luik@einstein.isa.de (Andreas Luik) (10/26/90)
X Window System Bug Report
xbugs@expo.lcs.mit.edu
VERSION:
R4, Patches 1-14
CLIENT MACHINE and OPERATING SYSTEM:
Sun 386i running SunOS 4.0.1
DISPLAY TYPE:
Sun CG3 (maybe all mi/cfb servers)
WINDOW MANAGER:
twm (all)
AREA:
server (mi/cfb)
SYNOPSIS:
Call to XClearArea with height == -1 crashes server
DESCRIPTION:
A call to XClearArea with a height value of -1 (or 65535) crashes
the Sun server. The traceback is as follows:
core file = core -- program ``Xsun''
SIGSEGV 11: segmentation violation
cfbFillBoxSolid() + 152
cfbPaintWindow() + 14d
miSpritePaintWindowBackground(0xc9380,0xc8a04,0x0) + 61
miClearToBackground() + 150
miSpriteClearToBackground() + 10a
ProcClearToBackground(0xc8a94) + 85
Dispatch() + 103
main(0x4,0xfbfffd64,0xfbfffd78) + 39b
The values are as follows:
1.) Call XClearArea(dpy, w, x=5, y=5, width=65535, height=65535)
2.) shipped X request: req->x=5, req->y=5,
        req->width=65535, req->height=65535
3.) ProcClearToBackground: stuff->x=5, stuff->y=5,
        stuff->width=65535, stuff->height=65535
4.) miSpriteClearToBackground calls miClearToBackground
5.) miClearToBackground: x=5, y=5, w=65535, h=65535
    computes box (suppose window has origin (0,0), width = height = 100):
        box.x1 = 0+5 = 5, box.y1 = 0+5 = 5,
        box.x2 = box.x1 + w = (short) (5 + 65535) = 4
        box.y2 = box.y1 + h = (short) (5 + 65535) = 4
    pReg = miRegionCreate(&box,1) ---> pReg->extents == box
    miIntersect(pReg,pReg,&pWin->clipList) ---> pReg->extents unchanged
6.) miSpritePaintWindowBackground and cfbPaintWindow do not change pReg
7.) cfbFillBoxSolid is called with nBox=1, pBox=&pReg->extents:
        pBox->x1 = 5, pBox->y1 = 5, pBox->x2 = 4, pBox->y2 = 4
    computations:
        h = pBox->y2 - pBox->y1 = 4 - 5 = -1
        w = pBox->x2 - pBox->x1 = 4 - 5 = -1
    loop: while (h--) { /* fill box */ }
    ---> crash
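The following C program is added here to illustrate steps 5 and 7; it is not part of this report and not code from the X11R4 server. It models the types involved with constructed stand-ins (a CARD16 typedef and a BoxRec of shorts, assumed to mirror the server's request and region structures), reproduces the wrap from 65540 to 4 and the resulting row count of -1, shows how far a `while (h--)` loop would run with that count (capped, standing in for the SIGSEGV), and then shows one defensive way to compute the box: do the arithmetic in int, clip to the window extent before narrowing back to short, and treat an inverted box as empty. The function names and the clamping approach are this example's own assumptions, not the fix the server eventually used; the protocol rule that a width or height of 0 means "to the window edge" is assumed to have been applied by the caller and is not modelled.

```c
#include <stdio.h>

/* Constructed model of the types in play (assumption: these mirror the
 * server's CARD16 request fields and short-based BoxRec, but are not
 * copied from the X11R4 headers). */
typedef unsigned short CARD16;

typedef struct {
    short x1, y1, x2, y2;
} BoxRec;

/* Step 5 as reported: x1/y1 are shorts, w/h are CARD16. 5 + 65535 is
 * 65540 in int, and storing it into a short keeps only the low 16 bits,
 * so x2 and y2 come out as 4, below x1 and y1. */
BoxRec compute_box_unchecked(short win_x, short win_y,
                             short x, short y, CARD16 w, CARD16 h)
{
    BoxRec box;
    box.x1 = (short)(win_x + x);
    box.y1 = (short)(win_y + y);
    box.x2 = (short)(box.x1 + w);   /* (short)(5 + 65535) == 4 */
    box.y2 = (short)(box.y1 + h);   /* (short)(5 + 65535) == 4 */
    return box;
}

/* Step 7: cfbFillBoxSolid derives the row count as y2 - y1, which is
 * -1 for the inverted box. */
int raw_height(BoxRec b)
{
    return b.y2 - b.y1;
}

/* What a `while (h--)` fill loop does with that count: it keeps going
 * far past the box, writing beyond the framebuffer. The cap stands in
 * for the SIGSEGV; a sane count returns well before reaching it. */
long loop_iterations_capped(int h, long cap)
{
    long visited = 0;
    while (h-- && visited < cap)
        visited++;
    return visited;
}

/* One defensive form (this example's own, not the server's actual fix):
 * do the arithmetic in int so nothing wraps, clip the box to the
 * window's extent before narrowing back to short, and leave an inverted
 * or empty box as empty so the fill loop never sees a negative count. */
BoxRec compute_box_clamped(short win_x, short win_y, short win_w, short win_h,
                           short x, short y, CARD16 w, CARD16 h)
{
    int x1 = win_x + x, y1 = win_y + y;
    int x2 = x1 + (int)w;          /* 5 + 65535 == 65540, no wrap in int */
    int y2 = y1 + (int)h;
    int win_x2 = win_x + win_w, win_y2 = win_y + win_h;
    BoxRec box;

    if (x1 < win_x) x1 = win_x;
    if (y1 < win_y) y1 = win_y;
    if (x2 > win_x2) x2 = win_x2;
    if (y2 > win_y2) y2 = win_y2;
    box.x1 = (short)x1; box.y1 = (short)y1;
    box.x2 = (short)x2; box.y2 = (short)y2;
    return box;
}

/* Row count the fill loop may safely use: 0 for an empty or inverted box. */
int safe_rows(BoxRec b)
{
    if (b.x2 <= b.x1 || b.y2 <= b.y1)
        return 0;
    return b.y2 - b.y1;
}

int main(void)
{
    BoxRec bad = compute_box_unchecked(0, 0, 5, 5, 65535, 65535);
    BoxRec ok = compute_box_clamped(0, 0, 100, 100, 5, 5, 65535, 65535);

    printf("unchecked box: (%d,%d)-(%d,%d), h = %d, loop visits >= %ld rows\n",
           bad.x1, bad.y1, bad.x2, bad.y2, raw_height(bad),
           loop_iterations_capped(raw_height(bad), 1000));
    printf("clamped box:   (%d,%d)-(%d,%d), rows to fill = %d\n",
           ok.x1, ok.y1, ok.x2, ok.y2, safe_rows(ok));
    return 0;
}
```

The unchecked path reproduces exactly the numbers in step 7 (x2 = y2 = 4, h = -1); the clamped path yields (5,5)-(100,100) and 95 rows, which is the intersection with the window that the region code was expected to produce. Whichever layer is chosen for the real fix, the property to enforce is the one the clamped variant has: the box handed to cfbFillBoxSolid must satisfy x1 < x2 and y1 < y2 before any fill loop starts.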
This seems to be a signed/unsigned problem, but I don't really
know where to correct this (Xlib, region code in mi, cfb code). I also
don't know in which other functions this problem exists.
REPEAT BY:
Start the following program on a color Sun (using cfb code) and
click into the window it creates:
#include <X11/Xlib.h>
#include <stdio.h>
#include <stdlib.h>

#define BLACK (BlackPixel (dpy, DefaultScreen (dpy)))
#define WHITE (WhitePixel (dpy, DefaultScreen (dpy)))

int
main (void)
{
    Display *dpy;
    Window w1;

    dpy = XOpenDisplay (0);
    if (dpy == NULL) {
        fprintf (stderr, "cannot open display\n");
        exit (1);
    }
    w1 = XCreateSimpleWindow (dpy, DefaultRootWindow (dpy),
                              100, 100, 400, 500, 0, BLACK, WHITE);
    XSelectInput (dpy, w1, ButtonPressMask | ExposureMask);
    XMapWindow (dpy, w1);
    while (1) {
        XEvent event;
        XNextEvent (dpy, &event);
        switch (event.type) {
        case ButtonPress:
            /* width and height of 65535 (-1 as a short) trigger the crash */
            XClearArea (dpy, w1, 5, 5, 65535, 65535, False);
            break;
        }
    }
}
SAMPLE FIX:
None. But would you please mail me one if you have repaired the
bug? Would you please at least send me some suggestions as to which area
this bug should be fixed in?
Thanks,
Andreas Luik
Domain: luik@isa.de (postmaster@isa.de)
BITNET: luik%isa.de@unido.bitnet
Bang:   ...!{uunet!unido,pyramid}!isaak!luik