Bug 29412

Summary: [regression] unexpected libX11 IOError
Product: xorg Reporter: Jon Turney <jon.turney>
Component: Lib/XlibAssignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium CC: matthieu.herrb, xcb, yselkowi
Version: git   
Hardware: Other   
OS: All   
i915 platform: i915 features:
Description Flags
Testcase to demonstrate the problem
Git bisection log none

Description Jon Turney 2010-08-05 10:07:18 UTC
glean --quick on a git master mesa built with --with-driver=xlib fails with:

XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":1.0"
      after 529 requests (529 known processed) with 3 events remaining.

with libX11 git master and 1.3.4. Reverting to libX11 1.3.3 allows glean to run successully.
Comment 1 Jon Turney 2010-08-05 10:08:47 UTC
Created attachment 37594 [details]
Testcase to demonstrate the problem

A small testcase, distilled from what seems to be causing the problem in the mesa xlib driver.
Comment 2 Jon Turney 2010-08-05 10:10:11 UTC
Created attachment 37595 [details]
Git bisection log

git bisect on libX11 seems to point to commit 933aee1d5c53b0cc7d608011a29188b594c8d70b "Fix Xlib/XCB for multi-threaded applications (with caveats)." as the first revision showing this problem.
Comment 3 Jon Turney 2010-08-05 10:21:09 UTC
From a brief debugging attempt, it seems the XIO error is raised because we end up in the "it's not an error, but we don't have a reply, so it's an I/O error" case in _XReply(), despite xscope showing the reply having been sent...
Comment 4 Matthieu Herrb 2010-08-05 11:24:08 UTC
I strongly believe that this is the use-after-free problem I reported here:


> After updating to libX11 1.3.4, I started seeing window managers or
> toolbar programs exit without reasons when closing windows or pop-ups.

> After a bit of debugging, I figured out that this is caused by
> a use after free bug in _XReply. Most people running Linux won't see it 
> because the data in the just free()'d memory is still there. But
> Using OpenBSD's malloc which fills free()'d memory with a specific 
> pattern, you get a different code path. 

> The proplem arises in xcb_io.c:582. the 'current' pointer can have
> been free()'d already (by dequeue_pending_request() called at line 562)
> when getting there.

> A simple test program to reproduce the issue is appended below: just
> call XGetWindowProperty on a non-existent window.

> Using his favourite malloc debugger one should be able to see the problem
> on Linux too...

> Unfortunatly I'm not sure of what the fix is...
Comment 5 Josh Triplett 2010-08-06 16:04:29 UTC
Thanks for the test case.  Jamey and I reproduced this problem on Linux via valgrind, which does indeed show a use-after-free.  We've fixed this in current git, commit 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18:

    Fix use-after-free in _XReply on X errors.
    _XReply would always call dequeue_pending_request on errors.  When it
    got an error for the current request, it would call dequeue, then break
    out of the loop; then, if it had an error in the event queue, it would
    compare it with the sequence number of the now-freed pending request.
    _XReply already stored that sequence number in dpy->last_request_read
    before freeing it, so look at that instead.
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29412
    Signed-off-by: Jamey Sharp <jamey@minilop.net>
    Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Comment 6 Yaakov Selkowitz 2010-08-08 22:27:41 UTC
This patch on top of 1.3.4 seems to fix the issue I was seeing (XWin would quit suddenly only seconds after launch).  Jon?

Could we get this confirmed as the fix, then c-p this commit onto libX11-1.3-branch and release a 1.3.5?
Comment 7 Jon Turney 2010-08-09 03:24:30 UTC
Confirming that this patch fixes my issue.

Thanks for your prompt attention.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.