Bug 98830

Summary: Core dumps of binary spice-vdagent due to regression introduced in 5dd6d2a
Product: Spice
Reporter: Peter Mattern <pmattern>
Component: unix agent
Assignee: Spice Bug List <spice-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: medium
CC: teuf
Version: unspecified
Hardware: All
OS: Linux (All)
Whiteboard:
Attachments: stack trace, bactrace

Description Peter Mattern 2016-11-23 13:00:51 UTC
Created attachment 128162 [details]
stack trace

Due to a regression introduced in 5dd6d2a binary spice-vdagent is crashing and dumping core on Arch Linux.

The crashes take place right upon launch. It doesn't matter whether the binary is launched at the session's beginning according to the autostart specification or manually within a running session. Also, the findings are the same in LXQt, Xfce 4 and Openbox ("only" / no desktop environment) sessions.
Binary spice-vdagentd is not affected and running flawlessly all the time.
Only x86_64 systems seem to be affected while the i686 platform isn't. (Recent commits of spice-vdagent seem to be dysfunctional on this platform which is probably a different issue, though.)
Commits 08ff8d7 (and 8ce6ca9 representing the last commit I had been running before) are not affected.

Both stack trace and backtrace are attached. These are a bit sparse, but enabling debug symbols doesn't seem to be that straightforward (a make target "debug" doesn't seem to exist, and blindly setting a configure option --enable-debug didn't seem to have an effect)?
Comment 1 Peter Mattern 2016-11-23 13:01:33 UTC
Created attachment 128163 [details]
bactrace
Comment 2 Christophe Fergeau 2016-11-23 13:16:19 UTC
This has also been reported in fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1396587

For a debug build, I usually just run: make CFLAGS="-g3 -ggdb3 -O0"
Fedora is probably doing something similar as we are getting actual debug symbols there.
Comment 3 Christophe Fergeau 2016-11-23 13:35:55 UTC
valgrind trace is 
==2289== Invalid free() / delete / delete[] / realloc()
==2289==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==2289==    by 0x4037C2: udscs_read_complete (udscs.c:239)
==2289==    by 0x4039D2: udscs_do_read (udscs.c:292)
==2289==    by 0x403B7C: udscs_client_handle_fds (udscs.c:337)
==2289==    by 0x40C251: main (vdagent.c:375)
==2289==  Address 0x7634070 is 0 bytes inside a block of size 328 free'd
==2289==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==2289==    by 0x40B6DF: daemon_read_complete (vdagent.c:64)
==2289==    by 0x4037A6: udscs_read_complete (udscs.c:235)
==2289==    by 0x4039D2: udscs_do_read (udscs.c:292)
==2289==    by 0x403B7C: udscs_client_handle_fds (udscs.c:337)
==2289==    by 0x40C251: main (vdagent.c:375)
==2289==  Block was alloc'd at
==2289==    at 0x4C2DB9D: malloc (vg_replace_malloc.c:299)
==2289==    by 0x403959: udscs_do_read (udscs.c:282)
==2289==    by 0x403B7C: udscs_client_handle_fds (udscs.c:337)
==2289==    by 0x40C251: main (vdagent.c:375)
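The valgrind output above shows a textbook double free: the body buffer is allocated in udscs_do_read, freed by the daemon_read_complete callback, and then freed a second time by udscs_read_complete, which still believes it owns the buffer. The C below is an added illustration of the defensive pattern that rules this out; it is not spice-vdagent's code and not the fix referenced in Comment 4, and the names conn_deliver, conn_take_data, cb_copy, cb_take and the "clipboard text" payload are all hypothetical. The contract is: the reader owns the buffer; a callback that needs it beyond the call takes it explicitly, which leaves the reader holding NULL so its own free() becomes a harmless no-op.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative example, not spice-vdagent code. Models a reader that
 * allocates a message body, hands it to a read-complete callback, and
 * then releases whatever it still owns. */

struct conn;
typedef void (*read_complete_cb)(struct conn *c, uint8_t *data, uint32_t size);

struct conn {
    read_complete_cb on_read;
    uint8_t *data;          /* in-flight body; NULL when the reader owns nothing */
    uint32_t size;
    unsigned reader_frees;  /* instrumentation: frees performed by the reader */
};

/* Transfers ownership of the current buffer to the caller (the callback).
 * Afterwards the reader holds NULL, so its later free() is a no-op. */
uint8_t *conn_take_data(struct conn *c)
{
    uint8_t *p = c->data;
    c->data = NULL;
    c->size = 0;
    return p;
}

/* Simulates the read path: allocate, deliver, then free only if the
 * callback did not take the buffer. The pointer is cleared after free so
 * nothing dangling survives to the next read. Returns 0 on success. */
int conn_deliver(struct conn *c, const uint8_t *payload, uint32_t size)
{
    c->data = malloc(size ? size : 1);
    if (c->data == NULL)
        return -1;
    memcpy(c->data, payload, size);
    c->size = size;

    c->on_read(c, c->data, c->size);

    if (c->data != NULL) {
        free(c->data);
        c->reader_frees++;
        c->data = NULL;
        c->size = 0;
    }
    return 0;
}

/* Callback 1: consumes the data during the call; the reader keeps ownership
 * and must not be "helped" by a free() here. */
static char copied[64];
void cb_copy(struct conn *c, uint8_t *data, uint32_t size)
{
    (void)c;
    size_t n = size < sizeof copied - 1 ? size : sizeof copied - 1;
    memcpy(copied, data, n);
    copied[n] = '\0';
}

/* Callback 2: needs the buffer after the call, so it takes ownership
 * instead of freeing the reader's pointer behind its back. */
static uint8_t *taken;
static uint32_t taken_size;
void cb_take(struct conn *c, uint8_t *data, uint32_t size)
{
    (void)data;
    taken = conn_take_data(c);
    taken_size = size;
}

/* Runs one scenario and returns how many frees the reader performed:
 * 1 when the callback only copied, 0 when the callback took ownership. */
int run_scenario(int take)
{
    struct conn c = { take ? cb_take : cb_copy, NULL, 0, 0 };
    static const uint8_t payload[] = "clipboard text";  /* constructed sample */
    if (conn_deliver(&c, payload, sizeof payload) != 0)
        return -1;
    if (take) {
        free(taken);  /* the new owner releases the buffer exactly once */
        taken = NULL;
    }
    return (int)c.reader_frees;
}

int main(void)
{
    printf("copy callback: reader frees=%d, saw \"%s\"\n", run_scenario(0), copied);
    printf("take callback: reader frees=%d, took %u bytes\n", run_scenario(1), taken_size);
    return 0;
}
```

Running the program under valgrind (or with -fsanitize=address) is the quickest check that neither path frees the body twice; the instrumentation counter makes the same property testable without a memory checker.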
Comment 4 Christophe Fergeau 2016-11-23 13:49:48 UTC
https://lists.freedesktop.org/archives/spice-devel/2016-November/033859.html should fix it.
Comment 6 Peter Mattern 2016-11-24 13:24:11 UTC
The problem is not solved in 05d389d yet. Binary spice-vdagent does not crash upon launch any longer but when it's used.
E.g. launch a desktop session → both spice-vdagent{d,} are running as expected. Select some text on the host and paste it into the shell of a terminal emulator running under the guest by middle mouse click → copying works, but spice-vdagent crashes thereafter.

Btw. what I wrote about i686 above was due to a misconfigured virtual machine and hence wrong. In fact i686 behaves exactly the same as x86_64.
Comment 7 Peter Mattern 2016-12-07 00:54:25 UTC
Running 2dc986f on various desktop environments I cannot reproduce the crashes any longer.