f7ffffe9878: 2097514)
        at /usr/include/c++/v1/__functional_base:54
    54          {return __x < __y;}
    (gdb) p __x
    $1 = (const unsigned long &) <error reading variable>
    (gdb) p __y
    $2 = (const unsigned long &) @0x7f7ffffe9878: 2097514
    (gdb) up
    #1  0x000002237870bcf2 in std::__1::__map_value_compare<unsigned long,
        std::__1::__value_type<unsigned long, FbTk::EventHandler*>,
        std::__1::less<unsigned long>, true>::operator() (
        this=0x22378872770 <FbTk::EventManager::instance()::ev+16>,
        __x=..., __y=@0x7f7ffffe9878: 2097514)
        at /usr/include/c++/v1/map:518
    518         {return static_cast<const _Compare&>(*this)(__x.__get_value().first, __y);}
    (gdb) p __x
    $3 = (const std::__1::__value_type<unsigned long, FbTk::EventHandler*> &) <error reading variable>
    (gdb) up
    #2  0x000002237871084b in std::__1::__tree<std::__1::__value_type<unsigned long, FbTk::EventHandler*>,
        std::__1::__map_value_compare<unsigned long, std::__1::__value_type<unsigned long, FbTk::EventHandler*>,
        std::__1::less<unsigned long>, true>,
        std::__1::allocator<std::__1::__value_type<unsigned long, FbTk::EventHandler*> > >::__lower_bound<unsigned long> (
        this=0x22378872760 <FbTk::EventManager::instance()::ev>,
        __v=@0x7f7ffffe9878: 2097514, __root=0xdfdfdfdfdfdfdfdf, __result=0x2259e120ac0)
        at /usr/include/c++/v1/__tree:2637
    2637            if (!value_comp()(__root->__value_, __v))
    (gdb) p __root
    $4 = (std::__1::__tree<std::__1::__value_type<unsigned long, FbTk::EventHandler*>,
        std::__1::__map_value_compare<unsigned long, std::__1::__value_type<unsigned long, FbTk::EventHandler*>,
        std::__1::less<unsigned long>, true>,
        std::__1::allocator<std::__1::__value_type<unsigned long, FbTk::EventHandler*> > >::__node_pointer) 0xdfdfdfdfdfdfdfdf
    (gdb) p __root->__value_
    Cannot access memory at address 0xdfdfdfdfdfdfdfff

0xdfdf is used by free() to mark free'd memory.

Sorry, I don't want to dig deeper into that. A way to "fix" the issue, a
tad better than ignoring SIGSEGV, is to use _exit(2) instead of exit(3) in
handleXIOErrors(): this won't call the problematic C++ destructors.

--
Matthieu Herrb
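The two points in the reply above (exit(3) runs teardown code that _exit(2) skips, and an all-0xdf pointer value is the signature of OpenBSD's freed-memory fill) can be shown with a small C program. This is an added example, not code from the thread or from Fluxbox: registry_destructor stands in for a C++ static destructor such as the one tearing down FbTk::EventManager::instance()::ev, the pipe/fork plumbing is there only so the parent can observe whether teardown ran, and looks_like_freed_junk is a triage helper that checks for the 0xdf pattern the reply describes; all of these names are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Pipe end the child uses to report that teardown code executed. */
static int report_fd = -1;

/* Hypothetical stand-in for a process-wide registry destructor (in the real
 * bug this is where already-freed map nodes are walked). Here it only
 * records that teardown code ran at all. */
static void registry_destructor(void)
{
    (void)write(report_fd, "D", 1);
}

/* Fork a child that registers the destructor and then terminates with
 * either exit(3) or _exit(2). Returns 1 if the destructor ran in the child,
 * 0 if it did not, -1 on a setup error. */
int teardown_ran(int use_libc_exit)
{
    int fds[2];
    int status;
    char c;
    ssize_t n;
    pid_t pid;

    fflush(stdout);                 /* don't duplicate buffered output in the child */
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        report_fd = fds[1];
        atexit(registry_destructor); /* like C++ static-destructor registration */
        if (use_libc_exit)
            exit(0);                 /* runs atexit handlers and C++ destructors */
        _exit(0);                    /* straight to the kernel: nothing runs */
    }
    close(fds[1]);
    n = read(fds[0], &c, 1);         /* EOF (0) once the child has gone */
    close(fds[0]);
    waitpid(pid, &status, 0);
    return n == 1 ? 1 : 0;
}

/* Triage helper: OpenBSD's malloc fills freed chunks with 0xdf, so a pointer
 * whose every byte is 0xdf (like __root=0xdfdfdfdfdfdfdfdf in the gdb
 * session) was most likely loaded from memory that had already been freed. */
int looks_like_freed_junk(uintptr_t p)
{
    size_t i;
    for (i = 0; i < sizeof p; i++) {
        if (((p >> (8 * i)) & 0xff) != 0xdf)
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("exit(3):  destructor ran = %d\n", teardown_ran(1));
    printf("_exit(2): destructor ran = %d\n", teardown_ran(0));
    printf("0xdfdfdfdfdfdfdfdf looks freed: %d\n",
           looks_like_freed_junk((uintptr_t)0xdfdfdfdfdfdfdfdfULL));
    printf("0x2259e120ac0 looks freed: %d\n",
           looks_like_freed_junk((uintptr_t)0x2259e120ac0ULL));
    return 0;
}
```

Running it prints 1 for the exit(3) case and 0 for the _exit(2) case, which is exactly why switching handleXIOErrors() to _exit(2) sidesteps the crash: the destructors that touch the dead map never execute. The pattern check is only a hint for reading backtraces; it says nothing about which free() was premature, and that is what a real fix of the static-destruction order still has to establish.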