Bug 33645 - Bugfix for bug#3040 introduces a xserver crash when fontserver path appears as a fontpath element
Summary: Bugfix for bug#3040 introduces a xserver crash when fontserver path appears a...
Status: RESOLVED INVALID
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-28 05:17 UTC by Rajesh
Modified: 2018-06-12 18:43 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Rajesh 2011-01-28 05:17:26 UTC 
Hello,

This patch for bug#3040:

http://cgit.freedesktop.org/xorg/xserver/commit/?id=3ab6cd31cbdf8095b2948034fce5fb645422d8da

which is incorporated into xorg-server v1.9 appears problematic.  I am using TigerVNC X VNC server built with xorg-server v1.9.x source.  The Xvnc server crashes (segfaults) if a fontserver is specified as one of the fontpath elements (i.e as tcp/fontserver:7100).  The crash is consistent on Linux (RHEL5.5) and Solaris 10 - however looks like the manifestation is a bit different.  Please note that the Xvnc X server was built with XINERMA support (actual xorg-server configure options used: “--disable-xvfb --disable-xnest --disable-xorg --enable-glx=yes”).

The following are the stack traces on Solaris/Linux, when Xvnc is run under gdb:

<<<<>>>
Program received signal SIGSEGV, Segmentation fault.
0x00000000005a33b9 in doListFontsAndAliases (client=0xb72270, c=0xb4d280)
    at dixfonts.c:611
611	    while (c->current.current_fpe < c->num_fpes) {
(gdb) bt
#0  0x00000000005a33b9 in doListFontsAndAliases (client=0xb72270, c=0xb4d280)
    at dixfonts.c:611
#1  0x00000000005a4e31 in ProcessWorkQueue () at dixutils.c:527
#2  0x00000000005f396f in WaitForSomething (pClientsReady=0xac00b0)
    at WaitFor.c:169
#3  0x00000000005a06a0 in Dispatch () at dispatch.c:368
#4  0x0000000000535c05 in main (argc=23, argv=0x7fffffffe3b8, 
    envp=<value optimized out>) at main.c:291
(gdb) p *c
$1 = {client = 0x632d65626f64612d, num_fpes = 1769108847, 
  fpe_list = 0x6f6e2d6f2d646c6f, names = 0x34312d2d6c616d72, current = {
    pattern = "-100-100-100-m-90-iso8859-1", '\000' <repeats 13 times>, "Q\000\000\000\000\000\000\000-adobe-courier-bold-o-normal--17-120-100-100-m-100-iso8859-1\000\000\000\000q\000\000\000Q\000\000\000Q\000\000\000\000\000\000\000-adobe-courier-bold-o-normal--20-140-100-100-m-110-iso8859-1\000\000\000\000r\000\000\000R\000\000\000Q\000\000\000\000\000\000\000"..., patlen = 1764569141, 
    current_fpe = 943222643, max_names = 825047349, list_started = 0, 
    private = 0x8cbf80}, saved = {
    pattern = "Q\000\000\000\000\000\000\000-adobe-courier-bold-o-normal--34-240-100-100-m-200-iso8859-1\000\000\000\000\bÿ\000\000\000\000\000\000Q\000\000\000\000\000\000\000-adobe-courier-bold-r-normal--11-80-100-100-m-60-iso8859-1\000\000W", '\000' <repeats 11 times>, "Q\000\000\000\000\000\000\000-adobe-courier-bold-r-normal--14-"..., patlen = 1769108847, current_fpe = 1647145573, 
    max_names = 761556079, list_started = 1869491567, 
    private = 0x2d302d2d6c616d72}, haveSaved = 808529200, 
  savedName = 0x73692d302d6d2d30 <Address 0x73692d302d6d2d30 out of bounds>, 
  savedNameLen = 892876911}
(gdb) quit
<<<<>>>

Clearly the c->num_fpes, and current->current_fpe above look bogus (although c->fpe_list is still pointing to a valid addres).

On Solaris 10 x86, the stack trace is same - however c->fpe_list is bogus (0x0 address):

<<<<>>>
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 1)]
0x00000000004aacf1 in doListFontsAndAliases (client=0xd30bc0, c=0xd6a500) at dixfonts.c:611
611             fpe = c->fpe_list[c->current.current_fpe];
(gdb) bt
#0  0x00000000004aacf1 in doListFontsAndAliases (client=0xd30bc0, c=0xd6a500) at dixfonts.c:611
#1  0x00000000004ac792 in ProcessWorkQueue () at dixutils.c:527
#2  0x00000000004dabb7 in WaitForSomething (pClientsReady=0xb5b1e0) at WaitFor.c:169
#3  0x00000000004a7f97 in Dispatch () at dispatch.c:368
#4  0x00000000005f5e0d in main (argc=24, argv=0xfffffd7fffdff558, envp=<value optimized out>) at main.c:291
(gdb) p *c
$1 = {client = 0xd38e70, num_fpes = 11, fpe_list = 0x0, names = 0xc996d0, current = {
    pattern = "\000\000\000\000\000\000\000\000am-chart\000\000\000\000\000\000\000\000-r-normal--0-0-0-0-p-0-iso8859-1", '\000' <repeats 199 times>, patlen = 56, current_fpe = 10, max_names = 1228, list_started = 0, private = 0xb64560}, saved = {
    pattern = "*\324", '\000' <repeats 252 times>, patlen = 1, current_fpe = 4, max_names = 2000, list_started = 1, private = 0xb64760},
  haveSaved = 1, savedName = 0xb643a0 "P\266", savedNameLen = 5}
(gdb)
<<<<>>>

A similar piece has been reported here too - https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers/+bug/683016

I can get around with the above, if I wrap “xinerama_sleep” statements in the original patch with a

#ifdef XINERMA
….
#endif

(and recompile xorg-server with XINERMA support disabled)

However, I am not sure if this is the correct thing to do.

Thanks!
Rajesh
Comment 1 Alan Coopersmith 2011-01-28 09:35:08 UTC 
Does this later change solve the problem?

http://cgit.freedesktop.org/xorg/xserver/commit/?id=7a9062f2f029b4f911ba56f291375fbf5a98ca73
Comment 2 Rajesh 2011-01-31 01:03:03 UTC 
(In reply to comment #1)
> Does this later change solve the problem?
> 
> http://cgit.freedesktop.org/xorg/xserver/commit/?id=7a9062f2f029b4f911ba56f291375fbf5a98ca73

No - the problem stills exists, even after applying the patch above.
Comment 3 Adam Jackson 2018-06-12 18:43:56 UTC 
Mass closure: This bug has been untouched for more than six years, and is not obviously still valid. Please file a new report if you continue to experience issues with a current server.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.