xfce4-display-settings SGISEGV in display_settings_get_profiles

Since the update to 4.14, xfce4-display-settings seg faults on my Archlinux.
The stack trace is not really helpful:

[0] from 0x00007ffff6f9e15e in __strcmp_avx2+30
(no arguments)
[1] from 0x0000555555565a0c
(no arguments)
[+]

>>> bt
#0 0x00007ffff6f9e15e in __strcmp_avx2 () at /usr/lib/libc.so.6
#1 0x0000555555565a0c in ()
#2 0x000055555555dad5 in ()
#3 0x0000555555560896 in ()
#4 0x000055555555b201 in ()
#5 0x00007ffff6e6aee3 in __libc_start_main () at /usr/lib/libc.so.6
#6 0x000055555555bd0e in ()

System information:

System: Host: bimo Kernel: 5.2.8-arch1-1-ARCH x86_64 bits: 64 compiler: gcc v: 9.1.0 Desktop: Xfce 4.14.1 tk: Gtk 3.24.10
           info: xfce4-panel wm: xfwm4 dm: GDM 3.32.0 Distro: Arch Linux
Machine: Type: Laptop System: LENOVO product: 20HGS3B400 v: ThinkPad T470s serial: <filter> Chassis: type: 10
           serial: <filter>
           Mobo: LENOVO model: 20HGS3B400 serial: <filter> UEFI: LENOVO v: N1WET49W (1.28 ) date: 07/04/2018
Battery: ID-1: BAT0 charge: 18.8 Wh condition: 18.9/23.5 Wh (80%) volts: 12.7/11.2 model: SANYO 00HW022 type: Li-poly
           serial: <filter> status: Unknown cycles: 107
           ID-2: BAT1 charge: 23.4 Wh condition: 23.4/26.3 Wh (89%) volts: 12.8/11.4 model: SANYO 01AV405 type: Li-ion
           serial: <filter> status: Full cycles: 206
CPU: Topology: Dual Core model: Intel Core i5-7200U bits: 64 type: MT MCP arch: Kaby Lake rev: 9 L2 cache: 3072 KiB
           flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx bogomips: 21704
           Speed: 700 MHz min/max: 400/3100 MHz Core speeds (MHz): 1: 700 2: 700 3: 700 4: 701
Graphics: Device-1: Intel HD Graphics 620 vendor: Lenovo driver: i915 v: kernel bus ID: 00:02.0 chip ID: 8086:5916
           Display: x11 server: X.org 1.20.5 driver: i915 resolution: <xdpyinfo missing>
           Message: Unable to show advanced data. Required tool glxinfo missing.
Audio: Device-1: Intel Sunrise Point-LP HD Audio vendor: Lenovo driver: snd_hda_intel v: kernel bus ID: 00:1f.3
           chip ID: 8086:9d71
           Sound Server: ALSA v: k5.2.8-arch1-1-ARCH
Network: Device-1: Intel Ethernet I219-V vendor: Lenovo driver: e1000e v: 3.2.6-k port: efa0 bus ID: 00:1f.6
           chip ID: 8086:15d8
           IF: enp0s31f6 state: up speed: 1000 Mbps duplex: full mac: <filter>
           Device-2: Intel Wireless 8265 / 8275 driver: iwlwifi v: kernel port: efa0 bus ID: 3a:00.0 chip ID: 8086:24fd
           IF: wlp58s0 state: up mac: <filter>
           IF-ID-1: docker0 state: down mac: <filter>
Drives: Local Storage: total: 476.94 GiB used: 332.20 GiB (69.7%)
           ID-1: /dev/nvme0n1 vendor: Samsung model: MZVLW512HMJP-000L7 size: 476.94 GiB speed: 31.6 Gb/s lanes: 4
           serial: <filter> rev: 6L7QCXY7 temp: 35 C scheme: GPT
Partition: ID-1: / size: 466.45 GiB used: 332.13 GiB (71.2%) fs: btrfs dev: /dev/dm-0
           ID-2: /boot size: 499.0 MiB used: 73.6 MiB (14.7%) fs: vfat dev: /dev/nvme0n1p1
           ID-3: /home size: 466.45 GiB used: 332.13 GiB (71.2%) fs: btrfs dev: /dev/dm-0
           ID-4: swap-1 size: 10.00 GiB used: 0 KiB (0.0%) fs: swap dev: /dev/nvme0n...

Can confirm. I tried to build the xfce4-settings from source with debugging on, not sure if it worked, but I ran it through valgrind and got some interesting results.

