tigervnc dumps core on stop

[antonbutanaev]

tigervnc dumps core on stop
After issuing command
systemctl --user stop vncserver@:1.service
coredump detected

To Reproduce
Steps to reproduce the behavior:

1. systemctl --user start vncserver@:1.service
2. systemctl --user stop vncserver@:1.service

Expected behavior
No coredump

Server (please complete the following information):

• OS: Arch linux
• VNC server: TigerVNC
• VNC server version: tigervnc 1.9.0-1

Additional context
journalctl:

мар 31 21:43:51 kitat systemd[9263]: Stopping Remote desktop service (VNC)...
мар 31 21:43:52 kitat vncserver[11609]: Killing Xvnc process ID 11418
мар 31 21:43:52 kitat pulseaudio[11353]: ICE default IO error handler doing an exit(), pid = 11353, errno = 11
мар 31 21:43:52 kitat org.a11y.Bus[11432]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":1"
мар 31 21:43:52 kitat org.a11y.Bus[11432]:       after 21 requests (21 known processed) with 0 events remaining.
мар 31 21:43:52 kitat xfce4-notifyd[11552]: xfce4-notifyd: Fatal IO error 11 (Ресурс временно недоступен) on X server :1.
мар 31 21:43:52 kitat audit[11418]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=54 pid=11418 comm="Xvnc" exe="/usr/bin/Xvnc" sig=6 res=1
мар 31 21:43:52 kitat kernel: audit: type=1701 audit(1554043432.011:219): auid=1000 uid=1000 gid=1000 ses=54 pid=11418 comm="Xvnc" exe="/usr/bin/Xvnc" sig=6 res=1
мар 31 21:43:52 kitat systemd[9263]: pulseaudio.service: Main process exited, code=exited, status=1/FAILURE
мар 31 21:43:52 kitat systemd[9263]: pulseaudio.service: Failed with result 'exit-code'.
мар 31 21:43:52 kitat polkitd[4175]: Unregistered Authentication Agent for unix-session:53 (system bus name :1.541, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale ru_RU.UTF-8) (disconnected from bus)
мар 31 21:43:52 kitat systemd[1]: Started Process Core Dump (PID 11615/UID 0).
мар 31 21:43:52 kitat audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@4-11615-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 31 21:43:52 kitat kernel: audit: type=1130 audit(1554043432.031:220): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@4-11615-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 31 21:43:52 kitat systemd[9263]: pulseaudio.service: Service RestartSec=100ms expired, scheduling restart.
мар 31 21:43:52 kitat systemd[9263]: pulseaudio.service: Scheduled restart job, restart counter is at 3.
мар 31 21:43:52 kitat systemd[9263]: Stopped Sound Service.
мар 31 21:43:52 kitat systemd[9263]: Starting Sound Service...
мар 31 21:43:52 kitat pulseaudio[11617]: W: [pulseaudio] pid.c: Stale PID file, overwriting.
мар 31 21:43:52 kitat systemd[9263]: Started Sound Service.
мар 31 21:43:52 kitat systemd-coredump[11616]: Process 11418 (Xvnc) of user 1000 dumped core.
                                                  
                                                  Stack trace of thread 11418:
                                                  #0  0x00007fb68e767d7f raise (libc.so.6)
                                                  #1  0x00007fb68e752672 abort (libc.so.6)
                                                  #2  0x0000557b266041fd OsAbort (Xvnc)
                                                  #3  0x0000557b26608f49 AbortServer (Xvnc)
                                                  #4  0x0000557b26609dcf FatalError (Xvnc)
                                                  #5  0x0000557b26601454 n/a (Xvnc)
                                                  #6  0x00007fb68f0ea3c0 __restore_rt (libpthread.so.0)
                                                  #7  0x0000557b2655d0db _ZN14XserverDesktopD2Ev (Xvnc)
                                                  #8  0x0000557b2655d24a _ZN14XserverDesktopD0Ev (Xvnc)
                                                  #9  0x0000557b265516b8 vncExtensionClose (Xvnc)
                                                  #10 0x0000557b265c1071 CloseDownExtensions (Xvnc)
                                                  #11 0x0000557b265b13c2 dix_main (Xvnc)
                                                  #12 0x00007fb68e754223 __libc_start_main (libc.so.6)
                                                  #13 0x0000557b2647f06a _start (Xvnc)
                                                  
