Xorg crashed with SIGSEGV in XkbStringText()

We've seen this bug in Fedora 10, but haven't been able to track it down yet.
https://bugzilla.redhat.com/show_bug.cgi?id=469572

In the meantime, this (incorrect!) patch may help.

From b4b000a22c40692d0da9023b77b6638c85d2ee32 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <email address hidden>
Date: Fri, 9 Jan 2009 09:17:53 +1000
Subject: [PATCH] xkb: always fail writing XKB geometries (479122)

This is unlikely the right fix, but oh well.
---
 xkb/xkbout.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/xkb/xkbout.c b/xkb/xkbout.c
index 229cc92..eed49a1 100644
--- a/xkb/xkbout.c
+++ b/xkb/xkbout.c
@@ -806,6 +806,9 @@ XkbGeometryPtr geom;
        _XkbLibError(_XkbErrMissingGeometry,"XkbWriteXKBGeometry",0);
        return False;
     }
+
+ return False;
+
     geom= xkb->geom;
     if (geom->name==None)
         fprintf(file,"xkb_geometry {\n\n");
--
1.6.0.6

Created an attachment (id=22875)
0001-xkb-Fix-wrong-colour-reference-in-XKB-geometry-copy.patch

That should do it, please give it a test.

Fix pushed as f5bf1fdaf36163d5c2f1b9b51df96326ebbb0e9c. Please reopen if the bug persists.

I used RPMs which you posted on the RedHat bugzilla bug and it seems to have worked. Using these rpms:

38953 2009-02-17 08:45 xorg-x11-server-common-1.5.3-12.fc10.x86_64.rpm
1581802 2009-02-17 08:45 xorg-x11-server-Xorg-1.5.3-12.fc10.x86_64.rpm

Thanks again.

Thanks for the confirmation.

Why wasn't the patch included with X Server 1.6.0?

Anyway, after upgrading to 1.6.0 and still experiencing X crashes, I've applied the colour-reference patch...to no avail, unfortunately. With 1.6.0, it is now even easier to reproduce here:
  setxkbmap -layout lt
  setxkbmap -layout us
  setxkbmap -layout lt

and voila:
Errors from xkbcomp are not fatal to the X server
[xkb] BOGUS LENGTH in write keyboard desc, expected 5928, got 5944

Backtrace:
0: /usr/bin/X(xorg_backtrace+0x3b) [0x8132a1b]
1: /usr/bin/X(xf86SigHandler+0x51) [0x80d3fc1]
2: [0xb8075400]
3: /lib/libc.so.6(cfree+0x9c) [0xb7c9f7bc]
4: /usr/bin/X(Xfree+0x21) [0x8136691]
5: /usr/bin/X [0x8192041]
6: /usr/bin/X(ProcXkbGetKbdByName+0xcfc) [0x8195c8c]
7: /usr/bin/X [0x819c608]
8: /usr/bin/X(Dispatch+0x33f) [0x808cd3f]
9: /usr/bin/X(main+0x3bd) [0x8071f3d]
10: /lib/libc.so.6(__libc_start_main+0xe5) [0xb7c486c5]
11: /usr/bin/X [0x8071401]

(In reply to comment #6)
> Why wasn't the patch included with X Server 1.6.0?

weird. it was nominated and labeled as merged. anyway - renominated for 1.6.1

I don't want to be bothersome, but I feel that my comment failed to
communicate the fact that I am still seeing the bug on 1.6.0 AND with
xkb-Fix-wrong-colour-reference-in-XKB-geometry-copy.patch applied.

Could I be seeing another bug? A local case? Is there anything I could
do to help track it down (I really want to be able to use setxkbmap)?

By the way, the 'incorrect' patch from #1 doesn't help either.

I've tried to do add some printf's, but didn't go far with them: I've
only found out that X crashes just after calling xfree
  xfree((char *)start);
in xkb.c:1409 (at the end of XkbSendMap function).

Created an attachment (id=23890)
xkb_debug_output.patch

thanks, I did notice that but I needed to look into it first. Can't reproduce it here, unfortunately, so we need your help. Some memory seems to get corrupted here, the length calculation is incorrect. It'd probably help to figure out which one. Can you apply this patch please and post the output. This should tell us which field writes more than it should.

Created an attachment (id=23906)
Log of a crashed X session, with xdb_debug patch applied

I ran startx (and xmonad was run from .xinitrc), opened urxvt and typed this:
setxkbmap -layout us
setxkbmap -layout lt
setxkbmap -layout us

...and it crashed.

Probably it doesn't matter here, but I reproduced the crash with a simpler Logitech USB keyboard, which produced mostly the same log.

I have the same problem on my box under
Linux echo-roman 2.6.27.19-3.2-pae #1 SMP 2009-02-25 15:40:44 +0100 i686 i686 i386 GNU/Linux
I use nvidia binary driver 180.29 (the problem have been seen on all 180.xx and some 177.?? version) with X server 1.5.2 in twin view. No Compiz.
I do not use KVM switch, so the summary is wrong with it.

Please, give a workaround or fix. It is very annoying.. :-(

part of lspci:
01:00.0 VGA compatible controller: nVidia Corporation G72 [GeForce 7300 LE] (rev a1) (prog-if 00 [VGA controller])
 Subsystem: Micro-Star International Co., Ltd. Device 034b
 Flags: bus master, fast devsel, latency 0, IRQ 16
 Memory at e1000000 (32-bit, non-prefetchable) [size=16M]
 Memory at d0000000 (64-bit, prefetchable) [size=256M]
 Memory at e0000000 (64-bit, non-prefetchable) [size=16M]
 Capabilities: [60] Power Management version 2
 Capabilities: [68] Message Signalled Interrupts: Mask- 64bit+ Count=1/1 Enable-
 Capabilities: [78] Express Endpoint, MSI 00
 Capabilities: [100] Virtual Channel <?>
 Capabilities: [128] Power Budgeting <?>
 Kernel driver in use: nvidia
 Kernel modules: nvidia, nvidiafb

Triple setxkbmap does not triggers crash but after the crash happens I have message on tty7 saying glibc detected double free or corruption and then a backtrace. It calls ProcXkbGetKbdByName and then xfree and ends up in libc cfree. Hope it helps.

Looks like the same issue as #21464, so marking as dupe.

*** This bug has been marked as a duplicate of bug 21464 ***