Bug 19470

Summary: any X11 client can crash Xvfb
Product: xorg
Component: Server/DDX/Xvfb
Version: unspecified
Hardware: Other
OS: All
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Reporter: Olaf Freyer <aaron>
Assignee: Peter Hutterer <peter.hutterer>
QA Contact: Xorg Project Team <xorg-team>
CC: airlied, astrand, orion, peter.hutterer, remi, rjones
Bug Blocks: 23613
Attachments: plplot.spec

Description Olaf Freyer 2009-01-08 12:41:06 UTC
Steps to Reproduce:
1. console1:
aaron@erding ~ $ Xvfb :20
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed

2. console2:
aaron@erding ~ $ DISPLAY=:20 xrandr -v
Xlib:  extension "RANDR" missing on display ":20.0".
RandR extension missing

3. console1:
segmentation fault


Initial bug report is to be found at gentoo bugzilla:
http://bugs.gentoo.org/show_bug.cgi?id=253980


Running Xvfb under valgrind reveals:

aaron@erding ~ $ valgrind  Xvfb :20 -ac
==18741== Memcheck, a memory error detector.
==18741== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==18741== Using LibVEX rev 1854, a library for dynamic binary translation.
==18741== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==18741== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==18741== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==18741== For more details, rerun with: -v
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x43E861: fbBltOne (in /usr/bin/Xvfb)
==18741==    by 0x4332BF: fbPushFill (in /usr/bin/Xvfb)
==18741==    by 0x43347B: fbPushImage (in /usr/bin/Xvfb)
==18741==    by 0x433507: fbPushPixels (in /usr/bin/Xvfb)
==18741==    by 0x4AA68B: (within /usr/bin/Xvfb)
==18741==    by 0x52043B: (within /usr/bin/Xvfb)
==18741==    by 0x5209A8: (within /usr/bin/Xvfb)
==18741==    by 0x5299A7: (within /usr/bin/Xvfb)
==18741==    by 0x52473A: miPointerUpdateSprite (in /usr/bin/Xvfb)
==18741==    by 0x524864: (within /usr/bin/Xvfb)
==18741==    by 0x441593: (within /usr/bin/Xvfb)
==18741==    by 0x49ED6B: (within /usr/bin/Xvfb)
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x43E8C8: fbBltOne (in /usr/bin/Xvfb)
==18741==    by 0x4332BF: fbPushFill (in /usr/bin/Xvfb)
==18741==    by 0x43347B: fbPushImage (in /usr/bin/Xvfb)
==18741==    by 0x433507: fbPushPixels (in /usr/bin/Xvfb)
==18741==    by 0x4AA68B: (within /usr/bin/Xvfb)
==18741==    by 0x52043B: (within /usr/bin/Xvfb)
==18741==    by 0x5209A8: (within /usr/bin/Xvfb)
==18741==    by 0x5299A7: (within /usr/bin/Xvfb)
==18741==    by 0x52473A: miPointerUpdateSprite (in /usr/bin/Xvfb)
==18741==    by 0x524864: (within /usr/bin/Xvfb)
==18741==    by 0x441593: (within /usr/bin/Xvfb)
==18741==    by 0x49ED6B: (within /usr/bin/Xvfb)
==18741==
==18741== Use of uninitialised value of size 8
==18741==    at 0x43E929: fbBltOne (in /usr/bin/Xvfb)
==18741==    by 0x4332BF: fbPushFill (in /usr/bin/Xvfb)
==18741==    by 0x43347B: fbPushImage (in /usr/bin/Xvfb)
==18741==    by 0x433507: fbPushPixels (in /usr/bin/Xvfb)
==18741==    by 0x4AA68B: (within /usr/bin/Xvfb)
==18741==    by 0x52043B: (within /usr/bin/Xvfb)
==18741==    by 0x5209A8: (within /usr/bin/Xvfb)
==18741==    by 0x5299A7: (within /usr/bin/Xvfb)
==18741==    by 0x52473A: miPointerUpdateSprite (in /usr/bin/Xvfb)
==18741==    by 0x524864: (within /usr/bin/Xvfb)
==18741==    by 0x441593: (within /usr/bin/Xvfb)
==18741==    by 0x49ED6B: (within /usr/bin/Xvfb)
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x5157C5: (within /usr/bin/Xvfb)
==18741==    by 0x515E0D: (within /usr/bin/Xvfb)
==18741==    by 0x5146D5: (within /usr/bin/Xvfb)
==18741==    by 0x535BC4: (within /usr/bin/Xvfb)
==18741==    by 0x536212: WaitForSomething (in /usr/bin/Xvfb)
==18741==    by 0x4F453A: Dispatch (in /usr/bin/Xvfb)
==18741==    by 0x50621A: main (in /usr/bin/Xvfb)
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed    


==18741==
==18741== Syscall param writev(vector[...]) points to uninitialised byte(s)
==18741==    at 0x688DA86: (within /lib64/libc-2.9.so)
==18741==    by 0x53F3E1: (within /usr/bin/Xvfb)
==18741==    by 0x539F6B: FlushClient (in /usr/bin/Xvfb)
==18741==    by 0x53A982: FlushAllOutput (in /usr/bin/Xvfb)
==18741==    by 0x4F47C1: Dispatch (in /usr/bin/Xvfb)
==18741==    by 0x50621A: main (in /usr/bin/Xvfb)
==18741==  Address 0x7b78cac is 36 bytes inside a block of size 4,096 alloc'd
==18741==    at 0x4C221A0: malloc (in
/usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==18741==    by 0x53C01F: Xalloc (in /usr/bin/Xvfb)
==18741==    by 0x53C2D4: Xcalloc (in /usr/bin/Xvfb)
==18741==    by 0x53A809: WriteToClient (in /usr/bin/Xvfb)
==18741==    by 0x4EF490: ProcEstablishConnection (in /usr/bin/Xvfb)
==18741==    by 0x4F4797: Dispatch (in /usr/bin/Xvfb)
==18741==    by 0x50621A: main (in /usr/bin/Xvfb)
==18741==
==18741== Invalid read of size 2
==18741==    at 0x4EA4D0: FreeColormap (in /usr/bin/Xvfb)
==18741==    by 0x509337: FreeClientResources (in /usr/bin/Xvfb)
==18741==    by 0x50940E: FreeAllResources (in /usr/bin/Xvfb)
==18741==    by 0x506246: main (in /usr/bin/Xvfb)
==18741==  Address 0x7095eb8 is 64 bytes inside a block of size 336 free'd
==18741==    at 0x4C2226E: realloc (in
/usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==18741==    by 0x53BF1B: Xrealloc (in /usr/bin/Xvfb)
==18741==    by 0x4696BC: __glXScreenInit (in /usr/bin/Xvfb)
==18741==    by 0x468C01: (within /usr/bin/Xvfb)
==18741==    by 0x4682E1: GlxExtensionInit (in /usr/bin/Xvfb)
==18741==    by 0x506077: main (in /usr/bin/Xvfb)
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x4E5871C: BuiltinReadDirectory (in
/usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4E58D1A: (within /usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4F557D: (within /usr/bin/Xvfb)
==18741==    by 0x4F5759: SetDefaultFontPath (in /usr/bin/Xvfb)
==18741==    by 0x5063EC: main (in /usr/bin/Xvfb)
==18741==                                                                       
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x4E587D0: BuiltinReadDirectory (in
/usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4E58D1A: (within /usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4F557D: (within /usr/bin/Xvfb)
==18741==    by 0x4F5759: SetDefaultFontPath (in /usr/bin/Xvfb)
==18741==    by 0x5063EC: main (in /usr/bin/Xvfb)
[config/dbus] couldn't register object path
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
^C


I can very well live with the fact that Xvfb doesn't support the xrandr extension - just the fact that it crashes when using it seems a bit annoying.
(This first came to my attention when trying Selenium via Xvfb - which seems to have triggered the exact same crash in Xvfb.)
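The valgrind report above ends with an "Invalid read of size 2" in FreeColormap inside a block that a realloc in __glXScreenInit had already freed. The following is an added illustration of that defect class, not xserver code: a colormap keeps a raw pointer into a screen's visual array, an extension later resizes the array with realloc, and colormap teardown reads through the stale pointer. All types, names and the visual ids here are hypothetical stand-ins constructed for the example; the "safe" path shows one way of keeping such references valid by doing the resize in a single routine that re-points every dependent object from an index.

```c
#include <stdlib.h>

/* Added illustration (not xserver code) of the defect class in the valgrind
 * report above: a colormap keeps a raw pointer into a screen's visual array,
 * an extension later realloc()s that array, and colormap teardown then reads
 * through the stale pointer into a block realloc() already freed. All types
 * and names here are hypothetical stand-ins for the server's own structures. */

typedef struct { unsigned int vid; } Visual;

typedef struct {
    Visual *visuals;        /* heap array; an extension may grow it later */
    int     num_visuals;
} Screen;

typedef struct Colormap {
    Visual *visual;         /* pointer into screen->visuals: dangles after realloc */
    int     visual_index;   /* index into the array: survives a realloc */
    struct Colormap *next;  /* per-screen list, stand-in for the resource table */
} Colormap;

static int screen_init(Screen *s, int n) {
    s->visuals = calloc((size_t)n, sizeof *s->visuals);
    if (!s->visuals) return -1;
    for (int i = 0; i < n; i++)                 /* constructed ids 0x20, 0x21, ... */
        s->visuals[i].vid = 0x20u + (unsigned int)i;
    s->num_visuals = n;
    return 0;
}

static Colormap *colormap_create(Screen *s, Colormap **list, int idx) {
    Colormap *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->visual = &s->visuals[idx];
    c->visual_index = idx;
    c->next = *list;
    *list = c;
    return c;
}

/* Buggy pattern: one subsystem resizes the array and nothing updates the
 * colormaps created earlier, so their visual pointers may now be stale. */
static int grow_visuals_unsafe(Screen *s, int extra) {
    Visual *v = realloc(s->visuals, (size_t)(s->num_visuals + extra) * sizeof *v);
    if (!v) return -1;
    for (int i = 0; i < extra; i++)
        v[s->num_visuals + i].vid = 0x100u + (unsigned int)i;
    s->visuals = v;
    s->num_visuals += extra;
    return 0;
}

/* Safer pattern: a single resize routine that also re-points every colormap
 * from its index, so no reference to the old block survives the call. */
static int grow_visuals_safe(Screen *s, Colormap *list, int extra) {
    if (grow_visuals_unsafe(s, extra) != 0) return -1;
    for (Colormap *c = list; c; c = c->next)
        c->visual = &s->visuals[c->visual_index];
    return 0;
}

/* Address comparison only: dereferencing c->visual after an unsafe grow is
 * exactly the invalid read valgrind flags, so this never does that. */
static int colormap_pointer_current(const Screen *s, const Colormap *c) {
    return c->visual == &s->visuals[c->visual_index];
}

static void free_colormaps(Colormap *list) {
    while (list) { Colormap *n = list->next; free(list); list = n; }
}

/* Creates a 4-visual screen and a colormap on index 1, grows the array by
 * 256 entries either safely or unsafely, and returns the visual id reached
 * through the colormap (0x21 with the constructed ids) if its pointer is still
 * current, or 0 if the pointer dangles or allocation failed. The unsafe path
 * returns 0 only when the allocator actually moved the block; the defect is
 * present either way, which is why it shows up reliably only under valgrind
 * or AddressSanitizer rather than in ordinary test runs. */
unsigned int demo_resize(int safe) {
    Screen s;
    Colormap *list = NULL;
    unsigned int vid = 0;
    if (screen_init(&s, 4) != 0) return 0;
    Colormap *c = colormap_create(&s, &list, 1);
    if (c) {
        int rc = safe ? grow_visuals_safe(&s, list, 256) : grow_visuals_unsafe(&s, 256);
        if (rc == 0 && colormap_pointer_current(&s, c))
            vid = c->visual->vid;               /* dereferenced only when current */
    }
    free_colormaps(list);
    free(s.visuals);
    return vid;
}
```

Run the unsafe variant under `valgrind` or with `-fsanitize=address` and add a deliberate dereference after the grow to see the same "invalid read ... inside a block free'd at realloc" shape as in the report; the safe variant stays clean because the only pointers into the array are rebuilt inside the one routine that is allowed to resize it.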
Comment 1 Rémi Cardona 2009-01-12 04:49:34 UTC
Actually, pretty much any client can crash Xvfb. I can reproduce with xdpyinfo and gcalctool...
Comment 2 Peter Åstrand 2009-01-23 01:46:56 UTC
Verified on Fedora 9: https://bugzilla.redhat.com/show_bug.cgi?id=458219. 
Comment 3 Julien Cristau 2009-09-09 11:15:35 UTC
*** Bug 23815 has been marked as a duplicate of this bug. ***
Comment 4 Orion Poplawski 2009-09-09 11:20:21 UTC
The Fedora bug was closed because it could not be reproduced on F11.  Perhaps it is back.
Comment 5 Olaf Freyer 2009-09-09 12:34:07 UTC
I first experienced this issue on gentoo with xorg-server-1.5.3, the current version I'm using (xorg-server-1.6.3.901) seems to have the issue fixed. As I haven't tried it along the upgrade path I have no clue when it has been fixed.
Comment 6 Orion Poplawski 2009-09-09 13:06:48 UTC
Posting the duplicate bug info here:

Trying to run Xvfb in a Fedora package build to provide a local X server for
testing.  Running with:

xvfb-run -f /tmp/tmp.SO97KN1qiR -e /dev/stderr ctest -V -E compare

Get:

 19/ 26 Testing examples_bmpqt                                                  
Test command: /bin/bash -c
EXAMPLES_DIR=/builddir/build/BUILD/plplot-5.9.5/fedora/examples\
SRC_EXAMPLES_DIR=/builddir/build/BUILD/plplot-5.9.5/examples\ ./plplot-test.sh\
--verbose\ --front-end=c\ --device=bmpqt                                        
Test timeout computed to be: 1500                                    
Testing front-end c                                                  
x01c              
x02c                                  
record: RECORD extension enabled at configure time.         
record: This extension is known to be broken, disabling extension now..  
record: http://bugs.freedesktop.org/show_bug.cgi?id=20500      
SELinux: Invalid object class mapping, disabling SELinux support.
Backtrace:                                       
0: Xvfb (xorg_backtrace+0x28) [0x5519e8]           
1: Xvfb (0x400000+0x155369) [0x555369]                
2: /lib64/libpthread.so.0 (0x2b6924d60000+0xf320) [0x2b6924d6f320]
3: Xvfb (FreeColormap+0xb5) [0x4f4dc5]                    
4: Xvfb (FreeClientResources+0xd3) [0x51d653]               
5: Xvfb (FreeAllResources+0x47) [0x51d717]               
6: Xvfb (0x400000+0xf0572) [0x4f0572]                       
7: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x2b692646bb4d]         
8: Xvfb (0x400000+0x1ae79) [0x41ae79]                         
Segmentation fault at address 0x2                         
Fatal server error:                                        
Caught signal 11 (Segmentation fault). Server aborting         
qt_driver: cannot connect to X server :99                    

Packages:

xorg-x11-server-Xvfb.x86_64 0:1.6.99.900-1.fc12                
xorg-x11-xauth.x86_64 1:1.0.2-7.fc12                           
xorg-x11-font-utils.x86_64 1:7.2-9.fc12                        
xorg-x11-proto-devel.noarch 0:7.4-31.fc12                      
xorg-x11-server-common.x86_64 0:1.6.99.900-1.fc12              
xorg-x11-xkb-utils.x86_64 0:7.4-5.fc12
Comment 7 Peter Hutterer 2009-09-13 23:03:07 UTC
Orion, please attach a way to reproduce this crash. I just tried a git build of Xvfb and ran the X test suite against it without it crashing.
Comment 8 Orion Poplawski 2009-09-14 08:30:33 UTC
Here is a link to the src.rpm I am trying to build:

http://www.cora.nwra.com/~orion/fedora/plplot-5.9.5-1.fc12.src.rpm
Comment 9 Peter Hutterer 2009-09-15 00:20:40 UTC
Hmm. rawhide is broken enough that I can't install the build requires for
this package.
Comment 10 Orion Poplawski 2009-09-15 10:25:36 UTC
Works for me today:

http://koji.fedoraproject.org/koji/getfile?taskID=1680846&name=build.log
Comment 11 Peter Hutterer 2009-09-16 18:17:48 UTC
(In reply to comment #10)
> Works for me today:
> http://koji.fedoraproject.org/koji/getfile?taskID=1680846&name=build.log

Is it possible to extract the test that is failing from that RPM and attach it here so it can be run as a single program? Building this rpm on the machines I have for testing right now is just full of fail today.
Comment 12 Orion Poplawski 2009-09-18 15:12:08 UTC
Created attachment 29675 [details]
plplot.spec

I've attached an updated plplot.spec that pretty much just builds the basic stuff plus the Qt driver so has most of the BuildRequires removed.  Hopefully that will work better.

I've not had any trouble building with mock for rawhide though.
Comment 13 Peter Hutterer 2009-09-20 22:30:48 UTC
used the spec with rpmbuild -bb, build failed with: sip: Unable to find file "QtCore/QtCoremod.sip"

built the examples only, running 
:: whot@dingo:~/rpmbuild/BUILD/plplot-5.9.5/fedora/examples> EXAMPLES_DIR=$PWD SRC_EXAMPLES_DIR=$PWD ../plplot_test/plplot-test.sh --verbose --front-end=c --device=bmpqt
Testing front-end c
x01c
Unable to load driver: qt.

*** PLPLOT ERROR, IMMEDIATE EXIT ***
Unable to load driver
Program aborted

what do I do now? considering the number of open bugs, I'd rather not have to dive into the plplot source to figure out what's going on there.
Comment 14 Orion Poplawski 2009-09-21 08:44:14 UTC
You'll need to add "-DENABLE_python:BOOL=OFF" to the cmake options to disable python/pyqt4 building.  
Comment 15 Peter Hutterer 2009-09-24 22:38:08 UTC
Verified (finally!)
Comment 16 Peter Hutterer 2009-09-27 20:27:07 UTC
Patch proposed at: http://lists.freedesktop.org/archives/xorg-devel/2009-September/002253.html
Comment 17 Peter Hutterer 2009-09-30 19:00:37 UTC
commit 6ffda5aae75272fabdc27d6f693ae827be119e95
Author: Dave Airlie <airlied@redhat.com>
Date:   Tue Sep 29 11:49:09 2009 +1000

    dix/glx/composite: consolidate visual resize in one place.
