
Bug#234556: xlibs: many clients get BadLength error from X_ChangeProperty request



Hi all,

I also have a Transmeta Crusoe processor with an ATI Radeon Mobility M6
LY (Vaio C1-MZX). Of course, I am experiencing the exact same bug as
described previously. As it is getting on my nerves, I decided to
investigate a little bit by myself where it comes from. I first
compiled xlogo with debugging information and ran gdb on
it. I got this output:

===============================================================

[fleury@hermes xlogo]$ gdb ./xlogo
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain 
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for 
details.
This GDB was configured as "i386-linux"...
(gdb) run -synchronous
Starting program: 
/home/fleury/devel/xfree_bug/src/xc/programs/xlogo/xlogo -synchronous
X Error of failed request:  BadLength (poly request too large or 
internal Xlib length error)
  Major opcode of failed request:  18 (X_ChangeProperty)
  Serial number of failed request:  29
  Current serial number in output stream:  30

Program exited with code 01.
(gdb) break main
Note: breakpoint 1 also set at pc 0x8049327.
Breakpoint 2 at 0x8049327: file xlogo.c, line 117.
(gdb) run -synchronous
Starting program: 
/home/fleury/devel/xfree_bug/src/xc/programs/xlogo/xlogo -synchronous

Breakpoint 1, main (argc=2, argv=0xbffff8b4) at xlogo.c:117
117         toplevel = XtOpenApplication(&app_con, "XLogo",
(gdb) s
121         if (argc != 1)
(gdb)
124         XtAddCallback(toplevel, XtNsaveCallback, save, NULL);
(gdb)
125         XtAddCallback(toplevel, XtNdieCallback, die, NULL);
(gdb)
126         XtAppAddActions
(gdb)
128         XtOverrideTranslations
(gdb)
130         XtCreateManagedWidget("xlogo", logoWidgetClass, toplevel, 
NULL, ZERO);
(gdb)
131         XtRealizeWidget(toplevel);
(gdb)
X Error of failed request:  BadLength (poly request too large or 
internal Xlib length error)
  Major opcode of failed request:  18 (X_ChangeProperty)
  Serial number of failed request:  29
  Current serial number in output stream:  30

Program exited with code 01.

===============================================================

That was obviously not totally satisfactory because I was stuck at the
level of the X server and there was no way to get deeper. So, I compiled
the whole XFree86-4.3.0 with the "-g" option.

I managed to get closer to the problem, but I'm still stuck and I don't
really know why I can't go deeper (I might have done something wrong as
well). Here is the log that I get:

===============================================================
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-linux"...
(gdb) break Color.c:99
Breakpoint 1 at 0x808c406: file Color.c, line 99.
(gdb) run :6
Starting program:
/home/fleury/devel/xfree_bug/src/xc/programs/Xserver/Xnest :6

