Xvfb crashes with SIGSEGV in FreeColormap()

If I specify a screen the crash does not occur.

 Xvfb :1 -auth hosts -screen 0 800x600x24

Hi adam-indexdata,

Please attach the output of `lspci -vvnn`, and attach your /var/log/Xorg.0.log (and maybe Xorg.0.log.old) file from after reproducing this issue. If you've made any customizations to your /etc/X11/xorg.conf please attach that as well.

Could you please collect a full backtrace from when this crash occurs? Directions on collecting full backtraces are at https://wiki.ubuntu.com/X/Backtracing

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

Please collect a 'bt full' on this issue. The 'bt' alone doesn't provide the variable values.

Program received signal SIGSEGV, Segmentation fault.
---Type <return> to continue, or q <return> to quit---
[Switching to Thread 0x7facb72e46f0 (LWP 7931)]
0x0000000000507665 in FreeColormap ()
(gdb) bt full
#0 0x0000000000507665 in FreeColormap ()
No symbol table info available.
#1 0x000000000052a1cb in FreeClientResources ()
No symbol table info available.
#2 0x000000000052a2b4 in FreeAllResources ()
No symbol table info available.
#3 0x0000000000526adb in main ()
No symbol table info available.
(gdb)

xserver configuration

also confirmed in a 64-bit ubuntu 9.04
(however, this didn't happen on a 32-bit ubuntu 9.04)

Unfortunately there still is not enough information in the backtrace to troubleshoot this bug; please follow the directions at http://wiki.ubuntu.com/X/Backtracing to collect a full backtrace.

We're closing this bug since it is has been some time with no response from the original reporter. However, if the issue still exists please feel free to reopen with the requested information. Also, if you could, please test against the latest development version of Ubuntu, since this confirms the bug is one we may be able to pass upstream for help.

The problem still exists and has been reported by others..
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529927

Compiled xvfb (2:1.6.0-0ubuntu14) from deb sources but with debugging enabled and no stripping..

adam@durum:~/xvfb$ diff rules xorg-server-1.6.0/debian/rules
16c16
< CFLAGS += -O0
---
> CFLAGS += -O2
181c181
< # dh_strip -s --dbg-package=xserver-xorg-core
---
> dh_strip -s --dbg-package=xserver-xorg-core

In console 1:
   valgrind Xvfb -auth hosts :1
In console 2:
   xeyes -display :1

valgrind output shows that the immediate problem is that xrealloc in glx/glxscreen.c:276 causes some colormaps to have a bad pVisual member.. That is : some colormaps STILL point to the old memory .. In other words.. not all colormaps gets fixed up in AddScreenVisuals. Here is a gdb session where we track the colormaps created/destroyed.

adam@durum:~/xvfb$ gdb --args Xvfb -auth hosts :1
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) break colormap.c:279
Breakpoint 1 at 0x56db8c: file ../../dix/colormap.c, line 279.
(gdb) break FreeColormap
Breakpoint 2 at 0x56e2d1: file ../../dix/colormap.c, line 428.
(gdb) run
Starting program: /usr/bin/Xvfb -auth hosts :1
[Thread debugging using libthread_db enabled]
[New Thread 0x7f0639991710 (LWP 3767)]
[Switching to Thread 0x7f0639991710 (LWP 3767)]

Breakpoint 1, CreateColormap (mid=32, pScreen=0x2253800, pVisual=0x2253dc0,
    ppcmap=0x7fff419bba90, alloc=0, client=0) at ../../dix/colormap.c:279
279 if (!pmap)
(gdb) print pmap
$1 = (ColormapPtr) 0x2254e20
(gdb) bt
#0 CreateColormap (mid=32, pScreen=0x2253800, pVisual=0x2253dc0,
    ppcmap=0x7fff419bba90, alloc=0, client=0) at ../../dix/colormap.c:279
#1 0x00000000005cf8b2 in miCreateDefColormap (pScreen=0x2253800)
    at ../../mi/micmap.c:318
#2 0x000000000056d551 in fbCreateDefColormap (pScreen=0x2253800)
    at ../../../fb/fbcmap_mi.c:91
#3 0x000000000042defc in vfbScreenInit (index=0, pScreen=0x2253800, argc=4,
    argv=0x7fff419bbd28) at ../../../hw/vfb/InitOutput.c:952
#4 0x00000000005a1199 in AddScreen (pfnInit=0x42db2b <vfbScreenInit>, argc=4,
    argv=0x7fff419bbd28) at ../../dix/main.c:702
#5 0x000000000042e0e3 in InitOutput (screenInfo=0x88a780, argc=4,
    argv=0x7fff419bbd28) at ../../../hw/vfb/InitOutput.c:1018
#6 0x00000000005a03b6 in main (argc=4, argv=0x7fff419bbd28,
    envp=0x7fff419bbd50) at ../../dix/main.c:315
(gdb) cont
Continuing.

Breakpoint 1, CreateColormap (mid=64, pScreen=0x2253800, pVisual=0x2253df8,
    ppcmap=0x2254238, alloc=0, client=0) at ../../dix/colormap.c:279
279 if (!pmap)
(gdb) print pmap
$2 = (ColormapPtr) 0x2265d90
(gdb) bt
#0 CreateColormap (mid=64, pScreen=0x2253800, pVisual=0x2253df8,
    ppcmap=0x2254238, alloc=0, client=0) at ../../dix/colormap.c:279
#1 0x00000000004ee198 in PictureInitIndexedFormat (pScreen=0x2253800,
    format=0x2254210) at ../../render/picture.c:417
#2 0x00000000004ee238 in PictureInitIndexedFormats (pScreen=0x2253800)
    at ../../render/picture.c:439
#3 0x00000000004ee28b in PictureFinishInit () at ../../render/picture.c:451
#4 0x00000000004f133c in RenderExtensionInit () at ../../render/render.c:244
#5 0x000000000042e41c in InitExtensions (argc=4, argv=0x7fff419bbd28)
    at ../../../mi/miinitext.c:457
#6 0x00000000005a03e1 in main (argc=4, argv=0x7fff419bbd28,
    envp=0x7fff419bbd50) at ../../dix/main.c:319
(gdb) cont
Cont...