Various packages using xvfb-run to run tests against an X server start failing to build due a regression in the Xvfb or xvfb-run script. Before: [test@fedora-21 tmp]$ rpm -q xorg-x11-server-Xvfb xorg-x11-server-Xvfb-1.15.99.902-8.20140428.fc21.x86_64 [test@fedora-21 tmp]$ cat /tmp/test #!/bin/sh xhost sleep 2 [test@fedora-21 tmp]$ xvfb-run -a /tmp/test access control enabled, only authorized clients can connect And after the upgrade: [test@fedora-21 tmp]$ rpm -q xorg-x11-server-Xvfb xorg-x11-server-Xvfb-1.15.99.903-1.fc21.x86_64 [test@fedora-21 tmp]$ xvfb-run -a /tmp/test access control enabled, only authorized clients can connect /bin/xvfb-run: line 171: kill: (1991) - No such process [test@fedora-21 tmp]$ echo $? 1 It looks like the Xvfb would terminate prematurely.
Well, it segfaults when the client disconnects: $ Xvfb -ac :0 (EE) (EE) Backtrace: (EE) 0: Xvfb (OsLookupColor+0x119) [0x561dd9] (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7f360e757e3f] (EE) 2: Xvfb (FreePixmap+0x4) [0x525bd4] (EE) 3: Xvfb (fbCloseScreen+0x64) [0x4256a4] (EE) 4: Xvfb (PictureCloseScreen+0x51) [0x49c6c1] (EE) 5: Xvfb (fbTile+0x9a8) [0x43ea28] (EE) 6: Xvfb (PanoramiXRenderReset+0x85c) [0x4a6d9c] (EE) 7: Xvfb (present_register_complete_notify+0x622) [0x4aa372] (EE) 8: Xvfb (remove_fs_handlers+0x527) [0x50ddd7] (EE) 9: /lib64/libc.so.6 (__libc_start_main+0xf0) [0x7f360d3860c0] (EE) 10: Xvfb (_start+0x29) [0x422a1e] (EE) 11: ? (?+0x29) [0x29] (EE) (EE) Segmentation fault at address 0x20 (EE) Fatal server error: (EE) Caught signal 11 (Segmentation fault). Server aborting (EE)
Full back-trace: (gdb) bt #0 FreePixmap (pPixmap=0x0) at pixmap.c:129 #1 0x00000000004256a4 in fbCloseScreen (pScreen=0x7f00b0) at fbscreen.c:40 #2 0x000000000049c6c1 in PictureCloseScreen (pScreen=0x7f00b0) at picture.c:90 #3 0x000000000043e108 in CursorCloseScreen (pScreen=0x7f00b0) at cursor.c:187 #4 0x00000000004a65ec in AnimCurCloseScreen (pScreen=<optimized out>) at animcur.c:106 #5 0x00000000004a9d92 in present_close_screen (screen=0x7f00b0) at present_screen.c:63 #6 0x000000000050dd97 in dix_main (argc=3, argv=0x7fffffffe008, envp=<optimized out>) at main.c:349 #7 0x00007ffff5b5d0c0 in __libc_start_main (main=0x4229f0 <main>, argc=3, argv=0x7fffffffe008, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdff8) at libc-start.c:289 #8 0x0000000000422a1e in _start () (gdb) bt full #0 FreePixmap (pPixmap=0x0) at pixmap.c:129 No locals. #1 0x00000000004256a4 in fbCloseScreen (pScreen=0x7f00b0) at fbscreen.c:40 d = <optimized out> depths = 0x7f0720 #2 0x000000000049c6c1 in PictureCloseScreen (pScreen=0x7f00b0) at picture.c:90 ret = <optimized out> n = <optimized out> #3 0x000000000043e108 in CursorCloseScreen (pScreen=0x7f00b0) at cursor.c:187 ret = <optimized out> close_proc = <optimized out> display_proc = <optimized out> #4 0x00000000004a65ec in AnimCurCloseScreen (pScreen=<optimized out>) at animcur.c:106 ret = <optimized out> #5 0x00000000004a9d92 in present_close_screen (screen=0x7f00b0) at present_screen.c:63 No locals. #6 0x000000000050dd97 in dix_main (argc=3, argv=0x7fffffffe008, envp=<optimized out>) at main.c:349 i = 0 alwaysCheckForInput = {0, 1} #7 0x00007ffff5b5d0c0 in __libc_start_main (main=0x4229f0 <main>, argc=3, ---Type <return> to continue, or q <return> to quit--- argv=0x7fffffffe008, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdff8) at libc-start.c:289 result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -6943193878347437744, 4336117, 140737488347136, 0, 0, 6943194541387098448, 6943207237135313232}, mask_was_saved = 0}}, priv = {pad = { 0x0, 0x0, 0x56f0e0 <__libc_csu_init>, 0x7fffffffe008}, data = { prev = 0x0, cleanup = 0x0, canceltype = 5697760}}} not_first_call = <optimized out> #8 0x0000000000422a1e in _start () It looks like a NULL dereference when freen a pixmap (pixmap.c:129). And indeed: (gdb) info registers rax 0x1 1 rbx 0x0 0 rcx 0x7ffff5efdcf0 140737319525616 rdx 0x0 0 rsi 0x0 0 rdi 0x0 0 rbp 0x7f0788 0x7f0788 rsp 0x7fffffffddd0 0x7fffffffddd0 r8 0x0 0 r9 0x7f0720 8324896 r10 0x0 0 r11 0x1 1 r12 0x7f00b0 8323248 r13 0x7f0720 8324896 r14 0x7dd700 8247040 r15 0x7e3d18 8273176 rip 0x525bd4 0x525bd4 <FreePixmap+4> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 ---Type <return> to continue, or q <return> to quit--- gs 0x0 0 (gdb) disa disable disassemble (gdb) disa disable disassemble (gdb) disassemble Dump of assembler code for function FreePixmap: 0x0000000000525bd0 <+0>: push %rbx 0x0000000000525bd1 <+1>: mov %rdi,%rbx => 0x0000000000525bd4 <+4>: mov 0x20(%rdi),%rdi 0x0000000000525bd8 <+8>: mov $0x9,%esi 0x0000000000525bdd <+13>: callq 0x526970 <_dixFiniPrivates> 0x0000000000525be2 <+18>: mov %rbx,%rdi 0x0000000000525be5 <+21>: pop %rbx 0x0000000000525be6 <+22>: jmpq 0x41fb60 <free@plt> End of assembler dump.
A workaround is available here: http://svnweb.mageia.org/packages/cauldron/x11-server/current/SOURCES/fix-xvfb-crash.diff?revision=639902&view=markup it fixes Gtk2 build on Mageia which was broken (xvfb is segfaulting when a client connects but this is hidden by xvfb-run...)
Thanks for the bug report, xorg-x11-server-1.15.99.903-3.fc21 which fixes this is now building for rawhide.