Breakpoint 1, xnestCreateColormap (pCmap=0x83b7310) at Color.c:99
99	    XQueryColors(xnestDisplay, xnestColormap(pCmap), colors,
ncolors);
(gdb) break QuColors.c:55
Breakpoint 2 at 0x4009cf44: file QuColors.c, line 55.
(gdb) c
Continuing.
Breakpoint 2, XQueryColors (dpy=0x83b0750, cmap=65535, defs=0x83b6218, 
    ncolors=64) at QuColors.c:55
55	    if (_XReply(dpy, (xReply *) &rep, 0, xFalse) != 0) {
(gdb) s
_XReply (dpy=0x83b0750, rep=0xbffff4f0, extra=0, discard=0) at
XlibInt.c:1642
1642	    unsigned long cur_request = dpy->request;
(gdb) 
1647	    if (dpy->flags & XlibDisplayIOError)
(gdb) 
1652	    cvl = QueueReplyReaderLock(dpy);
(gdb) 
1653	    if (cvl) {
(gdb) 
_XFlushInt (dpy=0x83b0750, cv=0x0) at XlibInt.c:589
589		if (dpy->flags & XlibDisplayIOError)
(gdb) 
597		while (dpy->flags & XlibDisplayWriting) {
(gdb) 
605		size = todo = dpy->bufptr - dpy->buffer;
(gdb) 
606		if (!size) return;
(gdb) 
605		size = todo = dpy->bufptr - dpy->buffer;
(gdb) 
606		if (!size) return;
(gdb) 
612		for (ext = dpy->flushes; ext; ext = ext->next_flush)
(gdb) 
608		dpy->flags |= XlibDisplayWriting;
(gdb) 
610		dpy->bufptr = dpy->bufmax;
(gdb) 
608		dpy->flags |= XlibDisplayWriting;
(gdb) 
612		for (ext = dpy->flushes; ext; ext = ext->next_flush)
(gdb) 
610		dpy->bufptr = dpy->bufmax;
(gdb) 
612		for (ext = dpy->flushes; ext; ext = ext->next_flush)
(gdb) 
620		while (size) {
(gdb) 
614		bufindex = dpy->buffer;
(gdb) 
620		while (size) {
(gdb) 
621		    ESET(0);
(gdb) 
622		    write_stat = _X11TransWrite(dpy->trans_conn,
(gdb) 
_X11TransWrite (ciptr=0x83b0cf0, buf=0x83b0cf0 "@g\023@\003",
size=138087664) at Xtrans.c:843
843	    return ciptr->transptr->Write (ciptr, buf, size);
(gdb) 
_X11TransSocketWrite (ciptr=0x83b0db0, buf=0x83b0db0 "<\001\002", 
    size=138087856) at Xtranssock.c:1750
1750	    return write (ciptr->fd, buf, size);
(gdb) 
1744	{
(gdb) 
1750	    return write (ciptr->fd, buf, size);
(gdb) 
1752	}
(gdb) 
_X11TransWrite (ciptr=0x30c, buf=0x30c <Address 0x30c out of bounds>,
size=780)
    at Xtrans.c:844
844	}
(gdb) 
_XFlushInt (dpy=0x83b0750, cv=0x0) at XlibInt.c:624
624		    if (write_stat >= 0) {
(gdb) 
625			size -= write_stat;
(gdb) 
627			bufindex += write_stat;
(gdb) 
626			todo = size;
(gdb) 
627			bufindex += write_stat;
(gdb) 
660		dpy->last_req = (char *)&_dummy_request;
(gdb) 
661		if ((dpy->request - dpy->last_request_read) >= SEQLIMIT &&
(gdb) 
660		dpy->last_req = (char *)&_dummy_request;
(gdb) 
661		if ((dpy->request - dpy->last_request_read) >= SEQLIMIT &&
(gdb) 
667		dpy->bufptr = dpy->buffer;
(gdb) 
669		dpy->flags &= ~XlibDisplayWriting;
(gdb) 
671	}
(gdb) 
_XReply (dpy=0x83b0750, rep=0xbffff4f0, extra=0, discard=0) at
XlibInt.c:1670
1670	    if(dpy->lock &&
(gdb) 
1674	    dpy->flags |= XlibDisplayReply;
(gdb) 
1682		if (!dpy->lock || !dpy->lock->reply_was_read)
(gdb) 
1684		    (void) _XRead(dpy, (char *)rep, (long)SIZEOF(xReply));
(gdb) 
_XRead (dpy=0x83b0750, data=0xbffff4f0 "\004398587", size=32)
    at XlibInt.c:1038
1038		if ((dpy->flags & XlibDisplayIOError) || size == 0)
(gdb) 
1032	{
(gdb) 
1035		int original_size = size;
(gdb) 
1038		if ((dpy->flags & XlibDisplayIOError) || size == 0)
(gdb) 
1040		ESET(0);
(gdb) 
1041		while ((bytes_read = _X11TransRead(dpy->trans_conn, data,
(int)size))
(gdb) 
_X11TransRead (ciptr=0x83b0cf0, buf=0x83b0cf0 "@g\023@\003",
size=138087664)
    at Xtrans.c:836
836	    return ciptr->transptr->Read (ciptr, buf, size);
(gdb) 
_X11TransSocketRead (ciptr=0xbffff4f0, buf=0xbffff4f0
"\020A*@`\\8\bD\001",  size=-1073744656) at Xtranssock.c:1736
1736	    return read (ciptr->fd, buf, size);
(gdb) 
1730	{
(gdb) 
1736	    return read (ciptr->fd, buf, size);
(gdb) 
1738	}
(gdb) 
_X11TransRead (ciptr=0x20, buf=0x20 <Address 0x20 out of bounds>,
size=32)
    at Xtrans.c:837
837	}
(gdb) 
_XRead (dpy=0x83b0750, data=0xbffff4f0 "", size=32) at XlibInt.c:1072