                                                  Stack trace of thread 11422:
                                                  #0  0x00007fb68f0e5afc pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
                                                  #1  0x00007fb68c4a1434 n/a (swrast_dri.so)
                                                  #2  0x00007fb68c4a1378 n/a (swrast_dri.so)
                                                  #3  0x00007fb68f0dfa9d start_thread (libpthread.so.0)
                                                  #4  0x00007fb68e82bb23 __clone (libc.so.6)
                                                  
                                                  Stack trace of thread 11423:
                                                  #0  0x00007fb68f0e5afc pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
                                                  #1  0x00007fb68c4a1434 n/a (swrast_dri.so)
                                                  #2  0x00007fb68c4a1378 n/a (swrast_dri.so)
                                                  #3  0x00007fb68f0dfa9d start_thread (libpthread.so.0)
                                                  #4  0x00007fb68e82bb23 __clone (libc.so.6)
                                                  
                                                  Stack trace of thread 11420:
                                                  #0  0x00007fb68f0e5afc pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
                                                  #1  0x00007fb68c4a1434 n/a (swrast_dri.so)
                                                  #2  0x00007fb68c4a1378 n/a (swrast_dri.so)
                                                  #3  0x00007fb68f0dfa9d start_thread (libpthread.so.0)
                                                  #4  0x00007fb68e82bb23 __clone (libc.so.6)
                                                  
                                                  Stack trace of thread 11419:
                                                  #0  0x00007fb68f0e5afc pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
                                                  #1  0x00007fb68c4a1434 n/a (swrast_dri.so)
                                                  #2  0x00007fb68c4a1378 n/a (swrast_dri.so)
                                                  #3  0x00007fb68f0dfa9d start_thread (libpthread.so.0)
                                                  #4  0x00007fb68e82bb23 __clone (libc.so.6)
                                                  
                                                  Stack trace of thread 11424:
                                                  #0  0x00007fb68f0e5afc pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
                                                  #1  0x00007fb68c4a1434 n/a (swrast_dri.so)
                                                  #2  0x00007fb68c4a1378 n/a (swrast_dri.so)
                                                  #3  0x00007fb68f0dfa9d start_thread (libpthread.so.0)
                                                  #4  0x00007fb68e82bb23 __clone (libc.so.6)
                                                  
                                                  Stack trace of thread 11421:
                                                  #0  0x00007fb68f0e5afc pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
                                                  #1  0x00007fb68c4a1434 n/a (swrast_dri.so)
                                                  #2  0x00007fb68c4a1378 n/a (swrast_dri.so)
                                                  #3  0x00007fb68f0dfa9d start_thread (libpthread.so.0)
                                                  #4  0x00007fb68e82bb23 __clone (libc.so.6)
мар 31 21:43:52 kitat systemd[1]: [email protected]: Succeeded.
мар 31 21:43:53 kitat kernel: audit: type=1131 audit(1554043432.864:221): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@4-11615-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 31 21:43:52 kitat audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@4-11615-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 31 21:43:53 kitat systemd[1]: run-user-1000-gvfs.mount: Succeeded.
мар 31 21:43:53 kitat systemd[9263]: run-user-1000-gvfs.mount: Succeeded.
мар 31 21:43:54 kitat systemd[9263]: vncserver@:1.service: Succeeded.
мар 31 21:43:54 kitat systemd[9263]: Stopped Remote desktop service (VNC).

kitat:1.log:

Gdk-Message: 19:41:22.453: wrapper-2.0: Fatal IO error 11 (Ресурс временно недоступен) on X server :1.0.

wrapper-1.0: Fatal IO error 11 (Ресурс временно недоступен) on X server :1.0.
(EE) 
(EE) Backtrace:
(EE) 0: /usr/bin/Xvnc (OsLookupColor+0x13a) [0x55dbb823e51a]
(EE) 1: /usr/lib/libpthread.so.0 (funlockfile+0x50) [0x7fda1067a40f]
(EE) 2: /usr/bin/Xvnc (_ZN14XserverDesktopD2Ev+0xdb) [0x55dbb819a0db]
(EE) 3: /usr/bin/Xvnc (_ZN14XserverDesktopD0Ev+0xa) [0x55dbb819a24a]
(EE) 4: /usr/bin/Xvnc (vncExtensionClose+0x28) [0x55dbb818e6b8]
(EE) 5: /usr/bin/Xvnc (CloseDownExtensions+0x31) [0x55dbb81fe071]
Gdk-Message: 19:41:22.458: xfdesktop: Fatal IO error 11 (Ресурс временно недоступен) on X server :1.0.

