Bug 30367

Summary: X server segfaults when setting a property with xrandr on a non-existing output
Product: xorg Reporter: Tobias Droste <tdroste>
Component: Server/GeneralAssignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium Keywords: patch
Version: git   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on:    
Bug Blocks: 27592    
Attachments:
Description Flags
possible patch (set error numbers in RRExtensionInit) none

Description Tobias Droste 2010-09-24 17:17:37 UTC 
Running the command (notice the "-" before "HDMI-0"):

xrandr --output -HDMI-0 --set "underscan" "off"

causes an segfault at ProcRRGetOutputProperty in X server.

Running the right command works without problems (xrandr --output HDMI-0 --set "underscan" "off")

X: current git (1.9)
ddx (r600): current git (6.13)
kernel: 2.6.36-rc3
xrandr: 1.3
Comment 1 Tomas Carnecky 2010-09-25 05:13:34 UTC 
Program received signal SIGSEGV, Segmentation fault.
0x00000000004c4af4 in ProcRRGetOutputProperty (client=0xef0800) at rrproperty.c:604
604	    for (prev = &output->properties; (prop = *prev); prev = &prop->next)
(gdb) bt
#0  0x00000000004c4af4 in ProcRRGetOutputProperty (client=0xef0800) at rrproperty.c:604
#1  0x000000000042fe01 in Dispatch () at dispatch.c:432
#2  0x0000000000425375 in main (argc=4, argv=<value optimized out>, envp=<value optimized out>) at main.c:291
(gdb) p output
$1 = (RROutputPtr) 0x0

Interesting that VERIFY_RR_OUTPUT() returns Success when the output doesn't exist.
Comment 2 Tobias Droste 2010-09-27 17:40:31 UTC 
The problem is that RRExtensionInit() (randr/randr.c) is called _after_ RROutputInit() (randr/rroutput.c) which results in RRErrorBase being 0 while setting the error number of the resource type RROutput (BadRROutput (also 0)).

RRErrorBase+BadRROutput = 0+0 = 0 (0 == Success)

This error is returned by dixLookupResourceByType() (dix/resource.c) and _is_ equal to Success (which should not happen).

RRExtensionInit() has to be called _before_ RROutputInit() to get a RRErrorBase>0 and a BadRROutput!=Succes.
Comment 3 Tobias Droste 2010-09-27 19:15:11 UTC 
Created attachment 39000 [details] [review]
possible patch (set error numbers in RRExtensionInit)
Comment 4 Tobias Droste 2010-09-30 07:19:43 UTC 
fixed with 
http://cgit.freedesktop.org/xorg/xserver/commit/?id=c7e4222c9a27094ce4fc2831ac92acbb7b21fb1a 
(in xserver master)

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.