Bug 458219 - xvfb segmentation fault in FreeColormap
xvfb segmentation fault in FreeColormap
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xorg-x11-server (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Adam Jackson
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-06 22:08 EDT by Zing
Modified: 2009-06-16 15:19 EDT (History)
4 users (show)

See Also:
Fixed In Version: F11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-16 15:19:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
my xorg.conf file (593 bytes, text/plain)
2008-09-17 11:50 EDT, Zing
no flags Details
first xorg.log (42.09 KB, text/plain)
2008-09-17 11:50 EDT, Zing
no flags Details
the old xorg.log file (27.05 KB, text/plain)
2008-09-17 11:51 EDT, Zing
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
FreeDesktop.org 19470 None None None Never

  None (edit)
Description Zing 2008-08-06 22:08:02 EDT
Description of problem:
# gdb Xvfb core.22745 
GNU gdb Fedora (6.8-12.fc9)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libXfont.so.1...done.
Loaded symbols for /usr/lib/libXfont.so.1
Reading symbols from /usr/lib/libXau.so.6...done.
Loaded symbols for /usr/lib/libXau.so.6
Reading symbols from /usr/lib/libfontenc.so.1...done.
Loaded symbols for /usr/lib/libfontenc.so.1
Reading symbols from /usr/lib/libpixman-1.so.0...done.
Loaded symbols for /usr/lib/libpixman-1.so.0
Reading symbols from /usr/lib/libhal.so.1...done.
Loaded symbols for /usr/lib/libhal.so.1
Reading symbols from /lib/libdbus-1.so.3...done.
Loaded symbols for /lib/libdbus-1.so.3
Reading symbols from /usr/lib/libXdmcp.so.6...done.
Loaded symbols for /usr/lib/libXdmcp.so.6
Reading symbols from /lib/libcrypto.so.7...done.
Loaded symbols for /lib/libcrypto.so.7
Reading symbols from /lib/libaudit.so.0...done.
Loaded symbols for /lib/libaudit.so.0
Reading symbols from /lib/libselinux.so.1...done.
Loaded symbols for /lib/libselinux.so.1
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/librt.so.1...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libfreetype.so.6...done.
Loaded symbols for /usr/lib/libfreetype.so.6
Reading symbols from /lib/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib/libcap.so.2...done.
Loaded symbols for /lib/libcap.so.2
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/dri/swrast_dri.so...done.
Loaded symbols for /usr/lib/dri/swrast_dri.so
Reading symbols from /usr/lib/dri/libdricore.so...done.
Loaded symbols for /usr/lib/dri/libdricore.so
Reading symbols from /usr/lib/libdrm.so.2...done.
Loaded symbols for /usr/lib/libdrm.so.2
Reading symbols from /lib/libexpat.so.1...done.
Loaded symbols for /lib/libexpat.so.1
Core was generated by `Xvfb -fbdir /home/myuser/tmp/ :2'.
Program terminated with signal 11, Segmentation fault.
[New process 22745]
#0  0x0814ec0b in FreeColormap (value=0x90fecd0, mid=64) at colormap.c:454
454			if (--pent->co.shco.red->refcnt == 0)
Missing separate debuginfos, use: debuginfo-install audit.i386 dbus.i386 expat.i386 freetype.i386 glibc.i686 hal.i386 libXau.i386 libXdmcp.i386 libXfont.i386 libcap.i386 libdrm.i386 libfontenc.i386 libselinux.i386 mesa.i386 openssl.i686 pixman.i386 zlib.i386
(gdb) bt
#0  0x0814ec0b in FreeColormap (value=0x90fecd0, mid=64) at colormap.c:454
#1  0x081729e6 in FreeClientResources (client=0x8ee4c00) at resource.c:807
#2  0x08172ac7 in FreeAllResources () at resource.c:824
#3  0x0816f284 in main (argc=4, argv=0xbffda774, envp=Cannot access memory at address 0x139
) at main.c:453


Version-Release number of selected component (if applicable):
xorg-x11-server-Xvfb-1.4.99.905-2.20080702.fc9

How reproducible:
I can get about 20 to 30 runs out of mozilla2ps before Xvfb seg faults.

Steps to Reproduce:
1. start up Xvfb
2. run mozilla2ps in a loop.
3. Xvfb seg faults around the 20th run.
  
Actual results:
Xvfb seg faults

Expected results:
Xvfb doesn't seg fault

Additional info:
dmesg has this:
Xvfb[14448]: segfault at 142 ip 0814ec0b sp bf9ab600 error 4 in Xvfb[8047000+1b6000]
Xvfb[21223]: segfault at 38 ip 0814ebd7 sp bff645a0 error 4 in Xvfb[8047000+1b6000]
Xvfb[22745]: segfault at 2 ip 0814ec0b sp bffda610 error 4 in Xvfb[8047000+1b6000]
Xvfb[24736]: segfault at 3 ip 0814ebd7 sp bf93b780 error 4 in Xvfb[8047000+1b6000]
Xvfb[26665]: segfault at 3 ip 0814ebd7 sp bfb40180 error 4 in Xvfb[8047000+1b6000]
Comment 1 Zing 2008-08-07 15:57:00 EDT
This seems to have something to do with pixel depth.  At a depth of 24, Xvfb has been running continously stable for the past couple of hours.  At a depth of 8 (the default), it'll crash within a few minutes with the usage above.
Comment 2 Matěj Cepl 2008-09-08 10:23:09 EDT
Thanks for the bug report.  We have reviewed the information you have provided above, and there is some additional information we require that will be helpful in our diagnosis of this issue.

