[Bug 223718] New: Xorg dies in mouse detection
https://bugzilla.novell.com/show_bug.cgi?id=223718

Summary: Xorg dies in mouse detection
Product: openSUSE 10.2
Version: RC 1
Platform: PowerPC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: X.Org
AssignedTo: sndirsch@novell.com
ReportedBy: olh@novell.com
QAContact: sndirsch@novell.com
CC: power-bugs@forge.provo.novell.com

10.2rc1, the xserver dies in the mouse code on a couple of machines.
Maybe this happens if the mouse was never moved after boot.

..
(II) Initializing built-in extension XInputExtension
(II) Initializing built-in extension XTEST
(II) Initializing built-in extension XKEYBOARD
(II) Initializing built-in extension XC-APPGROUP
(II) Initializing built-in extension XAccessControlExtension
(II) Initializing built-in extension SECURITY
(II) Initializing built-in extension XINERAMA
(II) Initializing built-in extension XFIXES
(II) Initializing built-in extension XFree86-Bigfont
(II) Initializing built-in extension RENDER
(II) Initializing built-in extension RANDR
(II) Initializing built-in extension COMPOSITE
(II) Initializing built-in extension DAMAGE
(II) Initializing built-in extension XEVIE
(**) Option "CoreKeyboard"
(**) Keyboard[0]: Core Keyboard
(**) Option "Protocol" "Standard"
(**) Keyboard[0]: Protocol: Standard
(**) Option "AutoRepeat" "500 30"
(**) Option "XkbRules" "xfree86"
(**) Keyboard[0]: XkbRules: "xfree86"
(**) Option "XkbModel" "pc104"
(**) Keyboard[0]: XkbModel: "pc104"
(**) Option "XkbLayout" "us"
(**) Keyboard[0]: XkbLayout: "us"
(**) Option "XkbKeycodes" "xfree86"
(**) Keyboard[0]: XkbKeycodes: "xfree86"
(**) Option "CustomKeycodes" "off"
(**) Keyboard[0]: CustomKeycodes disabled
(**) Option "Protocol" "explorerps/2"
(**) Mouse[1]: Device: "/dev/input/mice"
(**) Mouse[1]: Protocol: "explorerps/2"
(**) Option "CorePointer"
(**) Mouse[1]: Core Pointer
(**) Option "Device" "/dev/input/mice"
(==) Mouse[1]: Emulate3Buttons, Emulate3Timeout: 50
(**) Mouse[1]: ZAxisMapping: buttons 4 and 5
(**) Mouse[1]: Buttons: 9
(II) XINPUT: Adding extended input device "Mouse[1]" (type: MOUSE)
(II) XINPUT: Adding extended input device "Keyboard[0]" (type: KEYBOARD)
(II) Mouse[1]: ps2EnableDataReporting: succeeded

Backtrace:
0: Xorg(xf86SigHandler+0x94) [0x1009a894]
1: [0x100374]
2: Xorg(WaitForSomething+0xac4) [0x1018d2d4]
3: Xorg(Dispatch+0xf0) [0x10043370]
4: Xorg(main+0x47c) [0x1002558c]
5: /lib/libc.so.6 [0xfb77f60]
6: /lib/libc.so.6 [0xfb7818c]

Fatal server error:
Caught signal 11. Server aborting
..

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
------- Comment #1 from olh@novell.com 2006-11-25 02:00 MST -------
Created an attachment (id=106913)
 --> (https://bugzilla.novell.com/attachment.cgi?id=106913&action=view)
x.gdb.txt
------- Comment #2 from olh@novell.com 2006-11-25 02:00 MST -------
Created an attachment (id=106914)
 --> (https://bugzilla.novell.com/attachment.cgi?id=106914&action=view)
xorg.conf
olh@novell.com changed:
                      What        |Removed                  |Added
----------------------------------------------------------------------------
Attachment #106914 mime type      |application/octet-stream |text/plain
------- Comment #3 from olh@novell.com 2006-11-25 02:02 MST -------
Created an attachment (id=106915)
 --> (https://bugzilla.novell.com/attachment.cgi?id=106915&action=view)
hwinfo.txt
sndirsch@novell.com changed:
           What    |Removed             |Added
----------------------------------------------------------------------------
         AssignedTo|sndirsch@novell.com |mhopf@novell.com
mhopf@novell.com changed:
           What    |Removed  |Added
----------------------------------------------------------------------------
           Severity|Normal   |Major
             Status|NEW      |ASSIGNED

------- Comment #4 from mhopf@novell.com 2006-11-27 07:31 MST -------
Ouch. Could you please install the -debug packages (xorg-x11-server and
xorg-x11-driver-input) and start X in gdb so we get a more verbose backtrace?
Is this ppc or ppc64?
How do you find out that this is inside the mouse code? The Xserver is actually
waiting for *any* event at the time of crash.
------- Comment #5 from olh@novell.com 2006-11-27 07:42 MST -------
There is a corrupted stack apparently.
If I do not move the mouse at all, it will crash. If I move the mouse during
mouse testing, it will survive. Once I had a crash even before yast was running.
------- Comment #6 from olh@novell.com 2006-11-27 08:13 MST -------
the backtrace is always the same. and 0x100374 is also always there.
------- Comment #7 from olh@novell.com 2006-11-27 08:15 MST -------
it does not crash if I just run X -deferglyphs 16 vt07
------- Comment #9 from olh@novell.com 2006-11-27 09:05 MST -------
right now it crashed here:
CheckAllTimers, it did call TimerForce().
and that code makes no sense?! if r11 is zero, branch down, then load
r10 = *(r11+4)
0x1018d2cc
------- Comment #10 from olh@novell.com 2006-11-27 09:11 MST -------
looks more like a compiler bug, but I have to find the place where the code is
actually coming from
olh@novell.com changed:
           What    |Removed          |Added
----------------------------------------------------------------------------
         AssignedTo|mhopf@novell.com |matz@novell.com
             Status|ASSIGNED         |NEW

------- Comment #11 from olh@novell.com 2006-11-27 09:22 MST -------
    lwz     r11,0(r28)
    cmpwi   cr7,r11,0
    beq-    cr7,0x1018d348
    lwz     r10,4(r11)

this branch, or the code where it branches to, makes no sense.
matz@novell.com changed:
           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |ASSIGNED

------- Comment #12 from matz@novell.com 2006-11-27 09:53 MST -------
So, to collect it together from the initial disassembly in comment #9 this
seems to be the code:

    lwz     r11,0(r28)
    cmpwi   cr7,r11,0
    beq-    cr7,0x1018d348
    lwz     r10,4(r11)
    ...
0x1018d348:
    lwz     r10,4(r11)

Hmm, I'm no expert in power mnemonics, but this seems to compare r11 with 0,
and then no matter what the outcome was load from r11+4. This certainly seems
wrong, can you connect that asm with the source?
------- Comment #13 from olh@novell.com 2006-11-27 09:58 MST -------
I have a xorg-x11-server build on pomegranate:

/usr/src/packages/BUILD/xorg-server-1.1.99.902/os
gcc -DHAVE_CONFIG_H -I. -I. -I../include -I../include -I../include -I../include
-I../include -I../include -I../include -I../include -DHAVE_DIX_CONFIG_H -Wall
-Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs -fno-strict-aliasing -D_BSD_SOURCE -DHAS_FCHOWN
-DHAS_STICKY_DIR_BIT -I../include -I../include -I../Xext -I../composite
-I../damageext -I../xfixes -I../Xi -I../mi -I../miext/shadow -I../miext/damage
-I../render -I../randr -I../fb -O2 -fmessag
------- Comment #14 from olh@novell.com 2006-11-27 10:06 MST -------
it is the CheckAllTimers function.

        bl      TimerForce+32768@plt
.LVL178:
        .loc 1 450 0
#APP
        # foo CheckAllTimers0
        .loc 1 447 0
#NO_APP
        lwz     11,0(28)
.LVL179:
        cmpwi   7,11,0
        beq     7,.L337
        lwz     8,4(11)
        lwz     9,8(11)
        b       .L194
.L337:
        lwz     8,4(11)
        b       .L196

    asm("# foo CheckAllTimers1\n");
start:
    for (timer = timers; timer; timer = timer->next) {
        if (timer->expires - now > timer->delta + 250) {
            TimerForce(timer);
            asm("# foo CheckAllTimers0\n");
            goto start;
        }
    }
    asm("# foo CheckAllTimers2\n");
}
------- Comment #15 from olh@novell.com 2006-11-27 10:08 MST -------
Created an attachment (id=107061)
 --> (https://bugzilla.novell.com/attachment.cgi?id=107061&action=view)
WaitFor.c.bz2
------- Comment #16 from olh@novell.com 2006-11-27 10:08 MST -------
Created an attachment (id=107062)
 --> (https://bugzilla.novell.com/attachment.cgi?id=107062&action=view)
WaitFor.i.bz2
------- Comment #17 from olh@novell.com 2006-11-27 10:08 MST -------
Created an attachment (id=107064)
 --> (https://bugzilla.novell.com/attachment.cgi?id=107064&action=view)
WaitFor.s.bz2
------- Comment #18 from olh@novell.com 2006-11-27 10:09 MST -------
/usr/lib/gcc/powerpc64-suse-linux/4.1.2/cc1 -fpreprocessed WaitFor.i
-msecure-plt -quiet -dumpbase WaitFor.c -auxbase-strip .libs/WaitFor.o -g -O2
-Wall -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -Wall -version -fno-strict-aliasing
-fmessage-length=0 -fno-strict-aliasing -fPIC -o WaitFor.s
------- Comment #20 from matz@novell.com 2006-11-27 12:11 MST -------
Are you sure that this is the place where it segfaults? Because the code is
correct. You missed some surrounding code which checks that "timers != 0".
In effect we have this code in WaitForSomething:

    ..
    if (timers) {
        now = GetTimeInMillis();
        timeout = timers->expires - now;
        if (timeout > 0 && timeout > timers->delta + 250) {
            CheckAllTimers(now);
            timeout = timers->expires - now;
            asm("# foo CheckAllTimers3\n");
        }
        ....
    }

The call to CheckAllTimers is expanded inline, and it contains this loop:

    CheckAllTimers(CARD32 now)
    {
        OsTimerPtr timer;
    start:
        for (timer = timers; timer; timer = timer->next) {
            if (timer->expires - now > timer->delta + 250) {
                TimerForce(timer);
                goto start;
            }
        }
    }

So, inside that call to CheckAllTimers we know that "timers" will be non-zero.
Now the code from CheckAllTimers will be combined with the one from the caller,
and in effect it will look like so:

    if (timers) {
        timeout = timers->expires - now;
        if (timeout > 0 && timeout > timers->delta + 250) {
            OsTimerPtr timer;
    start:
            for (timer = timers; timer; timer = timer->next) {
                if (timer->expires - now > timer->delta + 250) {
                    TimerForce(timer);
                    goto start;
                }
            }
            timeout = timers->expires - now;
        }
        ....

What you see as load from an address which could be zero is the load of
"timer->expires" in the loop (guarded by the loop guard), and the
"timers->expires" from after the loop. If you look at the assembler it loads
r11 from r28+0, from the TOC, i.e. the address of "timers" and then checks it
for zero. Let's ignore the check for a moment but see if it can become 0 at
that point at all. I think it can't. We can come there only through label L199
and L195, and L195 isn't used in a jump. So only from L199. There are two jumps
to L199, reachable from labels L200 and L194. L200 can be reached from
fallthrough of L194 and from label L201. L201 can only be reached from label
L200 (i.e. a loop). So only reachable from L194, which in turn can only be
reached as fallthrough from L391 and from the block we started from (also shown
in comment #14). So, we must pass the path from L391 to L194 when we want to hit
this test. But that very path contains these insns:

    .LVL151:
            .loc 1 201 0
            lwz     9,0(28)
            cmpwi   7,9,0
            beq     7,.L188

I.e. here we test if (r28) is zero and jump to L188 if that's the case. We
never go into the loop, so actually the test shown in comment #14 will never be
true (i.e. at that point (r28) will never be zero), so the code is okay as far
as I can see. So again, my question: Are you sure that this is the place where
it segfaults?
------- Comment #21 from matz@novell.com 2006-11-27 12:16 MST -------
The backtrace looked like so:

#0  0x0fb8ece0 in *__GI_raise (sig=6) at ./nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0fb90620 in *__GI_abort () at abort.c:88
#2  0x10063cb0 in ddxGiveUp () at xf86Init.c:1235
#3  0x1019cacc in AbortServer () at log.c:407
#4  0x1019d258 in FatalError (f=0x101ab350 "Caught signal %d. Server aborting\n") at log.c:553
#5  0x1009a8fc in xf86SigHandler (signo=11) at xf86Events.c:1460
#6  0x00100374 in ?? ()
#7  0x1018d2d4 in WaitForSomething (pClientsReady=0xffe2b2e0) at WaitFor.c:447
#8  0x20000442 in ?? ()
#9  0x10043370 in Dispatch () at dispatch.c:383
#10 0x1002558c in main (argc=4, argv=0xffe2ba24, envp=<value optimized out>) at main.c:445

Frame 6 actually was the segfault. The address 0x1018d2d4 contains the return
address after the call to TimerForce, which means that the segfault did not
happen after the call, but during that call, i.e. somewhere in TimerForce or
subroutines, or during access of the address of TimerForce. This seems to match
my analysis that the crash is not in the assembler code posted. The asm code is
suboptimal (a superfluous test) but not wrong.
------- Comment #22 from olh@novell.com 2006-11-27 13:39 MST -------
(gdb) info registers
r0             0x1018d2d4       270062292
r1             0x7ffebf00       2147401472
r2             0x3002c7f0       805488624
r3             0x1      1
r4             0x0      0
r5             0x0      0
r6             0x0      0
r7             0xfc2585c        264394844
r8             0xd032   53298
r9             0x1b7740 1800000
r10            0x1032   4146
r11            0x0      0
r12            0xec188000       3961028608
r13            0x101e247c       270410876
r14            0x101da79c       270378908
r15            0x101da694       270378644
r16            0x101da764       270378852
r17            0x101da684       270378628
r18            0x101da764       270378852
r19            0x101da6fc       270378748
r20            0x7ffec170       2147402096
r21            0x0      0
r22            0x101e90d8       270438616
r23            0x101da684       270378628
r24            0xffffffff       4294967295
r25            0x101da69c       270378652
r26            0x7ffec170       2147402096
r27            0x7ffebf14       2147401492
r28            0x101daf08       270380808
r29            0x294    660
r30            0x101d74b8       270365880
r31            0x26672  157298
pc             0x1018d348       270062408
cr             0x28000282       671089282
lr             0x1018d2d4       270062292
ctr            0xc018c9e4       3222850020
xer            0x0      0

(gdb) disassemble $pc-160 $pc+16
Dump of assembler code from 0x1018d2a8 to 0x1018d358:
0x1018d2a8:     crclr   4*cr1+eq
0x1018d2ac:     bl      0x1019d180
0x1018d2b0:     li      r11,32
0x1018d2b4:     li      r9,0
0x1018d2b8:     mtctr   r11
0x1018d2bc:     lwzx    r0,r22,r9
0x1018d2c0:     stwx    r0,r27,r9
0x1018d2c4:     addi    r9,r9,4
0x1018d2c8:     bdz+    0x1018ceb8
0x1018d2cc:     b       0x1018d2bc
0x1018d2d0:     bl      0x1018c750
0x1018d2d4:     lwz     r11,0(r28)
0x1018d2d8:     cmpwi   cr7,r11,0
0x1018d2dc:     beq-    cr7,0x1018d348
0x1018d2e0:     lwz     r10,4(r11)
0x1018d2e4:     lwz     r9,8(r11)
0x1018d2e8:     addi    r9,r9,250
0x1018d2ec:     subf    r0,r31,r10
0x1018d2f0:     mr      r3,r11
0x1018d2f4:     cmplw   cr7,r9,r0
0x1018d2f8:     blt+    cr7,0x1018d2d0
0x1018d2fc:     mr      r3,r11
0x1018d300:     b       0x1018d328
0x1018d304:     nop
0x1018d308:     nop
0x1018d30c:     nop
0x1018d310:     lwz     r0,4(r3)
0x1018d314:     lwz     r9,8(r3)
0x1018d318:     subf    r0,r31,r0
0x1018d31c:     addi    r9,r9,250
0x1018d320:     cmplw   cr7,r0,r9
0x1018d324:     bgt+    cr7,0x1018d2d0
0x1018d328:     lwz     r3,0(r3)
0x1018d32c:     cmpwi   cr7,r3,0
0x1018d330:     bne+    cr7,0x1018d310
0x1018d334:     subf.   r8,r31,r10
0x1018d338:     bge+    0x1018d1b0
0x1018d33c:     li      r0,0
0x1018d340:     li      r9,0
0x1018d344:     b       0x1018d1d4
0x1018d348:     lwz     r10,4(r11)
0x1018d34c:     b       0x1018d334
0x1018d350:     mflr    r0
0x1018d354:     stwu    r1,-16(r1)
End of assembler dump.

that's what I had in my gdb session.
------- Comment #23 from olh@novell.com 2006-11-27 14:20 MST -------
If I read this correctly:
If there is one single timer in the list 'timers', DoTimer will be called.
DoTimer will set 'timers' to NULL, eventually? Who knows what timer->next
contains?

    Bool
    TimerForce(OsTimerPtr timer)
    {
        OsTimerPtr *prev;

        for (prev = &timers; *prev; prev = &(*prev)->next) {
            if (*prev == timer) {
                DoTimer(timer, GetTimeInMillis(), prev);
                return TRUE;
            }
        }
        return FALSE;
    }

    static void
    DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
    {
        CARD32 newTime;

        *prev = timer->next;
        timer->next = NULL;
        newTime = (*timer->callback)(timer, now, timer->arg);
        if (newTime)
            TimerSet(timer, 0, newTime, timer->callback, timer->arg);
    }
matz@novell.com changed:
           What    |Removed         |Added
----------------------------------------------------------------------------
                 CC|                |mhopf@novell.com, matz@novell.com
         AssignedTo|matz@novell.com |sndirsch@novell.com
             Status|ASSIGNED        |NEW

------- Comment #24 from matz@novell.com 2006-11-27 14:34 MST -------
Hmm, okay, maybe I've missed something in my analysis as r11 really is zero
here. So [r28] is zero, but as I said we should be only able to get here after
the check much earlier that [r28] is in fact not zero. I wonder if something
was able to somehow overwrite or reset that memory. The load of r28 is some
instructions before the call to GetTimeInMillis(), as is also a compare of that
place with zero. The code reads like so in the .s file:

            lwz     28,.LC30-.LCTOC1(30)
    .LVL150:
            .loc 1 200 0
            li      0,0
            stw     0,8(1)
    .LVL151:
            .loc 1 201 0
            lwz     9,0(28)
            cmpwi   7,9,0
            beq     7,.L188
            .loc 1 203 0
            bl      GetTimeInMillis+32768@plt

You should be able to locate it and set a breakpoint onto the "lwz r9,0(28)"
instruction. There you can see if the [r28] memory is zero or not. Also set a
breakpoint to the load on 0x1018d2d4 (from comment #22), there it's loaded the
second time. It should still be nonzero. If not then something in between the
first and the second check did change the variable.

.. Hmm, actually that might happen indeed. The first check is before the call
to CheckAllTimers (later inlined), which calls TimerForce() which can change
the static "timers" variable. So, actually the code is wrong. Again, the
initial code looks like:

    if (timers) {
        now = GetTimeInMillis();
        timeout = timers->expires - now;
        if (timeout > 0 && timeout > timers->delta + 250) {
            /* time has rewound. reset the timers. */
            CheckAllTimers(now);
            timeout = timers->expires - now;
        }
        if (timeout < 0)
            timeout = 0;
        waittime.tv_sec = timeout / MILLI_PER_SECOND;
        waittime.tv_usec = (timeout % MILLI_PER_SECOND) *
                           (1000000 / MILLI_PER_SECOND);
        wt = &waittime;
    }

So it checks "timers" for NULL, then calls CheckAllTimers, and then tries to
access timers->expires after that call again, without further checking. But
CheckAllTimers calls TimerForce, which in turn calls DoTimer() which overwrites
its given "previous timer" argument, which might be &timers. So the call to
CheckAllTimers might make "timers" zero, so the access after that call really
needs to check again for nullness. As this is sensitive code it needs probably
some careful thought. I think it's required that if "timers" is zero at that
point that "wt" is set to NULL and not to &waittime. The timers list is sorted
per wakeup time, so if there's no timer then the process does not need to
wakeup at all. I think this should work (sometimes it does a little too much
work, but otherwise it's a bit ugly to implement this without goto's):

    if (timers) {
        now = GetTimeInMillis();
        timeout = timers->expires - now;
        if (timeout > 0 && timeout > timers->delta + 250) {
            /* time has rewound. reset the timers. */
            CheckAllTimers(now);
        }
        /* timers might have changed by CheckAllTimers */
        if (timers) {
            timeout = timers->expires - now;
            if (timeout < 0)
                timeout = 0;
            waittime.tv_sec = timeout / MILLI_PER_SECOND;
            waittime.tv_usec = (timeout % MILLI_PER_SECOND) *
                               (1000000 / MILLI_PER_SECOND);
            wt = &waittime;
        } else {
            wt = NULL;
        }
    }
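The failure mode worked through in comments #23 and #24, as an added stand-alone model (example code, not X.Org's and not from this bug's patch): DoTimer, TimerForce and CheckAllTimers follow the quotes above; TimerSet is simplified (no flags, no unlink step, sorted insert only), GetTimeInMillis is replaced by a settable fake clock, and the callback and the "time has rewound" scenario with a single queued timer are constructed for the demonstration. The original WaitForSomething timeout logic is reproduced with the NULL dereference reported instead of taken, next to the re-checking shape proposed in comment #24.

```c
/* Added example (not X.Org code): model of os/WaitFor.c's timer list showing why
 * WaitForSomething() must re-check `timers` after CheckAllTimers(). TimerSet, the
 * fake clock, the callback and the scenario are simplified assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef uint32_t CARD32;
typedef struct _OsTimerRec *OsTimerPtr;
typedef CARD32 (*OsTimerCallback)(OsTimerPtr, CARD32, void *);
struct _OsTimerRec { OsTimerPtr next; CARD32 expires, delta; OsTimerCallback callback; void *arg; };

static OsTimerPtr timers;                 /* list head, sorted by expiry */
static CARD32 fake_now;                   /* simulated clock, set by the scenario */
static CARD32 GetTimeInMillis(void) { return fake_now; }

/* Simplified TimerSet(): allocate if needed, insert sorted by expiry.
 * Assumes the timer is not queued when re-armed (true when called from DoTimer). */
static OsTimerPtr TimerSet(OsTimerPtr timer, CARD32 millis, OsTimerCallback func, void *arg)
{
    OsTimerPtr *prev;
    if (!timer && !(timer = calloc(1, sizeof *timer))) return NULL;
    timer->expires = GetTimeInMillis() + millis;
    timer->delta = millis; timer->callback = func; timer->arg = arg;
    for (prev = &timers; *prev && (int)((*prev)->expires - timer->expires) <= 0; prev = &(*prev)->next)
        ;
    timer->next = *prev; *prev = timer;
    return timer;
}

static void DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
{
    CARD32 newTime;
    *prev = timer->next;              /* prev == &timers for the head: list may become empty */
    timer->next = NULL;
    newTime = (*timer->callback)(timer, now, timer->arg);
    if (newTime) TimerSet(timer, newTime, timer->callback, timer->arg);
}

static int TimerForce(OsTimerPtr timer)
{
    OsTimerPtr *prev;
    for (prev = &timers; *prev; prev = &(*prev)->next)
        if (*prev == timer) { DoTimer(timer, GetTimeInMillis(), prev); return 1; }
    return 0;
}

static void CheckAllTimers(CARD32 now)
{
    OsTimerPtr timer;
start:
    for (timer = timers; timer; timer = timer->next)
        if (timer->expires - now > timer->delta + 250) { TimerForce(timer); goto start; }
}

/* WaitForSomething() timeout logic as shipped: returns 1 at the point where the
 * real code reads timers->expires through NULL (the SIGSEGV in this bug). */
static int wait_timeout_original(int *timeout, int *have_wait)
{
    *have_wait = 0;
    if (timers) {
        CARD32 now = GetTimeInMillis();
        *timeout = (int)(timers->expires - now);
        if (*timeout > 0 && *timeout > (int)(timers->delta + 250)) {
            CheckAllTimers(now);               /* may empty the list */
            if (!timers) return 1;             /* original: timers->expires here */
            *timeout = (int)(timers->expires - now);
        }
        if (*timeout < 0) *timeout = 0;
        *have_wait = 1;                        /* wt = &waittime */
    }
    return 0;
}

/* The shape proposed in comment #24: re-check `timers` after CheckAllTimers(). */
static void wait_timeout_fixed(int *timeout, int *have_wait)
{
    *have_wait = 0;
    if (timers) {
        CARD32 now = GetTimeInMillis();
        int t = (int)(timers->expires - now);
        if (t > 0 && t > (int)(timers->delta + 250)) CheckAllTimers(now);
        if (timers) {                          /* timers might have changed */
            *timeout = (int)(timers->expires - now);
            if (*timeout < 0) *timeout = 0;
            *have_wait = 1;
        }
    }
}

static CARD32 rearm_ms;  /* what the constructed callback returns; 0 = one-shot */
static CARD32 demo_callback(OsTimerPtr t, CARD32 now, void *arg) { (void)t; (void)now; (void)arg; return rearm_ms; }

static void drop_timer(OsTimerPtr t)     /* unlink if still queued, then free */
{
    OsTimerPtr *prev;
    for (prev = &timers; *prev; prev = &(*prev)->next)
        if (*prev == t) { *prev = t->next; break; }
    free(t);
}

/* Constructed scenario matching the bug: one timer armed at t=1000 for 500 ms, then
 * the clock reads 100 ("time has rewound"), so timeout = 1400 > delta + 250 and
 * CheckAllTimers() forces the only timer. Returns 1 if the original logic would
 * have dereferenced NULL; the fixed logic's results go to the out parameters. */
int scenario_rewind(CARD32 rearm, int *fixed_have_wait, int *fixed_timeout)
{
    int timeout = 0, have_wait = 0, null_deref;
    OsTimerPtr t;
    rearm_ms = rearm;
    fake_now = 1000; t = TimerSet(NULL, 500, demo_callback, NULL);  /* expires 1500 */
    fake_now = 100;  null_deref = wait_timeout_original(&timeout, &have_wait);
    drop_timer(t);
    fake_now = 1000; t = TimerSet(NULL, 500, demo_callback, NULL);
    fake_now = 100;  *fixed_timeout = 0; wait_timeout_fixed(fixed_timeout, fixed_have_wait);
    drop_timer(t);
    return null_deref;
}

int main(void)
{
    int hw, to, crash;
    crash = scenario_rewind(0, &hw, &to);
    printf("one-shot timer:  original NULL deref = %d, fixed wt = %s\n", crash, hw ? "&waittime" : "NULL");
    crash = scenario_rewind(300, &hw, &to);
    printf("re-armed timer:  original NULL deref = %d, fixed timeout = %d ms\n", crash, to);
    return 0;
}
```

With a one-shot callback the forced timer is unlinked through `prev == &timers`, the list is empty when control returns to WaitForSomething, and only the re-checking variant avoids the read through NULL (and leaves `wt` unset, i.e. no wakeup). With a callback that re-arms, DoTimer's TimerSet puts the timer back at the head and both variants compute the same timeout.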
------- Comment #25 from matz@novell.com 2006-11-27 14:36 MST -------
My comment #24 was written before Olaf's comment #23, that's why it looks a
little strange, but I didn't want to revisit the whole thing as I also
reassigned and the like.
sndirsch@novell.com changed:
           What    |Removed             |Added
----------------------------------------------------------------------------
         AssignedTo|sndirsch@novell.com |mhopf@novell.com
------- Comment #26 from mhopf@novell.com 2006-11-28 05:44 MST -------
Nice finding, guys! I conclude with your analysis. Actually, I find the whole
code pretty fragile (e.g. it relies on OsTimerRec.next to be the first struct
entry, which is not documented), and I cannot see trivially, that a similar
issue isn't lurking somewhere else in the code.

The else part isn't necessary, wt is set to NULL immediately before the
if (timers).

(In reply to comment #23)
> If I read this correctly:
> If there is one single timer in the list 'timers', DoTimer will be called.
> DoTimer will set 'timers' to NULL, eventually? Who knows what timer->next
> contains?

If only a single timer is in the list, timer->next should be 0. prev is
&timers, bingo.
------- Comment #27 from mhopf@novell.com 2006-11-28 05:46 MST -------
Created an attachment (id=107181)
 --> (https://bugzilla.novell.com/attachment.cgi?id=107181&action=view)
proposed patch

Fix in patch form. I'll submit this upstream.
Thanks Matze!
mhopf@novell.com changed:
           What    |Removed          |Added
----------------------------------------------------------------------------
         AssignedTo|mhopf@novell.com |sndirsch@novell.com

------- Comment #28 from mhopf@novell.com 2006-11-28 05:47 MST -------
Stefan, please include.
Olaf Hering
participants (1): bugzilla_noreply@novell.com