Bug 36855

Summary: SIGSEGV when opening email - Address out of bounds in RADEONUploadToScreenCS
Product: xorg
Reporter: Bryce Harrington <bryce>
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED INVALID
QA Contact: Xorg Project Team <xorg-team>
Severity: major
Priority: high
CC: biguphpc
Version: 7.6 (2010.12)
Hardware: x86 (IA32)
OS: Linux (All)
Attachments:
  BootDmesg.txt
  CurrentDmesg.txt
  CurrentDmesg.txt
  XorgLog.txt
  Xorg.0.log.old
  gdb-Xorg3.txt
  valgring xserver log
  new valgrind log

Description Bryce Harrington 2011-05-04 14:10:33 UTC
Forwarding this bug from Ubuntu reporter Laurent Marchal:
http://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/766440

[Problem]
Invalid address causes segfault in RADEONCopySwap() called from RADEONUploadToScreenCS().  Reproducible crash opening an email attachment that is a large image.  Only occurs when compositing is enabled.

[Original Description]
When I open an image with a big picture as attachment, Xorg segfaults and restarts EVERY time I open the same email.

Program received signal SIGSEGV, Segmentation fault.
0x0003000e in ?? ()
(gdb) backtrace full
#5  0x080b201e in FatalError (f=0x81e9e74 "%s: VT_WAITACTIVE failed: %s\n") at ../../os/log.c:569
        args = 0xbf889464 "\341\236\036\b\335\025i\267\005"
        beenhere = 1
#6  0x08172326 in switch_to (vt=7, from=0x81e9ee1 "xf86CloseConsole") at ../../../../../hw/xfree86/os-support/linux/lnx_init.c:70
No locals.
#7  0x08172b3f in xf86CloseConsole () at ../../../../../hw/xfree86/os-support/linux/lnx_init.c:296
        vts = {v_active = 8, v_signal = 27476, v_state = 383}
        VT = {mode = 0 '\000', waitv = 0 '\000', relsig = 10, acqsig = 10, frsig = 0}
#8  0x080b6155 in ddxSigGiveUp (signo=7) at ../../../../hw/xfree86/common/xf86Init.c:915
        i = <value optimized out>
#9  0x080b6236 in SigAbortDDX (signo=7) at ../../../../hw/xfree86/common/xf86Init.c:988
        i = <value optimized out>
#10 0x080b1ea8 in SigAbortServer (signo=7) at ../../os/log.c:412
No locals.
#11 0x080b2941 in FatalSignal (signo=7) at ../../os/log.c:541
        beenhere = 1
#12 0x080a7b61 in OsSigHandler (signo=7, sip=0xbf8895cc, unused=0xbf88964c) at ../../os/osinit.c:154
No locals.
#13 <signal handler called>
No symbol table info available.
#14 __memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:195
No locals.
#15 0xb7316853 in RADEONCopySwap (dst=0xaefd6000 <Address 0xaefd6000 out of bounds>, 
    src=0xb67d8020 "\031\036\034\377\032\037\035\377\033 \037\377\033 \037\377\033 \037\377\033 \037\377\033 \036\377\033 \036\377\034\"\035\377\030\036\031\377\034\"\035\377\032\037\035\377\024\031\027\377\031\035\036\377\034 !\377\032\033\037\377\033\035\036\377\035\034\036\377\035\035\035\377\035\035\035\377 \036\035\377\036\034\033\377\034\035\031\377\037 \034\377\034\"\035\377\034\"\035\377\034!\037\377\032\037\035\377\031\036\035\377\031\036\035\377\034\036\036\377\036  \377\035\" \377\036#!\377\034! \377\035\"!\377\032\037 \377\030\035\036\377\033! \377\034\"!\377\033\"\037\377\037&#\377\036% \377\027\036\031\377\026\034\027\377\032 \033\377\032\037\035\377\030\033\031\377\037\037\037\377!\037\037\377"..., size=12288, swap=0) at /usr/include/bits/string3.h:52
No locals.
#16 0xb73979f1 in RADEONUploadToScreenCS (pDst=0x89e2998, x=0, y=0, w=3072, h=21, src=<value optimized out>, src_pitch=12288) at ../../src/radeon_exa_funcs.c:543
        pScreen = <value optimized out>
        pScrn = 0x84d77b8
        info = 0x84cc5d0
        driver_priv = 0x8a3c150
        scratch = <value optimized out>
        copy_dst = 0x8a188c8
        dst = <value optimized out>
        size = <value optimized out>
        datatype = 0
        dst_domain = 4
        dst_pitch_offset = <value optimized out>
        bpp = 144583064
        scratch_pitch = 12288
        copy_pitch = 12288
        ret = <value optimized out>
        flush = <value optimized out>
        r = 1
        i = <value optimized out>
        tiling_flags = 0
        pitch = 0
        __func__ = "RADEONUploadToScreenCS"


