[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17807170#comment-17807170
 ] 

Simon Vogl edited comment on GUACAMOLE-1903 at 1/16/24 12:33 PM:
-----------------------------------------------------------------

One more tidbit: I installed the head revision of libvncclient, same behavior, 
but...

It really looks like a race condition - if I run guacd under valgrind (with 
memcheck, the default tool) on this dual-core VM, it behaves quite stably... :)

valgrind reports this at the very beginning:

{{guacd[1575205]: TRACE:  Server completed frame 864082397ms (0 logical 
frames)}}
{{guacd[1575205]: TRACE:  User confirmation of frame 864082397ms received at 
864082406ms (processing_lag=0ms, estimated_rtt=9ms)}}
{{guacd[1575205]: TRACE:  Server completed frame 864083883ms (0 logical 
frames)}}
{{==1575205== Thread 5:}}
{{==1575205== Invalid free() / delete / delete[] / realloc()}}
{{==1575205==    at 0x48399AB: free (vg_replace_malloc.c:538)}}
{{==1575205==    by 0x71DD658: HandleCursorShape (in 
/usr/local/lib/libvncclient.so.0.9.14)}}
{{==1575205==    by 0x71E404D: HandleRFBServerMessage (in 
/usr/local/lib/libvncclient.so.0.9.14)}}
{{==1575205==    by 0x71C9187: guac_vnc_client_thread (vnc.c:473)}}
{{==1575205==    by 0x488EEA6: start_thread (pthread_create.c:477)}}
{{==1575205==    by 0x4A37A2E: clone (clone.S:95)}}
{{==1575205==  Address 0x69bd370 is 0 bytes inside a block of size 1,024 
free'd}}
{{==1575205==    at 0x48399AB: free (vg_replace_malloc.c:538)}}
{{==1575205==    by 0x71C7ADD: guac_vnc_cursor (cursor.c:127)}}
{{==1575205==    by 0x71DD807: HandleCursorShape (in 
/usr/local/lib/libvncclient.so.0.9.14)}}
{{==1575205==    by 0x71E404D: HandleRFBServerMessage (in 
/usr/local/lib/libvncclient.so.0.9.14)}}
{{==1575205==    by 0x71C9187: guac_vnc_client_thread (vnc.c:473)}}
{{==1575205==    by 0x488EEA6: start_thread (pthread_create.c:477)}}
{{==1575205==    by 0x4A37A2E: clone (clone.S:95)}}
{{==1575205==  Block was alloc'd at}}
{{==1575205==    at 0x483877F: malloc (vg_replace_malloc.c:307)}}
{{==1575205==    by 0x71DD66F: HandleCursorShape (in 
/usr/local/lib/libvncclient.so.0.9.14)}}
{{==1575205==    by 0x71E404D: HandleRFBServerMessage (in 
/usr/local/lib/libvncclient.so.0.9.14)}}
{{==1575205==    by 0x71C9187: guac_vnc_client_thread (vnc.c:473)}}
{{==1575205==    by 0x488EEA6: start_thread (pthread_create.c:477)}}
{{==1575205==    by 0x4A37A2E: clone (clone.S:95)}}
{{==1575205== }}
{{guacd[1575205]: TRACE:  Server completed frame 864083920ms (0 logical 
frames)}}
{{guacd[1575205]: TRACE:  Server completed frame 864083951ms (0 logical 
frames)}}
{{guacd[1575205]: TRACE:  User confirmation of frame 864083883ms received at 
864083952ms (processing_lag=60ms, estimated_rtt=9ms)}}

 

... and: building & installing libvncclient with RelWithDebInfo hides the bug 
as well to a certain extent. It can be triggered quite consistently when the 
mouse cursor changes often (entering/leaving text fields, window resize 
cursors, ...).


> guacd 1.5.4/master double free issue
> ------------------------------------
>
>                 Key: GUACAMOLE-1903
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1903
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-server, guacd
>    Affects Versions: 1.5.4
>            Reporter: Simon Vogl
>            Priority: Major
>         Attachments: drd.log
>
>
> Hi all,
> we have a running 1.4 installation that serves vnc connections (only). I am 
> trying to upgrade to a recent code basis as we want to add some features 
> (alt-f4 etc on the OSD).
> I installed client and server versions 1.5.4 on a test machine and it works 
> only for some of our client boxes (ones in our office, p.ex.) but guacd dies 
> for other connections (at a remote site behind a firewall) with a 'double 
> free' error. Guacd seemingly dies when cursor movements happen on the web 
> client, and I saw it happen consistently when the mouse enters / leaves the 
> rendered remote display in the browser window.
> I ran guacd with the valgrind drd tool
> valgrind --tool=drd --trace-fork-join=yes /usr/local/sbin/guacd-1.5.4a -f -L 
> trace -b 127.0.0.1 -l 4822 -p /tmp/guacd.pid
> and captured the state in the attached drd.log when guacd died away.
>  
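
The sequence shown by the three stacks in the memcheck report (block allocated in the library's cursor handler, freed in the application callback, freed again in the handler) can be modelled as below. This is an added example, not guacd or libvncclient code: every name is hypothetical, and frees are recorded in a table instead of being executed twice so the program stays well-defined. Clearing the pointer in the callback is an assumed mitigation for illustration, not the project's confirmed fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model; all names are hypothetical. */
#define MAX_BLOCKS 16
static void *blocks[MAX_BLOCKS];  /* every block handed out in this run */
static int live[MAX_BLOCKS];      /* 1 while the block counts as allocated */
static int n_blocks, invalid_frees;

static void *tracked_alloc(size_t n) {
    if (n_blocks == MAX_BLOCKS) return NULL;
    void *p = malloc(n);
    if (p) { blocks[n_blocks] = p; live[n_blocks++] = 1; }
    return p;
}
/* Marks the block freed; a repeated free is counted, never executed. */
static void tracked_free(void *p) {
    if (!p) return;               /* free(NULL) is a no-op */
    for (int i = 0; i < n_blocks; i++)
        if (blocks[i] == p) {
            if (live[i]) live[i] = 0; else invalid_frees++;
            return;
        }
}
struct client {
    unsigned char *mask;                  /* cursor buffer allocated by the library */
    void (*got_cursor)(struct client *);  /* application callback */
};
/* Library side: release the previous buffer, allocate a new one, notify the app. */
static void handle_cursor_shape(struct client *c) {
    tracked_free(c->mask);
    c->mask = tracked_alloc(1024);
    if (c->mask) c->got_cursor(c);
}
/* Callback that frees the buffer but leaves the stale pointer behind. */
static void cb_free_only(struct client *c) { tracked_free(c->mask); }
/* Callback that frees and clears, so the library's next free sees NULL. */
static void cb_free_and_clear(struct client *c) { tracked_free(c->mask); c->mask = NULL; }

/* Runs `updates` cursor changes and returns the number of invalid frees. */
int invalid_frees_after(void (*cb)(struct client *), int updates) {
    struct client c = { NULL, cb };
    for (int i = 0; i < n_blocks; i++) free(blocks[i]);  /* release the previous run */
    n_blocks = invalid_frees = 0;
    for (int i = 0; i < updates; i++) handle_cursor_shape(&c);
    return invalid_frees;
}
int main(void) {
    printf("stale pointer kept:    %d invalid frees\n", invalid_frees_after(cb_free_only, 3));
    printf("pointer cleared:       %d invalid frees\n", invalid_frees_after(cb_free_and_clear, 3));
    return 0;
}
```

With a single cursor update neither callback produces an invalid free; the stale pointer only matters once the cursor shape changes again.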


