Bug#997040: xpaint: segfault on exit
Control: tags -1 + upstream
Control: forwarded -1 https://sourceforge.net/p/sf-xpaint/bugs/17/
Dear Maintainer,
the core file contains this backtrace.
It can be reproduced by:
- starting xpaint
- Canvas - New Canvas
- Modify the new picture
- Canvas - Quit XPaint -> segfault happens
Upstream bug seems to be this:
https://sourceforge.net/p/sf-xpaint/bugs/17/
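It looks like the same object is being interpreted with two different
memory layouts: as the SmeBSB "entry" in function Highlight and as the
Widget "parent" in function AlertBox. In the rr recording below, Highlight
sets entry->sme_threeD.shadowed with a one-byte store at offset 0x99 (153).
That byte lies inside the 8-byte "screen" pointer at offset 152 of _CorePart,
so the watched value changes from 0 to 0x100 (256), which is the bogus
Screen pointer that AlertBox later dereferences through XtScreen(parent).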
Kind regards,
Bernhard
Core was generated by `xpaint'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055f56d8268aa in AlertBox (parent=parent@entry=0x55f56dcc8460, msg=0x55f56dc32ba0 "There are unsaved changes,\nare you sure you wish to quit?", okProc=okProc@entry=0x55f56d855650 <exitOkCallback>, nokProc=nokProc@entry=0x55f56d855610 <exitCancelCallback>,
data=data@entry=0x0) at dialog.c:91
91 if (x>WidthOfScreen(XtScreen(parent))-260)
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0 0x000055f56d8268aa in AlertBox (parent=parent@entry=0x55f56dcc8460, msg=0x55f56dc32ba0 "There are unsaved changes,\nare you sure you wish to quit?", okProc=okProc@entry=0x55f56d855650 <exitOkCallback>, nokProc=nokProc@entry=0x55f56d855610 <exitCancelCallback>, data=data@entry=0x0) at dialog.c:91
#1 0x000055f56d8569f7 in exitPaint (junk=<optimized out>, junk2=<optimized out>, w=0x55f56dcc8460) at operation.c:583
#2 exitPaint (w=0x55f56dcc8460, junk=<optimized out>, junk2=<optimized out>) at operation.c:573
#3 0x00007ff8f57ce6ed in XtCallCallbacks (widget=0x55f56dcc8460, name=<optimized out>, call_data=0x0) at ../../src/Callback.c:575
#4 0x00007ff8f580323f in HandleActions (w=w@entry=0x55f56dcc6860, event=0x7ffce164ade0, stateTree=0x55f56dcc6bd0, accelWidget=<optimized out>, procs=0x55f56dd092a8, actions=actions@entry=0x55f56dcc6a40) at ../../src/TMstate.c:646
#5 0x00007ff8f5803ce3 in HandleSimpleState (w=w@entry=0x55f56dcc6860, tmRecPtr=tmRecPtr@entry=0x55f56dcc68a8, curEventPtr=curEventPtr@entry=0x7ffce164a9b0) at ../../src/TMstate.c:881
#6 0x00007ff8f5804986 in _XtTranslateEvent (w=w@entry=0x55f56dcc6860, event=event@entry=0x7ffce164ade0) at ../../src/TMstate.c:1099
#7 0x00007ff8f57dc4ae in XtDispatchEventToWidget (widget=widget@entry=0x55f56dcc6860, event=event@entry=0x7ffce164ade0) at ../../src/Event.c:899
#8 0x00007ff8f57dcee7 in _XtDefaultDispatcher (event=0x7ffce164ade0) at ../../src/Event.c:1360
#9 0x00007ff8f57dd053 in XtDispatchEvent (event=event@entry=0x7ffce164ade0) at ../../src/Event.c:1416
#10 0x000055f56d82251a in main (argc=<optimized out>, argv=<optimized out>) at main.c:1111
(gdb) display/i $pc
1: x/i $pc
=> 0x55f56d8268aa <AlertBox+154>: mov 0x18(%rcx),%esi
(gdb) print/x $rcx
$1 = 0x100
(gdb) print parent
$2 = (Widget) 0x55f56dcc8460
(gdb) print parent->core->screen
$3 = (Screen *) 0x100
(gdb) ptype /o parent->core
type = struct _CorePart {
/* 0 | 8 */ Widget self;
/* 8 | 8 */ WidgetClass widget_class;
/* 16 | 8 */ Widget parent;
/* 24 | 4 */ XrmName xrm_name;
/* 28 | 1 */ Boolean being_destroyed;
/* XXX 3-byte hole */
/* 32 | 8 */ XtCallbackList destroy_callbacks;
/* 40 | 8 */ XtPointer constraints;
/* 48 | 2 */ Position x;
/* 50 | 2 */ Position y;
/* 52 | 2 */ Dimension width;
/* 54 | 2 */ Dimension height;
/* 56 | 2 */ Dimension border_width;
/* 58 | 1 */ Boolean managed;
/* 59 | 1 */ Boolean sensitive;
/* 60 | 1 */ Boolean ancestor_sensitive;
/* XXX 3-byte hole */
/* 64 | 8 */ XtEventTable event_table;
/* 72 | 32 */ XtTMRec tm;
/* 104 | 8 */ XtTranslations accelerators;
/* 112 | 8 */ Pixel border_pixel;
/* 120 | 8 */ Pixmap border_pixmap;
/* 128 | 8 */ WidgetList popup_list;
/* 136 | 4 */ Cardinal num_popups;
/* XXX 4-byte hole */
/* 144 | 8 */ String name;
/* 152 | 8 */ Screen *screen;
/* 160 | 8 */ Colormap colormap;
/* 168 | 8 */ Window window;
/* 176 | 4 */ Cardinal depth;
/* XXX 4-byte hole */
/* 184 | 8 */ Pixel background_pixel;
/* 192 | 8 */ Pixmap background_pixmap;
/* 200 | 1 */ Boolean visible;
/* 201 | 1 */ Boolean mapped_when_managed;
/* XXX 6-byte padding */
/* total size (bytes): 208 */
}
(rr) reverse-cont
Continuing.
Hardware watchpoint 1: *0x55563e396b68
Old value = 256
New value = 0
Highlight (w=0x55563e396ad0) at SmeBSB.c:490
490 entry->sme_threeD.shadowed = True;
1: x/i $pc
=> 0x7f934ecd1940 <Highlight>: movb $0x1,0x99(%rdi)
(rr) bt
#0 Highlight (w=0x55563e396ad0) at SmeBSB.c:490
#1 0x00007f934ecd1545 in Highlight (num_params=0x7fff9069435c, params=<optimized out>, event=0x7fff90694970, w=0x55563e364d20) at SimpleMenu.c:901
#2 Highlight (w=0x55563e364d20, event=0x7fff90694970, params=<optimized out>, num_params=0x7fff9069435c) at SimpleMenu.c:866
#3 0x00007f934ec81047 in XtCallActionProc (widget=widget@entry=0x55563e364d20, action=action@entry=0x55563d3f63cd "highlight", event=event@entry=0x7fff90694970, params=params@entry=0x0, num_params=<optimized out>, num_params@entry=0) at ../../src/TMaction.c:1002
#4 0x000055563d3a8de4 in HighlightChild (w=0x55563e364d20, event=0x7fff90694970, params=0x0, nparams=<optimized out>) at menu.c:271
#5 0x00007f934ec8923f in HandleActions (w=w@entry=0x55563e364d20, event=0x7fff90694970, stateTree=0x55563e359780, accelWidget=<optimized out>, procs=0x55563e410128, actions=actions@entry=0x7f934eca91a0 <dummyAction.3>) at ../../src/TMstate.c:646
#6 0x00007f934ec89ce3 in HandleSimpleState (w=w@entry=0x55563e364d20, tmRecPtr=tmRecPtr@entry=0x55563e364d68, curEventPtr=curEventPtr@entry=0x7fff90694540) at ../../src/TMstate.c:881
#7 0x00007f934ec8a986 in _XtTranslateEvent (w=w@entry=0x55563e364d20, event=event@entry=0x7fff90694970) at ../../src/TMstate.c:1099
#8 0x00007f934ec624ae in XtDispatchEventToWidget (widget=widget@entry=0x55563e364d20, event=event@entry=0x7fff90694970) at ../../src/Event.c:899
#9 0x00007f934ec62a43 in DispatchEvent (event=event@entry=0x7fff90694970, widget=widget@entry=0x55563e364d20) at ../../src/Event.c:1281
#10 0x00007f934ec62cfe in _XtDefaultDispatcher (event=0x7fff90694970) at ../../src/Event.c:1343
#11 0x00007f934ec63053 in XtDispatchEvent (event=event@entry=0x7fff90694970) at ../../src/Event.c:1416
#12 0x000055563d37851a in main (argc=<optimized out>, argv=<optimized out>) at main.c:1111
(rr) ptype /o entry
type = struct _SmeBSBRec {
/* 0 | 48 */ ObjectPart object;
/* 48 | 14 */ RectObjPart rectangle;
/* XXX 2-byte hole */
/* 64 | 8 */ SmePart sme;
/* 72 | 88 */ SmeThreeDPart sme_threeD;
/* 160 | 144 */ SmeBSBPart sme_bsb;
/* total size (bytes): 304 */
} *