Bug 591100 - Xvfb crashes with a segfault when the last client disconnect (double free)
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: xorg-x11-server
Version: 4.8
Hardware: All Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Adam Jackson
QA Contact: desktop-bugs@redhat.com
Keywords: Patch, Triaged
Blocks: 674741

Reported: 2010-05-11 08:57 EDT by Olivier Fourdan
Modified: 2018-11-14 15:16 EST (History)
Doc Type: Bug Fix
Clones: 674741
Last Closed: 2012-04-17 15:24:03 EDT

Attachments
Proposed patch from upstream git commit 5c7aef14 (826 bytes, patch)
2010-05-11 08:57 EDT, Olivier Fourdan

External Trackers
FreeDesktop.org: 4247
Red Hat Knowledge Base (Legacy): 31877

Description Olivier Fourdan 2010-05-11 08:57:25 EDT
Created attachment 413131
Proposed patch from upstream git commit 5c7aef14

Description of problem:

Xvfb crashes with a segfault randomly when the last client disconnects, i.e. when the server resets. Disabling Render in the server avoids the crash on reset.

Version-Release number of selected component (if applicable):

xorg-x11-6.8.2

How reproducible:

Randomly

Steps to Reproduce:
1. Run an Xvfb server

   Xvfb -pn :999

2. Run Mozilla with -SelectProfile on that display

   DISPLAY=:999 mozilla -SelectProfile

3. Stop mozilla after a few secs

   <Ctrl-C>
  
Actual results:

Xvfb crashes

Expected results:

No crash

Additional info:

The crash is random and not necessarily easy to reproduce. Disabling XRender in the server (Xvfb -render) or using another color depth works around the issue.

When run with MALLOC_CHECK_=3 the backtrace is:

(gdb) bt
#0  0x0000003f48068c66 in malloc_consolidate () from /lib64/tls/libc.so.6
#1  0x0000003f4806920f in _int_free () from /lib64/tls/libc.so.6
#2  0x0000003f4806e421 in free_check () from /lib64/tls/libc.so.6
#3  0x00000000004a5934 in Xfree (ptr=0xd22e00) at utils.c:1481
#4  0x00000000005bcab1 in miCloseIndexed (pScreen=0xd6a0c0, pFormat=0xd69b08) at miindex.c:322
#5  0x00000000005ad8bc in PictureCloseScreen (index=0, pScreen=0xd6a0c0) at picture.c:137
#6  0x0000000000505dec in miDCCloseScreen (index=0, pScreen=0xd6a0c0) at midispcur.c:186
#7  0x000000000051ad94 in damageCloseScreen (i=0, pScreen=0xd6a0c0) at damage.c:1696
#8  0x0000000000505115 in miPointerCloseScreen (index=0, pScreen=0xd6a0c0) at mipointer.c:145
#9  0x000000000050e8db in miSpriteCloseScreen (i=0, pScreen=0xd6a0c0) at misprite.c:270
#10 0x00000000004b3002 in vfbCloseScreen (index=0, pScreen=0xd6a0c0) at InitOutput.c:851
#11 0x00000000005a2522 in LbxCloseScreen (i=0, pScreen=0xd6a0c0) at lbxcmap.c:159
#12 0x000000000051e8f4 in CursorCloseScreen (index=0, pScreen=0xd6a0c0) at cursor.c:124
#13 0x00000000005ba6e1 in AnimCurCloseScreen (index=0, pScreen=0xd6a0c0) at animcur.c:126
#14 0x00000000004590fd in main (argc=4, argv=0x7fbffff808, envp=0x7fbffff830) at main.c:489

When run from valgrind, this can be spotted in the log:

==14537== Invalid read of size 4
==14537==    at 0x5B0A47: FreePicture (picture.c:1295)
==14537==    by 0x505DB1: miDCCloseScreen (midispcur.c:182)
==14537==    by 0x51AD93: damageCloseScreen (damage.c:1696)
==14537==    by 0x505114: miPointerCloseScreen (mipointer.c:145)
==14537==    by 0x50E8DA: miSpriteCloseScreen (misprite.c:270)
==14537==    by 0x4B3001: vfbCloseScreen (InitOutput.c:851)
==14537==    by 0x5A2521: LbxCloseScreen (lbxcmap.c:159)
==14537==    by 0x51E8F3: CursorCloseScreen (cursor.c:124)
==14537==    by 0x5BA6E0: AnimCurCloseScreen (animcur.c:126)
==14537==    by 0x4590FC: main (main.c:489)
==14537==  Address 0x4B345BC is 20 bytes inside a block of size 144 free'd
==14537==    at 0x490555D: free (vg_replace_malloc.c:235)
==14537==    by 0x4A5933: Xfree (utils.c:1481)
==14537==    by 0x5B0B6A: FreePicture (picture.c:1326)
==14537==    by 0x5AD798: PictureDestroyWindow (picture.c:116)
==14537==    by 0x51AC95: damageDestroyWindow (damage.c:1678)
==14537==    by 0x45CC91: FreeWindowResources (window.c:838)
==14537==    by 0x45CFA2: DeleteWindow (window.c:921)
==14537==    by 0x45B1FA: FreeClientResources (resource.c:800)
==14537==    by 0x45B2AE: FreeAllResources (resource.c:817)
==14537==    by 0x45909F: main (main.c:476)

That seems to be upstream bug 4247:

   https://bugs.freedesktop.org/show_bug.cgi?id=4247

The fix is trivial, it's git commit 5c7aef14

   http://cgit.freedesktop.org/xorg/xserver/commit/?id=5c7aef148de23f39027fda647bbb53bb5b992683

Applying that patch, I am not able to reproduce anymore.
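
One way to read the valgrind record above mechanically, as an added example that is not part of the original report: it splits a memcheck "free'd" record into the access stack and the earlier free stack, then reports which function appears on both paths and which event ran first. The names `LOG` and `triage` are hypothetical, and the sample is the log above, abridged.

```python
import re

# Constructed sample: the memcheck lines from the report above, abridged to
# the frames that matter (PID prefix kept so the parser sees the real format).
LOG = """\
==14537== Invalid read of size 4
==14537==    at 0x5B0A47: FreePicture (picture.c:1295)
==14537==    by 0x505DB1: miDCCloseScreen (midispcur.c:182)
==14537==    by 0x51AD93: damageCloseScreen (damage.c:1696)
==14537==    by 0x4590FC: main (main.c:489)
==14537==  Address 0x4B345BC is 20 bytes inside a block of size 144 free'd
==14537==    at 0x490555D: free (vg_replace_malloc.c:235)
==14537==    by 0x4A5933: Xfree (utils.c:1481)
==14537==    by 0x5B0B6A: FreePicture (picture.c:1326)
==14537==    by 0x5AD798: PictureDestroyWindow (picture.c:116)
==14537==    by 0x45909F: main (main.c:476)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:()]+):(\d+)\)")
ERROR = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)")
BLOCK = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside "
                   r"a block of size (\d+) free'd")

def triage(log):
    """Split one memcheck use-after-free record into access and free stacks."""
    rec = {"use": [], "free": []}
    stack = None
    for line in log.splitlines():
        if m := ERROR.match(line):
            rec["kind"], rec["size"] = m.group(1), int(m.group(2))
            stack = rec["use"]          # frames that follow are the bad access
        elif m := BLOCK.match(line):
            rec["offset"], rec["block"] = int(m.group(1)), int(m.group(2))
            stack = rec["free"]         # frames that follow are the earlier free
        elif (m := FRAME.match(line)) and stack is not None:
            stack.append((m.group(1), m.group(2), int(m.group(3))))
    # Functions on both paths (entry point aside) are the candidates for
    # "called twice on the same object".
    use_fns = {fn for fn, _, _ in rec["use"]}
    rec["shared"] = [fn for fn, _, _ in rec["free"] if fn in use_fns and fn != "main"]
    # Heuristic: when both stacks bottom out in the same function and file,
    # the lower line number ran first within one pass through that function.
    outer_free, outer_use = rec["free"][-1], rec["use"][-1]
    rec["freed_first"] = (outer_free[:2] == outer_use[:2]
                          and outer_free[2] < outer_use[2])
    return rec
```

On this record the shared function is `FreePicture`: the object is released on the `FreeAllResources` path (main.c:476) and released again from the `CloseScreen` chain (main.c:489), which matches the free in `miCloseIndexed` that glibc aborts on in the `MALLOC_CHECK_` backtrace.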
Comment 1 RHEL Product and Program Management 2010-10-22 15:09:43 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Product and Program Management 2011-02-17 04:58:24 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 3 RHEL Product and Program Management 2011-02-17 05:18:17 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 9 Adam Jackson 2012-04-17 15:24:03 EDT
No further non-security updates are planned for xorg-x11 in RHEL4.  If this issue is not addressed in RHEL5 or newer, please update the affected product version and reopen this bug.
