Closed RolKau closed 6 months ago
@RolKau
I'm unable to reproduce this using the commands above and this RDP client:-
$ xfreerdp --version
This is FreeRDP version 2.2.0 (n/a)
I don't get a chance to close the client window myself incidentally - the command completes and the session exits pretty swiftly. Am I missing something there?
Also, what version of xorgxrdp
are you using when the crash happens? This might also have a bearing on the problem
So I'd think this is either invalid at this point, or it gets written over while it's sitting in the fifo
I don't think that the enc->data
array itself becomes invalid, because it is accessed in earlier iterations in the loop, and I don't see how it could be freed there (unless there is another thread doing it). I suspect that it is an overrun, but I don't know where the size of the array is determined.
what version of xorgxrdp are you using when the crash happens?
I was using 0.2.17, but you may want to schedule another release of that one as well: If I upgrade to the devel branch I am unable to reproduce the problem over at least ten attempts.
The only real change seems to have been the full screen refresh; maybe this straighten out some internal state or changes some timings.
@RolKau - please accept my apologies for the auto-close. That was not my intention. We'll be working on the v0.9.18 release for a bit. I'd like to pick this up again afterwards.
Just as a quick note for you - enc->data
could possibly become invalid.
There's a memory area shared between xorgxrdp and the xrdp process. xorgxrdp writes to the memory area and then tells xrdp what the changes are, rather than sending the data directly.
Along with the change info, xorgxrdp sends the ID of the shared memory area (see shmop(2)). The ID is normally stable, but there are situations like a resize where the ID changes. If this happens, xrdp detaches from the old area and attaches to the new area. The code for this is in the xrdp xup module xrdp/xup.c
.
I'm not at all clear whether enc->data
points to the shared memory area, but a bit of logging should resolve this. Also, this is only a supposition on my part. I'm still learning about this area, and I only found the shared memory area when investigating a FreeBSD issue recently. Since there are threads involved here it just seems like a possibility to me.
I hope this is useful information.
please accept my apologies for the auto-close
On the contrary, I regarded myself this issue as solved. I reckon that the second trap I discovered is really another problem, and in particular we probably need a better repro before we can make progress on it.
There's a memory area shared between xorgxrdp and the xrdp process
Just a thought: Who closes this memory area, and how is the other process notified about this? Can it be that the xorgxrdp process close the area upon shutdown, but that the xrdp process is not quite done writing all out of the bitmaps, so it disappears halfway down the loop?
This would make it somewhat timing-dependent, which would explain why we have problems reproducing it in other than my particular setup (I am on a rather crappy DOCSIS 3 residential broadband). And also why it only happens on shutdown.
The lifecycle of the shared area is controlled by xorgxrdp as xorgxrdp's lifetime is the session lifetime, and xrdp may have a shorter lifetime.
xorgxrdp sends over an ID, and if the ID has changed, xrdp disconnects from the old area and connects to the new one. However, I can't find any sync between the threads in this area, so it could be related to this.
On the other hand, I may have this completely wrong. I'll get some logging in when I can get to this, and at least determine whether enc->data
is pointing to this area or not.
I'd like to leave this open for now. If we find a better way to reproduce we can open another fault, but I'd like to do at least a bit more exploration on this one.
I'm closing this one now, as we've completely reworked the shared memory support for the GFX merge (will ship in v0.10). That affects the RFX codepaths too.
xrdp version: 0.9.17 (git sha 5808832) xorgxrdp version: 0.2.17 (git sha b943f0e) Client: FreeRDP 2.2.0+dfsg1-0ubuntu0.20.04.2
First I compile xrdp with:
I connect to the server with these options:
This crashes immediately upon connect, with backtrace (from
coredumpctl debug
):and the line in
/var/log/xrdp.log
:If I however now recompile again without the range check:
I can log on, even with more caching options enabled:
I can now start Firefox and browse a bunch of webpages without any problem. But, if I put two terminal windows sized to 1920x2160 side-by-side and run the command
od -c /dev/random
in each of them, the server coredumps rather quickly with this backtrace:The
buffer_size
parameter in line 7 looks suspicious. Unfortunately, if I build withCFLAGS="-O0"
, the backtrace gets cut off after item 6 instead of getting more information for some unknown reason.It seems to me that this bug is triggered whenever a lot of text is written as characters to the display; programs that draws the text themselves as graphics don't elicit this behaviour.