1072	       if (dpy->lock && dpy->lock->reply_bytes_left > 0)
(gdb) 
1081		return 0;
(gdb) 
1082	}
(gdb) 
_XReply (dpy=0x83b0750, rep=0xbffff4f0, extra=0, discard=0) at
XlibInt.c:1686
1686		if (dpy->lock)
(gdb) 
1690		switch ((int)rep->generic.type) {
(gdb) 
1748			register Bool ret = False;
(gdb) 
1753			dpy->flags &= ~XlibDisplayReply;
(gdb) 
1754			serial = _XSetLastRequestRead(dpy, (xGenericReply *)rep);
(gdb) 
_XSetLastRequestRead (dpy=0x83b0750, rep=0x83b0750) at XlibInt.c:1601
1601	    lastseq = dpy->last_request_read;
(gdb) 
1598	{
(gdb) 
1601	    lastseq = dpy->last_request_read;
(gdb) 
1607	    if ((rep->type & 0x7f) == KeymapNotify)
(gdb) 
1598	{
(gdb) 
1607	    if ((rep->type & 0x7f) == KeymapNotify)
(gdb) 
1610	    newseq = (lastseq & ~((unsigned long)0xffff)) |
rep->sequenceNumber;
(gdb) 
1612	    if (newseq < lastseq) {
(gdb) 
1623	    dpy->last_request_read = newseq;
(gdb) 
1624	    return(newseq);
(gdb) 
1623	    dpy->last_request_read = newseq;
(gdb) 
1625	}
(gdb) 
_XReply (dpy=0x83b0750, rep=0xbffff4f0, extra=0, discard=0) at
XlibInt.c:1755
1755			if (serial == cur_request)
(gdb) 
1782			for (ext = dpy->ext_procs; !ret && ext; ext = ext->next) {
(gdb) 
1783			    if (ext->error) 
(gdb) 
1782			for (ext = dpy->ext_procs; !ret && ext; ext = ext->next) {
(gdb) 
1783			    if (ext->error) 
(gdb) 
1782			for (ext = dpy->ext_procs; !ret && ext; ext = ext->next) {
(gdb) 
1783			    if (ext->error) 
(gdb) 
1782			for (ext = dpy->ext_procs; !ret && ext; ext = ext->next) {
(gdb) 
1787			    _XError(dpy, err);
(gdb) 
_XError (dpy=0x83b0750, rep=0xbffff4f0) at XlibInt.c:2873
2873	    event.xerror.serial = _XSetLastRequestRead(dpy, (xGenericReply
*)rep);
(gdb) 
2865	{
(gdb) 
2873	    event.xerror.serial = _XSetLastRequestRead(dpy, (xGenericReply
*)rep);
(gdb) 
_XSetLastRequestRead (dpy=0x83b0750, rep=0xbffff4f0) at XlibInt.c:1601
1601	    lastseq = dpy->last_request_read;
(gdb) 
1598	{
(gdb) 
1601	    lastseq = dpy->last_request_read;
(gdb) 
1607	    if ((rep->type & 0x7f) == KeymapNotify)
(gdb) 
1598	{
(gdb) 
1607	    if ((rep->type & 0x7f) == KeymapNotify)
(gdb) 
1610	    newseq = (lastseq & ~((unsigned long)0xffff)) |
rep->sequenceNumber;
(gdb) 
1612	    if (newseq < lastseq) {
(gdb) 
1623	    dpy->last_request_read = newseq;
(gdb) 
1624	    return(newseq);
(gdb) 
1623	    dpy->last_request_read = newseq;
(gdb) 
1625	}
(gdb) 
_XError (dpy=0x83b0750, rep=0xbffff4f0) at XlibInt.c:2875
2875	    for (async = dpy->async_handlers; async; async = next) {
(gdb) 
2883	    event.xerror.type = X_Error;
(gdb) 
2882	    event.xerror.display = dpy;
(gdb) 
2884	    event.xerror.resourceid = rep->resourceID;
(gdb) 
2885	    event.xerror.error_code = rep->errorCode;
(gdb) 
2886	    event.xerror.request_code = rep->majorCode;
(gdb) 
2887	    event.xerror.minor_code = rep->minorCode;
(gdb) 
2888	    if (dpy->error_vec &&
(gdb) p rep->resourceID
$1 = 12582940
(gdb) p rep->errorCode
$2 = 16 '\020'
(gdb) p rep->majorCode
$3 = 18 '\022'
(gdb) p rep->minorCode
$4 = 0
(gdb) c
Continuing.

Program exited with code 01.
(gdb) quit

==============================================

Ok, so I haven't yet found the exact point where I get this error (it's a
little bit blurry to me as I am not an expert in X debugging), but I
think I'm getting closer (it's somewhere here in the trace given by
gdb).

Well, if somebody could help me go deeper, that would be great. :)

I also found some documentation about the Transmeta here:
http://www.realworldtech.com/page.cfm?ArticleID=RWT010204000000
http://www.realworldtech.com/page.cfm?ArticleID=RWT012704012616


Regards
-- 
Emmanuel Fleury

Computer Science Department, |  Office: B1-201
Aalborg University,          |  Phone:  +45 96 35 72 23
Fredriks Bajersvej 7E,       |  Fax:    +45 98 15 98 89
9220 Aalborg East, Denmark   |  Email:  fleury@cs.auc.dk