(EE) 6: /usr/bin/Xvnc (dix_main+0x3d2) [0x55dbb81ee3c2]
(EE) 7: /usr/lib/libc.so.6 (__libc_start_main+0xf3) [0x7fda0fce4223]
(EE) 8: /usr/bin/Xvnc (_start+0x2a) [0x55dbb80bc06a]
(EE) 
(EE) Segmentation fault at address 0x8
(EE) 
Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE) 

[CendioOssman]

Hmm.. That backtrace is very odd and does not match the code. I wonder if it is corrupted somewhere. Also noteworthy that both you and #800 has OsLookupColor in the backtrace. The other issue was a Debian build though, and this is Arch...

The last sane address suggests that XserverDesktop::listeners has been corrupted somehow. Are you able to rebuild Xvnc? Could you build it with this patch:

diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc
index d8b3a4d4..932fa8ba 100644
--- a/unix/xserver/hw/vnc/XserverDesktop.cc
+++ b/unix/xserver/hw/vnc/XserverDesktop.cc
@@ -93,6 +93,8 @@ XserverDesktop::XserverDesktop(int screenIndex_,
 XserverDesktop::~XserverDesktop()
 {
   while (!listeners.empty()) {
+    vlog.error("Listener:");
+    vlog.error("    %p", listeners.back());
     vncRemoveNotifyFd(listeners.back()->getFd());
     delete listeners.back();
     listeners.pop_back();

[antonbutanaev]

Hi!

Builded it from git (fd3bfa6).
Had to add CPPFLAGS=-I/usr/include/libdrm to ./configure or else drm_fourcc.h was not found:
$ find /usr/include -name drm_fourcc.h
/usr/include/libdrm/drm_fourcc.h

No coredump on stop. The problem gone.

[antonbutanaev]

Attached gdb to Xvnc process (tigervnc 1.9.0). Called vncserver -kill :1

Attaching to process 3025
[New LWP 3026]
[New LWP 3027]
[New LWP 3028]
[New LWP 3029]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
0x00007fe5ffdfbe57 in epoll_wait () from /usr/lib/libc.so.6
(gdb) c
Continuing.

Thread 1 "Xvnc" received signal SIGTERM, Terminated.
0x00007fe5ffdfbe57 in epoll_wait () from /usr/lib/libc.so.6
(gdb) c
Continuing.

Thread 1 "Xvnc" received signal SIGSEGV, Segmentation fault.
0x000055801a2170db in XserverDesktop::~XserverDesktop() ()
(gdb) bt
#0  0x000055801a2170db in XserverDesktop::~XserverDesktop() ()
#1  0x000055801a21724a in XserverDesktop::~XserverDesktop() ()
#2  0x000055801a20b6b8 in vncExtensionClose ()
#3  0x000055801a27b071 in CloseDownExtensions ()
#4  0x000055801a26b3c2 in dix_main ()
#5  0x00007fe5ffd24223 in __libc_start_main () from /usr/lib/libc.so.6
#6  0x000055801a13906a in _start ()
(gdb)

[CendioOssman]

Interesting that master works. Perhaps this got fixed. But I don't see any commits explaining it, so let's dig a bit more.

Did you rebuild 1.9.0 with that suggested patch? What does kitat:1.log say in that case?

[antonbutanaev]

Built 1.9.0 with suggested patch, and with debug enabled.
askiz:1.log:

 XserverDesktop: Listener:
 XserverDesktop:     0x55e569d49fc0
 XserverDesktop: Listener:
 XserverDesktop:     0x55e569d4a160
(EE) 
(EE) Backtrace:
(EE) 0: /usr/bin/Xvnc (OsSigHandler+0x2a) [0x55e56908111a]
(EE) 1: /usr/lib/libpthread.so.0 (funlockfile+0x50) [0x7f0d927ca40f]
(EE) 2: /usr/bin/Xvnc (_ZN14XserverDesktopD2Ev+0x113) [0x55e568fe2523]
(EE) 3: /usr/bin/Xvnc (_ZN14XserverDesktopD0Ev+0xa) [0x55e568fe268a]
(EE) 4: /usr/bin/Xvnc (vncExtensionClose+0x28) [0x55e568fd6ac8]
(EE) 5: /usr/bin/Xvnc (CloseDownExtensions+0x31) [0x55e569040a81]
(EE) 6: /usr/bin/Xvnc (dix_main+0x3d2) [0x55e569030db2]
(EE) 7: /usr/lib/libc.so.6 (__libc_start_main+0xf3) [0x7f0d91c1c223]
(EE) 8: /usr/bin/Xvnc (_start+0x2e) [0x55e568f03d9e]
(EE) 
(EE) Segmentation fault at address 0x8
(EE) 
Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE) 

