Bug 6044 - Xvnc crash after opening Chromium application menu
Summary: Xvnc crash after opening Chromium application menu
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VNC
Version: 4.6.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.7.0
Assignee: Pierre Ossman
URL:
Keywords: hean01_tester, relnotes
Depends on:
Blocks:
 
Reported: 2016-10-05 15:52 CEST by Karl Mikaelsson
Modified: 2016-10-17 12:33 CEST
CC: 2 users

See Also:
Acceptance Criteria:


Attachments

Description Karl Mikaelsson cendio 2016-10-05 15:52:42 CEST
Client: ThinLinc 4.7.0rc1, Windows XP
Server: ThinLinc 4.6.0, RHEL6 (tl.cendio.se)

I've managed to reproduce this three times by performing these steps:

 1. Log in to tl.cendio.se
 2. Select Gnome Desktop when asked
 3. Start Chromium Web Browser from the application menu
 4. Click the application menu (the three horizontal dots button over to the right)
 5. Mouse pointer turns into "busy" (spinning wheel-ish)
 6. After a couple of seconds: Xvnc crashes

Crash 1 & 3:

> (EE)
> (EE) Backtrace:
> (EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d724f]
> (EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1da6d9) [0x5da6d9]
> (EE) 2: /lib64/libpthread.so.0 (0x3dacc00000+0xf7e0) [0x3dacc0f7e0]
> (EE) 3: /opt/thinlinc/libexec/Xvnc (0x400000+0x12e42b) [0x52e42b]
> (EE) 4: /opt/thinlinc/libexec/Xvnc (BlockHandler+0x4a) [0x58c96a]
> (EE) 5: /opt/thinlinc/libexec/Xvnc (WaitForSomething+0x18d) [0x5d4c0d]
> (EE) 6: /opt/thinlinc/libexec/Xvnc (Dispatch+0x9d) [0x58853d]
> (EE) 7: /opt/thinlinc/libexec/Xvnc (main+0x3ae) [0x49cc5e]
> (EE) 8: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3dac81ed1d]
> (EE) 9: /opt/thinlinc/libexec/Xvnc (0x400000+0x9e523) [0x49e523]
> (EE)
> (EE) Segmentation fault at address 0x0

Crash 2:

> (EE)
> (EE) Backtrace:
> (EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d724f]
> (EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1da6d9) [0x5da6d9]
> (EE) 2: /lib64/libpthread.so.0 (0x3dacc00000+0xf7e0) [0x3dacc0f7e0]
> (EE) 3: /opt/thinlinc/libexec/Xvnc (miPointerUpdateSprite+0x242) [0x5c6782]
> (EE) 4: /opt/thinlinc/libexec/Xvnc (0x400000+0x1c69fa) [0x5c69fa]
> (EE) 5: /opt/thinlinc/libexec/Xvnc (0x400000+0x1ea101) [0x5ea101]
> (EE) 6: /opt/thinlinc/libexec/Xvnc (0x400000+0xba171) [0x4ba171]
> (EE) 7: /opt/thinlinc/libexec/Xvnc (0x400000+0x12e431) [0x52e431]
> (EE) 8: /opt/thinlinc/libexec/Xvnc (BlockHandler+0x4a) [0x58c96a]
> (EE) 9: /opt/thinlinc/libexec/Xvnc (WaitForSomething+0x18d) [0x5d4c0d]
> (EE) 10: /opt/thinlinc/libexec/Xvnc (Dispatch+0x9d) [0x58853d]
> (EE) 11: /opt/thinlinc/libexec/Xvnc (main+0x3ae) [0x49cc5e]
> (EE) 12: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3dac81ed1d]
> (EE) 13: /opt/thinlinc/libexec/Xvnc (0x400000+0x9e523) [0x49e523]
> (EE)
> (EE) Segmentation fault at address 0xf
Comment 1 Karl Mikaelsson cendio 2016-10-05 17:59:59 CEST
Reproducible from Fedora 24, ThinLinc Client 4.6.0post-5163.
Comment 2 Karl Mikaelsson cendio 2016-10-05 18:11:09 CEST
With debug packages and gdb:

> Program received signal SIGSEGV, Segmentation fault.
> 0x000000000052e42b in AnimCurScreenBlockHandler () at animcur.c:167
> 167	                (void) (*pScreen->DisplayCursor) (dev,
> (gdb) bt full
> #0  0x000000000052e42b in AnimCurScreenBlockHandler () at animcur.c:167
>         empty = "\000\000\000"
>         AnimCurScreenPrivateKeyRec = {offset = 272, size = 0, initialized = 1, allocated = 0, 
>           type = PRIVATE_SCREEN, next = 0xb2cdc0}
>         animCursorBits = {source = 0xb2f8a0 "", mask = 0xb2f8a0 "", emptyMask = 2, width = 1, height = 1, 
>           xhot = 0, yhot = 0, refcnt = 2, devPrivates = 0x0, argb = 0x0}
> #1  0x000000000058c96a in BlockHandler ()
>         std::__cxx11::money_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::money_put<wchar_t, std::ostreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::time_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::messages<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::intl = false
>         std::__cxx11::moneypunct<wchar_t, true>::intl = true
>         std::__cxx11::collate<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, false>::intl = false
>         std::__cxx11::numpunct<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, true>::intl = true
>         std::__cxx11::moneypunct<wchar_t, true>::id = {_M_index = 0, static _S_refcount = 0}
> #2  0x00000000005d4c0d in WaitForSomething ()
>         std::__cxx11::money_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::money_put<wchar_t, std::ostreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::time_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::messages<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::intl = false
>         std::__cxx11::moneypunct<wchar_t, true>::intl = true
>         std::__cxx11::collate<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, false>::intl = false
>         std::__cxx11::numpunct<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, true>::intl = true
>         std::__cxx11::moneypunct<wchar_t, true>::id = {_M_index = 0, static _S_refcount = 0}
> #3  0x000000000058853d in Dispatch ()
>         std::__cxx11::money_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::money_put<wchar_t, std::ostreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::time_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::messages<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::intl = false
>         std::__cxx11::moneypunct<wchar_t, true>::intl = true
>         std::__cxx11::collate<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, false>::intl = false
>         std::__cxx11::numpunct<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, true>::intl = true
>         std::__cxx11::moneypunct<wchar_t, true>::id = {_M_index = 0, static _S_refcount = 0}
> #4  0x000000000049cc5e in main () at main.c:295
Comment 3 Karl Mikaelsson cendio 2016-10-06 15:20:39 CEST
I can reproduce on a 32-bit Linux Mint 18 server with ThinLinc Server 4.7.0rc1.
Comment 4 Pierre Ossman cendio 2016-10-06 16:36:10 CEST
I could not reproduce it on SLES 12 with Chrome and Gnome 3.
Comment 5 Samuel Mannehed cendio 2016-10-06 17:11:20 CEST
I could not reproduce it on Ubuntu 16.04 with chromium-browser and Unity. Will test Gnome.
Comment 6 Karl Mikaelsson cendio 2016-10-07 10:28:49 CEST
(In reply to comment #3)
> I can reproduce on a 32-bit Linux Mint 18 server with ThinLinc Server 4.7.0rc1.

This was with Cinnamon (the "fallback" version of Cinnamon since the regular version crashed).

I can't reproduce on the same Linux Mint 18 server with a Mate desktop, oddly enough.
Comment 7 Pierre Ossman cendio 2016-10-07 11:09:51 CEST
Fedora 24 as a server doesn't seem to be able to provoke the bug. I tried with Gnome 3 and Xfce as desktop environments.
Comment 8 Pierre Ossman cendio 2016-10-07 12:02:51 CEST
It happens for my user as well on tl.cendio.se. However I cannot provoke the bug with chromium forwarded from my machine to tl.cendio.se, or forwarded from tl.cendio.se to my machine. It never switches to the busy cursor in those cases.
Comment 9 Pierre Ossman cendio 2016-10-07 12:41:46 CEST
It seems that gdb on RHEL 6 is confused by our binaries somehow. I got a better backtrace using gdbserver:

(gdb) bt full
#0  miPointerUpdateSprite (pDev=0x1830b70) at mipointer.c:447
        y = 199
        devy = 199
        pScreen = 0x16600e0
        pCursor = 0x1b92cb0
        x = 798
        devx = 798
        pPointer = 0x1848ed0
        pDev = 0x1830b70
#1  0x00000000005c69fa in miPointerDisplayCursor (pDev=0x1830b70, pScreen=0x16600e0, pCursor=0x1b92cb0) at mipointer.c:201
        pPointer = <optimized out>
        pCursor = 0x1b92cb0
        pScreen = 0x16600e0
        pDev = 0x1830b70
#2  0x00000000005ea101 in vncHooksDisplayCursor (pDev=<optimized out>, pScreen_=0x16600e0, cursor=0x1b92cb0) at vncHooks.c:625
        ret = <optimized out>
        pScreen = 0x16600e0
#3  0x00000000004ba171 in CursorDisplayCursor (pDev=0x1830b70, pScreen=0x16600e0, pCursor=0x1b92cb0) at cursor.c:156
        ret = <optimized out>
        backupProc = 0x4b9fd0 <CursorDisplayCursor>
#4  0x000000000052e431 in AnimCurScreenBlockHandler (pScreen=0x16600e0, pTimeout=0x7ffcc759b6f8, pReadmask=0xb43480 <LastSelectMask>) at animcur.c:167
        ac = 0x1b8d698
        elt = 26
        DisplayCursor = 0x52eac0 <AnimCurDisplayCursor>
        dev = 0x1830b70
        activeDevice = 1
        now = 1804505069
        soonest = 4294967295
#5  0x000000000058c96a in BlockHandler (pTimeout=pTimeout@entry=0x7ffcc759b6f8, pReadmask=pReadmask@entry=0xb43480 <LastSelectMask>) at dixutils.c:387
        i = 0
        j = <optimized out>
#6  0x00000000005d4c0d in WaitForSomething (pClientsReady=pClientsReady@entry=0x191ddd0) at WaitFor.c:217
        i = <optimized out>
        waittime = {tv_sec = 453, tv_usec = 641000}
        wt = 0x7ffcc759b700
        timeout = <optimized out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {0, 0, 192, 214748364810, 532575944795, 472446402679, 28581328, 37272168, 107, 89, 117, 619, 32, 264890802464, 24, 23512448}}
        socketsWritable = {fds_bits = {0 <repeats 16 times>}}
        curclient = <optimized out>
        selecterr = <optimized out>
        nready = 0
        devicesReadable = {fds_bits = {0 <repeats 16 times>}}
        now = <optimized out>
        someReady = <optimized out>
#7  0x000000000058853d in Dispatch () at dispatch.c:361
        clientReady = 0x191ddd0
        result = <optimized out>
        client = <optimized out>
        nready = <optimized out>
        icheck = 0xb3d2b0 <checkForInput>
        start_tick = <optimized out>
#8  0x000000000049cc5e in main (argc=22, argv=0x7ffcc759bb88, envp=<optimized out>) at main.c:295
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
Comment 10 Pierre Ossman cendio 2016-10-07 13:01:47 CEST
This seems to be a use-after-free kind of bug. The animated cursor that it is trying to update has bogus data in it.
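Added illustration of the bug class Pierre names in comment 10 (a handler that runs later, once the server goes idle, touching a cursor whose owner has already released it). This is example code written for this page, not the Xorg animcur.c code behind the backtraces, and the fix shown is the generic reference-counting discipline for a shared object, not necessarily what the upstream patch in comment 14 does. All names (the toy CursorRec, set_cursor_*, block_handler_*, run_scenario) are hypothetical; the sequence in run_scenario is constructed to mirror the report: the application sets a busy cursor, then drops it again a moment later, before the server has gone idle and run its block handler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a reference-counted cursor object. Hypothetical names and
 * layout; this is not the Xorg/Xvnc CursorRec from the bug. */
typedef struct {
    int refcnt;
    int width;
    int height;
} CursorRec, *CursorPtr;

#define POISON_BYTE 0xAB

static CursorPtr cursor_create(int width, int height)
{
    CursorPtr c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->refcnt = 1;          /* the creator (the client) holds one reference */
    c->width = width;
    c->height = height;
    return c;
}

/* Drop a reference. When it was the last one the object is "released":
 * here it is overwritten with a poison pattern instead of being free()d,
 * so that a stale read in this demo is deterministic rather than undefined
 * behaviour (the quarantined block is deliberately never free()d). A real
 * server would free() it, and a later read would be a use-after-free of
 * the kind seen in the backtraces above. */
static void cursor_unref(CursorPtr c)
{
    if (--c->refcnt == 0)
        memset(c, POISON_BYTE, sizeof *c);
}

/* Per-screen state consulted by a block handler that runs later, when the
 * server goes idle (compare AnimCurScreenBlockHandler in the traces). */
typedef struct {
    CursorPtr pending;
} ScreenStateRec;

/* Buggy pattern: remember the cursor by raw pointer and rely on it still
 * being alive when the block handler finally runs. */
static void set_cursor_buggy(ScreenStateRec *s, CursorPtr c)
{
    s->pending = c;
}

static int block_handler_buggy(ScreenStateRec *s)
{
    int width = s->pending->width;   /* may read released memory */
    s->pending = NULL;
    return width;
}

/* Fixed pattern: the screen state takes its own reference for as long as
 * it holds the pointer and drops it once the cursor has been displayed. */
static void set_cursor_fixed(ScreenStateRec *s, CursorPtr c)
{
    c->refcnt++;
    if (s->pending)
        cursor_unref(s->pending);
    s->pending = c;
}

static int block_handler_fixed(ScreenStateRec *s)
{
    int width = s->pending->width;   /* object is alive: we hold a reference */
    cursor_unref(s->pending);
    s->pending = NULL;
    return width;
}

/* Constructed scenario: set a 32x32 busy cursor, client releases it before
 * the server idles, then the block handler runs. Returns the width the
 * handler read; 32 means it saw a live object. */
static int run_scenario(int fixed)
{
    ScreenStateRec screen = { NULL };
    CursorPtr busy = cursor_create(32, 32);

    if (fixed)
        set_cursor_fixed(&screen, busy);
    else
        set_cursor_buggy(&screen, busy);

    cursor_unref(busy);              /* client's FreeCursor: drops its reference */

    return fixed ? block_handler_fixed(&screen)
                 : block_handler_buggy(&screen);
}

int demo_buggy(void) { return run_scenario(0); }
int demo_fixed(void) { return run_scenario(1); }

int main(void)
{
    printf("buggy handler read width %d, fixed handler read width %d\n",
           demo_buggy(), demo_fixed());
    return 0;
}
```

The buggy handler reads the poisoned object (0xABABABAB, not 32) because nothing kept the cursor alive between the client dropping it and the idle-time handler running; the fixed handler reads 32 because the screen state owned a reference of its own. Under a real allocator the buggy path is the crash in the report, and building with -fsanitize=address turns the silent stale read into a reported heap-use-after-free.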
Comment 11 Pierre Ossman cendio 2016-10-10 12:46:00 CEST
This seems to have started with Chrome/Chromium 51, released in May 2016. That release saw an updated menu button which for unknown reasons sets a busy mouse cursor.
Comment 12 Pierre Ossman cendio 2016-10-11 10:59:01 CEST
Chrome/Chromium is a very common application so we need to have a look at this now. We'll start by trying to apply upstream fixes to the animated cursor code.
Comment 14 Pierre Ossman cendio 2016-10-12 11:08:06 CEST
Also sent upstream:

https://lists.x.org/archives/xorg-devel/2016-October/051598.html
Comment 15 Pierre Ossman cendio 2016-10-12 11:09:12 CEST
Tester should make sure that animated cursors still work properly.
Comment 16 Karl Mikaelsson cendio 2016-10-13 13:29:21 CEST
Can't reproduce the crash with Chromium on Linux Mint 18 with RC2.
Comment 17 Henrik Andersson cendio 2016-10-17 12:33:00 CEST
Tested on CentOS 6.8 with chromium-browser-53.0.2785.143-1.el6.x86_64.

Verified that I could reproduce the problem using tl-4.7.0rc1; there were no problems at all. The Xvnc crash was reproducible on every try. However, I couldn't find another test case than using Chromium and hitting the settings menu button.

Upgraded to tl-4.7.0rc2 and I can't reproduce the crash. I verified that the animated cursor shows up when expected. Seems all good.
