Bug 6044 - Xvnc crash after opening Chromium application menu
Status: CLOSED FIXED
Product: ThinLinc
Component: VNC
Version: 4.6.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.7.0
Reported: 2016-10-05 15:52 by cendio
Modified: 2016-10-17 12:33
Description From cendio 2016-10-05 15:52:42
Client: ThinLinc 4.7.0rc1, Windows XP
Server: ThinLinc 4.6.0, RHEL6 (tl.cendio.se)

I've managed to reproduce this three times by performing these steps:

 1. Log in to tl.cendio.se
 2. Select Gnome Desktop when asked
 3. Start Chromium Web Browser from the application menu
 4. Click the application menu (the three horizontal dots button over to the
right)
 5. Mouse pointer turns into "busy" (spinning wheel-ish)
 6. After a couple of seconds: Xvnc crashes

Crash 1 & 3:

> (EE)
> (EE) Backtrace:
> (EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d724f]
> (EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1da6d9) [0x5da6d9]
> (EE) 2: /lib64/libpthread.so.0 (0x3dacc00000+0xf7e0) [0x3dacc0f7e0]
> (EE) 3: /opt/thinlinc/libexec/Xvnc (0x400000+0x12e42b) [0x52e42b]
> (EE) 4: /opt/thinlinc/libexec/Xvnc (BlockHandler+0x4a) [0x58c96a]
> (EE) 5: /opt/thinlinc/libexec/Xvnc (WaitForSomething+0x18d) [0x5d4c0d]
> (EE) 6: /opt/thinlinc/libexec/Xvnc (Dispatch+0x9d) [0x58853d]
> (EE) 7: /opt/thinlinc/libexec/Xvnc (main+0x3ae) [0x49cc5e]
> (EE) 8: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3dac81ed1d]
> (EE) 9: /opt/thinlinc/libexec/Xvnc (0x400000+0x9e523) [0x49e523]
> (EE)
> (EE) Segmentation fault at address 0x0

Crash 2:

> (EE)
> (EE) Backtrace:
> (EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d724f]
> (EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1da6d9) [0x5da6d9]
> (EE) 2: /lib64/libpthread.so.0 (0x3dacc00000+0xf7e0) [0x3dacc0f7e0]
> (EE) 3: /opt/thinlinc/libexec/Xvnc (miPointerUpdateSprite+0x242) [0x5c6782]
> (EE) 4: /opt/thinlinc/libexec/Xvnc (0x400000+0x1c69fa) [0x5c69fa]
> (EE) 5: /opt/thinlinc/libexec/Xvnc (0x400000+0x1ea101) [0x5ea101]
> (EE) 6: /opt/thinlinc/libexec/Xvnc (0x400000+0xba171) [0x4ba171]
> (EE) 7: /opt/thinlinc/libexec/Xvnc (0x400000+0x12e431) [0x52e431]
> (EE) 8: /opt/thinlinc/libexec/Xvnc (BlockHandler+0x4a) [0x58c96a]
> (EE) 9: /opt/thinlinc/libexec/Xvnc (WaitForSomething+0x18d) [0x5d4c0d]
> (EE) 10: /opt/thinlinc/libexec/Xvnc (Dispatch+0x9d) [0x58853d]
> (EE) 11: /opt/thinlinc/libexec/Xvnc (main+0x3ae) [0x49cc5e]
> (EE) 12: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3dac81ed1d]
> (EE) 13: /opt/thinlinc/libexec/Xvnc (0x400000+0x9e523) [0x49e523]
> (EE)
> (EE) Segmentation fault at address 0xf
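The "(EE)" lines above are the standard Xorg crash-handler backtrace format. The following parser is an added example (not part of the report or of ThinLinc) that groups such lines by crash, names the frame that actually faulted and flags zero-page fault addresses, so repeated Xvnc crashes can be triaged from server logs; its sample input is constructed from the two backtraces in the description.

```python
import re
# Constructed sample: the two "(EE)" backtraces from the report above, cut off at BlockHandler.
SAMPLE_LOG = """\
(EE) Backtrace:
(EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d724f]
(EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1da6d9) [0x5da6d9]
(EE) 2: /lib64/libpthread.so.0 (0x3dacc00000+0xf7e0) [0x3dacc0f7e0]
(EE) 3: /opt/thinlinc/libexec/Xvnc (0x400000+0x12e42b) [0x52e42b]
(EE) 4: /opt/thinlinc/libexec/Xvnc (BlockHandler+0x4a) [0x58c96a]
(EE) Segmentation fault at address 0x0
(EE) Backtrace:
(EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d724f]
(EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1da6d9) [0x5da6d9]
(EE) 2: /lib64/libpthread.so.0 (0x3dacc00000+0xf7e0) [0x3dacc0f7e0]
(EE) 3: /opt/thinlinc/libexec/Xvnc (miPointerUpdateSprite+0x242) [0x5c6782]
(EE) 4: /opt/thinlinc/libexec/Xvnc (0x400000+0x1c69fa) [0x5c69fa]
(EE) 5: /opt/thinlinc/libexec/Xvnc (0x400000+0x1ea101) [0x5ea101]
(EE) 6: /opt/thinlinc/libexec/Xvnc (0x400000+0xba171) [0x4ba171]
(EE) 7: /opt/thinlinc/libexec/Xvnc (0x400000+0x12e431) [0x52e431]
(EE) 8: /opt/thinlinc/libexec/Xvnc (BlockHandler+0x4a) [0x58c96a]
(EE) Segmentation fault at address 0xf
"""

FRAME_RE = re.compile(r"^\(EE\) (\d+): (\S+) \(([^)+]+)\+(0x[0-9a-f]+)\) \[(0x[0-9a-f]+)\]$")
FAULT_RE = re.compile(r"^\(EE\) Segmentation fault at address (0x[0-9a-f]+)$")

def parse_backtraces(text):
    """One dict per crash: frames as (name, address) plus the fault address; unsymbolized
    frames become module+offset so they stay comparable between runs of the same binary."""
    crashes = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ")  # tolerate the '> ' quoting used in bug comments
        if line == "(EE) Backtrace:":
            crashes.append({"frames": [], "fault": None})
        elif crashes and (m := FRAME_RE.match(line)):
            _, module, sym, off, addr = m.groups()
            name = sym if not sym.startswith("0x") else f"{module.rsplit('/', 1)[-1]}+{off}"
            crashes[-1]["frames"].append((name, int(addr, 16)))
        elif crashes and (m := FAULT_RE.match(line)):
            crashes[-1]["fault"] = int(m.group(1), 16)
    return crashes

def triage(crash):
    """Name the first frame above the libpthread signal trampoline (the code that actually
    faulted) and flag a zero-page fault address, typical of a null or near-null dereference."""
    names = [n for n, _ in crash["frames"]]
    where = next((names[i + 1] for i, n in enumerate(names[:-1])
                  if n.startswith("libpthread")), None)
    fault = crash["fault"]
    return {"where": where, "fault": fault, "zero_page": fault is not None and fault < 0x1000}
```

For the first crash the faulting frame is only a module offset (Xvnc+0x12e42b), which Comment #2 below resolves with debug symbols to AnimCurScreenBlockHandler at animcur.c:167.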
------- Comment #1 From cendio 2016-10-05 17:59:59 -------
Reproducible from Fedora 24, ThinLinc Client 4.6.0post-5163.
------- Comment #2 From cendio 2016-10-05 18:11:09 -------
With debug packages and gdb:

> Program received signal SIGSEGV, Segmentation fault.
> 0x000000000052e42b in AnimCurScreenBlockHandler () at animcur.c:167
> 167	                (void) (*pScreen->DisplayCursor) (dev,
> (gdb) bt full
> #0  0x000000000052e42b in AnimCurScreenBlockHandler () at animcur.c:167
>         empty = "\000\000\000"
>         AnimCurScreenPrivateKeyRec = {offset = 272, size = 0, initialized = 1, allocated = 0, 
>           type = PRIVATE_SCREEN, next = 0xb2cdc0}
>         animCursorBits = {source = 0xb2f8a0 "", mask = 0xb2f8a0 "", emptyMask = 2, width = 1, height = 1, 
>           xhot = 0, yhot = 0, refcnt = 2, devPrivates = 0x0, argb = 0x0}
> #1  0x000000000058c96a in BlockHandler ()
>         std::__cxx11::money_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::money_put<wchar_t, std::ostreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::time_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::messages<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::intl = false
>         std::__cxx11::moneypunct<wchar_t, true>::intl = true
>         std::__cxx11::collate<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, false>::intl = false
>         std::__cxx11::numpunct<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, true>::intl = true
>         std::__cxx11::moneypunct<wchar_t, true>::id = {_M_index = 0, static _S_refcount = 0}
> #2  0x00000000005d4c0d in WaitForSomething ()
>         std::__cxx11::money_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::money_put<wchar_t, std::ostreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::time_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::messages<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::intl = false
>         std::__cxx11::moneypunct<wchar_t, true>::intl = true
>         std::__cxx11::collate<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, false>::intl = false
>         std::__cxx11::numpunct<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, true>::intl = true
>         std::__cxx11::moneypunct<wchar_t, true>::id = {_M_index = 0, static _S_refcount = 0}
> #3  0x000000000058853d in Dispatch ()
>         std::__cxx11::money_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::money_put<wchar_t, std::ostreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::time_get<wchar_t, std::istreambuf_iterator<wchar_t, std::char_traits<wchar_t> > >::id = {
>           _M_index = 0, static _S_refcount = 0}
>         std::__cxx11::messages<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct<wchar_t, false>::intl = false
>         std::__cxx11::moneypunct<wchar_t, true>::intl = true
>         std::__cxx11::collate<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, false>::intl = false
>         std::__cxx11::numpunct<wchar_t>::id = {_M_index = 0, static _S_refcount = 0}
>         std::__cxx11::moneypunct_byname<wchar_t, true>::intl = true
>         std::__cxx11::moneypunct<wchar_t, true>::id = {_M_index = 0, static _S_refcount = 0}
> #4  0x000000000049cc5e in main () at main.c:295
------- Comment #3 From cendio 2016-10-06 15:20:39 -------
I can reproduce on a 32-bit Linux Mint 18 server with ThinLinc Server 4.7.0rc1.
------- Comment #4 From cendio 2016-10-06 16:36:10 -------
I could not reproduce it on SLES 12 with Chrome and Gnome 3.
------- Comment #5 From cendio 2016-10-06 17:11:20 -------
I could not reproduce it on Ubuntu 16.04 with chromium-browser and Unity. Will
test Gnome.
------- Comment #6 From cendio 2016-10-07 10:28:49 -------
(In reply to comment #3)
> I can reproduce on a 32-bit Linux Mint 18 server with ThinLinc Server 4.7.0rc1.

This was with Cinnamon (the "fallback" version of Cinnamon since the regular
version crashed).

I can't reproduce on the same Linux Mint 18 server with a Mate desktop, oddly
enough.
------- Comment #7 From cendio 2016-10-07 11:09:51 -------
Fedora 24 as a server doesn't seem to be able to provoke the bug. I tried with
Gnome 3 and Xfce as desktop environments.
------- Comment #8 From cendio 2016-10-07 12:02:51 -------
It happens for my user as well on tl.cendio.se. However I cannot provoke the
bug with chromium forwarded from my machine to tl.cendio.se, or forwarded from
tl.cendio.se to my machine. It never switches to the busy cursor in those
cases.
------- Comment #9 From cendio 2016-10-07 12:41:46 -------
It seems that gdb on RHEL 6 is confused by our binaries somehow. I got a better
backtrace using gdbserver:

(gdb) bt full
#0  miPointerUpdateSprite (pDev=0x1830b70) at mipointer.c:447
        y = 199
        devy = 199
        pScreen = 0x16600e0
        pCursor = 0x1b92cb0
        x = 798
        devx = 798
        pPointer = 0x1848ed0
        pDev = 0x1830b70
#1  0x00000000005c69fa in miPointerDisplayCursor (pDev=0x1830b70,
pScreen=0x16600e0, pCursor=0x1b92cb0) at mipointer.c:201
        pPointer = <optimized out>
        pCursor = 0x1b92cb0
        pScreen = 0x16600e0
        pDev = 0x1830b70
#2  0x00000000005ea101 in vncHooksDisplayCursor (pDev=<optimized out>,
pScreen_=0x16600e0, cursor=0x1b92cb0) at vncHooks.c:625
        ret = <optimized out>
        pScreen = 0x16600e0
#3  0x00000000004ba171 in CursorDisplayCursor (pDev=0x1830b70,
pScreen=0x16600e0, pCursor=0x1b92cb0) at cursor.c:156
        ret = <optimized out>
        backupProc = 0x4b9fd0 <CursorDisplayCursor>
#4  0x000000000052e431 in AnimCurScreenBlockHandler (pScreen=0x16600e0,
pTimeout=0x7ffcc759b6f8, pReadmask=0xb43480 <LastSelectMask>) at animcur.c:167
        ac = 0x1b8d698
        elt = 26
        DisplayCursor = 0x52eac0 <AnimCurDisplayCursor>
        dev = 0x1830b70
        activeDevice = 1
        now = 1804505069
        soonest = 4294967295
#5  0x000000000058c96a in BlockHandler (pTimeout=pTimeout@entry=0x7ffcc759b6f8,
pReadmask=pReadmask@entry=0xb43480 <LastSelectMask>) at dixutils.c:387
        i = 0
        j = <optimized out>
#6  0x00000000005d4c0d in WaitForSomething
(pClientsReady=pClientsReady@entry=0x191ddd0) at WaitFor.c:217
        i = <optimized out>
        waittime = {tv_sec = 453, tv_usec = 641000}
        wt = 0x7ffcc759b700
        timeout = <optimized out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {0, 0, 192, 214748364810, 532575944795,
472446402679, 28581328, 37272168, 107, 89, 117, 619, 32, 264890802464, 24,
23512448}}
        socketsWritable = {fds_bits = {0 <repeats 16 times>}}
        curclient = <optimized out>
        selecterr = <optimized out>
        nready = 0
        devicesReadable = {fds_bits = {0 <repeats 16 times>}}
        now = <optimized out>
        someReady = <optimized out>
#7  0x000000000058853d in Dispatch () at dispatch.c:361
        clientReady = 0x191ddd0
        result = <optimized out>
        client = <optimized out>
        nready = <optimized out>
        icheck = 0xb3d2b0 <checkForInput>
        start_tick = <optimized out>
#8  0x000000000049cc5e in main (argc=22, argv=0x7ffcc759bb88, envp=<optimized
out>) at main.c:295
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
------- Comment #10 From cendio 2016-10-07 13:01:47 -------
This seems to be a use-after-free kind of bug. The animated cursor that it is
trying to update has bogus data in it.
------- Comment #11 From cendio 2016-10-10 12:46:00 -------
This seems to have started with Chrome/Chromium 51, released in May 2016. That
release saw an updated menu button which for unknown reasons sets a busy mouse
cursor.
------- Comment #12 From cendio 2016-10-11 10:59:01 -------
Chrome/Chromium is a very common application so we need to have a look at this
now. We'll start by trying to apply upstream fixes to the animated cursor code.
------- Comment #14 From cendio 2016-10-12 11:08:06 -------
Also sent upstream:

https://lists.x.org/archives/xorg-devel/2016-October/051598.html
------- Comment #15 From cendio 2016-10-12 11:09:12 -------
Tester should make sure that animated cursors still work properly.
------- Comment #16 From cendio 2016-10-13 13:29:21 -------
Can't reproduce the crash with Chromium on Linux Mint 18 with RC2.
------- Comment #17 From cendio 2016-10-17 12:33:00 -------
Tested on CentOS 6.8 with chromium-browser-53.0.2785.143-1.el6.x86_64.

Verified that I could reproduce the problem using tl-4.7.0rc1; there were no
problems at all. The Xvnc crash was reproducible every try. However, I couldn't
find another test case than using chromium and hitting the settings menu button.

Upgraded to tl-4.7.0rc2 and I can't reproduce the crash. I verified that the
animated cursor shows up when expected. Seems all good.