Bug 36716 - xv crashed at _xcb_map_remove (list=0x828d9c0, key=2818) at xcb_list.c:89
Status: RESOLVED MOVED
Alias: None
Product: XCB
Classification: Unclassified
Component: Library
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: medium normal
Assignee: xcb mailing list dummy
QA Contact: xcb mailing list dummy
Reported: 2011-04-30 10:09 UTC by Martin Mokrejs
Modified: 2019-02-16 19:41 UTC
Description Martin Mokrejs 2011-04-30 10:09:31 UTC
Hi,
  I found a core file of my xv (image viewer) crash. It looks like XCB is at fault and not xv:

Core was generated by `xv ../file.png'.
Program terminated with signal 11, Segmentation fault.
#0  _xcb_map_remove (list=0x828d9c0, key=2818) at xcb_list.c:89
89      xcb_list.c: No such file or directory.
        in xcb_list.c
(gdb) where
#0  _xcb_map_remove (list=0x828d9c0, key=2818) at xcb_list.c:89
#1  0xb73acafe in poll_for_reply (c=0x828dc40, request=<value optimized out>, reply=0xbfb04c8c, error=0xbfb04cec) at xcb_in.c:297
#2  0xb73acf17 in xcb_wait_for_reply (c=0x828dc40, request=2818, e=0xbfb04cec) at xcb_in.c:377
#3  0xb763db85 in _XReply (dpy=0x828d018, rep=0xbfb04d30, extra=0, discard=1) at xcb_io.c:533
#4  0xb7623425 in XAllocColor (dpy=0x828d018, cmap=32, def=0xbfb04de0) at GetHColor.c:48
#5  0x08068bfa in screen_init (pic24=0xb7147008 '?' <repeats 200 times>..., wide=1123, high=666) at xvimage.c:140
#6  Pic24ToXImage (pic24=0xb7147008 '?' <repeats 200 times>..., wide=1123, high=666) at xvimage.c:2190
#7  0x080695af in CreateXImage () at xvimage.c:1735
#8  0x08050fbc in openPic (filenum=<value optimized out>) at xv.c:2917
#9  0x080529a8 in openFirstPic () at xv.c:3657
#10 mainLoop () at xv.c:3776
#11 0x08055f15 in main (argc=2, argv=0xbfb05f04) at xv.c:1037
(gdb) bt full
#0  _xcb_map_remove (list=0x828d9c0, key=2818) at xcb_list.c:89
        cur = 0x828d9c0
#1  0xb73acafe in poll_for_reply (c=0x828dc40, request=<value optimized out>, reply=0xbfb04c8c, error=0xbfb04cec) at xcb_in.c:297
        head = <value optimized out>
#2  0xb73acf17 in xcb_wait_for_reply (c=0x828dc40, request=2818, e=0xbfb04cec) at xcb_in.c:377
        cond = {__data = {__lock = 0, __futex = 0, __total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex = 0x0, __nwaiters = 0, __broadcast_seq = 0}, __size = '\000' <repeats 47 times>, __align = 0}
        reader = {request = 2818, data = 0xbfb04c50, next = 0x0}
        prev_reader = <value optimized out>
        widened_request = <value optimized out>
        ret = 0x0
#3  0xb763db85 in _XReply (dpy=0x828d018, rep=0xbfb04d30, extra=0, discard=1) at xcb_io.c:533
        error = 0x0
        c = 0x828dc40
        current = <value optimized out>
        __PRETTY_FUNCTION__ = "_XReply"
#4  0xb7623425 in XAllocColor (dpy=0x828d018, cmap=32, def=0xbfb04de0) at GetHColor.c:48
        status = <value optimized out>
        rep = {type = 0 '\000', pad1 = 0 '\000', sequenceNumber = 0, length = 1, red = 37824, green = 2066, blue = 0, pad2 = 0, pixel = 3076567184, pad3 = 0, pad4 = 135476064, pad5 = 3216002528}
#5  0x08068bfa in screen_init (pic24=0xb7147008 '?' <repeats 200 times>..., wide=1123, high=666) at xvimage.c:140
        check_map = 44041082
        check_col = {pixel = 1123, red = 0, green = 0, blue = 0, flags = -80 '\260', pad = -65 '\277'}
        ci = 0
        i = 0
        init_flag = 1
        check_gc = 0x829efe8
        check_image = <value optimized out>
#6  Pic24ToXImage (pic24=0xb7147008 '?' <repeats 200 times>..., wide=1123, high=666) at xvimage.c:2190
        xcol = <value optimized out>
        lip = <value optimized out>
        pp = <value optimized out>
        bperpix = 32
        ip = <value optimized out>
        i = <value optimized out>
        j = <value optimized out>
        xim = <value optimized out>
#7  0x080695af in CreateXImage () at xvimage.c:1735
No locals.
#8  0x08050fbc in openPic (filenum=<value optimized out>) at xv.c:2917
        pinfo = {pic = 0xb7147008 '?' <repeats 200 times>..., w = 1123, h = 666, type = 1, r = '\000' <repeats 255 times>, g = '\000' <repeats 255 times>, b = '\000' <repeats 255 times>, normw = 1123, normh = 666, 
          frmType = 0, colType = 0, fullInfo = "PNG, 24 bit truecolor, non-interlaced. (125056 bytes)", '\000' <repeats 74 times>, shrtInfo = "1123x666 PNG", '\000' <repeats 115 times>, 
          comment = 0x828d9b0 "Comment::Created with GIMP\n", exifInfo = 0x0, exifInfoSize = 0, numpages = 1, pagebname = '\000' <repeats 63 times>}
        i = <value optimized out>
        filetype = <value optimized out>
        freename = 1
        frompipe = 0
        frompoll = 0
        fromint = 0
        killpage = 0
        oldeWIDE = 0
        oldeHIGH = 0
        oldpWIDE = 0
        oldpHIGH = 0
        oldCXOFF = 0
        oldCYOFF = 0
        oldCWIDE = 0
        oldCHIGH = 0
        wascropped = 0
        tmp = <value optimized out>
        fullname = <value optimized out>
        filename = "/home/XXXXXX/file.png\000mm\221\221\221\221\266\266\266\266\332\332\332\332\377\377\377\377\000\000\000\000$$$$HHHHmmmm\221\221\221\221\266\266\266\266\332\332\332\332\377\377\377\377\000\000\000\000$$$$HHHHmmmm\221\221\221\221\266\266\266\266\332\332\332\332\377\377\377\377\000\000\000\000$$$$HHHHmmmm\221\221\221\221\266\266\266\266\332\332\332\332\377\377\377\377\000\000\000\000$$$$HHHHmmmm\221\221\221\221\266\266\266\266\332\332\332\332\377\377\377\377", '\000' <repeats 32 times>, '$' <repeats 32 times>...
#9  0x080529a8 in openFirstPic () at xv.c:3657
        i = 0
#10 mainLoop () at xv.c:3776
---Type <return> to continue, or q <return> to quit---
        i = <value optimized out>
#11 0x08055f15 in main (argc=2, argv=0xbfb05f04) at xv.c:1037
        i = <value optimized out>
        ecdef = {pixel = 9148853, red = 35584, green = 39168, blue = 46336, flags = 7 '\a', pad = -65 '\277'}
        rootReturn = 125
        parentReturn = 0
        children = 0x829d068
        numChildren = 122
(gdb)


I am on a Gentoo Linux with x11-misc/xcb-2.4, x11-base/xorg-server-1.9.2.902, x11-base/xorg-drivers-1.9, x11-proto/xextproto-7.1.2, and regarding the application itself it is media-gfx/xv-3.10a-r15.

$ ldd /usr/bin/xv
        linux-gate.so.1 =>  (0xffffe000)
        libz.so.1 => /lib/libz.so.1 (0xb7794000)
        libX11.so.6 => /usr/lib/libX11.so.6 (0xb767d000)
        libm.so.6 => /lib/libm.so.6 (0xb7657000)
        libjpeg.so.8 => /usr/lib/libjpeg.so.8 (0xb761c000)
        libpng14.so.14 => /usr/lib/libpng14.so.14 (0xb75f7000)
        libtiff.so.5 => /usr/lib/libtiff.so.5 (0xb7590000)
        libc.so.6 => /lib/libc.so.6 (0xb7436000)
        libxcb.so.1 => /usr/lib/libxcb.so.1 (0xb741c000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7418000)
        /lib/ld-linux.so.2 (0xb77dc000)
        libjbig.so => /usr/lib/libjbig.so (0xb740b000)
        libXau.so.6 => /usr/lib/libXau.so.6 (0xb7407000)
        libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0xb7401000)
$
Comment 1 Jamey Sharp 2011-04-30 10:57:26 UTC
If the stack trace is accurate (and it might not be, due to compiler optimization) then the only way that line could have failed is due to *cur pointing some wild place. Would you try "p *cur" and "p **cur"?

If you can reproduce the bug, running xv under valgrind may give more useful information.
Comment 2 Martin Mokrejs 2011-05-02 15:15:21 UTC
(gdb) p *cur
$1 = (node *) 0x74697720
(gdb) p **cur
Cannot access memory at address 0x74697720
(gdb)


I tried again but got a different stacktrace (filed on Gentoo as http://bugs.gentoo.org/show_bug.cgi?id=365765)

Regarding valgrind ...

$ valgrind xv ../file.png 
==2688== Memcheck, a memory error detector
==2688== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==2688== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==2688== Command: xv ../file.png
==2688== 
==2688== Invalid read of size 8
==2688==    at 0x4391FE9: __strncmp_ssse3 (strcmp-ssse3.S:911)
==2688==    by 0x43FD0B8: XauGetBestAuthByAddr (AuGetBest.c:154)
==2688==    by 0x43DE7BA: get_authptr (xcb_auth.c:143)
==2688==    by 0x43DEA09: _xcb_get_auth_info (xcb_auth.c:314)
==2688==    by 0x43DE390: xcb_connect_to_display_with_auth_info (xcb_util.c:424)
==2688==    by 0x43DE6B2: xcb_connect (xcb_util.c:395)
==2688==    by 0x40ADDF4: _XConnectXCB (xcb_disp.c:78)
==2688==    by 0x409E73D: XOpenDisplay (OpenDis.c:129)
==2688==    by 0x80532A6: parseResources (xv.c:1243)
==2688==    by 0x8054AC9: main (xv.c:375)
==2688==  Address 0x44090e0 is 16 bytes inside a block of size 18 alloc'd
==2688==    at 0x40256DD: malloc (vg_replace_malloc.c:195)
==2688==    by 0x43FD40D: read_counted_string (AuRead.c:58)
==2688==    by 0x43FD4FF: XauReadAuth (AuRead.c:86)
==2688==    by 0x43FD003: XauGetBestAuthByAddr (AuGetBest.c:116)
==2688==    by 0x43DE7BA: get_authptr (xcb_auth.c:143)
==2688==    by 0x43DEA09: _xcb_get_auth_info (xcb_auth.c:314)
==2688==    by 0x43DE390: xcb_connect_to_display_with_auth_info (xcb_util.c:424)
==2688==    by 0x43DE6B2: xcb_connect (xcb_util.c:395)
==2688==    by 0x40ADDF4: _XConnectXCB (xcb_disp.c:78)
==2688==    by 0x409E73D: XOpenDisplay (OpenDis.c:129)
==2688==    by 0x80532A6: parseResources (xv.c:1243)
==2688==    by 0x8054AC9: main (xv.c:375)
==2688== 
vex x86->IR: unhandled instruction bytes: 0x66 0x66 0x66 0x2E
==2688== valgrind: Unrecognised instruction at address 0x4392c64.
==2688== Your program just tried to execute an instruction that Valgrind
==2688== did not recognise.  There are two possible reasons for this.
==2688== 1. Your program has a bug and erroneously jumped to a non-code
==2688==    location.  If you are running Memcheck and you just saw a
==2688==    warning about a bad jump, it's probably your program's fault.
==2688== 2. The instruction is legitimate but Valgrind doesn't handle it,
==2688==    i.e. it's Valgrind's fault.  If you think this is the case or
==2688==    you are not sure, please let us know and we'll try to fix it.
==2688== Either way, Valgrind will now raise a SIGILL signal which will
==2688== probably kill your program.
==2688== 
==2688== Process terminating with default action of signal 4 (SIGILL): dumping core
==2688==  Illegal opcode at address 0x4392C64
==2688==    at 0x4392C64: __strncmp_ssse3 (strcmp-ssse3.S:1877)
==2688==    by 0x43FD0B8: XauGetBestAuthByAddr (AuGetBest.c:154)
==2688==    by 0x43DE7BA: get_authptr (xcb_auth.c:143)
==2688==    by 0x43DEA09: _xcb_get_auth_info (xcb_auth.c:314)
==2688==    by 0x43DE390: xcb_connect_to_display_with_auth_info (xcb_util.c:424)
==2688==    by 0x43DE6B2: xcb_connect (xcb_util.c:395)
==2688==    by 0x40ADDF4: _XConnectXCB (xcb_disp.c:78)
==2688==    by 0x409E73D: XOpenDisplay (OpenDis.c:129)
==2688==    by 0x80532A6: parseResources (xv.c:1243)
==2688==    by 0x8054AC9: main (xv.c:375)
==2688== 
==2688== HEAP SUMMARY:
==2688==     in use at exit: 3,019 bytes in 13 blocks
==2688==   total heap usage: 25 allocs, 12 frees, 3,192 bytes allocated
==2688== 
==2688== LEAK SUMMARY:
==2688==    definitely lost: 0 bytes in 0 blocks
==2688==    indirectly lost: 0 bytes in 0 blocks
==2688==      possibly lost: 0 bytes in 0 blocks
==2688==    still reachable: 3,019 bytes in 13 blocks
==2688==         suppressed: 0 bytes in 0 blocks
==2688== Rerun with --leak-check=full to see details of leaked memory
==2688== 
==2688== For counts of detected and suppressed errors, rerun with: -v
==2688== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 7 from 7)
Illegal instruction
$
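
Added example, not part of the original report or of libxcb: the wild value printed by `p *cur` in comment 2 can be read as little-endian ASCII bytes and compared with strings that appear elsewhere in the backtrace. The helper names are hypothetical; the addresses and the comment string are copied from the gdb output in this report.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Split a 32-bit word into its bytes in x86 (little-endian) memory order.
 * Returns 1 when all four bytes are printable ASCII, a hint that the
 * value is text data rather than a pointer. */
int word_as_ascii(uint32_t word, char out[5])
{
    int printable = 1;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((word >> (8 * i)) & 0xff);
        out[i] = (char)b;
        if (!isprint(b))
            printable = 0;
    }
    out[4] = '\0';
    return printable;
}

/* If the string stored at str_addr covers word_addr and holds the same four
 * bytes there, return the offset into the string; otherwise return -1. */
long overlap_offset(uint32_t word, uint32_t word_addr,
                    const char *str, uint32_t str_addr)
{
    char bytes[5];
    size_t len = strlen(str);
    word_as_ascii(word, bytes);
    if (word_addr < str_addr || (size_t)(word_addr - str_addr) + 4 > len)
        return -1;
    size_t off = word_addr - str_addr;
    return memcmp(str + off, bytes, 4) == 0 ? (long)off : -1;
}

int main(void)
{
    /* Values copied from the gdb sessions in this report. */
    const uint32_t cur_addr = 0x828d9c0;      /* cur / list in frame #0 */
    const uint32_t wild = 0x74697720;         /* result of "p *cur" */
    const uint32_t comment_addr = 0x828d9b0;  /* pinfo.comment, frame #8 */
    const char *comment = "Comment::Created with GIMP\n";
    char text[5];

    int printable = word_as_ascii(wild, text);
    printf("*cur bytes: \"%s\" (printable=%d)\n", text, printable);
    printf("offset in pinfo.comment: %ld\n",
           overlap_offset(wild, cur_addr, comment, comment_addr));
    return 0;
}
```

With these values the four bytes at the list address equal the text at offset 16 of pinfo.comment from frame #8, so the two regions overlap in the core file.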
Comment 3 Martin Mokrejs 2011-05-02 15:17:38 UTC
(In reply to comment #1)
> If the stack trace is accurate (and it might not be, due to compiler
> optimization) then the only way that line could have failed is due to *cur

BTW, I compile on this Gentoo box as follows:

CFLAGS="-O2 -march=pentium4 -mmmx -msse -msse2 -pipe -fno-strict-aliasing -ggdb"
Comment 4 GitLab Migration User 2019-02-16 19:41:34 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/lib/libxcb/issues/28.