Here is valgrind output from running xfce4-settings-manager, then clicking on display, then pressing "update profile":

bryson@archpad[xfce4-settings]$ valgrind xfce4-settings-manager
==10799== Memcheck, a memory error detector
==10799== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10799== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10799== Command: xfce4-settings-manager
==10799==

(xfce4-settings-manager:10799): xfce4-settings-manager-CRITICAL **: 12:55:02.889: pluggable dialog "xfce4-display-settings" crashed
==10799== Invalid read of size 8
==10799== at 0x4FDC525: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x4FE69C6: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x503BACA: gdk_display_get_event (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x4FE6703: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x538DCF3: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x538FB10: ??? (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x5390A62: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x4B46EEE: gtk_main (in /usr/lib/libgtk-3.so.0.2406.4)
==10799== by 0x10C274: ??? (in /usr/bin/xfce4-settings-manager)
==10799== by 0x546FEE2: (below main) (in /usr/lib/libc-2.29.so)
==10799== Address 0x9c7dc58 is 8 bytes inside a block of size 24 free'd
==10799== at 0x48399AB: free (vg_replace_malloc.c:530)
==10799== by 0x50259D2: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x502C248: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x4FD3D49: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x49521C4: ??? (in /usr/lib/libgtk-3.so.0.2406.4)
==10799== by 0x4FDC51E: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x4FE69C6: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x503BACA: gdk_display_get_event (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x4FE6703: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x538DCF3: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x538FB10: ??? (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x5390A62: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== Block was alloc'd at
==10799== at 0x483877F: malloc (vg_replace_malloc.c:299)
==10799== by 0x5387289: g_malloc (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x5369673: g_slice_alloc (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x5391B34: g_list_append (in /usr/lib/libglib-2.0.so.0.6000.6)
==10799== by 0x502C9A1: gdk_window_add_filter (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x49518D9: ??? (in /usr/lib/libgtk-3.so.0.2406.4)
==10799== by 0x4952115: ??? (in /usr/lib/libgtk-3.so.0.2406.4)
==10799== by 0x4FDC51E: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x4FE69C6: ??? (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x503BACA: gdk_display_get_event (in /usr/lib/libgdk-3.so.0.2406.4)
==10799== by 0x4FE6703: ??? (in /...

Can confirm this is also happening to me. Segmentation fault (core dumped) for xfce4-display-settings. Has been like this since 4.14. Problem exists on clean install as well.

i am experiencing the same issue when opening the Display properties. reverting to an older xfce4-settings did not fix the issue nor did a complete reinstall. still persists.

(In reply to Christian Herold from comment #0)
> Since the update to 4.14, xfce4-display-settings seg faults on my Archlinux.
I also use Arch, but I can't reproduce this crash. Do you have an external monitor plugged? The crash happens when a single monitor is in use?

> The stack trace is not really helpful
That's because the binary from the repository doesn't have debug symbols.

(In reply to Bryson Reese from comment #1)
> Here is valgrind output from running xfce4-settings-manager, then clicking
> on display, then pressing "update profile"
Can you crash xfce4-display-settings without opening it in Settings Manager?

> If needed, I could compile from source and try to provide better backtraces
> and such, but that will have to wait until tonight as I have work!
Backtraces (gdb) would be helpful, if they are too long, please attach a file.

> I also use Arch, but I can't reproduce this crash. Do you have an external monitor plugged? The crash happens when a single monitor is in use?

Yes there are two external monitors connected.

> Can you crash xfce4-display-settings without opening it in Settings Manager?

When I make a fresh boot and start the display settings using Settings Manager, it works well for the first time.
But when I close the display-settings and try again to open using Settings Manager, then it is not working.

> Backtraces (gdb) would be helpful, if they are too long, please attach a file.

Could I build the display-manager standalone?

I have the same problem, however it's not xfce4-settings-manager that crashes for me, but the daemon xfsettingsd, and when it segfaults, xfce4-display-settings crashes.

And I managed to find that it segfaults as soon as you connect the THIRD monitor.

It's stable with one or two monitors, and crashes when he detects the third, whichever it is.

I can provide a log from coredumpctl
https://pastebin.com/raw/0h0S4biu

and a log obtained launching 'XFSETTINGSD_DEBUG=1 xfsettingsd --replace --no-daemon'
https://pastebin.com/raw/4yJNvGhi

Managed to compile xfce4-settings with debug symbols on, here is the same coredump
https://pastebin.com/raw/MY5aD0RG

and a gdb trace from the same coredump
https://pastebin.com/raw/2gvssvuL

I will add that this issue is not present on 4.12.4

Created attachment 8887
Very rough patch

Hi, please try if the attached patch fixes the problem for you!
Thanks!

