
Bug#925168: xwayland: Xwayland coredumps



Dear Maintainer,
just trying to get some more information from the attached core.

It looks like the pointer stored in pPixmap->drawable.pScreen was somehow
overwritten and was therefore invalid when dereferenced, which is what raised the SIGSEGV.

Kind regards,
Bernhard



(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fe25804f535 in __GI_abort () at abort.c:79
#2  0x000055e22279392a in OsAbort () at ../../../../os/utils.c:1350
#3  0x000055e222799433 in AbortServer () at ../../../../os/log.c:879
#4  0x000055e22279a299 in FatalError (f=f@entry=0x55e2227be090 "Caught signal %d (%s). Server aborting\n") at ../../../../os/log.c:1017
#5  0x000055e222790d41 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at ../../../../os/osinit.c:156
#6  <signal handler called>
#7  0x000055e222755e94 in dixDestroyPixmap (value=0x55e22469e370, pid=29360190) at ../../../../dix/dispatch.c:1389
#8  0x000055e22277f70d in doFreeResource (res=0x55e224643130, skip=0) at ../../../../dix/resource.c:880
#9  0x000055e2227802bc in FreeResource (id=29360190, skipDeleteFuncType=skipDeleteFuncType@entry=0) at ../../../../dix/resource.c:910
#10 0x000055e22275612e in ProcFreePixmap (client=0x55e2245c0950) at ../../../../dix/dispatch.c:1470
#11 0x000055e22275ae0e in Dispatch () at ../../../../dix/dispatch.c:478
#12 0x000055e22275edb6 in dix_main (argc=12, argv=0x7ffeb6154988, envp=<optimized out>) at ../../../../dix/main.c:276
#13 0x00007fe25805109b in __libc_start_main (main=0x55e2226301b0 <main>, argc=12, argv=0x7ffeb6154988, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffeb6154978) at ../csu/libc-start.c:308
#14 0x000055e2226301ea in _start ()


(gdb) up
#7  0x000055e222755e94 in dixDestroyPixmap (value=0x55e22469e370, pid=29360190) at ../../../../dix/dispatch.c:1389
1389        return (*pPixmap->drawable.pScreen->DestroyPixmap) (pPixmap);


(gdb) print pPixmap->drawable.pScreen
$3 = (ScreenPtr) 0x1006b
(gdb) print pPixmap->drawable.pScreen->DestroyPixmap
Cannot access memory at address 0x1037b


(gdb) disassemble $pc-0x20,$pc+0x20
Dump of assembler code from 0x55e222755e74 to 0x55e222755eb4:
...
   0x000055e222755e90 <dixDestroyPixmap+0>:     mov    0x10(%rdi),%rax
=> 0x000055e222755e94 <dixDestroyPixmap+4>:     jmpq   *0x310(%rax)
   0x000055e222755e9a:  nopw   0x0(%rax,%rax,1)
...
End of assembler dump.


(gdb) info reg
rax            0x1006b             65643
...
# Buster amd64 qemu VM 2019-03-22

# Packages for the reproduction VM: build tooling, a Wayland desktop (sddm + kwin-wayland),
# core-dump capture (systemd-coredump), the debugger, lz4 for the core attachment and the
# Xwayland debug symbols.
apt install \
    dpkg-dev devscripts weston sddm kde-plasma-desktop kwin-wayland \
    systemd-coredump gdb lz4 xwayland-dbgsym
# Remove the X11 variant of kwin so the Wayland session is the only one available.
dpkg --purge kwin-x11


# dpkg -l | awk '{ print "ii " $2 " " $3 }' | sed 's/:amd64//g' | grep -E "(xwayland|libaudit1|libbsd0|libc6|libdrm2|libegl1|libepoxy0|libgbm1|libgcrypt20|libgl1|libpixman-1-0|libselinux1|libsystemd0|libunwind8|libwayland-client0|libxau6|libxdmcp6|libxfont2|libxshmfence1|xserver-common) " | sort
ii libaudit1 1:2.8.4-2
ii libbsd0 0.9.1-2
ii libc6 2.28-8
ii libdrm2 2.4.97-1
ii libegl1 1.1.0-1
ii libepoxy0 1.5.3-0.1
ii libgbm1 18.3.4-2
ii libgcrypt20 1.8.4-5
ii libgl1 1.1.0-1
ii libpixman-1-0 0.36.0-1
ii libselinux1 2.8-1+b1
ii libsystemd0 241-1
ii libunwind8 1.2.1-9
ii libwayland-client0 1.16.0-1
ii libxau6 1:1.0.8-1+b2
ii libxdmcp6 1:1.1.2-3
ii libxfont2 1:2.0.3-1
ii libxshmfence1 1.3-1
ii xserver-common 2:1.20.3-1
ii xwayland 2:1.20.3-1



# Bring up the sddm display manager installed above.
systemctl start sddm

# Fetch the xwayland source package into a scratch directory (gdb is later pointed
# at it with "directory"), then return to $HOME.
mkdir -p /tmp/source/xwayland/orig
cd /tmp/source/xwayland/orig
apt source xwayland
cd




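# Download the core attached to bug 925168 and unpack it.
# -O names the output file and must be part of the same wget command line as the
# URL (a ';' between the URL and -O would end the wget command and leave '-O ...'
# to run as a separate, failing command).
# The core is a full memory image of the Xwayland process; treat the file as
# sensitive (it may hold window contents of other X clients) and keep it out of
# shared or world-readable locations.
wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=925168;filename=core.Xwayland.1000.3add5670796448f2be02bc2515438b50.1347.1553103778000000.lz4;msg=5" \
    -O core.Xwayland.1000.3add5670796448f2be02bc2515438b50.1347.1553103778000000.lz4
unlz4 core.Xwayland.1000.3add5670796448f2be02bc2515438b50.1347.1553103778000000.lz4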


# Load the unpacked core, first without and then with the Xwayland executable named.
# Source-level frames and locals in the traces below presumably require the
# xwayland-dbgsym package installed above — confirm if the first session only
# shows "?? ()" frames.
gdb -q --core core.Xwayland.1000.3add5670796448f2be02bc2515438b50.1347.1553103778000000
gdb -q /usr/bin/Xwayland --core core.Xwayland.1000.3add5670796448f2be02bc2515438b50.1347.1553103778000000

# Commands entered at the (gdb) prompt of the session above.
# Disable line wrapping and paging so the transcript can be pasted as-is.
set width 0
set pagination off
# Point gdb at the unpacked xorg-server source so frames can show their source line.
directory /tmp/source/xwayland/orig/xorg-server-1.20.3/hw/xfree86/os-support/linux
bt
bt full


##########



benutzer@debian:~$ gdb -q /usr/bin/Xwayland --core core.Xwayland.1000.3add5670796448f2be02bc2515438b50.1347.1553103778000000
Reading symbols from /usr/bin/Xwayland...(no debugging symbols found)...done.
[New LWP 1347]
[New LWP 1349]
[New LWP 1355]
[New LWP 1351]
[New LWP 1354]
[New LWP 1348]
[New LWP 1350]
[New LWP 1352]
[New LWP 1353]
[New LWP 1356]

warning: Could not load shared library symbols for /usr/lib/x86_64-linux-gnu/libOpenGL.so.0.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/Xwayland :0 -rootless -terminate -accessx -core -listen 4 -listen 5 -d'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
[Current thread is 1 (Thread 0x7fe25751ea80 (LWP 1347))]
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fe25804f535 in __GI_abort () at abort.c:79
#2  0x000055e22279392a in OsAbort ()
#3  0x000055e222799433 in ?? ()
#4  0x000055e22279a299 in FatalError ()
#5  0x000055e222790d41 in ?? ()
#6  <signal handler called>
#7  0x000055e222755e94 in dixDestroyPixmap ()
#8  0x000055e22277f70d in ?? ()
#9  0x000055e2227802bc in FreeResource ()
#10 0x000055e22275612e in ?? ()
#11 0x000055e22275ae0e in ?? ()
#12 0x000055e22275edb6 in ?? ()
#13 0x00007fe25805109b in __libc_start_main (main=0x55e2226301b0, argc=12, argv=0x7ffeb6154988, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffeb6154978) at ../csu/libc-start.c:308
#14 0x000055e2226301ea in _start ()



Core was generated by `/usr/bin/Xwayland :0 -rootless -terminate -accessx -core -listen 4 -listen 5 -d'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
[Current thread is 1 (Thread 0x7fe25751ea80 (LWP 1347))]
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /tmp/source/xwayland/orig/xorg-server-1.20.3/hw/xfree86/os-support/linux
Source directories searched: /tmp/source/xwayland/orig/xorg-server-1.20.3/hw/xfree86/os-support/linux:$cdir:$cwd
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fe25804f535 in __GI_abort () at abort.c:79
#2  0x000055e22279392a in OsAbort () at ../../../../os/utils.c:1350
#3  0x000055e222799433 in AbortServer () at ../../../../os/log.c:879
#4  0x000055e22279a299 in FatalError (f=f@entry=0x55e2227be090 "Caught signal %d (%s). Server aborting\n") at ../../../../os/log.c:1017
#5  0x000055e222790d41 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at ../../../../os/osinit.c:156
#6  <signal handler called>
#7  0x000055e222755e94 in dixDestroyPixmap (value=0x55e22469e370, pid=29360190) at ../../../../dix/dispatch.c:1389
#8  0x000055e22277f70d in doFreeResource (res=0x55e224643130, skip=0) at ../../../../dix/resource.c:880
#9  0x000055e2227802bc in FreeResource (id=29360190, skipDeleteFuncType=skipDeleteFuncType@entry=0) at ../../../../dix/resource.c:910
#10 0x000055e22275612e in ProcFreePixmap (client=0x55e2245c0950) at ../../../../dix/dispatch.c:1470
#11 0x000055e22275ae0e in Dispatch () at ../../../../dix/dispatch.c:478
#12 0x000055e22275edb6 in dix_main (argc=12, argv=0x7ffeb6154988, envp=<optimized out>) at ../../../../dix/main.c:276
#13 0x00007fe25805109b in __libc_start_main (main=0x55e2226301b0 <main>, argc=12, argv=0x7ffeb6154988, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffeb6154978) at ../csu/libc-start.c:308
#14 0x000055e2226301ea in _start ()



(gdb) bt full
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {171516928, 0, 0, 0, 0, 0, 0, 0, 140610117830448, 0, 0, 0, 0, 0, 0, 0}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007fe25804f535 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {0, 0, 0, 0, 0, 94429729573577, 94429729573584, 2, 9223372036854775822, 0, 0, 0, 67108868, 140610117830448, 1604023505206102272, 0}}, sa_flags = 578543760, sa_restorer = 0x55e2227be090}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x000055e22279392a in OsAbort () at ../../../../os/utils.c:1350
No locals.
#3  0x000055e222799433 in AbortServer () at ../../../../os/log.c:879
No locals.
#4  0x000055e22279a299 in FatalError (f=f@entry=0x55e2227be090 "Caught signal %d (%s). Server aborting\n") at ../../../../os/log.c:1017
        args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7ffeb6154060, reg_save_area = 0x7ffeb6153f90}}
        args2 = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7ffeb6154060, reg_save_area = 0x7ffeb6153f90}}
        beenhere = 1
#5  0x000055e222790d41 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at ../../../../os/osinit.c:156
        unused = <optimized out>
        sip = <optimized out>
        signo = 11
#6  <signal handler called>
No locals.
#7  0x000055e222755e94 in dixDestroyPixmap (value=0x55e22469e370, pid=29360190) at ../../../../dix/dispatch.c:1389
        pPixmap = 0x55e22469e370
#8  0x000055e22277f70d in doFreeResource (res=0x55e224643130, skip=0) at ../../../../dix/resource.c:880
No locals.
#9  0x000055e2227802bc in FreeResource (id=29360190, skipDeleteFuncType=skipDeleteFuncType@entry=0) at ../../../../dix/resource.c:910
        rtype = <optimized out>
        cid = <optimized out>
        res = <optimized out>
        prev = 0x55e22458a9f0
        head = <optimized out>
        eltptr = <optimized out>
        elements = 36
#10 0x000055e22275612e in ProcFreePixmap (client=0x55e2245c0950) at ../../../../dix/dispatch.c:1470
        pMap = 0x55e22469e370
        rc = 0
        stuff = <optimized out>
#11 0x000055e22275ae0e in Dispatch () at ../../../../dix/dispatch.c:478
        result = <optimized out>
        client = 0x55e2245c0950
        start_tick = 284645
#12 0x000055e22275edb6 in dix_main (argc=12, argv=0x7ffeb6154988, envp=<optimized out>) at ../../../../dix/main.c:276
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
#13 0x00007fe25805109b in __libc_start_main (main=0x55e2226301b0 <main>, argc=12, argv=0x7ffeb6154988, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffeb6154978) at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -4004367369768564860, 94429727883712, 140731953269120, 0, 0, -7181964008658335868, -7174984169506633852}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7ffeb61549f0, 0x7fe259330190}, data = {prev = 0x0, cleanup = 0x0, canceltype = -1240118800}}}
        not_first_call = <optimized out>
#14 0x000055e2226301ea in _start ()
No symbol table info available.



SIGSEGV      11



(gdb) up
#1  0x00007fe25804f535 in __GI_abort () at abort.c:79
79      abort.c: Datei oder Verzeichnis nicht gefunden.
(gdb) 
#2  0x000055e22279392a in OsAbort () at ../../../../os/utils.c:1350
1350        abort();
(gdb) 
#3  0x000055e222799433 in AbortServer () at ../../../../os/log.c:879
879             OsAbort();
(gdb) 
#4  0x000055e22279a299 in FatalError (f=f@entry=0x55e2227be090 "Caught signal %d (%s). Server aborting\n") at ../../../../os/log.c:1017
1017            AbortServer();
(gdb) 
#5  0x000055e222790d41 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at ../../../../os/osinit.c:156
156         FatalError("Caught signal %d (%s). Server aborting\n",
(gdb) 
#6  <signal handler called>
(gdb) 
#7  0x000055e222755e94 in dixDestroyPixmap (value=0x55e22469e370, pid=29360190) at ../../../../dix/dispatch.c:1389
1389        return (*pPixmap->drawable.pScreen->DestroyPixmap) (pPixmap);
(gdb) print pPixmap
$1 = (PixmapPtr) 0x55e22469e370
(gdb) print pPixmap->drawable
$2 = {type = 224 '\340', class = 26 '\032', depth = 129 '\201', bitsPerPixel = 34 '"', id = 21986, x = -3928, y = 8832, width = 21986, height = 0, pScreen = 0x1006b, serialNumber = 94429755627312}
(gdb) print pPixmap->drawable.pScreen
$3 = (ScreenPtr) 0x1006b
(gdb) print pPixmap->drawable.pScreen->DestroyPixmap
Cannot access memory at address 0x1037b

(gdb) print sizeof(pPixmap->drawable)
$5 = 32
(gdb) print/x sizeof(pPixmap->drawable)
$7 = 0x20

(gdb) print &pPixmap->drawable
$6 = (DrawableRec *) 0x55e22469e370

(gdb) x/80xc 0x55e22469e370-40
0x55e22469e348: 0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'
0x55e22469e350: 0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'
0x55e22469e358: 80 'P'  83 'S'  92 '\\' 36 '$'  -30 '\342'      85 'U'  0 '\000'        0 '\000'
0x55e22469e360: 0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'
0x55e22469e368: 81 'Q'  0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'
0x55e22469e370: -32 '\340'      26 '\032'       -127 '\201'     34 '"'  -30 '\342'      85 'U'  0 '\000'        0 '\000'
0x55e22469e378: -88 '\250'      -16 '\360'      -128 '\200'     34 '"'  -30 '\342'      85 'U'  0 '\000'        0 '\000'
0x55e22469e380: 107 'k' 0 '\000'        1 '\001'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'
0x55e22469e388: 48 '0'  87 'W'  10 '\n' 36 '$'  -30 '\342'      85 'U'  0 '\000'        0 '\000'
0x55e22469e390: -8 '\370'       87 'W'  10 '\n' 36 '$'  -30 '\342'      85 'U'  0 '\000'        0 '\000'
(gdb) x/80xb 0x55e22469e370-40
0x55e22469e348: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55e22469e350: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55e22469e358: 0x50    0x53    0x5c    0x24    0xe2    0x55    0x00    0x00
0x55e22469e360: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55e22469e368: 0x51    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55e22469e370: 0xe0    0x1a    0x81    0x22    0xe2    0x55    0x00    0x00
0x55e22469e378: 0xa8    0xf0    0x80    0x22    0xe2    0x55    0x00    0x00
0x55e22469e380: 0x6b    0x00    0x01    0x00    0x00    0x00    0x00    0x00
0x55e22469e388: 0x30    0x57    0x0a    0x24    0xe2    0x55    0x00    0x00
0x55e22469e390: 0xf8    0x57    0x0a    0x24    0xe2    0x55    0x00    0x00




(gdb) disassemble $pc-0x20,$pc+0x20
Dump of assembler code from 0x55e222755e74 to 0x55e222755eb4:
   0x000055e222755e74 <ProcListFontsWithInfo+52>:       (bad)  
   0x000055e222755e75 <ProcListFontsWithInfo+53>:       add    %r8b,(%rax)
   0x000055e222755e78 <ProcListFontsWithInfo+56>:       movzwl 0x4(%rdx),%ecx
   0x000055e222755e7c <ProcListFontsWithInfo+60>:       add    $0x8,%rdx
   0x000055e222755e80 <ProcListFontsWithInfo+64>:       jmpq   0x55e22275e370 <StartListFontsWithInfo>
   0x000055e222755e85:  data16 nopw %cs:0x0(%rax,%rax,1)
   0x000055e222755e90 <dixDestroyPixmap+0>:     mov    0x10(%rdi),%rax
=> 0x000055e222755e94 <dixDestroyPixmap+4>:     jmpq   *0x310(%rax)
   0x000055e222755e9a:  nopw   0x0(%rax,%rax,1)
   0x000055e222755ea0 <ProcCreatePixmap+0>:     push   %r13
   0x000055e222755ea2 <ProcCreatePixmap+2>:     push   %r12
   0x000055e222755ea4 <ProcCreatePixmap+4>:     push   %rbp
   0x000055e222755ea5 <ProcCreatePixmap+5>:     mov    $0x10,%ebp
   0x000055e222755eaa <ProcCreatePixmap+10>:    push   %rbx
   0x000055e222755eab <ProcCreatePixmap+11>:    sub    $0x18,%rsp
   0x000055e222755eaf <ProcCreatePixmap+15>:    mov    %fs:0x28,%rax
End of assembler dump.

(gdb) info reg
rax            0x1006b             65643
rbx            0x55e224643130      94429761515824
rcx            0x40000002          1073741826
rdx            0x55e22283bd28      94429730028840
rsi            0x1c0003e           29360190
rdi            0x55e22469e370      94429761889136
rbp            0x0                 0x0
rsp            0x7ffeb6154718      0x7ffeb6154718
r8             0x1                 1
r9             0x0                 0
r10            0xa                 10
r11            0x0                 0
r12            0x0                 0
r13            0x55e22458a9f0      94429760760304
r14            0x24                36
r15            0x55e22281f380      94429729911680
rip            0x55e222755e94      0x55e222755e94 <dixDestroyPixmap+4>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
