Bug 461648 - GdkWindowQueueItem::serial overflow
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Backend: X11
Version: 2.10.x
Hardware: Other
OS: All
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: gtk-bugs
Depends on:
Blocks:
Reported: 2007-07-30 01:50 UTC by Hui Wang
Modified: 2007-09-10 17:43 UTC
See Also:
GNOME target: ---
GNOME version: 2.15/2.16


Attachments
  • Sample application to reproduce the bug (581.10 KB, application/x-compressed-tar), 2007-07-30 01:52 UTC, Hui Wang
  • gdkgeometry-x11.c.patch (747 bytes, patch), 2007-07-30 02:27 UTC, Hui Wang, status: none
  • fix serial and node handling (1.82 KB, patch), 2007-08-23 13:37 UTC, Tim Janik, status: committed

Description Hui Wang 2007-07-30 01:50:09 UTC
Steps to reproduce:
1. Create an application which keeps on triggering expose events at a high rate (e.g., 1000 expose events/second).
2. Run the application in any version of the gtk+ environment for more than an hour.
3. The application will crash with a segv.


Stack trace:
  • #1 queue_item_free
    at gdkgeometry-x11.c line 914
  • #2 _gdk_window_process_expose
    at gdkgeometry-x11.c line 1051
  • #3 gdk_event_translate
    at gdkevents-x11.c line 1484
  • #4 _gdk_events_queue
    at gdkevents-x11.c line 2067
  • #5 gdk_event_dispatch
    at gdkevents-x11.c line 2127
  • #6 g_main_dispatch
    at gmain.c line 1895
  • #7 g_main_context_dispatch
    at gmain.c line 2441
  • #8 g_main_context_iterate
    at gmain.c line 2522
  • #9 g_main_loop_run
    at gmain.c line 2726
  • #10 gtk_main
    at gtkmain.c line 1172
  • #11 main
    at main.cc line 260
Source context for frame #2 (_gdk_window_process_expose, gdkgeometry-x11.c line 1051):
1046                }
1047              else
1048                {
1049                  queue_delete_link (display_x11->translate_queue,
1050                                     display_x11->translate_queue->head);
1051                  queue_item_free (item);
1052                }
1053            }
1054        }
1055
(gdb) p *(GdkWindowQueueItem *)tmp_list->data
$31 = {window = 0x9bbcc28, serial = 341, type = GDK_WINDOW_QUEUE_ANTIEXPOSE, u = {translate = {
      dx = 163135504, dy = 46399540}, antiexpose = {area = 0x9b94010}}}
(gdb) p *(GdkWindowQueueItem *)tmp_list->prev->data <= overflow
$32 = {window = 0x9a35d88, serial = 57, type = GDK_WINDOW_QUEUE_ANTIEXPOSE, u = {translate = {
      dx = 161749920, dy = 16}, antiexpose = {area = 0x9a41ba0}}}
(gdb) p *(GdkWindowQueueItem *)tmp_list->prev->prev->data      <=here, serial value is near the max ulong
$33 = {window = 0x9a36010, serial = 4294967176, type = GDK_WINDOW_QUEUE_ANTIEXPOSE, u = {translate = {
      dx = 161771960, dy = 52}, antiexpose = {area = 0x9a471b8}}}
(gdb) p *(GdkWindowQueueItem *)tmp_list->prev->prev->prev->data
$34 = {window = 0x9a36010, serial = 4294966893, type = GDK_WINDOW_QUEUE_ANTIEXPOSE, u = {translate = {
      dx = 161807208, dy = 16}, antiexpose = {area = 0x9a4fb68}}}

Other information:
The application will always crash after the internal gdk variable GdkWindowQueueItem::serial exceeds its max value, which causes the application to remove some very old, already-handled window in the _gdk_window_process_expose function (gdk/x11/gdkgeometry-x11.c); then a segv happens and the application crashes.
Comment 1 Hui Wang 2007-07-30 01:52:22 UTC
Created attachment 92667: Sample application to reproduce the bug
Comment 2 Hui Wang 2007-07-30 02:27:52 UTC
Created attachment 92669: gdkgeometry-x11.c.patch

A patch is created to work around this issue.
Comment 3 Tim Janik 2007-08-23 13:33:46 UTC
(In reply to comment #2)
> Created an attachment (id=92669)
> gdkgeometry-x11.c.patch
> 
> A patch is created to work around this issue

Please create patches with diff -up in the future, so readers don't need to re-diff. In any case, you're right that the serial comparison is buggy; however, the segfault is more due to lack of referential integrity in the node removal branch.
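The two defects named in comment 3 (a serial comparison that breaks when the counter wraps, and a removal branch that does not keep the list consistent while freeing), shown side by side in a constructed example. This is not code from GTK or from either attachment; the QueueItem struct and the helper functions are stand-ins written for this illustration.

```c
#include <stdlib.h>

/* Constructed stand-in for a GDK-style queue item (not GTK's own struct):
 * the X request serial it belongs to, plus a link to the next item. */
typedef struct QueueItem { unsigned long serial; struct QueueItem *next; } QueueItem;

/* Naive "item is older than the serial being processed" check: once the
 * counter wraps past ULONG_MAX, pre-wrap items compare as newer than every
 * post-wrap serial, so the queue is misordered from then on. */
static int older_naive(unsigned long item_serial, unsigned long now)
{
    return item_serial < now;
}

/* Wraparound-safe check: compare the signed distance instead of raw values
 * (correct while the queue spans less than half the counter range). */
static int older_safe(unsigned long item_serial, unsigned long now)
{
    return (long)(item_serial - now) < 0;
}

/* Drop every item the predicate calls expired. Unlink before free and walk
 * via the link pointer, so no freed node is ever dereferenced. */
static int expire(QueueItem **head, unsigned long now,
                  int (*older)(unsigned long, unsigned long))
{
    int freed = 0;
    for (QueueItem **link = head; *link; ) {
        QueueItem *item = *link;
        if (!older(item->serial, now)) { link = &item->next; continue; }
        *link = item->next;
        free(item);
        freed++;
    }
    return freed;
}

/* Queue the serials (oldest first), expire against `now` with the chosen
 * check, free the rest, and report how many items were expired. */
static int expired_count(const unsigned long *serials, int n, unsigned long now,
                         int (*older)(unsigned long, unsigned long))
{
    QueueItem *head = NULL, **tail = &head;
    for (int i = 0; i < n; i++, tail = &(*tail)->next) {
        *tail = calloc(1, sizeof **tail);   /* calloc zeroes the next link */
        (*tail)->serial = serials[i];
    }
    int freed = expire(&head, now, older);
    while (head) { QueueItem *nx = head->next; free(head); head = nx; }
    return freed;
}
```

With a queue that straddles the wrap (two items just below ULONG_MAX, then serials 3 and 7) and a current serial of 5, the safe check expires the three older items while the naive check expires only the one with serial 3 and leaves the pre-wrap entries in place.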
Comment 4 Tim Janik 2007-08-23 13:37:25 UTC
Created attachment 94188: fix serial and node handling

Hui, please check if this patch fixes the crashers for you.
Bratsche, Tbf, can you please apply, test the test case and commit if this works?
Comment 5 Mathias Hasselmann (IRC: tbf) 2007-08-28 08:56:47 UTC
Running the sample program on my machine now. Let's see if and when it crashes.
Comment 6 Hui Wang 2007-08-28 09:02:26 UTC
Thanks for the patch. I am also running the sample application; I will update the result after the serial overflows.
Comment 7 Mathias Hasselmann (IRC: tbf) 2007-08-28 12:27:09 UTC
The sample program survived several overflows now.
Comment 8 Behdad Esfahbod 2007-09-10 17:43:43 UTC
This has caused a regression btw. Bug 474897.