[Debian-astro-maintainers] Bug#805641: ds9 segfaults when asked to display dev$pix

Sergio Gelato Sergio.Gelato at astro.su.se
Fri Nov 20 15:03:33 UTC 2015


Package: saods9
Version: 7.3.2+repack-1+b1

Starting ds9 with

gdb /usr/bin/saods9
(gdb) run -unix_only

and then issuing the command "display dev$pix 1" in IRAF cl triggers a
segmentation fault with the following backtrace:

Starting program: /usr/bin/ds9 -unix_only
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
[New Thread 0xb68a8b40 (LWP 3535)]

Program received signal SIGSEGV, Segmentation fault.
0x0823118d in ?? ()
(gdb) bt
#0  0x0823118d in ?? ()
#1  0xb7328b8a in FileHandlerEventProc (evPtr=0x8e9b618, flags=-3)
    at /build/tcl8.6-sXsM5C/tcl8.6-8.6.2+dfsg/unix/tclUnixNotfy.c:765
#2  0xb72e3c50 in Tcl_ServiceEvent (flags=-3)
    at /build/tcl8.6-sXsM5C/tcl8.6-8.6.2+dfsg/generic/tclNotify.c:670
#3  0xb72e3f9b in Tcl_DoOneEvent (flags=-3)
    at /build/tcl8.6-sXsM5C/tcl8.6-8.6.2+dfsg/generic/tclNotify.c:967
#4  0xb73f7e5d in Tk_MainLoop () from /usr/lib/i386-linux-gnu/libtk8.6.so
#5  0xb7406d79 in Tk_MainEx () from /usr/lib/i386-linux-gnu/libtk8.6.so
#6  0x0804ffae in ?? ()
#7  0xb6cdaa63 in __libc_start_main (main=0x804ff70, argc=2, argv=0xbffffa74, 
    init=0x824eb80, fini=0x824ebf0, rtld_fini=0xb7fedc90 <_dl_fini>, 
    stack_end=0xbffffa6c) at libc-start.c:287
#8  0x08052719 in ?? ()

(I've installed libtcl8.6-dbg for the purpose of preparing this bug report.
The problem also occurs without it, and even when ds9 is not run under gdb.)

The unnamed function at the top of the stack appears to be iisIO() in
tcliis1.0/xim.C. I've rebuilt the package without the obviously incorrect
last hunk in debian/patches/iis.patch:

--- a/tcliis1.0/xim.C
+++ b/tcliis1.0/xim.C
@@ -19,7 +19,7 @@
 
 void iisIO(ClientData data, int mask)
 {
-  int fd = (long)data;
+  int fd = *(long *)data;
 
   if (IISDebug)
     cerr << "iisIO() " << fd << ' ' << mask << endl;
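Review bot: the `+` line decodes the client-data slot as a pointer (`*(long *)data`), but the registering caller in xim_addInput() stores the descriptor itself in that slot as `(ClientData)long(fd)`, so the dereference reads from address `fd`, a small integer that is not a mapped object, which is the SIGSEGV in iisIO() shown in the backtrace. Keep upstream's value decoding, `int fd = (long)data;` (or `(int)(intptr_t)data` for portability); if pointer semantics are really wanted, xim_addInput() must be changed in the same patch to pass the address of storage that outlives the handler, and both sides must agree.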

and this seems to have solved the problem.

To see why the hunk above is incorrect one needs to look at the code for
xim_addInput() later in the same file. The client data is set to
(ClientData)long(fd), that is (void *)long(fd), so *(long *)data ends
up interpreting the value of fd as a memory address.
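As an added example (not code from the bug report, from saods9, or from the Debian patch), the following stand-alone C program shows the two consistent ways of passing a descriptor through a void* client-data slot and why mixing them, as the rejected hunk does, turns the descriptor value into a bogus address. The registration and dispatch functions are minimal stand-ins assumed to have the shape of Tcl_CreateFileHandler() and the notifier's callback; they are not Tcl's code, and the function names here are hypothetical.

```c
/*
 * Added example, not from saods9 or debian/patches/iis.patch.
 * register_handler() and dispatch() are assumed stand-ins shaped like
 * Tcl_CreateFileHandler() and FileHandlerEventProc(), so the program
 * builds without Tcl headers.
 */
#include <stdint.h>
#include <stddef.h>

typedef void *ClientData;                       /* same alias as tcl.h */
typedef void (FileProc)(ClientData data, int mask);

/* One registered handler, stored exactly as the caller passed it. */
static struct { int fd; FileProc *proc; ClientData data; } g_handler;
static int g_seen_fd = -1;                      /* what the callback decoded */

static void register_handler(int fd, FileProc *proc, ClientData data)
{
    g_handler.fd = fd;
    g_handler.proc = proc;
    g_handler.data = data;
}

/* Notifier stand-in: fires the callback with whatever data was registered. */
static void dispatch(int mask)
{
    g_handler.proc(g_handler.data, mask);
}

/* Pattern A (what xim_addInput() does): the integer itself is the pointer.
   Encode with (ClientData)(intptr_t)fd, decode with (int)(intptr_t)data.
   This is upstream's `int fd = (long)data;` written portably. */
static void iisIO_by_value(ClientData data, int mask)
{
    int fd = (int)(intptr_t)data;
    (void)mask;
    g_seen_fd = fd;
}

/* Pattern B: the slot holds the address of storage that outlives the
   registration. Only with this encoding is *(long *)data a valid decode. */
static void iisIO_by_pointer(ClientData data, int mask)
{
    int fd = (int)*(long *)data;
    (void)mask;
    g_seen_fd = fd;
}

/* Encode and decode both by value: round-trips the descriptor. */
int run_by_value(int fd)
{
    register_handler(fd, iisIO_by_value, (ClientData)(intptr_t)fd);
    dispatch(1);
    return g_seen_fd;
}

/* Encode and decode both by pointer: also round-trips, but the storage
   must not be a stack local of a function that returns before dispatch. */
int run_by_pointer(int fd)
{
    static long storage;
    storage = fd;
    register_handler(fd, iisIO_by_pointer, (ClientData)&storage);
    dispatch(1);
    return g_seen_fd;
}

/* The mismatch in the rejected hunk: value-encoded data, pointer-style
   decode. Returns the address `*(long *)data` would read from, which is
   just the descriptor number (e.g. 3), an unmapped page on any normal
   process. The dereference itself is deliberately not performed. */
uintptr_t mismatch_address(int fd)
{
    ClientData data = (ClientData)(intptr_t)fd;   /* as xim_addInput() stores it */
    long *bogus = (long *)data;                   /* as the `+` line casts it */
    return (uintptr_t)bogus;
}

int main(void)
{
    return (run_by_value(3) == 3 && run_by_pointer(7) == 7
            && mismatch_address(3) == 3u) ? 0 : 1;
}
```

The rule the example encodes is that the registering side and the callback must agree on one encoding; fixing only the callback, as the patch hunk did, silently changes an integer into a pointer.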
