Bug 24685 - _XRead: Assertion failed running xdmx (info client)
Summary: _XRead: Assertion failed running xdmx (info client)
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/DDX/dmx (show other bugs)
Version: git
Hardware: x86 (IA32) Linux (All)
: medium normal
Assignee: dmx-bugs
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-22 19:56 UTC by Lee Leahu
Modified: 2009-10-29 17:35 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:


Attachments
Correctly compute DMXGetScreenAttributes reply length (1.15 KB, patch)
2009-10-23 06:40 UTC, Jon Turney
no flags Details | Splinter Review

Description Lee Leahu 2009-10-22 19:56:43 UTC
# xdmx :1 (:1 is the Xdmx display)
DMX extension present: event_base = 0, error_base = 0
Extension version: 2.2 patch 20040604
Screen count = 4
xdmx: xcb_io.c:550: _XRead: Assertion `dpy->xcb->reply_consumed + size <= dpy->xcb->reply_length' failed.
Aborted
Comment 1 Jon Turney 2009-10-23 04:41:57 UTC
Reproduced with a backtrace


(gdb) r
Starting program: /opt/jhbuild/install/bin/xdmx byron:2
[Thread debugging using libthread_db enabled]
[New Thread 0xb7dc66c0 (LWP 6433)]
DMX extension present: event_base = 0, error_base = 0
Extension version: 2.2 patch 20040604
Screen count = 1
xdmx: /opt/jhbuild/git/xorg/lib/libX11/src/xcb_io.c:553: _XRead: Assertion `dpy->xcb->reply_data != ((void *)0)' failed.

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb7dc66c0 (LWP 6433)]
0xffffe424 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe424 in __kernel_vsyscall ()
#1  0xb7e0a660 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb7e0be98 in *__GI_abort () at abort.c:88
#3  0xb7e036ce in *__GI___assert_fail (assertion=0xb804861c "dpy->xcb->reply_data != ((void *)0)",
    file=0xb80485ec "/opt/jhbuild/git/xorg/lib/libX11/src/xcb_io.c", line=553, function=0xb8048771 "_XRead")
    at assert.c:78
#4  0xb7fda44b in _XRead (dpy=0x9ee8008, data=0x9ef28d8 "(+▒\t\v", size=2)
    at /opt/jhbuild/git/xorg/lib/libX11/src/xcb_io.c:553
#5  0xb7fda488 in _XReadPad (dpy=0x9ee8008, data=0x9ef28d8 "(+▒\t\v", size=2)
    at /opt/jhbuild/git/xorg/lib/libX11/src/xcb_io.c:568
#6  0xb80c678f in DMXGetScreenAttributes (dpy=0x9ee8008, physical_screen=0, attr=0xbff44764)
    at /opt/jhbuild/git/xorg/lib/libdmx/src/dmx.c:253
#7  0x08048ecc in main (argc=Cannot access memory at address 0x1921
) at /opt/jhbuild/git/xorg/xserver/hw/dmx/examples/xdmx.c:192
Comment 2 Jon Turney 2009-10-23 06:40:06 UTC
Created attachment 30636 [details] [review]
 Correctly compute DMXGetScreenAttributes reply length

This looks to be due to a miscalculation of the reply length in the Xserver's handling of DMXGetScreenAttributes.  It doesn't allow for the excess of DMXGetScreenAttributes reply over 32 bytes as well as the display name string's length.
Comment 3 Jon Turney 2009-10-23 06:42:25 UTC
https://bugs.launchpad.net/ubuntu/+source/libdmx/+bug/281430 looks like it might be the same thing?
Comment 4 Julien Cristau 2009-10-23 06:56:24 UTC
> --- Comment #2 from Jon TURNEY <jon.turney@dronecode.org.uk>  2009-10-23 06:40:06 PST ---
> Created an attachment (id=30636)
>  --> (http://bugs.freedesktop.org/attachment.cgi?id=30636)
>  Correctly compute DMXGetScreenAttributes reply length
> 
> This looks to be due to a miscalculation of the reply length in the Xserver's
> handling of DMXGetScreenAttributes.  It doesn't allow for the excess of
> DMXGetScreenAttributes reply over 32 bytes as well as the display name string's
> length.

Looks good to me.  Maybe make it
paddedLength = bytes_to_int32(sizeof(xDMXGetScreenAttributesReply) - sizeof(xGenericReply) + length)
instead?  In any case feel free to add my Reviewed-by.
Comment 5 Jon Turney 2009-10-23 11:35:45 UTC
(In reply to comment #4)
> > --- Comment #2 from Jon TURNEY <jon.turney@dronecode.org.uk>  2009-10-23 06:40:06 PST ---
> > Created an attachment (id=30636) [details]
> >  --> (http://bugs.freedesktop.org/attachment.cgi?id=30636)
> >  Correctly compute DMXGetScreenAttributes reply length
> > 
> > This looks to be due to a miscalculation of the reply length in the Xserver's
> > handling of DMXGetScreenAttributes.  It doesn't allow for the excess of
> > DMXGetScreenAttributes reply over 32 bytes as well as the display name string's
> > length.
> 
> Looks good to me.  Maybe make it
> paddedLength = bytes_to_int32(sizeof(xDMXGetScreenAttributesReply) -
> sizeof(xGenericReply) + length)
> instead?  In any case feel free to add my Reviewed-by.

Yeah, it could be simplified, but I'm a bit nervous about ignoring any interaction between any rounding which pad_to_int32 does and bytes_to_int32...
Comment 6 Jon Turney 2009-10-29 17:35:31 UTC
Applied as commit 50a5c32430a5267f2a05656d2417f9a8a44d8b97


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.