Xorg segfaults in XkbHandleBell() if pressing "Del" key

Bug #231484 reported by TTL
Affects | Status | Importance | Assigned to | Milestone
X.Org X server | Fix Released | High | |
xorg-server (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

[Problem]
Xorg crashes in XkbHandleBell() when DEL key pressed, in various applications.

[Backtrace]
#0 XkbHandleBell (force=0 '\0', eventOnly=0 '\0', kbd=0x8273490, percent=50 '2', pCtrl=0x8273cc8, class=0 '\0', name=0, pWin=0x0, pClient=0x8262fd8)
    at ../../xkb/xkbEvents.c:404
        bn = {type = 111 'o', xkbType = 8 '\b', sequenceNumber = 280, time = 504481, deviceID = 0 '\0', bellClass = 0 '\0', bellID = 0 '\0',
  percent = 50 '2', pitch = 400, duration = 100, name = 0, window = 0, eventOnly = 0 '\0', pad1 = 58 ':', pad2 = 2167, pad3 = 4120}
        initialized = <value optimized out>
        xkbi = <value optimized out>
        interest = <value optimized out>
        id = <value optimized out>
        pitch = <value optimized out>
        duration = <value optimized out>
        time = <value optimized out>
        winID = <value optimized out>
#1 0x0808386c in ProcBell (client=0x8262fd8) at ../../dix/devices.c:1859
        keybd = (DeviceIntPtr) 0x8273490
        base = <value optimized out>
        newpercent = 0
#2 0x0815076e in XaceCatchDispatchProc (client=0x8262fd8) at ../../Xext/xace.c:281
        major = 104
#3 0x0808d8df in Dispatch () at ../../dix/dispatch.c:502
        result = <value optimized out>
        client = (ClientPtr) 0x8262fd8
        nready = 0
        start_tick = 2680
#4 0x0807471b in main (argc=3, argv=0xbfeb0fd4, envp=Cannot access memory at address 0x8
) at ../../dix/main.c:452
        i = 1
        error = 136163204
        xauthfile = <value optimized out>
        alwaysCheckForInput = {0, 1}

[Original Report]
I get crashes of the Xorg server if I press the "Del" key. This happened three times recently and seems to be repeatable. The system is an up-to-date Kubuntu 8.04.
The dmesg says:
[ 754.699253] Xorg[5444]: segfault at 000001a4 eip 0818fa3a esp bfa98800 error 4
[ 866.241862] Xorg[9589]: segfault at 000001a4 eip 0818fa3a esp bfd02030 error 4
[ 1039.389615] Xorg[10174]: segfault at 000001a4 eip 0818fa3a esp bfd978d0 error 4

The first two crashes happened with a Java program while saving a file. I placed the cursor in the middle of the default filename and pressed the "Del" key. As there were no more characters left to delete, Xorg crashed.
The third crash happened with Seamonkey while editing the Ubuntu bug report search query.

Note: What is special about my system is that I have a Wacom Bamboo connected.

My xorg.conf will follow.

Revision history for this message
Bryce Harrington (bryce) wrote :

Please attach your /var/log/Xorg.0.log.
Also, please collect a full backtrace from the crash. See http://wiki.ubuntu.com/X/Backtracing for directions.

Changed in xorg:
status: New → Incomplete
Revision history for this message
TTL (supernova-2149) wrote :

I repeated the steps, and the server crashed again. This time, I saved the xorg logfile.

Interestingly, I did not find an Xorg crash in my dmesg this time. The only crash reported here was:
dmesg | grep segf:
klauncher[12424]: segfault at 00000095 eip b73e5ee7 esp bfe16620 error 4

Note, I installed the Wacom drivers in a way similar to this:
http://ph.ubuntuforums.com/showthread.php?t=765915

I will try the Backtracing thing some time next week.

Revision history for this message
TTL (supernova-2149) wrote :

Ok, backtracing was easier and more fun than I expected. I tried it two times:
Program received signal SIGSEGV, Segmentation fault.
XkbHandleBell (force=0 '\0', eventOnly=0 '\0', kbd=0x8273488, percent=50 '2', pCtrl=0x8273cc0, class=0 '\0', name=0, pWin=0x0, pClient=0x868c628) at ../../xkb/xkbEvents.c:404
404 ../../xkb/xkbEvents.c: No such file or directory.
        in ../../xkb/xkbEvents.c
(gdb)

Program received signal SIGSEGV, Segmentation fault.
XkbHandleBell (force=0 '\0', eventOnly=0 '\0', kbd=0x8273488, percent=50 '2', pCtrl=0x8273cc0, class=0 '\0', name=0, pWin=0x0, pClient=0x86a9270) at ../../xkb/xkbEvents.c:404
404 in ../../xkb/xkbEvents.c

Line 404 in xkbEvents.c
would be:
xkbi = kbd->key->xkbInfo;

Interestingly, the crashes happen only if the Wacom is connected during the server start. If it is removed later the server still crashes, and if the Wacom is added later it does not (however, it is then less usable).
I hope this helps.

Revision history for this message
TTL (supernova-2149) wrote :

If I can submit anything more for fixing this, please let me know.

Changed in xorg:
status: Incomplete → New
Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks, XkbHandleBell is defined in the xserver, so moving there.

Could you attach the full output from the full backtrace? The lines you posted are very useful, but sometimes the bug is triggered in an earlier call, and understanding the path the bug took to reach the crash can be very instructive.

Backtrace:
0: /usr/bin/X(xf86SigHandler+0x7e) [0x80c780e]
1: [0xb7f88420]
2: /usr/bin/X(ProcBell+0x13c) [0x808386c]
3: /usr/bin/X [0x815075e]
4: /usr/bin/X(Dispatch+0x2cf) [0x808d8df]
5: /usr/bin/X(main+0x48b) [0x807471b]
6: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0) [0xb7d19450]
7: /usr/bin/X(FontFileCompleteXLFD+0x201) [0x8073a91]

Changed in xorg:
importance: Undecided → High
status: New → Triaged
Revision history for this message
TTL (supernova-2149) wrote :

Sorry for taking so long to answer. I hope the full backtrace is what you need.

Revision history for this message
Gunni (fgunni) wrote :

I seem to have a similar issue, but it is since the last few days.

[ 1053.897822] NVRM: Xid (0006:00): 13, 0000 80019700 00004097 00001900 00000000 00000800
[ 1053.953477] Xorg[5489]: segfault at 000001a4 eip 0818faaa esp bfe25800 error 4
[ 1126.836035] NVRM: Xid (0006:00): 13, 0000 80019700 00004097 00001900 00000000 00000800
[ 1126.875484] Xorg[10244]: segfault at 000001a4 eip 0818faaa esp bfcaa270 error 4

Revision history for this message
TTL (supernova-2149) wrote :

@Gunni:
I don't think the crashes are related. Moreover, it would be very helpful to know what you did to provoke the crash. And please do a backtrace as described in the wiki (see Bryce Harrington's comment) if you have a second Linux computer available.

Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks, I think you're correct that it's failing here:

Line 404 in xkbEvents.c
would be:
xkbi = kbd->key->xkbInfo;

The kbd pointer is defined, so presumably the likely way this would segfault is if kbd->key were undefined. Perhaps there should be a check on that.

description: updated
Changed in xorg-server:
assignee: nobody → bryceharrington
Revision history for this message
Bryce Harrington (bryce) wrote :

Would you mind testing this patch to see if it fixes it?

(Possibly this would stop it from crashing here, but still result in a fault somewhere else in the code.)

Revision history for this message
In , Bryce Harrington (bryce) wrote :

Created an attachment (id=20290)
xkbhandlebell-segfault.patch

Forwarding this bug from a Ubuntu reporter:
https://bugs.edge.launchpad.net/ubuntu/+source/xorg-server/+bug/231484

[Problem]
Xorg crashes in XkbHandleBell() when DEL key pressed, in various applications.

[Discussion]
The attached patch addresses the symptom but maybe not the root cause. The kbd pointer is defined, but perhaps kbd->key is not, which could explain the fault. The obvious question is why that would be null in the first place. Perhaps xkbEvents.c could use additional NULL pointer checks before this one.


Revision history for this message
In , Peter Hutterer (peter-hutterer) wrote :

On Thu, Nov 13, 2008 at 04:52:15PM -0800, <email address hidden> wrote:
> Note: Special on my system is, that I have a Wacom Bamboo connected.

my gut feeling is that that's the root cause here because I've seen similar
issues here. Need to wait until my tablet arrives before I can debug that.

Revision history for this message
In , Daniel Stone (daniels) wrote :

On Thu, Nov 13, 2008 at 05:49:50PM -0800, <email address hidden> wrote:
> --- Comment #1 from Peter Hutterer <email address hidden> 2008-11-13 17:49:49 PST ---
> On Thu, Nov 13, 2008 at 04:52:15PM -0800, <email address hidden>
> wrote:
> > Note: Special on my system is, that I have a Wacom Bamboo connected.
>
> my gut feeling is that that's the root cause here because I've seen similar
> issues here. Need to wait until my tablet arrives before I can debug that.

http://linuxwacom.cvs.sourceforge.net/viewvc/linuxwacom/linuxwacom-dev/src/xdrv/xf86Wacom.c?revision=1.47&view=markup

grep for 'long-standing misunderstanding': Wacom will always define a
keyboard feedback class, but not necessarily a key class. XkbHandleBell
expects a key class to exist as well as a keyboard feedback class, so if
we have a Wacom tablet with no keys, a bell will cause the server to
explode. I guess strengthening the test to (!dev->kbdfeed || !dev->key)
should solve this.

Revision history for this message
In , Daniel Stone (daniels) wrote :

On Fri, Nov 14, 2008 at 01:28:33PM +1100, Daniel Stone wrote:
> grep for 'long-standing misunderstanding': Wacom will always define a
> keyboard feedback class, but not necessarily a key class. XkbHandleBell
> expects a key class to exist as well as a keyboard feedback class, so if
> we have a Wacom tablet with no keys, a bell will cause the server to
> explode. I guess strengthening the test to (!dev->kbdfeed || !dev->key)
> should solve this.

(Tangentially, not sure why it defines feedback classes, as it doesn't
 do anything with keyboard feedback, bells, or LED feedback. Oh well.)

Revision history for this message
Bryce Harrington (bryce) wrote :

Alright, well I'll just forward it upstream. Please subscribe to https://bugs.freedesktop.org/show_bug.cgi?id=18520, in case they need you to test something.

Changed in xorg-server:
assignee: bryceharrington → nobody
Changed in xorg-server:
status: Unknown → Confirmed
Revision history for this message
TTL (supernova-2149) wrote :

Good news. I finally had time to figure out how to compile xorg myself. By checking the variable as described in the patch above, the crashes went away.

if (!kbd) {
    xf86MsgVerb(X_WARNING, 0, "XkbHandleBell: Warning: kbd was NULL\n");
    return;
}
if (!kbd->key) {
    xf86MsgVerb(X_WARNING, 0, "XkbHandleBell: Warning: kbd->key was NULL\n");
    return;
}

For every
* pressing of the 'Del' key without a char to delete after the cursor
* or pressing the 'backspace' key without a char to delete before the cursor,
the second message is added.

Of course I don't know if this silently corrupts the memory somewhere else.

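To make the root cause from Daniel Stone's comment and the guard TTL tested concrete, here is an added example (not xserver or linuxwacom code) that models a device with a keyboard feedback class but no key class, and runs the pre-fix guard beside the hardened `(!dev->kbdfeed || !dev->key)` check from the thread; the struct names, outcome codes and constructed devices are stand-ins, and the fatal `kbd->key->xkbInfo` load is reported rather than executed so the example can run.

```c
#include <stddef.h>
#include <stdio.h>

/* Reduced stand-ins for the xserver structures named in the thread. */
typedef struct { int dummy; } XkbInfoModel;                 /* dev->key->xkbInfo */
typedef struct { XkbInfoModel *xkbInfo; } KeyClassModel;    /* dev->key */
typedef struct { int pitch, duration; } KbdFeedbackModel;   /* dev->kbdfeed */
typedef struct {
    const char *name;
    KeyClassModel *key;        /* NULL on a device that has no keys */
    KbdFeedbackModel *kbdfeed; /* the wacom driver defines this regardless */
} DeviceModel;

enum { BELL_RUNG = 0, BELL_SKIPPED = 1, BELL_NULL_DEREF = 2 };

/* Pre-fix guard: only the feedback class is tested before kbd->key is used.
 * Instead of performing the fatal `kbd->key->xkbInfo` load we report it. */
static int bell_prefix(const DeviceModel *kbd)
{
    if (!kbd->kbdfeed)
        return BELL_SKIPPED;
    if (!kbd->key)
        return BELL_NULL_DEREF;    /* the segfault at xkbEvents.c:404 */
    return BELL_RUNG;
}

/* Hardened guard, per Daniel Stone's suggestion: both classes must exist. */
static int bell_fixed(const DeviceModel *kbd)
{
    if (!kbd || !kbd->kbdfeed || !kbd->key)
        return BELL_SKIPPED;
    return BELL_RUNG;
}

/* Constructed devices: a real keyboard, a Wacom-like tablet, a plain mouse. */
static XkbInfoModel xkb_info;
static KeyClassModel kbd_keys = { &xkb_info };
static KbdFeedbackModel kbd_feed = { 400, 100 }, tablet_feed = { 400, 100 };
static const DeviceModel keyboard = { "keyboard", &kbd_keys, &kbd_feed };
static const DeviceModel tablet   = { "wacom-bamboo", NULL, &tablet_feed };
static const DeviceModel mouse    = { "mouse", NULL, NULL };

int main(void)
{
    const DeviceModel *devs[] = { &keyboard, &tablet, &mouse };
    static const char *names[] = { "rung", "skipped", "NULL deref" };
    for (size_t i = 0; i < 3; i++)
        printf("%-13s pre-fix: %-10s fixed: %s\n", devs[i]->name,
               names[bell_prefix(devs[i])], names[bell_fixed(devs[i])]);
    return 0;
}
```

The tablet row is the case from this bug: the old guard lets it through because kbdfeed is set, while the hardened guard skips the bell instead of dereferencing a NULL key class.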
Revision history for this message
In , Peter Hutterer (peter-hutterer) wrote :

AFAICT, fixed with

commit 95fc59a199f99bf167fbb09297a9bb0e33e31869
Author: Peter Hutterer <email address hidden>
AuthorDate: Fri Nov 28 14:55:15 2008 +1000

    xkb: Extra sanity checks to prevent dev->key == NULL dereferencing.

Changed in xorg-server:
status: Confirmed → Fix Released
Bryce Harrington (bryce)
Changed in xorg-server:
assignee: nobody → bryceharrington
status: Triaged → In Progress
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Fixed by xserver 1.6rc in jaunty.

Changed in xorg-server:
assignee: bryceharrington → nobody
status: In Progress → Fix Released
Changed in xorg-server:
importance: Unknown → High
Changed in xorg-server:
importance: High → Unknown
Changed in xorg-server:
importance: Unknown → High