Please attach your X server config file (/etc/X11/xorg.conf) and X server log file (/var/log/Xorg.*.log) to the bug report as individual uncompressed file attachments using the bugzilla file attachment link below.

Could you please also try to run without any /etc/X11/xorg.conf whatsoever and let X11 autodetect your display and video card? Attach to this bug /var/log/Xorg.0.log from this attempt as well, please.

We will review this issue again once you've had a chance to attach this information.

Thanks in advance.
Comment 3 Zing 2008-09-17 11:50:03 EDT
Created attachment 316984 [details]
my xorg.conf file

It doesn't matter if this xorg.conf is used or it's deleted... Xvfb still segfaults eventually.
Comment 4 Zing 2008-09-17 11:50:50 EDT
Created attachment 316986 [details]
first xorg.log
Comment 5 Zing 2008-09-17 11:51:22 EDT
Created attachment 316987 [details]
the old xorg.log file
Comment 6 Adam Tkac 2008-10-13 05:13:06 EDT
It seems this bug is GLX extension related. I tried run "Xvfb :1 -ac -depth 8", terminate it with "CTRL + C" and Xvfb gets sigsegv (same backtrace as written in description). valgrind shows this (stripped output, of course):

==24379== Invalid read of size 2
==24379==    at 0x5DB257: FreeColormap (colormap.c:448)
==24379==    by 0x60E119: FreeClientResources (resource.c:807)
==24379==    by 0x60E20B: FreeAllResources (resource.c:824)
==24379==    by 0x609346: main (main.c:453)
==24379==  Address 0x4d05058 is 64 bytes inside a block of size 560 free'd
==24379==    at 0x4A074D1: realloc (vg_replace_malloc.c:429)
==24379==    by 0x65C4C6: Xrealloc (utils.c:1426)
==24379==    by 0x4B6A63: AddScreenVisuals (glxscreens.c:364)
==24379==    by 0x4B7155: addFullSet (glxscreens.c:530)
==24379==    by 0x4B7368: __glXScreenInit (glxscreens.c:591)
==24379==    by 0x4B615D: __glXDRIscreenProbe (glxdriswrast.c:522)
==24379==    by 0x4B4E57: GlxExtensionInit (glxext.c:297)
==24379==    by 0x45881E: InitExtensions (miinitext.c:667)
==24379==    by 0x60901D: main (main.c:367)

When I run "Xvfb :1 -ac -depth 8 -extension GLX" all works as expected, no sigsegv. I'm using rawhide x86_64 but X codebase is nearly same as in F9
Comment 7 Peter Åstrand 2009-01-23 04:25:45 EST
I can reproduce this segfault using just:

Xvfb :50
DISPLAY=:50 xdpyinfo

Core was generated by `Xvfb :50'.
Program terminated with signal 11, Segmentation fault.
[New process 27781]
#0  0x00000000004f986f in FreeColormap (value=0x174b420, mid=64) at colormap.c:454
454                     if (--pent->co.shco.red->refcnt == 0)
Missing separate debuginfos, use: debuginfo-install mesa.x86_64
(gdb) bt
#0  0x00000000004f986f in FreeColormap (value=0x174b420, mid=64) at colormap.c:454
#1  0x000000000051c19b in FreeClientResources (client=0x1730ee0) at resource.c:807
#2  0x000000000051c284 in FreeAllResources () at resource.c:824
#3  0x0000000000518a9b in main (argc=2, argv=0x7fffb7f0f2e8, envp=<value optimized out>) at main.c:453

(I have executed "debuginfo-install mesa.x86_64".)
Comment 8 Peter Åstrand 2009-01-23 04:47:37 EST
This upstream report looks relevant:
http://bugs.freedesktop.org/show_bug.cgi?id=19470
Comment 9 Bug Zapper 2009-06-09 22:23:59 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Richard W.M. Jones 2009-06-10 04:58:47 EDT
I can't reproduce this on Fedora 11.
Comment 11 Peter Åstrand 2009-06-15 08:58:34 EDT
Seems to work fine for me as well on Fedora 11.
Comment 12 Matěj Cepl 2009-06-15 09:33:57 EDT
Reporter, can you confirm, that this has been fixed in F11, please?
Comment 13 Zing 2009-06-15 22:34:21 EDT
looks good to me on F11.

Note You need to log in before you can comment on or make changes to this bug.