LibVNC / libvncserver

LibVNCServer/LibVNCClient are cross-platform C libraries that allow you to easily implement VNC server or client functionality in your program.
GNU General Public License v2.0

libvncserver crash when closing a client,cl->statMsgList has an invalid address #603

Closed mayepeng0824 closed 8 months ago

mayepeng0824 commented 8 months ago

Describe the bug

I am getting a libvncserver crash when closing a client. It seems that cl->statMsgList has an invalid address. When a client was closed, libvncserver uses rfbPrintStats to print some statistics, then libvncserver crashes. The probability of this happening is very low, I've only encountered it once.

Logs/Backtraces

(gdb) bt

#0 0x36eeaff8 in rfbPrintStats (cl=cl@entry=0x35000750) at /usr/src/debug/libvncserver/0.9.14/libvncserver/stats.c:396

#1 0x36edfadc in rfbClientConnectionGone (cl=cl@entry=0x35000750) at /usr/src/debug/libvncserver/0.9.14/libvncserver/rfbserver.c:651

#2 0x36edef10 in rfbProcessEvents (screen=, usec=) at /usr/src/debug/libvncserver/0.9.14/libvncserver/main.c:1282

#3 0x0043f6f4 in ikvm::Server::run (this=0x3e89dbf0) at /usr/src/debug/obmc-ikvm/1.0+git/ikvm_server.cpp:143

#4 ikvm::Manager::serverThread (manager=0x3e89d998) at /usr/src/debug/obmc-ikvm/1.0+git/ikvm_manager.cpp:36

#5 0x36cc0b64 in std::execute_native_thread_routine (__p=0x13480f8) at /usr/src/debug/gcc-runtime/13.2.0/libstdc++-v3/src/c++11/thread.cc:104

#6 0x36ababb8 in start_thread (arg=0x363d6340) at pthread_create.c:444

#7 0x36b3299c in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:74 from /tmp/ipkdbg.sWl/root/usr/lib/libc.so.6

Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) bt full

#0 0x36eeaff8 in rfbPrintStats (cl=cl@entry=0x35000750) at /usr/src/debug/libvncserver/0.9.14/libvncserver/stats.c:396

    ptr = 0x30004
    encBuf = "@h=6\002\000\000\000\000\000\000\000\360\361\000\065@h=6\002\000\000\000\000\000\000\000\000\003\000\000\000\004\000\000\b\f\000\000\b\206\254\066\330\020\001\065\030\000\000\065\b\f\000\000\030H\000\000\340\034\001\065"
    savings = <optimized out>
    totalRects = 0
    totalBytes = 0
    totalBytesIfRaw = 0
    name = <optimized out>
    bytes = <optimized out>
    bytesIfRaw = <optimized out>
    count = <optimized out>

#1 0x36edfadc in rfbClientConnectionGone (cl=cl@entry=0x35000750) at /usr/src/debug/libvncserver/0.9.14/libvncserver/rfbserver.c:651

    i = <optimized out>

#2 0x36edef10 in rfbProcessEvents (screen=, usec=) at /usr/src/debug/libvncserver/0.9.14/libvncserver/main.c:1282

    i = 0x3500fa80
    cl = 0x0
    clPrev = 0x35000750
    result = <optimized out>

#3 0x0043f6f4 in ikvm::Server::run (this=0x3e89dbf0) at /usr/src/debug/obmc-ikvm/1.0+git/ikvm_server.cpp:143

No locals.

#4 ikvm::Manager::serverThread (manager=0x3e89d998) at /usr/src/debug/obmc-ikvm/1.0+git/ikvm_manager.cpp:36

No locals.

#5 0x36cc0b64 in std::execute_native_thread_routine (__p=0x13480f8) at /usr/src/debug/gcc-runtime/13.2.0/libstdc++-v3/src/c++11/thread.cc:104

    __t = std::unique_ptr<std::thread::_State> = {get() = <optimized out>}

#6 0x36ababb8 in start_thread (arg=0x363d6340) at pthread_create.c:444

    ret = <optimized out>
    pd = 0x363d6340
    out = <optimized out>
    unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-397971287, -388921727, 909992768, 1049220800, 1049220790, 338, 901603328, 909992768, 901603328, 909991484, 
            0 <repeats 54 times>}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
    not_first_call = <optimized out>

#7 0x36b3299c in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:74 from /tmp/ipkdbg.sWl/root/usr/lib/libc.so.6

No locals.

Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) x/10x 0x30004
0x30004: Cannot access memory at address 0x30004

(gdb) f 2

#2 0x36edef10 in rfbProcessEvents (screen=, usec=) at /usr/src/debug/libvncserver/0.9.14/libvncserver/main.c:1282

1282 /usr/src/debug/libvncserver/0.9.14/libvncserver/main.c: No such file or directory.

(gdb) p clPrev
$7 = {screen = 0x13459f0, scaledScreen = 0x13459f0, PalmVNC = 0 '\000', clientData = 0x0, clientGoneHook = 0x4412e0 <ikvm::Server::clientGone(_rfbClientRec)>, sock = -1, host = 0x3500dbb8 "=\241\003\065N5:\260\061", protocolMajorVersion = 3, protocolMinorVersion = 8, client_thread = 0, state = RFB_NORMAL, reverseConnection = 0 '\000', onHold = 0 '\000', readyForSetColourMapEntries = -1 '\377', useCopyRect = -1 '\377', preferredEncoding = 7, correMaxWidth = 48, correMaxHeight = 48, viewOnly = 0 '\000', authChallenge = '\000' <repeats 15 times>, copyRegion = 0x35201830, copyDX = 0, copyDY = 0, modifiedRegion = 0x3500f190, requestedRegion = 0x3500d528, startDeferring = {tv_sec = 1703703522, tv_usec = 861147}, startPtrDeferring = {tv_sec = 0, tv_usec = 0}, lastPtrX = -1, lastPtrY = 0, lastPtrButtons = 0, translateFn = 0x36eef694 , translateLookupTable = 0x350110e0 "h\017\001\065L", format = {bitsPerPixel = 32 ' ', depth = 24 '\030', bigEndian = 0 '\000', trueColour = 255 '\377', redMax = 255, greenMax = 255, blueMax = 255, redShift = 16 '\020', greenShift = 8 '\b', blueShift = 0 '\000', pad1 = 0 '\000', pad2 = 0}, updateBuf = "s\236 \234\364\351\315\000>k7@\031\006TƯ\313\f\234\250$\201Ԏ\277\227\265\000\063\354\322\371{\360\270\306\354n\033\261\353\267\071\351\317N\234\320\003\341\263w\005\234aDl\374\060\310\302\222\t\035@\351\371\373\320\005j\000\260\366\254\266\213\071d\303\022\060\035s\333\337ߧj\000o٥\362\367\341q\215\330\334\067c\327nsӞ\235\071\240\005kI\225\067\024\000m\334\006\341\222\061\234\201ԏ\376\277\245\000\vk!M\347b\256\335ܰ\310\030\310\310\352\063\333\352=h\001>\315/\227\277\v\214n\306\341\273\036\273s\236\234\364\351\315\000\071\355Ym\026rɆ$`:緿\277N\324\001^\200/Ekd\326m;\λ\031Q\224@\247\226\004\361\363\362"..., ublen = 0, statEncList = 0x35201688, statMsgList = 0x30004, rawBytesEquivalent = -855703553, bytesSent = 1, compStream = {next_in = 0x1000000 
<error: Cannot access memory at address 0x1000000>, avail_in = 0, total_in = 196612, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, compStreamInited = 0 '\000', zlibCompressLevel = 2, tightQualityLevel = 6, zsStruct = {{next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, { next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}}, zsActive = "\000\000\000", zsLevel = {0, 0, 0, 0}, tightCompressLevel = 2, compStreamInitedLZO = 0 '\000', lzoWrkMem = 0x0, fileTransfer = {fd = -1, compressionEnabled = 0, fileSize = 0, numPackets = 0, receiving = 0, sending = 0}, lastKeyboardLedState = -1, enableSupportedMessages = 0 '\000', enableSupportedEncodings = 0 '\000', enableServerIdentity = 0 '\000', enableKeyboardLedState = 0 '\000', enableLastRectEncoding = -1 '\377', enableCursorShapeUpdates = -1 '\377', enableCursorPosUpdates = 0 '\000', useRichCursorEncoding = -1 '\377', cursorWasChanged = 0 '\000', cursorWasMoved = 0 '\000', cursorX = 10, cursorY = 312, useNewFBSize = -1 '\377', newFBSizePending = 0 '\000', prev = 0x0, next = 0x0, refCount = -2656, refCountMutex = {data = {lock = 0, count = 0, owner = 0, kind = 0, nusers = 0, { spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 23 times>, align = 0}, 
deleteCond = {data = {wseq = {value64 = 0, value32 = {low = 0, high = 0}}, g1_start = {value64 = 0, value32 = {low = 0, high = 0}}, g_refs = {0, 0}, __g_size = {0, 0}, g1_orig_size = 0, wrefs = 0, g_signals = {0, 0}}, size = '\000' <repeats 47 times>, align = 0}, outputMutex = {data = {lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, { spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", align = 0}, updateMutex = {data = { lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, {spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", align = 0}, updateCond = {data = {wseq = {value64 = 0, value32 = { low = 0, high = 0}}, g1_start = {value64 = 0, value32 = {low = 0, high = 0}}, __g_refs = {0, 0}, g_size = {0, 0}, g1_orig_size = 0, wrefs = 4, __g_signals = {0, 0}}, size = '\000' <repeats 36 times>, "\004\000\000\000\000\000\000\000\000\000\000", align = 0}, zrleData = 0x0, zywrleLevel = 0, zywrleBuf = {0 <repeats 4096 times>}, progressiveSliceY = 0, extensions = 0x0, zrleBeforeBuf = 0x0, paletteHelper = 0x0, sendMutex = {data = { lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, {spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", __align = 0}, beforeEncBuf = 0x3500f130 "\367W\002\065N5:\260", beforeEncBufSize = 4, afterEncBuf = 0x0, afterEncBufSize = 0, afterEncBufLen = 0, tightEncoding = 7, turboSubsampLevel = 0, turboQualityLevel = 79, sslctx = 0x0, wsctx = 0x0, wspath = 0x0, pipe_notify_client_thread = {-1, -1}, clientFramebufferUpdateRequestHook = 0x43f4b4 <ikvm::Server::clientFramebufferUpdateRequest(_rfbClientRec, rfbFramebufferUpdateRequestMsg)>, useExtDesktopSize = -1 '\377', requestedDesktopSizeChange = 0, lastDesktopSizeChangeError = 0, enableExtendedClipboard = -1 '\377', extClipboardUserCap = 520093697, extClipboardMaxUnsolicitedSize = 0, extClipboardData = 0x0, 
extClipboardDataSize = 0, tightUsePixelFormat24 = -1 '\377', tightTJ = 0x0, tightPngDstDataLen = 0}

(gdb) p i
$8 = (rfbClientIteratorPtr) 0x3500fa80

(gdb) f 2

#2 0x36edef10 in rfbProcessEvents (screen=, usec=) at /usr/src/debug/libvncserver/0.9.14/libvncserver/main.c:1282

1282 in /usr/src/debug/libvncserver/0.9.14/libvncserver/main.c

(gdb) p cl
$5 = {screen = 0x13459f0, scaledScreen = 0x13459f0, PalmVNC = 0 '\000', clientData = 0x0, clientGoneHook = 0x4412e0 <ikvm::Server::clientGone(_rfbClientRec)>, sock = -1, host = 0x3500dbb8 "=\241\003\065N5:\260\061", protocolMajorVersion = 3, protocolMinorVersion = 8, client_thread = 0, state = RFB_NORMAL, reverseConnection = 0 '\000', onHold = 0 '\000', readyForSetColourMapEntries = -1 '\377', useCopyRect = -1 '\377', preferredEncoding = 7, correMaxWidth = 48, correMaxHeight = 48, viewOnly = 0 '\000', authChallenge = '\000' <repeats 15 times>, copyRegion = 0x35201830, copyDX = 0, copyDY = 0, modifiedRegion = 0x3500f190, requestedRegion = 0x3500d528, startDeferring = {tv_sec = 1703703522, tv_usec = 861147}, startPtrDeferring = {tv_sec = 0, tv_usec = 0}, lastPtrX = -1, lastPtrY = 0, lastPtrButtons = 0, translateFn = 0x36eef694 , translateLookupTable = 0x350110e0 "h\017\001\065L", format = {bitsPerPixel = 32 ' ', depth = 24 '\030', bigEndian = 0 '\000', trueColour = 255 '\377', redMax = 255, greenMax = 255, blueMax = 255, redShift = 16 '\020', greenShift = 8 '\b', blueShift = 0 '\000', pad1 = 0 '\000', pad2 = 0}, updateBuf = "s\236\234\364\351\315\000>k7@\031\006TƯ\313\f\234\250$\201Ԏ\277\227\265\000\063\354\322\371{\360\270\306\354n\033\261\353\267\071\351\317N\234\320\003\341\263w\005\234aDl\374\060\310\302\222\t\035@\351\371\373\320\005j\000\260\366\254\266\213\071d\303\022\060\035s\333\337ߧj\000o٥\362\367\341q\215\330\334\067c\327nsӞ\235\071\240\005kI\225\067\024\000m\334\006\341\222\061\234\201ԏ\376\277\245\000\vk!M\347b\256\335ܰ\310\030\310\310\352\063\333\352=h\001>\315/\227\277\v\214n\306\341\273\036\273s\236\234\364\351\315\000\071\355Ym\026rɆ$`:緿\277N\324\001^\200/Ekd\326m;\λ\031Q\224@\247\226\004\361\363\362"..., ublen = 0, statEncList = 0x35201688, statMsgList = 0x30004, rawBytesEquivalent = -855703553, bytesSent = 1, compStream = {next_in = 0x1000000 <error: Cannot access memory at address 0x1000000>, avail_in = 0, total_in = 196612, next_out = 
0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, compStreamInited = 0 '\000', zlibCompressLevel = 2, tightQualityLevel = 6, zsStruct = {{next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, { next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}}, zsActive = "\000\000\000", zsLevel = {0, 0, 0, 0}, tightCompressLevel = 2, compStreamInitedLZO = 0 '\000', lzoWrkMem = 0x0, fileTransfer = {fd = -1, compressionEnabled = 0, fileSize = 0, numPackets = 0, receiving = 0, sending = 0}, lastKeyboardLedState = -1, enableSupportedMessages = 0 '\000', enableSupportedEncodings = 0 '\000', enableServerIdentity = 0 '\000', enableKeyboardLedState = 0 '\000', enableLastRectEncoding = -1 '\377', enableCursorShapeUpdates = -1 '\377', enableCursorPosUpdates = 0 '\000', useRichCursorEncoding = -1 '\377', cursorWasChanged = 0 '\000', cursorWasMoved = 0 '\000', cursorX = 10, cursorY = 312, useNewFBSize = -1 '\377', newFBSizePending = 0 '\000', prev = 0x0, next = 0x0, refCount = -2656, refCountMutex = {data = {lock = 0, count = 0, owner = 0, kind = 0, nusers = 0, { spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 23 times>, align = 0}, deleteCond = {data = {wseq = {value64 = 0, value32 = {low = 0, high = 0}}, g1_start = {value64 = 
0, value32 = {low = 0, high = 0}}, g_refs = {0, 0}, __g_size = {0, 0}, g1_orig_size = 0, wrefs = 0, g_signals = {0, 0}}, size = '\000' <repeats 47 times>, align = 0}, outputMutex = {data = {lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, { spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", align = 0}, updateMutex = {data = { lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, {spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", align = 0}, updateCond = {data = {wseq = {value64 = 0, value32 = { low = 0, high = 0}}, g1_start = {value64 = 0, value32 = {low = 0, high = 0}}, __g_refs = {0, 0}, g_size = {0, 0}, g1_orig_size = 0, wrefs = 4, __g_signals = {0, 0}}, size = '\000' <repeats 36 times>, "\004\000\000\000\000\000\000\000\000\000\000", align = 0}, zrleData = 0x0, zywrleLevel = 0, zywrleBuf = {0 <repeats 4096 times>}, progressiveSliceY = 0, extensions = 0x0, zrleBeforeBuf = 0x0, paletteHelper = 0x0, sendMutex = {data = { lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, {spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", __align = 0}, beforeEncBuf = 0x3500f130 "\367W\002\065N5:\260", beforeEncBufSize = 4, afterEncBuf = 0x0, afterEncBufSize = 0, afterEncBufLen = 0, tightEncoding = 7, turboSubsampLevel = 0, turboQualityLevel = 79, sslctx = 0x0, wsctx = 0x0, wspath = 0x0, pipe_notify_client_thread = {-1, -1}, clientFramebufferUpdateRequestHook = 0x43f4b4 <ikvm::Server::clientFramebufferUpdateRequest(_rfbClientRec, rfbFramebufferUpdateRequestMsg)>, useExtDesktopSize = -1 '\377', requestedDesktopSizeChange = 0, lastDesktopSizeChangeError = 0, enableExtendedClipboard = -1 '\377', extClipboardUserCap = 520093697, extClipboardMaxUnsolicitedSize = 0, extClipboardData = 0x0, extClipboardDataSize = 0, tightUsePixelFormat24 = -1 '\377', tightTJ = 0x0, tightPngDstDataLen = 
0}

(gdb) f 1

#1 0x36edfadc in rfbClientConnectionGone (cl=cl@entry=0x35000750) at /usr/src/debug/libvncserver/0.9.14/libvncserver/rfbserver.c:651

651 /usr/src/debug/libvncserver/0.9.14/libvncserver/rfbserver.c: No such file or directory.

(gdb) p cl
$6 = {screen = 0x13459f0, scaledScreen = 0x13459f0, PalmVNC = 0 '\000', clientData = 0x0, clientGoneHook = 0x4412e0 <ikvm::Server::clientGone(_rfbClientRec)>, sock = -1, host = 0x3500dbb8 "=\241\003\065N5:\260\061", protocolMajorVersion = 3, protocolMinorVersion = 8, client_thread = 0, state = RFB_NORMAL, reverseConnection = 0 '\000', onHold = 0 '\000', readyForSetColourMapEntries = -1 '\377', useCopyRect = -1 '\377', preferredEncoding = 7, correMaxWidth = 48, correMaxHeight = 48, viewOnly = 0 '\000', authChallenge = '\000' <repeats 15 times>, copyRegion = 0x35201830, copyDX = 0, copyDY = 0, modifiedRegion = 0x3500f190, requestedRegion = 0x3500d528, startDeferring = {tv_sec = 1703703522, tv_usec = 861147}, startPtrDeferring = {tv_sec = 0, tv_usec = 0}, lastPtrX = -1, lastPtrY = 0, lastPtrButtons = 0, translateFn = 0x36eef694 , translateLookupTable = 0x350110e0 "h\017\001\065L", format = {bitsPerPixel = 32 ' ', depth = 24 '\030', bigEndian = 0 '\000', trueColour = 255 '\377', redMax = 255, greenMax = 255, blueMax = 255, redShift = 16 '\020', greenShift = 8 '\b', blueShift = 0 '\000', pad1 = 0 '\000', pad2 = 0}, updateBuf = "s\236\234\364\351\315\000>k7@\031\006TƯ\313\f\234\250$\201Ԏ\277\227\265\000\063\354\322\371{\360\270\306\354n\033\261\353\267\071\351\317N\234\320\003\341\263w\005\234aDl\374\060\310\302\222\t\035@\351\371\373\320\005j\000\260\366\254\266\213\071d\303\022\060\035s\333\337ߧj\000o٥\362\367\341q\215\330\334\067c\327nsӞ\235\071\240\005kI\225\067\024\000m\334\006\341\222\061\234\201ԏ\376\277\245\000\vk!M\347b\256\335ܰ\310\030\310\310\352\063\333\352=h\001>\315/\227\277\v\214n\306\341\273\036\273s\236\234\364\351\315\000\071\355Ym\026rɆ$`:緿\277N\324\001^\200/Ekd\326m;\λ\031Q\224@\247\226\004\361\363\362"..., ublen = 0, statEncList = 0x35201688, statMsgList = 0x30004, rawBytesEquivalent = -855703553, bytesSent = 1, compStream = {next_in = 0x1000000 
<error: Cannot access memory at address 0x1000000>, avail_in = 0, total_in = 196612, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, compStreamInited = 0 '\000', zlibCompressLevel = 2, tightQualityLevel = 6, zsStruct = {{next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, { next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0x0, zfree = 0x0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}}, zsActive = "\000\000\000", zsLevel = {0, 0, 0, 0}, tightCompressLevel = 2, compStreamInitedLZO = 0 '\000', lzoWrkMem = 0x0, fileTransfer = {fd = -1, compressionEnabled = 0, fileSize = 0, numPackets = 0, receiving = 0, sending = 0}, lastKeyboardLedState = -1, enableSupportedMessages = 0 '\000', enableSupportedEncodings = 0 '\000', enableServerIdentity = 0 '\000', enableKeyboardLedState = 0 '\000', enableLastRectEncoding = -1 '\377', enableCursorShapeUpdates = -1 '\377', enableCursorPosUpdates = 0 '\000', useRichCursorEncoding = -1 '\377', cursorWasChanged = 0 '\000', cursorWasMoved = 0 '\000', cursorX = 10, cursorY = 312, useNewFBSize = -1 '\377', newFBSizePending = 0 '\000', prev = 0x0, next = 0x0, refCount = -2656, refCountMutex = {data = {lock = 0, count = 0, owner = 0, kind = 0, nusers = 0, { spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 23 times>, align = 0}, 
deleteCond = {data = {wseq = {value64 = 0, value32 = {low = 0, high = 0}}, g1_start = {value64 = 0, value32 = {low = 0, high = 0}}, g_refs = {0, 0}, __g_size = {0, 0}, g1_orig_size = 0, wrefs = 0, g_signals = {0, 0}}, size = '\000' <repeats 47 times>, align = 0}, outputMutex = {data = {lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, { spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", align = 0}, updateMutex = {data = { lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, {spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", align = 0}, updateCond = {data = {wseq = {value64 = 0, value32 = { low = 0, high = 0}}, g1_start = {value64 = 0, value32 = {low = 0, high = 0}}, __g_refs = {0, 0}, g_size = {0, 0}, g1_orig_size = 0, wrefs = 4, __g_signals = {0, 0}}, size = '\000' <repeats 36 times>, "\004\000\000\000\000\000\000\000\000\000\000", align = 0}, zrleData = 0x0, zywrleLevel = 0, zywrleBuf = {0 <repeats 4096 times>}, progressiveSliceY = 0, extensions = 0x0, zrleBeforeBuf = 0x0, paletteHelper = 0x0, sendMutex = {data = { lock = 0, count = 0, owner = 0, kind = -1, nusers = 0, {spins = 0, list = {next = 0x0}}}, size = '\000' <repeats 12 times>, "\377\377\377\377\000\000\000\000\000\000\000", __align = 0}, beforeEncBuf = 0x3500f130 "\367W\002\065N5:\260", beforeEncBufSize = 4, afterEncBuf = 0x0, afterEncBufSize = 0, afterEncBufLen = 0, tightEncoding = 7, turboSubsampLevel = 0, turboQualityLevel = 79, sslctx = 0x0, wsctx = 0x0, wspath = 0x0, pipe_notify_client_thread = {-1, -1}, clientFramebufferUpdateRequestHook = 0x43f4b4 <ikvm::Server::clientFramebufferUpdateRequest(_rfbClientRec, rfbFramebufferUpdateRequestMsg)>, useExtDesktopSize = -1 '\377', requestedDesktopSizeChange = 0, lastDesktopSizeChangeError = 0, enableExtendedClipboard = -1 '\377', extClipboardUserCap = 520093697, extClipboardMaxUnsolicitedSize = 0, extClipboardData = 0x0, 
extClipboardDataSize = 0, tight

(gdb) p &cl->statMsgList
$7 = (struct _rfbStatList **) 0x35008804

(gdb) x/1x 0x35008804
0x35008804: 0x00030004

(gdb) f 0

#0 0x36eeaff8 in rfbPrintStats (cl=cl@entry=0x35000750) at /usr/src/debug/libvncserver/0.9.14/libvncserver/stats.c:396

396 in /usr/src/debug/libvncserver/0.9.14/libvncserver/stats.c

(gdb) x/1x 0x35008804
0x35008804: 0x00030004

(gdb) f 3

#3 0x0043f6f4 in ikvm::Server::run (this=0x3e89dbf0) at /usr/src/debug/obmc-ikvm/1.0+git/ikvm_server.cpp:143

143 rfbProcessEvents(server, processTime);

(gdb) x/1x 0x35008804
0x35008804: 0x00030004

(gdb) f 4

#4 ikvm::Manager::serverThread (manager=0x3e89d998) at /usr/src/debug/obmc-ikvm/1.0+git/ikvm_manager.cpp:36

36 manager->server.run();

(gdb) x/1x 0x35008804
0x35008804: 0x00030004

(gdb) f 7

#7 0x36b3299c in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:74 from /tmp/ipkdbg.Fv8/root/usr/lib/libc.so.6

74 ../sysdeps/unix/sysv/linux/arm/clone.S: No such file or directory.

(gdb) x/1x 0x35008804
0x35008804: 0x00030004

(gdb) f 8
No frame at level 8.

Your environment (please complete the following information):

Additional context

mayepeng0824 commented 8 months ago

From the gdb info, cl->statMsgList = 0x30004 is an invalid address.

MichaelXie98 commented 8 months ago

To Reproduce

Keep open/close vnc client

bk138 commented 8 months ago

can you maybe create a throw-away github repo with code that reproduces this?

MichaelXie98 commented 8 months ago

I am using obmc-ikvm from OpenBmc. https://github.com/openbmc/obmc-ikvm libvncserver version 0.9.14

MichaelXie98 commented 8 months ago

By refreshing the client, I can reproduce this crash. The probability of this crash happening is very small, perhaps only once in hundreds of times. In the backtrace I can see the crash sometimes in rfbStatLookupMessage and sometimes in rfbPrintStats, with the same reason: cl->statMsgList = 0x30004 is an invalid address. I am guessing this address is released before rfbStatLookupMessage/rfbPrintStats when closing the client.

bk138 commented 8 months ago

@mayepeng0824 @MichaelXie98 can you please provide a scripted environment that reproduces the crash - am unable to repro here.

MichaelXie98 commented 8 months ago

Sorry, I don't know how to provide a scripted environment. But now I roughly know what the problem is. I am using rfbSendCompressedDataTight and rfbSendExtDesktopSize in two threads. When two threads modify cl->updateBuf at the same time, it will cause undefined behavior. This is not a libvncserver bug. We can close this issue.
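The race MichaelXie98 describes, as an added example that is not libvncserver's or obmc-ikvm's code: a made-up, shrunken stand-in for the tail of rfbClientRec ordered the way the gdb dump shows it (updateBuf, then ublen, then statEncList and statMsgList), with a naive check-then-append that two writers can interleave, beside a version that does the room check and the copy inside one critical section. The buffer size, the flush policy, the payload bytes, the `flushes` counter and the lock named after the dump's `sendMutex` field are all assumptions for the demonstration; whether libvncserver's own locking covers rfbSendCompressedDataTight and rfbSendExtDesktopSize is not established by this thread.

```c
/* Added example, not libvncserver code.  Field sizes and policy are made up. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UPDATE_BUF_SIZE 32              /* assumed; the real updateBuf is far larger */

/* Stand-in for the tail of rfbClientRec in the order the gdb dump shows it. */
struct client {
    pthread_mutex_t sendMutex;          /* named after the field in the dump */
    char updateBuf[UPDATE_BUF_SIZE];
    int ublen;                          /* bytes currently queued in updateBuf */
    void *statEncList;
    void *statMsgList;                  /* the pointer that read 0x30004 in the report */
    int flushes;                        /* demo counter, not a libvncserver field */
};

/* Length that makes a write starting at updateBuf[UPDATE_BUF_SIZE] end exactly
 * at the end of statMsgList, whatever the pointer size and padding are. */
#define SPILL_LEN ((int)(offsetof(struct client, statMsgList) + sizeof(void *) \
                         - offsetof(struct client, updateBuf) - UPDATE_BUF_SIZE))

static int needs_flush(const struct client *cl, int n)
{
    return cl->ublen + n > UPDATE_BUF_SIZE;
}

/* Naive append: trusts that the caller already ran needs_flush().  Addressed
 * from the struct base so a spill lands on the neighbouring fields (still
 * inside the same object) instead of being out-of-bounds array arithmetic. */
static void raw_append(struct client *cl, const char *data, int n)
{
    unsigned char *base = (unsigned char *)cl;
    memcpy(base + offsetof(struct client, updateBuf) + (size_t)cl->ublen, data, (size_t)n);
    cl->ublen += n;
}

/* Deterministic replay of the losing schedule: writers A and B both pass the
 * room check against the same ublen, then both copy.  Returns 1 when the
 * second copy overwrote statMsgList. */
int simulate_unlocked_race(void)
{
    static int list_node;               /* stands in for the real stat list */
    struct client cl;
    char payload[64];

    memset(&cl, 0, sizeof cl);
    memset(payload, 'A', sizeof payload);        /* constructed filler bytes */
    cl.statMsgList = &list_node;
    cl.ublen = UPDATE_BUF_SIZE - SPILL_LEN;      /* exactly SPILL_LEN bytes free */

    int a_fits = !needs_flush(&cl, SPILL_LEN);   /* A checks: fits */
    int b_fits = !needs_flush(&cl, SPILL_LEN);   /* B checks the same stale ublen: fits */
    if (a_fits) raw_append(&cl, payload, SPILL_LEN);   /* A fills the buffer */
    if (b_fits) raw_append(&cl, payload, SPILL_LEN);   /* B runs over ublen and the pointers */

    return cl.statMsgList != (void *)&list_node;
}

/* Hardened append: check, flush and copy happen under one lock, so no writer
 * acts on a ublen another writer is about to change.  "Flushing" here only
 * drops the queued bytes; a real server would send them first. */
int append_locked(struct client *cl, const char *data, int n)
{
    int len;
    if (n < 0 || n > UPDATE_BUF_SIZE) return -1;  /* oversize chunk: caller bug */
    pthread_mutex_lock(&cl->sendMutex);
    if (needs_flush(cl, n)) { cl->ublen = 0; cl->flushes++; }
    raw_append(cl, data, n);
    len = cl->ublen;
    pthread_mutex_unlock(&cl->sendMutex);
    return len;
}

/* Single-threaded check of the policy: five 8-byte appends into 32 bytes flush
 * once and leave 8 queued.  Returns the queued length, or -1 on a wrong count. */
int locked_sequence(void)
{
    struct client cl;
    char chunk[8] = "chunk!!";
    memset(&cl, 0, sizeof cl);
    pthread_mutex_init(&cl.sendMutex, NULL);
    for (int i = 0; i < 5; i++) append_locked(&cl, chunk, (int)sizeof chunk);
    pthread_mutex_destroy(&cl.sendMutex);
    return cl.flushes == 1 ? cl.ublen : -1;
}

struct worker_arg { struct client *cl; int iters; };

static void *worker(void *p)
{
    struct worker_arg *w = p;
    char chunk[8] = "BBBBBBB";
    for (int i = 0; i < w->iters; i++) append_locked(w->cl, chunk, (int)sizeof chunk);
    return NULL;
}

/* Runs nthreads writers concurrently through append_locked.  Returns 1 when
 * statMsgList and ublen survived intact. */
int hammer_locked(int nthreads, int iters)
{
    static int list_node;
    struct client cl;
    pthread_t tid[16];
    struct worker_arg arg = { &cl, iters };

    if (nthreads > 16) nthreads = 16;
    memset(&cl, 0, sizeof cl);
    pthread_mutex_init(&cl.sendMutex, NULL);
    cl.statMsgList = &list_node;
    for (int i = 0; i < nthreads; i++) pthread_create(&tid[i], NULL, worker, &arg);
    for (int i = 0; i < nthreads; i++) pthread_join(tid[i], NULL);
    pthread_mutex_destroy(&cl.sendMutex);
    return cl.statMsgList == (void *)&list_node && cl.ublen >= 0 && cl.ublen <= UPDATE_BUF_SIZE;
}

int main(void)
{
    printf("unlocked race corrupted statMsgList: %d\n", simulate_unlocked_race());
    printf("locked writers kept it intact:       %d\n", hammer_locked(4, 100000));
    return 0;
}
```

The simulated schedule is the one a thread sanitizer eventually finds: both writers read ublen before either has advanced it, so the second copy starts where the first ended and runs straight over the fields after the array, which is one way a neighbour such as statMsgList can end up holding stray bytes. Building the real code with -fsanitize=thread flags the unlocked path; the locked path is the shape a fix has to take in the calling code, since only the caller knows which of its threads share a client.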

bk138 commented 8 months ago

OK!