Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1905
Description of problem:
- Xvnc crashes due to what appears to be a memory corruption

Version-Release number of selected component (if applicable):
- tigervnc-server-1.3.1-9
- kde-workspace-4.11.19-8
- devtoolset-4-eclipse

Steps to Reproduce:
This is for an up-to-date RHEL 7.3 system, with devtoolset-4.

VNC is started via:
/usr/bin/vncserver :20 -geometry 2455x1575 -nolisten tcp -localhost

.vnc/xstartup:
echo '**** HH starting/exec xinitrc ****'
# Force KDE
exec /usr/bin/startkde

Then, start eclipse via menu ("Kickoff Application Launcher" > "Applications" > "Development" > "DTS Eclipse").
Some keypresses cause Xvnc to crash, which happens after ~15 minutes.

The attached VNC log contains a stackdump of the crash.

Actual results:
- vncserver crashes

Expected results:

Additional info:
Reading symbols from /usr/bin/Xvnc...Reading symbols from /usr/lib/debug/usr/bin/Xvnc.debug...done.
done.
[New LWP 122034]
[New LWP 122036]
[New LWP 122041]
[New LWP 122035]
[New LWP 122046]
[New LWP 122048]
[New LWP 122037]
[New LWP 122038]
[New LWP 122039]
[New LWP 122042]
[New LWP 122040]
[New LWP 122043]
[New LWP 122047]
[New LWP 122045]
[New LWP 122044]
[New LWP 122049]
[New LWP 122050]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/bin/Xvnc :20 -desktop round.circularcapital.com:20 (e) -auth /home/e/.Xaut'.
Program terminated with signal 6, Aborted.
#0  0x00007f26e981e1d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Missing separate debuginfos, use: debuginfo-install audit-libs-2.6.5-3.el7.x86_64 elfutils-libelf-0.166-2.el7.x86_64 expat-2.1.0-10.el7_3.x86_64 freetype-2.4.11-12.el7.x86_64 gmp-6.0.0-12.el7_1.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.14.1-27.el7_3.x86_64 libXdamage-1.1.4-4.1.el7.x86_64 libXfixes-5.0.1-2.1.el7.x86_64 libXxf86vm-1.1.3-2.1.el7.x86_64 libcap-ng-0.7.5-4.el7.x86_64 libcom_err-1.42.9-9.el7.x86_64 libdrm-2.4.67-3.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libfontenc-1.1.2-3.el7.x86_64 libselinux-2.5-6.el7.x86_64 libtasn1-3.8-3.el7.x86_64 libxcb-1.11-4.el7.x86_64 libxshmfence-1.2-1.el7.x86_64 mesa-private-llvm-3.8.1-1.el7.x86_64 openssl-libs-1.0.1e-60.el7.x86_64 p11-kit-0.20.7-3.el7.x86_64 pcre-8.32-15.el7_2.1.x86_64 trousers-0.3.13-1.el7.x86_64
(gdb) bt
#0  0x00007f26e981e1d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f26e981f8c8 in __GI_abort () at abort.c:90
#2  0x00000000005c10be in OsAbort () at utils.c:1342
#3  0x00000000005c5b13 in AbortServer () at log.c:807
#4  0x00000000005c695d in FatalError (f=f@entry=0x5e3ad0 "Caught signal %d (%s). Server aborting\n") at log.c:945
#5  0x00000000005bea2c in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at osinit.c:147
#6  <signal handler called>
#7  0x00000000005be2c1 in FlushAllOutput () at io.c:675
#8  0x00000000005b8165 in WaitForSomething (pClientsReady=pClientsReady@entry=0xf91f80) at WaitFor.c:224
#9  0x00000000005698dd in Dispatch () at dispatch.c:361
#10 0x000000000056dadb in dix_main (argc=21, argv=0x7ffcf330b948, envp=<optimized out>) at main.c:298
#11 0x00007f26e980ab35 in __libc_start_main (main=0x449b00 <main>, argc=21, ubp_av=0x7ffcf330b948, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcf330b938) at ../csu/libc-start.c:274
#12 0x000000000044adba in _start ()

All other threads are similar to the following:

Thread 17 (Thread 0x7f26d85d5700 (LWP 122050)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007f26e2ad5483 in cnd_wait (mtx=0xcc26d8, cond=<optimized out>) at ../../../../include/c11/threads_posix.h:159
#2  pipe_semaphore_wait (sema=0xcc26d8) at ../../../../src/gallium/auxiliary/os/os_thread.h:259
#3  thread_function (init_data=init_data@entry=0xcc2630) at lp_rast.c:805
#4  0x00007f26e2ad4fa7 in impl_thrd_routine (p=<optimized out>) at ../../../../include/c11/threads_posix.h:87
#5  0x00007f26ea70fdc5 in start_thread (arg=0x7f26d85d5700) at pthread_create.c:308
#6  0x00007f26e98e073d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

(gdb) f 7
#7  0x00000000005be2c1 in FlushAllOutput () at io.c:675
675                 client = clients[index];
(gdb) list
670                 mask &= ~lowbit(mask);
671                 if ((index =
672                      ConnectionTranslation[(base * (sizeof(fd_mask) * 8)) +
673                                            index]) == 0)
674                     continue;
675                 client = clients[index];
676                 if (client->clientGone)
677                     continue;
678                 oc = (OsCommPtr) client->osPrivate;
679                 if (FD_ISSET(oc->fd, &ClientsWithInput)) {
(gdb) p clients
$1 = {0xc9dd90, 0xf99710, 0xfafea0, 0x2a94960, 0xfa1c20, 0xfa0470, 0xfaf570,
  0xfa07e0, 0xfc7950, 0xfc7b60, 0x1904f00, 0xddbc40, 0x2a69d20, 0xfc2720,
  0xfc2ff0, 0x15c1350, 0x16a8c50, 0x14f95a0, 0x18f6110, 0x18f66f0, 0x184c370,
  0x120c2f0, 0xff3690, 0xff4ca0, 0x10b8500, 0x1260a60, 0x175e2b0,
  0x0 <repeats 229 times>}
(gdb) p index
$2 = 1819632498
(gdb) p clients[index]
Cannot access memory at address 0x364306c10
(gdb)
655
656         /*
657          * It may be that some client still has critical output pending,
658          * but he is not yet ready to receive it anyway, so we will
659          * simply wait for the select to tell us when he's ready to receive.
660          */
661         CriticalOutputPending = FALSE;
662         NewOutputPending = FALSE;
663
664     #ifndef WIN32
(gdb)
665         for (base = 0; base < howmany(XFD_SETSIZE, NFDBITS); base++) {
666             mask = OutputPending.fds_bits[base];
667             OutputPending.fds_bits[base] = 0;
668             while (mask) {
669                 index = ffs(mask) - 1;
670                 mask &= ~lowbit(mask);
671                 if ((index =
672                      ConnectionTranslation[(base * (sizeof(fd_mask) * 8)) +
673                                            index]) == 0)
674                     continue;
(gdb)
675                 client = clients[index];
676                 if (client->clientGone)
677                     continue;
678                 oc = (OsCommPtr) client->osPrivate;
679                 if (FD_ISSET(oc->fd, &ClientsWithInput)) {
680                     FD_SET(oc->fd, &OutputPending); /* set the bit again */
681                     NewOutputPending = TRUE;
682                 }
683                 else
684                     (void) FlushClient(client, oc, (char *) NULL, 0);
(gdb)
685             }
686         }
--------------
(gdb) p *clients[25]->clientIds
$38 = {
  pid = 123255,
  cmdname = 0x10b9310 "/opt/rh/rh-eclipse46/root/usr/lib/jvm/java/bin/java",
  cmdargs = 0x1260da0 "-Dosgi.requiredJavaVersion=1.8 -Xms512m -Xmx1024m -Dorg.eclipse.swt.browser.UseWebKitGTK=true -Dhelp.lucene.tokenizer=standard -XX:CompileCommand=exclude,org/eclipse/core/internal/dtree/DataTreeNode,f"...
}
(gdb) p clients
$39 = {0xc9dd90, 0xf99710, 0xfafea0, 0x2a94960, 0xfa1c20, 0xfa0470, 0xfaf570,
  0xfa07e0, 0xfc7950, 0xfc7b60, 0x1904f00, 0xddbc40, 0x2a69d20, 0xfc2720,
  0xfc2ff0, 0x15c1350, 0x16a8c50, 0x14f95a0, 0x18f6110, 0x18f66f0, 0x184c370,
  0x120c2f0, 0xff3690, 0xff4ca0, 0x10b8500, 0x1260a60, 0x175e2b0,
  0x0 <repeats 229 times>}
(gdb) p *clients[26]->clientIds
$40 = {
  pid = 133602,
  cmdname = 0x183ecf0 "qgit",
  cmdargs = 0x0
}
(gdb) p *clients[27]->clientIds
Cannot access memory at address 0x78
(gdb) p mask
$5 = 140724388541952
(gdb) p OutputPending
$3 = {fds_bits = {0, 0, 0, 0, 0, 17841488, 0, 5601509, 13281488, 5376849,
    17525200, 7416468848074552832, 17841360, 18644208, 51155824, 5369263}}
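
The gdb session above shows `clients[index]` dereferenced with index = 1819632498 against a table of 256 slots. The following reduced C model of the pending-mask walk is an added example, not Xorg or TigerVNC code and not the change shipped in the erratum; it validates the translated index before use. The `Client` type, the table sizes and all function names are assumptions.

```c
#include <stdio.h>

#define MAX_CLIENTS 256   /* the dump shows 27 live entries + 229 NULLs */
#define MAX_FDS     1024  /* assumption: one translation slot per descriptor */
#define WORD_BITS   ((int)(sizeof(unsigned long) * 8))
typedef struct { int clientGone; int flushed; } Client;  /* reduced stand-in */
static Client *clients[MAX_CLIENTS];
static int     translation[MAX_FDS];  /* fd -> client index, 0 = unused */

/* Translate fd to a client, refusing any index outside the client table. */
static Client *lookup_client(int fd)
{
    if (fd < 0 || fd >= MAX_FDS) return NULL;
    int index = translation[fd];
    if (index <= 0 || index >= MAX_CLIENTS) return NULL;
    return clients[index];            /* NULL when the slot is empty */
}

/* Walk one word of the pending mask; count flushed and skipped entries. */
static int flush_word(unsigned long mask, int base, int *skipped)
{
    int flushed = 0;
    *skipped = 0;
    for (int bit = 0; bit < WORD_BITS; bit++) {
        if (!(mask & (1UL << bit))) continue;
        Client *c = lookup_client(base * WORD_BITS + bit);
        if (c == NULL) { (*skipped)++; continue; }
        if (c->clientGone) continue;
        c->flushed = 1;               /* stands in for FlushClient() */
        flushed++;
    }
    return flushed;
}

/* Constructed case: fd 5 healthy, fd 7 holds the dump's index, fd 9 -> empty slot 27. */
static int run_constructed_case(int *skipped)
{
    static Client ok;
    clients[1] = &ok;
    translation[5] = 1;
    translation[7] = 1819632498;
    translation[9] = 27;
    return flush_word((1UL << 5) | (1UL << 7) | (1UL << 9), 0, skipped);
}

int main(void)
{
    int skipped, flushed = run_constructed_case(&skipped);
    return printf("flushed=%d skipped=%d\n", flushed, skipped) < 0;
}
```

A check like this only keeps the walk from reading outside the table; it does not address whatever overwrote the translation entry and `OutputPending` in the first place.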