Summary: | SIGSEGV when opening email - Address out of bounds in RADEONUploadToScreenCS
---|---
Product: | xorg
Component: | Server/General
Status: | RESOLVED INVALID
Severity: | major
Priority: | high
Version: | 7.6 (2010.12)
Hardware: | x86 (IA32)
OS: | Linux (All)
Reporter: | Bryce Harrington <bryce>
Assignee: | Xorg Project Team <xorg-team>
QA Contact: | Xorg Project Team <xorg-team>
CC: | biguphpc

Description
Bryce Harrington
2011-05-04 14:10:33 UTC
Created attachment 46333: BootDmesg.txt

Created attachment 46334: CurrentDmesg.txt

Created attachment 46335: CurrentDmesg.txt

xorg.conf specifies a Virtual rez

Created attachment 46336: XorgLog.txt

Created attachment 46337: Xorg.0.log.old

Created attachment 46338: gdb-Xorg3.txt

Is it possible that __memcpy_ssse3 accesses the destination beyond its bounds? Looks like it's a scratch BO exactly covering 63 pages... Reproducing the problem with the X server running in valgrind might help clarify this.

Here's the valgrind log. The Xorg server doesn't crash under valgrind but I guess that's normal.

Created attachment 46818: valgrind xserver log

(In reply to comment #8)
> Here's the valgrind log. The Xorg server doesn't crash under valgrind but I guess
> that's normal.

Yes, but the valgrind output doesn't mention RADEONUploadToScreenCS at all. The only thing that seems possibly related to the crash is the invalid read below; it looks like the X server or pixman is prematurely freeing memory still in use by other parts of the X server, which could cause all kinds of problems. It might be useful if you could get another valgrind log with libpixman-1-0-dbg installed.

==6143== Invalid read of size 1
==6143==    at 0x40351DF: RecordAReply (record.c:613)
==6143==    by 0x8074E1D: _CallCallbacks (dixutils.c:743)
==6143==    by 0x80A7606: WriteToClient (callback.h:86)
==6143==    by 0x4034135: RecordFlushReplyBuffer (record.c:253)
==6143==    by 0x40341E3: RecordFlushAllContexts (record.c:870)
==6143==    by 0x8074E1D: _CallCallbacks (dixutils.c:743)
==6143==    by 0x80A76E7: FlushAllOutput (callback.h:86)
==6143==    by 0x80A7830: FlushIfCriticalOutputPending (io.c:711)
==6143==    by 0x806FF12: Dispatch (dispatch.c:364)
==6143==    by 0x806281B: main (main.c:287)
==6143==  Address 0x5d6cfc8 is 48 bytes inside a block of size 188 free'd
==6143==    at 0x4025BF0: free (vg_replace_malloc.c:366)
==6143==    by 0x4100AA9: pixman_image_unref (in /usr/lib/libpixman-1.so.0.20.2)
==6143==    by 0x49AD630: free_pixman_pict (fbpict.c:362)
==6143==    by 0x49B29D9: fbRasterizeTrapezoid (fbtrap.c:65)
==6143==    by 0x49C7676: exaTrapezoids (exa_render.c:1175)
==6143==    by 0x811CC47: CompositeTrapezoids (picture.c:1746)
==6143==    by 0x8122B50: ProcRenderTrapezoids (render.c:783)
==6143==    by 0x811D182: ProcRenderDispatch (render.c:2057)
==6143==    by 0x8070166: Dispatch (dispatch.c:431)
==6143==    by 0x806281B: main (main.c:287)

I added the libpixman-1-0-dbg and re-traced using valgrind. here's the log

Created attachment 47791: new valgrind log

(In reply to comment #11)
> I added the libpixman-1-0-dbg and re-traced using valgrind. here's the log

Thanks. This log doesn't reference pixman anymore. Maybe the problem is actually with the record extension code using memory that has been freed / reallocated.

Mass closure: This bug has been untouched for more than six years, and is not obviously still valid. Please file a new report if you continue to experience issues with a current server.
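
Added example, not part of the original bug thread and not code from Xorg or valgrind: a small Python parser that pairs the stack of an invalid access with the stack that freed the block, the two things compared by hand in the triage above. The function names are hypothetical, and the sample input is an excerpt of the memcheck report quoted on this page with frames trimmed.

```python
import re
# Constructed input: excerpt of the memcheck report quoted in the thread, frames trimmed.
SAMPLE = """\
==6143== Invalid read of size 1
==6143==    at 0x40351DF: RecordAReply (record.c:613)
==6143==    by 0x8074E1D: _CallCallbacks (dixutils.c:743)
==6143==  Address 0x5d6cfc8 is 48 bytes inside a block of size 188 free'd
==6143==    at 0x4025BF0: free (vg_replace_malloc.c:366)
==6143==    by 0x4100AA9: pixman_image_unref (in /usr/lib/libpixman-1.so.0.20.2)
==6143==    by 0x49AD630: free_pixman_pict (fbpict.c:362)
"""

PREFIX = re.compile(r"^==\d+==\s?")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
BLOCK = re.compile(r"^Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside "
                   r"a block of size (\d+) (free'd|alloc'd)$")
ALLOCATOR_FRAMES = {"free", "malloc", "calloc", "realloc"}  # wrapper frames to skip

def parse_memcheck(text):
    """Return one dict per invalid access, with its access stack and block stack."""
    errors, cur, stack = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := ERROR.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "access": [],
                   "block": None, "block_stack": []}
            errors.append(cur)
            stack = cur["access"]
        elif cur and (m := BLOCK.match(line)):
            cur["block"] = {"addr": m[1], "offset": int(m[2]),
                            "size": int(m[3]), "state": m[4]}
            stack = cur["block_stack"]  # following frames describe the free/alloc site
        elif cur and (m := FRAME.match(line)):
            stack.append((m[1], m[2]))
        elif not line:
            cur = None  # a blank line ends the current report
    return errors

def first_caller(stack):
    """First frame that is not the allocator wrapper itself, or None."""
    return next((f for f in stack if f[0] not in ALLOCATOR_FRAMES), None)

def summarize(err):
    user, freer = err["access"][0], first_caller(err["block_stack"])
    b = err["block"]
    return (f"{err['kind']} of {err['size']} byte(s) in {user[0]} ({user[1]}) at offset "
            f"{b['offset']} of a {b['size']}-byte block {b['state']} via {freer[0]} ({freer[1]})")
```

Running `summarize` over each entry of `parse_memcheck(log)` for two logs makes it easy to see when the freeing frame changes between runs, as it did between the two valgrind logs in this thread.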