Bug 24181

Summary: Reproducible segfault in miPointerUpdateSprite()
Product: xorg Reporter: Martin Jansa <Martin.Jansa>
Component: Server/General Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED MOVED QA Contact: Xorg Project Team <xorg-team>
Severity: major    
Priority: medium CC: peter.hutterer
Version: git   
Hardware: ARM   
OS: Linux (All)   
Attachments:
backtrace - better format (flags: none)
227_null_ptr_midispcur.patch (flags: none)

Description Martin Jansa 2009-09-27 01:54:09 UTC
Hello,

On armv4t (Neo FreeRunner) we're using xorg from git master and the 1.7 branch. There is a reproducible segfault in miPointerUpdateSprite().

Not sure where exactly, because first it occurred in miDCRestoreUnderCursor(), so I commented this function out and tested again and it occurred in miDCSaveUnderCursor(), so I commented this one out too and it occurred in miDCPutUpCursor().

With all miPointerUpdateSprite() calls commented out it works well (just the cursor background isn't redrawn).

Another workaround is to run Xorg with -nocursor.

The easiest way to reproduce this is to run a terminal (vala-terminal) and an on-screen keyboard (illume-keyboard) and type very quickly. Maybe it's because every key-press is highlighted with the key drawn slightly above the keyboard, so we're redrawing the same part of the screen twice (for cursor-left redraw and key up & down - maybe some concurrency).

Maybe the problem lives in DDX driver for SMedia Glamo graphics http://git.openmoko.org/?p=xf86-video-glamo.git;a=summary

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x4001edc0 (LWP 1701)]
    0x0013c9b4 in miDCRestoreUnderCursor ()
    Current language:  auto; currently asm
    (gdb) back
    #0  0x0013c9b4 in miDCRestoreUnderCursor ()
    #1  0x00160780 in miSpriteRemoveCursor ()
    #2  0x00160934 in miSpriteSetCursor ()
    #3  0x00160a40 in miSpriteMoveCursor ()
    #4  0x00056ad4 in miPointerUpdateSprite ()
    #5  0x0009da28 in ProcXTestFakeInput ()
    #6  0x0004fc58 in Dispatch ()
    #7  0x000216a8 in main ()

    /* now i commented miDCRestoreUnderCursor out from Xorg */

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x4001edc0 (LWP 2175)]
    0x0013c8e4 in miDCSaveUnderCursor ()
    Current language:  auto; currently asm
    (gdb) back
    #0  0x0013c8e4 in miDCSaveUnderCursor ()
    #1  0x001602d4 in miSpriteSaveUnderCursor ()
    #2  0x0016078c in miSpriteSetCursor ()
    #3  0x001608e0 in miSpriteMoveCursor ()
    #4  0x00056ad4 in miPointerUpdateSprite ()
    #5  0x0009da28 in ProcXTestFakeInput ()
    #6  0x0004fc58 in Dispatch ()
    #7  0x000216a8 in main ()

    /* now i commented miDCSaveUnderCursor out from Xorg */

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x4001edc0 (LWP 2306)]
    0x0013d500 in miDCPutUpCursor ()
    Current language:  auto; currently asm
    (gdb) back
    #0  0x0013d500 in miDCPutUpCursor ()
    #1  0x0015ffc8 in miSpriteRestoreCursor ()
    #2  0x00160734 in miSpriteMoveCursor ()
    #3  0x00056ad4 in miPointerUpdateSprite ()
    #4  0x0009da20 in ProcXTestFakeInput ()
    #5  0x0004fc58 in Dispatch ()
    #6  0x000216a8 in main ()

    /* It works ok when I removed every miPointerUpdateSprite call, or when Xorg is executed with -nocursor */

    /* better backtrace */

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x404da000 (LWP 1748)]
    0x00232d34 in miDCSaveUnderCursor (pDev=0x32f728, pScreen=0x2c2a80, x=304, y=509, w=32, h=32) at midispcur.c:536
    536     midispcur.c: No such file or directory.
            in midispcur.c
    (gdb) break
    Breakpoint 1 at 0x232d34: file midispcur.c, line 536.
    (gdb) back
    #0  0x00232d34 in miDCSaveUnderCursor (pDev=0x32f728, pScreen=0x2c2a80, x=304, y=509, w=32, h=32) at midispcur.c:536
    #1  0x00270588 in miSpriteSaveUnderCursor (pDev=0x32f728, pScreen=0x2c2a80) at misprite.c:1039
    #2  0x0026fe20 in miSpriteSetCursor (pDev=0x32f728, pScreen=0x2c2a80, pCursor=0x335dd0, x=319, y=524) at misprite.c:902
    #3  0x0026ff74 in miSpriteMoveCursor (pDev=0x32f728, pScreen=0x2c2a80, x=319, y=524) at misprite.c:922
    #4  0x00082420 in miPointerUpdateSprite (pDev=0x32f728) at mipointer.c:428
    #5  0x00103d60 in ProcXTestFakeInput (client=0x453cd8) at xtest.c:454
    #6  0x00103ec0 in ProcXTestDispatch (client=0x453cd8) at xtest.c:487
    #7  0x0006e0a4 in Dispatch () at dispatch.c:445
    #8  0x000218c0 in main (argc=1, argv=0xbec36d14, envp=0xbec36d1c) at main.c:285
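
An added triage example, not part of the original report or of the X server code: it parses the three symbol-only backtraces above and returns the caller frames they all share, which is the usual basis for treating crashes with different faulting functions as one bug. The names `frames` and `common_callers` are hypothetical helpers; the frame lines are copied from the report.

```python
import re
from itertools import takewhile

# The three symbol-only backtraces from the report, innermost frame first.
BT_RESTORE = """
#0  0x0013c9b4 in miDCRestoreUnderCursor ()
#1  0x00160780 in miSpriteRemoveCursor ()
#2  0x00160934 in miSpriteSetCursor ()
#3  0x00160a40 in miSpriteMoveCursor ()
#4  0x00056ad4 in miPointerUpdateSprite ()
#5  0x0009da28 in ProcXTestFakeInput ()
#6  0x0004fc58 in Dispatch ()
#7  0x000216a8 in main ()
"""
BT_SAVE = """
#0  0x0013c8e4 in miDCSaveUnderCursor ()
#1  0x001602d4 in miSpriteSaveUnderCursor ()
#2  0x0016078c in miSpriteSetCursor ()
#3  0x001608e0 in miSpriteMoveCursor ()
#4  0x00056ad4 in miPointerUpdateSprite ()
#5  0x0009da28 in ProcXTestFakeInput ()
#6  0x0004fc58 in Dispatch ()
#7  0x000216a8 in main ()
"""
BT_PUTUP = """
#0  0x0013d500 in miDCPutUpCursor ()
#1  0x0015ffc8 in miSpriteRestoreCursor ()
#2  0x00160734 in miSpriteMoveCursor ()
#3  0x00056ad4 in miPointerUpdateSprite ()
#4  0x0009da20 in ProcXTestFakeInput ()
#5  0x0004fc58 in Dispatch ()
#6  0x000216a8 in main ()
"""

# "#N  [0xADDR in ]name (" ; addresses and arguments vary per build and are ignored.
FRAME = re.compile(r"^\s*#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([A-Za-z_]\w*)\s*\(", re.M)

def frames(bt):
    """Function names of a gdb backtrace, innermost first."""
    return FRAME.findall(bt)

def common_callers(*traces):
    """Caller frames shared by every trace, compared from main() inward."""
    stacks = [frames(t)[::-1] for t in traces]          # outermost first
    same = takewhile(lambda col: len(set(col)) == 1, zip(*stacks))
    return [col[0] for col in same][::-1]               # innermost first again

if __name__ == "__main__":
    print(common_callers(BT_RESTORE, BT_SAVE, BT_PUTUP))
```

The same regular expression also accepts the symbolized frames of the "better backtrace", since it stops at the opening parenthesis of the argument list.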
Comment 1 Martin Jansa 2009-09-27 01:56:45 UTC
Created attachment 29880
backtrace - better format
Comment 2 Stephen White 2010-07-22 02:36:59 UTC
Bug 29212 and bug 27942 look similar to this one.
Comment 3 Bryce Harrington 2013-02-08 02:13:22 UTC
Created attachment 74395
227_null_ptr_midispcur.patch

The stacktrace looks very similar to the one in this downstream Ubuntu bug:
https://bugs.launchpad.net/xorg-server/+bug/930936

The patch we added to Ubuntu for that bug is attached.  It was confirmed to fix the issue by that user, but would be helpful if others could test it as well.
Comment 4 Peter Hutterer 2013-02-12 05:04:22 UTC
(In reply to comment #3)
> The patch we added to Ubuntu for that bug is attached.  It was confirmed to
> fix the issue by that user, but would be helpful if others could test it as
> well.

It doesn't fix the issue, it merely papers over the crash. Would be useful to find a reproducible test case for the upstream git server. What versions do you see this one on? Launchpad suggests 1.10 and 1.11, both of which are out of date by now.
Comment 5 GitLab Migration User 2018-12-13 22:21:34 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/383.