It seems that destructor ~XserverDesktop() called twice, as if ~XserverDesktop() called itself.

[antonbutanaev]

Here is how package is built on Arch (I added debug and patch):

prepare() {
  cd "$srcdir"/${pkgname}-${pkgver}
  cd unix/xserver
  cp -r "$srcdir"/xorg-server-${_xorgver}/* .
  patch -Np1 -i ../xserver120.patch
  patch -p3 -i ../../../a.patch # suggested patch
}

build() {
  cd "$srcdir"/${pkgname}-${pkgver}

  cmake -G "Unix Makefiles" \
    -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=RelWithDebInfo \
    -DBUILD_JAVA=TRUE
  make

  cd unix/xserver
  autoreconf -fiv
  LDFLAGS="$LDFLAGS -g " \
  CPPFLAGS="$CPPFLAGS -g " \
  CXXFLAGS="$CXXFLAGS -g " \
  CFLAGS="$CFLAGS -g -I/usr/include/libdrm" ./configure --prefix=/usr \
    --disable-static --without-dtrace --enable-debug \
    --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
    --disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \
    --disable-config-hal --disable-config-udev --with-pic \
    --disable-unit-tests --disable-devel-docs --disable-selective-werror \
    --disable-dri --enable-dri2 --enable-dri3 --enable-glx
  make
}

If I change -DBUILD_JAVA=TRUE to -DBUILD_JAVA=FALSE, the problem's gone, no crash. Then, if I change it back, the problem returns. Arch linux uses openjdk: jre8-openjdk-headless jre8-openjdk jdk8-openjdk.

And this probably explains why build from git doesn't crash. It builds without java:

prepare() {
  cd tigervnc
  cd unix/xserver
  cp -r "$srcdir"/xorg-server-${_xorgver}/* .
  patch -Np1 -i ../xserver120.patch
}

build() {
  cd tigervnc

  cmake -G "Unix Makefiles" \
    -DCMAKE_INSTALL_PREFIX=/usr \

  make

  cd unix/xserver
  autoreconf -fiv
  ./configure --prefix=/usr \
	--disable-static --without-dtrace \
	--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
	--disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \
	--disable-config-hal --disable-config-udev --with-pic \
	--disable-unit-tests --disable-devel-docs --disable-selective-werror \
	--disable-dri --enable-dri2 --enable-dri3 --enable-glx
  make
}

[CendioOssman]

Built 1.9.0 with suggested patch, and with debug enabled.

Hmm.... Nothing odd there.

It seems that destructor ~XserverDesktop() called twice, as if ~XserverDesktop() called itself.

That's a C++ quirk and is some magic that has to do with virtual destructors. You can see that it is actually two different functions (D2 vs D0).

If I change -DBUILD_JAVA=TRUE to -DBUILD_JAVA=FALSE, the problem's gone, no crash. Then, if I change it back, the problem returns. Arch linux uses openjdk: jre8-openjdk-headless jre8-openjdk jdk8-openjdk.

That is extremely odd. That only controls the Java client and has no effect on the server at all. I'm afraid I have to insist that it must have been some other side effect happening at the same time.

The build type was changed at the same time, which could be a reason for a change in behaviour. There are also differences in the configure line.

Could you attach the entire server log? Perhaps there is some subtle clue in there.

[antonbutanaev]

Here is entire server log:
askiz:1.log

[CendioOssman]

Thank you. Unfortunately I could not see any clues in there. :/

[CendioOssman]

Hang on! I just spotted the bug!

And apparently so did @alanc, and I thought it was fixed:

3fed95e#diff-cad379b518c09467c09520f2f863c6d1R165

This code has been removed in master though, so the bug is most definitely gone now. If you want to fix 1.9.0 then change that listeners to httpListeners and it should be fixed.