Bug 1385258

Summary: [abrt] xorg-x11-server-Xwayland: Segmentation fault at address 0x100000035: TAINTED
Product: [Fedora] Fedora
Reporter: Vít Ondruch <vondruch>
Component: xorg-x11-server
Assignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: daniel, debarshir, erik-fedora, hhan, ofourdan, rmatos, xgl-maint
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:77c1e494531cebd8e907d35a317d1ad5ca4d6f85;
Fixed In Version: xorg-x11-server-1.19.0-1.fc25
Last Closed: 2016-11-26 22:53:04 UTC
Attachments:
  File: Xorg.0.log
  File: backtrace
  File: dmesg
  File: dso_list
  File: etc_X11_xorg_conf_d.tar.gz
  File: usr_share_xorg_conf_d.tar.gz
  journal

Description Vít Ondruch 2016-10-15 17:23:23 UTC
Version-Release number of selected component:
xorg-x11-server-Xwayland-1.19.0-0.2.20160929.fc26

Additional info:
reporter:       libreport-2.8.0
executable:     /usr/bin/Xwayland
kernel:         4.8.1-1.fc25.x86_64
pkg_fingerprint: 812A 6B4B 64DA B85D
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           xorg
uid:            0

Truncated backtrace:
0: /usr/bin/Xwayland (OsLookupColor+0x139) [0x58f439]
1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7f907ea8e63f]
2: /usr/bin/Xwayland (miPointerUpdateSprite+0x242) [0x473132]
3: /usr/bin/Xwayland (mieqProcessInputEvents+0x186) [0x46ef56]
4: /usr/bin/Xwayland (SendErrorToClient+0x126) [0x5551f6]
5: /usr/bin/Xwayland (InitFonts+0x428) [0x559418]
6: /lib64/libc.so.6 (__libc_start_main+0xf1) [0x7f907e6d8451]
7: /usr/bin/Xwayland (_start+0x2a) [0x423a2a]
8: ? (?+0x2a) [0x2a]

Comment 1 Vít Ondruch 2016-10-15 17:23:28 UTC
Created attachment 1210814
File: Xorg.0.log

Comment 2 Vít Ondruch 2016-10-15 17:23:30 UTC
Created attachment 1210815
File: backtrace

Comment 3 Vít Ondruch 2016-10-15 17:23:32 UTC
Created attachment 1210816
File: dmesg

Comment 4 Vít Ondruch 2016-10-15 17:23:33 UTC
Created attachment 1210817
File: dso_list

Comment 5 Vít Ondruch 2016-10-15 17:23:35 UTC
Created attachment 1210818
File: etc_X11_xorg_conf_d.tar.gz

Comment 6 Vít Ondruch 2016-10-15 17:23:36 UTC
Created attachment 1210819
File: usr_share_xorg_conf_d.tar.gz

Comment 7 Han Han 2016-10-19 07:03:10 UTC
Description of problem:
Segmentation fault when switching windows with ALT+TAB

Version-Release number of selected component:
xorg-x11-server-Xwayland-1.19.0-0.2.20160929.fc26

Additional info:
reporter:       libreport-2.8.0
executable:     /usr/bin/Xwayland
kernel:         4.8.0-0.rc8.git1.1.fc26.x86_64
pkg_fingerprint: 812A 6B4B 64DA B85D
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           xorg
uid:            0

Truncated backtrace:
0: /usr/bin/Xwayland (OsLookupColor+0x139) [0x58f439]
1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7ff2b6ebc63f]
2: /usr/bin/Xwayland (miPointerUpdateSprite+0x242) [0x473132]
3: /usr/bin/Xwayland (mieqProcessInputEvents+0x186) [0x46ef56]
4: /usr/bin/Xwayland (SendErrorToClient+0x126) [0x5551f6]
5: /usr/bin/Xwayland (InitFonts+0x428) [0x559418]
6: /lib64/libc.so.6 (__libc_start_main+0xf1) [0x7ff2b6b06451]
7: /usr/bin/Xwayland (_start+0x2a) [0x423a2a]
8: ? (?+0x2a) [0x2a]

Comment 8 Daniel Stone 2016-10-19 09:58:27 UTC
I'm seeing this too, fairly randomly, but addr2line seems to point me deep into mifillarc, which is entirely wrong. Not sure what's up with the debuginfo packages:

 (EE) Backtrace:
 (EE) 0: /usr/bin/Xwayland (OsLookupColor+0x139) [0x58f4d9]
 (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7fe2f28fc5bf]
 (EE) 2: /usr/bin/Xwayland (miPointerUpdateSprite+0x242) [0x4731d2]

strictly:~% addr2line -e /usr/lib/debug/usr/bin/Xwayland.debug 0x4731d2
/usr/src/debug/xorg-server-1.18.4/mi/mifillarc.c:609

This is wrong ...

 (EE) 3: /usr/bin/Xwayland (mieqProcessInputEvents+0x186) [0x46eff6]

strictly:~% addr2line -e /usr/lib/debug/usr/bin/Xwayland.debug 0x46eff6
/usr/src/debug/xorg-server-1.18.4/mi/micmap.c:345

This is definitely wrong.

 (EE) 4: /usr/bin/Xwayland (SendErrorToClient+0x126) [0x555296]


strictly:~% addr2line -e /usr/lib/debug/usr/bin/Xwayland.debug 0x555296
/usr/src/debug/xorg-server-1.18.4/dix/dispatch.c:2804 (discriminator 1)

And so is this (should be Dispatch).

Comment 9 Olivier Fourdan 2016-10-19 14:23:27 UTC
Right, there are quite a few similar bugs (with slightly different backtraces), I could never reproduce (so if you have any hint on how to reproduce...) and could not really make sense of the backtrace either, at least not enough to investigate very far.

Last time I checked one of these, it took me to dixGetPrivateAddr() which would be supposedly from MIPOINTER() at the beginning of miPointerUpdateSprite(), so basically the given DeviceIntPtr is corrupted, but I could not really get much farther with the little (presumably broken) info the backtrace provides.

What does "rpm -qf /usr/lib/debug/usr/bin/Xwayland.debug" give on your system?

Comment 10 Olivier Fourdan 2016-10-19 14:42:32 UTC
Presumably same as bug 1384775 in f25 which may lead to a more realistic backtrace:

$ addr2line -fe /usr/lib/debug/usr/bin/Xwayland.debug 0x427108 0x4731fb 0x46eff6 0x555296 0x5594b8 
xwl_seat_set_cursor
/usr/src/debug/xorg-server-20160929/hw/xwayland/xwayland-cursor.c:46
miPointerUpdateSprite
/usr/src/debug/xorg-server-20160929/mi/mipointer.c:477
mieqProcessInputEvents
/usr/src/debug/xorg-server-20160929/mi/mieq.c:567
Dispatch
/usr/src/debug/xorg-server-20160929/dix/dispatch.c:312
dix_main
/usr/src/debug/xorg-server-20160929/dix/main.c:321

Comment 11 Olivier Fourdan 2016-10-19 15:44:29 UTC
Out of curiosity, does your system feature a touch screen?

Comment 12 Daniel Stone 2016-10-19 17:17:26 UTC
Oh, this explains a lot ...

xorg-x11-server-Xwayland-1.19.0-0.2.20160929.fc25.x86_64
xorg-x11-server-debuginfo-1.18.4-5.fc25.x86_64

As for the touchscreen - it does! Unfortunately I can't see #1384775 though.

Comment 13 Vít Ondruch 2016-10-20 06:27:23 UTC
My system has no touchscreen if that makes any difference.

Comment 14 Olivier Fourdan 2016-10-20 06:33:11 UTC
I wish I could reproduce, but I never had this crash happening here...

Maybe it has to do with the apps running, the type of cursor they use? Do you remember what application you were using when the crash occurred?

Comment 15 Vít Ondruch 2016-10-20 06:58:46 UTC
(In reply to Olivier Fourdan from comment #14)
> Do you remember what application you were using when the crash occurred?

Since this is an XWayland issue, it was very likely Nuvola Player:

https://tiliado.eu/nuvolaplayer/

But it was not the latest version. It is a GTK3 app, using WebKit (and probably Flash) in the background. Will try to dig through journal entries when I am back at that computer.

Comment 16 Olivier Fourdan 2016-10-20 14:46:47 UTC
Another one that looks similar but yet slightly different: bug 1387281

Comment 17 Vít Ondruch 2016-10-20 18:40:44 UTC
Created attachment 1212617
journal

This is my journal content from around the crash (sorry for the Czech, it does not look like journal can be convinced to use English :/). I can't see anything really suspicious, but maybe it will help ...

Comment 18 Olivier Fourdan 2016-10-21 08:48:14 UTC
I am a bit wary of Xorg backtraces to be honest (well, even though this one looks "plausible").

Ideally, if you can, the best course of action is to:

1. Make sure you have the xorg-x11-server-debuginfo package installed for the same version as xorg-x11-server-Xwayland

2. From a *remote* machine, connect to your workstation, and run gdb on your running Xwayland process:

  $ gdb /usr/bin/Xwayland $(pidof Xwayland)
  (gdb)
  (gdb) handle SIGUSR1 nostop
  (gdb) handle SIGUSR2 nostop
  (gdb) handle SIGPIPE nostop
  (gdb) cont

3. When the crash occurs, capture the core file and the full backtrace:

  (gdb) generate-core-file
  (gdb) bt full
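
Comment 12 shows why addr2line misled comment 8: the 1.18.4 debuginfo did not match the 1.19.0 binary, which is also what step 1 of comment 18 guards against. The script below is an added example, not part of the thread: it compares the version-release of the two packages and only then builds the addr2line command from the executable's own frames. The function names are made up for illustration; the package strings and backtrace lines are the ones quoted in comments 8 and 12.

```shell
#!/bin/sh
# Added example (not from the bug thread); function names are illustrative.

# Print "version-release" of an RPM name-version-release.arch string.
# Package names contain hyphens, so split from the right.
nvra_to_vr() {
    nvr=${1%.*}                      # drop ".arch"
    release=${nvr##*-}               # after the last hyphen
    nv=${nvr%-*}
    printf '%s-%s\n' "${nv##*-}" "$release"
}

# Succeed only if binary and debuginfo packages share one version-release.
debuginfo_matches() {
    [ "$(nvra_to_vr "$1")" = "$(nvra_to_vr "$2")" ]
}

# Read an Xorg "(EE) Backtrace" on stdin; print addresses of frames in EXE ($1).
# Library frames are skipped: they lie in another object's mapping, so
# addr2line -e EXE cannot resolve them.
frame_addrs() {
    sed -n "s|^.*[0-9]: $1 (.*) \[\(0x[0-9a-f]*\)\]\$|\1|p" | paste -sd ' ' -
}

# symbolize_cmd BIN_NVRA DEBUG_NVRA EXE DEBUGFILE < backtrace
# Print the addr2line command, or fail when the debuginfo is from another build.
symbolize_cmd() {
    if ! debuginfo_matches "$1" "$2"; then
        echo "debuginfo $(nvra_to_vr "$2") does not match binary $(nvra_to_vr "$1")" >&2
        return 1
    fi
    echo "addr2line -fe $4 $(frame_addrs "$3")"
}

# Values quoted in comments 8 and 12; on a live system use "$(rpm -q PACKAGE)".
BIN=xorg-x11-server-Xwayland-1.19.0-0.2.20160929.fc25.x86_64
DBG=xorg-x11-server-debuginfo-1.18.4-5.fc25.x86_64
BACKTRACE=' (EE) 0: /usr/bin/Xwayland (OsLookupColor+0x139) [0x58f4d9]
 (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7fe2f28fc5bf]
 (EE) 2: /usr/bin/Xwayland (miPointerUpdateSprite+0x242) [0x4731d2]
 (EE) 3: /usr/bin/Xwayland (mieqProcessInputEvents+0x186) [0x46eff6]
 (EE) 4: /usr/bin/Xwayland (SendErrorToClient+0x126) [0x555296]'

# With the mismatched pair from comment 12 this refuses to symbolize.
printf '%s\n' "$BACKTRACE" |
    symbolize_cmd "$BIN" "$DBG" /usr/bin/Xwayland /usr/lib/debug/usr/bin/Xwayland.debug ||
    echo "install the matching debuginfo first"
```

Equal version-release is a package-level check; comparing the GNU build-id of the binary and the .debug file (readelf -n prints it) is stricter.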

Comment 19 Olivier Fourdan 2016-10-21 09:23:35 UTC
Also, what does "xinput list" give on your system?

Comment 20 Vít Ondruch 2016-10-21 09:41:15 UTC
(In reply to Olivier Fourdan from comment #19)
> Also, what does "xinput list" give on your system?


$ xinput list
⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer              	id=4	[slave  pointer  (2)]
⎜   ↳ xwayland-pointer:14                     	id=6	[slave  pointer  (2)]
⎣ Virtual core keyboard                   	id=3	[master keyboard (2)]
    ↳ Virtual core XTEST keyboard             	id=5	[slave  keyboard (3)]
    ↳ xwayland-keyboard:14                    	id=7	[slave  keyboard (3)]

Comment 21 Olivier Fourdan 2016-11-10 19:50:05 UTC
Most likely the same as bug 1393158 in F25

Comment 22 Olivier Fourdan 2016-11-16 07:59:00 UTC
I have posted a patch upstream that should fix this issue:

  https://patchwork.freedesktop.org/series/15344/

And also prepared a test package for Fedora which includes this patch:

  F25:     http://koji.fedoraproject.org/koji/taskinfo?taskID=16471034
  rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=16471224

Could you try this build and see if that fixes the issue for you?

Note: these builds are scratch builds, they will automatically be deleted shortly.

Comment 23 Vít Ondruch 2016-11-16 10:06:58 UTC
(In reply to Olivier Fourdan from comment #22)
Thx. Will try to update the package, but since I have not met this bug for two weeks, it will be hard to confirm anything ....

Comment 24 Olivier Fourdan 2016-11-21 19:41:37 UTC
On further investigation and even more testing, I don't think the previous patch actually fixed the issue...

So new patch, new scratch build here:

f25:     http://koji.fedoraproject.org/koji/taskinfo?taskID=16555185
rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=16555199

Comment 25 Vít Ondruch 2016-11-22 12:58:30 UTC
*** Bug 1397401 has been marked as a duplicate of this bug. ***

Comment 26 Vít Ondruch 2016-11-22 13:00:35 UTC
(In reply to Olivier Fourdan from comment #24)
> On further investigation and even more testing, I don't think the previous
> patch actually fixed the issue...
> 
> So new patch, new scratch build here:
> 
> f25:     http://koji.fedoraproject.org/koji/taskinfo?taskID=16555185
> rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=16555199

Either I am luckier or this ^^^ is much worse, since I hit the bug 1397401 just in 4 hours

Comment 27 Olivier Fourdan 2016-11-22 13:29:34 UTC
(In reply to Vít Ondruch from comment #26)
> Either I am luckier or this ^^^ is much worse, since I hit the bug 1397401
> just in 4 hours

This is unexpected, can you capture the exact backtrace?

Comment 28 Olivier Fourdan 2016-11-22 14:41:38 UTC
(In reply to Olivier Fourdan from comment #27)
> This is unexpected, can you capture the exact backtrace?

Quick update, after discussing with Vít on irc, it appears the old version of Xwayland was still in use at the time of the crash as the session had not been restarted after installing the new test package, which explains why the issue occurred.

Comment 29 Vít Ondruch 2016-11-22 20:58:03 UTC
I tried the reproducer from https://bugzilla.redhat.com/show_bug.cgi?id=1387281#c13 and it always crashed on first or second attempt. With the test build from comment 24, I cannot reproduce the issue anymore.

Similar experience with the "testclose.c" you provided me.

So it seems you nailed it!

Comment 30 Olivier Fourdan 2016-11-23 08:17:13 UTC
(In reply to Vít Ondruch from comment #29)
> I tried the reproducer from
> https://bugzilla.redhat.com/show_bug.cgi?id=1387281#c13 and it always
> crashed on first or second attempt. With the test build from comment 24, I
> cannot reproduce the issue anymore.
> 
> Similar experience with the "testclose.c" you provided me.
> 
> So it seems you nailed it!

Excellent! Are you okay with me adding "Tested-by: Vít Ondruch <vondruch@redhat.com>" to the patch upstream?

Comment 31 Vít Ondruch 2016-11-23 09:28:13 UTC
(In reply to Olivier Fourdan from comment #30)
> Are you okay with me adding "Tested-by: Vít Ondruch
> <vondruch@redhat.com>" to the patch upstream?

Yes I am. Thx.

Comment 32 Fedora Update System 2016-11-23 10:53:15 UTC
xorg-x11-server-1.19.0-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-45775f3dcf

Comment 33 Fedora Update System 2016-11-25 09:41:15 UTC
xorg-x11-server-1.19.0-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-45775f3dcf

Comment 34 Fedora Update System 2016-11-26 22:53:04 UTC
xorg-x11-server-1.19.0-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.