Bug 1390

Summary: Server crash under specific operation
Product: xorg Reporter: J. Scott Berg <jsberg>
Component: * OtherAssignee: Xorg Project Team <xorg-team>
Status: CLOSED NOTOURBUG QA Contact:
Severity: critical    
Priority: highest CC: ajax
Version: 6.8.0   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
host.def file used to build server none

Description J. Scott Berg 2004-09-15 07:10:20 UTC
Server 6.8.0, built with gcc-3.4.2 (same result with 3.4.1).  Using the mga
driver.  I'm attaching my host.def.  The server crashes when, under gnome-2.6
using yelp-2.6.3 (the help browser), I get to a point where it has a table of
contents with arrows on the left (try Desktop->User Guide).  Enter the arrow,
then leave; the server segfaults on exiting the arrow.  The readable part of the
backtrace is

#53 0x0819f70d in miComputeCompositeClip ()
#54 0x0815a22f in damagePolylines ()
#55 0x080bcadc in ProcPolyLine ()
#56 0x080c0bf1 in Dispatch ()
#57 0x080cca4c in main ()
Comment 1 J. Scott Berg 2004-09-15 07:11:46 UTC
Created attachment 913 [details]
host.def file used to build server
Comment 2 J. Scott Berg 2004-09-15 09:00:15 UTC
Almost forgot: the bug disappears when I run the server with -nolisten local.
Comment 3 J. Scott Berg 2004-09-16 06:24:13 UTC
The bug does not appear to be driver-dependent; I built it with the same setup
on a machine with a Radeon card, and had exactly the same result.
Comment 4 Andrew Church 2005-01-03 01:31:27 UTC
I've gotten what seems to be the same bug in 6.8.1; in my case, it's triggered
by clicking the fold/unfold arrow next to "Folders" in the Preferences dialog of
Gimp 2.2.1 (GTK 2.4.14).  The meaningful part of the backtrace looks like

#0  0x086cb540 in ?? ()
#1  0x667f3bcc in ?? ()
#2  0x3fd6a09e in ?? ()
[...]
#65 0x080c57aa in TryClientEvents (client=0x52, pEvents=0x3, count=0, mask=464,
filter=464, grab=0xbffff2ac) at events.c:1572
#66 0x0815ace9 in damagePolylines (pDrawable=0x8957550, pGC=0x8923b88, mode=0,
npt=4, ppt=0x896ba50) at damage.c:918
#67 0x080bcc91 in ProcPolyLine (client=0x8923700) at dispatch.c:1863
#68 0x080c0d7d in Dispatch () at dispatch.c:455
#69 0x080ccd28 in main (argc=2, argv=0xbffff9d4, envp=0x1d0) at main.c:442

but I think everything before ProcPolyLine() is bogus--when I disabled Damage,
the routine before it changed to malloc_set_state() at times and ValidateGC() at
other times, and sometimes I couldn't even get a backtrace at all.

The crash itself happens in xaaWideSegment() (xaaWideLine.c:416):

        if (projectRight) {
            double xap = xa + projectXoff;
            double yap = ya + projectYoff;
            bottomy = miPolyBuildEdge (xap, yap, xap * dx + yap * dy,
                                       -dy, dx, x2, y2, dx < 0, bottom);
            maxy = -ya + projectYoff;
        } else {
            bottomy = miPolyBuildEdge (xa, ya, 0.0,
                                        -dy, dx, x2, y2, dx < 0, bottom);
>>>>>       maxy = -ya;
        }

and 0x86cb540 corresponds to

     c21:       e8 fc ff ff ff          call   c22 <XAAWideSegment+0x72e>
     c26:       f2 0f 10 8d 48 ff ff    movsd  0xffffff48(%ebp),%xmm1
     c2d:       ff 
     c2e:       89 c1                   mov    %eax,%ecx
>>>>>c30:       66 0f 57 0d 10 00 00    xorpd  0x10,%xmm1
     c37:       00 
     c38:       e9 e3 fe ff ff          jmp    b20 <XAAWideSegment+0x62c>
     c3d:       8b 95 24 ff ff ff       mov    0xffffff24(%ebp),%edx
     c43:       31 c0                   xor    %eax,%eax

where the 0x10 is a reference to a bitmask that (presumably) reverses the sign
of a double-precision value.  The problem seems to be that that 0x10 is
relocated to 0x86ca8a8, which is not 16-byte aligned and therefore generates a
GP fault, so I suspect the module loader may be at fault.

Compiling libxaa without optimizations (or, presumably, compiling with
-mno-sse2, though I haven't tried that yet) makes the bug go away.
Comment 5 Adam Jackson 2005-03-22 13:18:00 UTC
hm, very interesting.  i'll assume it's an elfloader bug for the moment.  do you
get the same crash when using dlloader?  you can enable dlloader modules by saying

#define MakeDllModules YES

in your host.def
Comment 6 J. Scott Berg 2005-03-22 14:52:49 UTC
Sorry, I had forgotten about this bug.  As far as I can tell the problem was a
gcc optimizer bug.  I've been building servers under gcc-3.4.3 up through 6.8.1
without problems.  Well, not without problems, but without THIS problem.  If
gcc-3.4.3 works for Andrew, then I think this should become NOTOURBUG.
Comment 7 Adam Jackson 2005-06-08 19:35:00 UTC
sounds like a gcc bug to me then.  please reopen if this resurfaces.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.