Patch works for more then 2 Displays - thank you.

Does not work for me, xfsettingsd segfaults with the same coredump as before.

I verified that display-profiles.c is changed before compiling, but for me it still segfaults at line 135, when connecting the third screen.

Created attachment 8899
Add noutput as parameter, remove call to g_strv_length

Since I am affected by the same problem, i tried to debug it. For me, g_strv_length reports inconsistent values, I've seen 4, 9 and 12 while it should be 3. Obviously, this crashes.

This patch makes the number of outputs a parameter to the function call.

Hm, thinking about it: g_strv_length requires a NULL-terminated array. Currently, I can't test it, but would it suffice to extend the array with a NULL-element, i.e. adding +1 to the calls to g_new0 when initializing the array?

@Andreas: Thanks for helping to debug this!
Unfortunately I'm not close to a real multi-monitor setup which is why it's impossible for me to properly debug the problem (I obviously also can't reproduce it). Your conclusion is very plausible, I guess I would have had to initialize it in a NULL-terminated manner. The old way of freeing the array also has to be replaced with g_strfreev in the functions calling get_profiles and that also requires a NULL-terminated array.

In any case, your current patch does no harm and surely works. Let's see what the testers that still experienced issues (like Fanfurlio) say.

Created attachment 8910
Proper patch, assuring correct null-terminated gchar**

Ok, so here goes a proper patch. As far as I have understood the testing and feedback, this should resolve the bug.
In any case, please test thoroughly! Thanks!

Comment on attachment 8910
Proper patch, assuring correct null-terminated gchar**

Fwiw, i've tested the patch on two laptops (single screen) and a desktop (dual screen) - all with 4.14 on OpenBSD - and that solves the xfce4-display-settings crashes i was seeing.

Created attachment 8912
Tweaked version of patch posted by Landry Breuil

This patch is the same as the one posted by Landry Breuil, except that it drops explicitly assigning NULL to the last element of display_infos, as that is already taken care of by g_new0.

On my 3-display system, xfce4-display-settings was failing 100% of the time without the patch, and with this patch, it works fine.

can someone explain how to apply the patch?

On my 3-screen system (sorry to have kept you waiting, I only have access to it at work) both patches work without a hitch.

Created attachment 8922
Assuring correct null-terminated gchar** and profile matching

When testing the patch a bit more I noticed that now that the array is null-terminated it contains one more element that needs to be subtracted when comparing the amount of displays in a profile and the ones that are currently connected.

Now I have extended the patch in this direction and from my point of view it's ready to merge. Feel free to give it a last try with both saving profiles or just retaining the default settings.

For me, noutput correctly contains the number of connected displays, since g_strv_length() does not count the last NULL element. I'm unsure whether subtracting 1 is really necessary here?

If I save a profile with the old patch, it is correctly saved and available in the GUI. If I open xfce4-display-settings with your new patch, the previously saved profile is not available.

If I try to save a profile with your new patch, it asks me if I want to overwrite the existing profile "xxx", however, this profile is not displayed.

Interesting. Can you check if after starting your session the profile you saved is correctly enabled too?

(After startup it needs to have the checkmark, otherwise it wasn't matched and activated.)

Let me be more precise: I now see the behavior you're describing. I was focusing on xfsettingsd/displays.c, which handles e.g. the session startup.

For some reason I get different amount of displays in the display dialog and xfsettingsd. I'll investigate a little more...

Yes, the checkmark is there - good that you were able to reproduce it.

I can also reproduce your point, I'm getting 9 outputs from helper->resources->noutput - that makes perfect sense, since xrandr reports 9 outputs for me, but only 3 of them have connected screens.

xfce4-display-settings reports only 3 outputs, which is just the ones actually having screens connected.

Created attachment 8925
Part1: Assure correct gchar

Ok, so here goes part one again, which fixes the bug that was reported here.

Created attachment 8926
Part2: Fix profile matching in xfsettingsd

The second patch fixes profile matching in xfsettingsd, i.e. when connecting a new display or when starting up the session. (Previously saved profiles were not loaded correctly.)

Thanks, this seems to work fine - at least, xfsettingsd correctly restores the screen configuration upon startup and xfce4-display-settings reports the profiles and saving and loading works, applying profiles and settings as well, of course.

Great! Thanks for helping with debugging this.

Simon Steinbeiss referenced this bugreport in commit ae8221b23f72f62276bd0a0ffe129329b217a612

display: Assure correct gchar** (Bug #15816)

https://git.xfce.org/xfce/xfce4-settings/commit?id=ae8221b23f72f62276bd0a0ffe129329b217a612