DistroRelease: Ubuntu 11.04
Package: xorg 1:7.6+4ubuntu3
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic-pae 2.6.38.2
Uname: Linux 2.6.38-8-generic-pae i686
Architecture: i386
CompizPlugins: [core,bailer,detection,composite,opengl,decor,mousepoll,vpswitch,regex,animation,snap,expo,move,compiztoolbox,place,grid,imgpng,gnomecompat,wall,ezoom,workarounds,staticswitcher,resize,fade,unitymtgrabhandles,scale,session,unityshell]
CompositorRunning: None
DRM.card0.LVDS.1:
status: connected
enabled: enabled
dpms: On
modes: 1440x900 1280x854 1280x800 1280x720 1152x768 1024x768 800x600 848x480 720x480 640x480
edid-base64: AP///////wAGr0cRAAAAAAEQAQOAHhN4Cof1lFdPjCcnUFQAAAABAQEBAQEBAQEBAQEBAQEBHCqgElKEDDBAIDMAL70QAAAYAAAADwAAAAAAAAAAAAAAAAAgAAAA/gBBVU8KICAgICAgICAgAAAA/gBCMTQxUFcwMSBWMSAKANE=
DRM.card0.VGA.1:
status: disconnected
enabled: disabled
dpms: Off
modes:
edid-base64:
Date: Tue Apr 19 14:24:17 2011
DistUpgraded: Log time: 2011-04-18 08:53:20.924956
DistroCodename: natty
DistroVariant: ubuntu
DkmsStatus: virtualbox-ose, 4.0.4, 2.6.38-8-generic-pae, i686: installed
GraphicsCard:
ATI Technologies Inc M64-S [Mobility Radeon X2300] [1002:7188] (prog-if 00 [VGA controller])
Subsystem: Hewlett-Packard Company 6910p [103c:30c1]
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
MachineType: Hewlett-Packard HP Compaq 6910p
PccardctlStatus:
Socket 0:
no card
Socket 1:
3.3V 16-bit PC Card
Subdevice 0 (function 0) bound to driver "pata_pcmcia"
ProcEnviron:
LANGUAGE=en_US:en
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/zsh
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.38-8-generic-pae root=UUID=ab190d60-22a0-4e2c-8662-496481d3fce8 ro vt.handoff=7
Renderer: Unknown
SourcePackage: xorg
UpgradeStatus: Upgraded to natty on 2011-04-18 (1 days ago)
version.compiz: compiz 1:0.9.4+bzr20110415-0ubuntu2
version.libdrm2: libdrm2 2.4.23-1ubuntu6
version.libgl1-mesa-dri: libgl1-mesa-dri 7.10.2-0ubuntu2
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 7.10.2-0ubuntu2
version.xserver-xorg: xserver-xorg 1:7.6+4ubuntu3
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.14.0-0ubuntu4
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.14.0-4ubuntu7
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20110107+b795ca6e-0ubuntu7
Comment 1 Bryce Harrington 2011-05-04 14:10:54 UTC
Created attachment 46333 [details]
BootDmesg.txt
Comment 2 Bryce Harrington 2011-05-04 14:11:14 UTC
Created attachment 46334 [details]
CurrentDmesg.txt
Comment 3 Bryce Harrington 2011-05-04 14:11:49 UTC
Created attachment 46335 [details]
CurrentDmesg.txt

xorg.conf specifies a Virtual rez
Comment 4 Bryce Harrington 2011-05-04 14:12:09 UTC
Created attachment 46336 [details]
XorgLog.txt
Comment 5 Bryce Harrington 2011-05-04 14:12:36 UTC
Created attachment 46337 [details]
Xorg.0.log.old
Comment 6 Bryce Harrington 2011-05-04 14:12:51 UTC
Created attachment 46338 [details]
gdb-Xorg3.txt
Comment 7 Michel Dänzer 2011-05-05 02:02:13 UTC
Is it possible that __memcpy_ssse3 accesses the destination beyond its bounds? Looks like it's a scratch BO exactly covering 63 pages...

Reproducing the problem with the X server running in valgrind might help clarify this.
Comment 8 Laurent Marchal 2011-05-17 08:41:43 UTC
Here's the valgrind log. The Xorg server doesn't crash under valgrind, but I guess that's normal.
Comment 9 Laurent Marchal 2011-05-17 08:42:19 UTC
Created attachment 46818 [details]
valgring xserver log
Comment 10 Michel Dänzer 2011-05-17 09:20:33 UTC
(In reply to comment #8)
> Here's the valgrind log. The Xorg server doesn't crash under valgrind, but I guess
> that's normal.

Yes, but the valgrind output doesn't mention RADEONUploadToScreenCS at all. The only thing that seems possibly related to the crash is the invalid read below; it looks like the X server or pixman is prematurely freeing memory still in use by other parts of the X server, which could cause all kinds of problems.

It might be useful if you could get another valgrind log with libpixman-1-0-dbg installed.

==6143== Invalid read of size 1
==6143==    at 0x40351DF: RecordAReply (record.c:613)
==6143==    by 0x8074E1D: _CallCallbacks (dixutils.c:743)
==6143==    by 0x80A7606: WriteToClient (callback.h:86)
==6143==    by 0x4034135: RecordFlushReplyBuffer (record.c:253)
==6143==    by 0x40341E3: RecordFlushAllContexts (record.c:870)
==6143==    by 0x8074E1D: _CallCallbacks (dixutils.c:743)
==6143==    by 0x80A76E7: FlushAllOutput (callback.h:86)
==6143==    by 0x80A7830: FlushIfCriticalOutputPending (io.c:711)
==6143==    by 0x806FF12: Dispatch (dispatch.c:364)
==6143==    by 0x806281B: main (main.c:287)
==6143==  Address 0x5d6cfc8 is 48 bytes inside a block of size 188 free'd
==6143==    at 0x4025BF0: free (vg_replace_malloc.c:366)
==6143==    by 0x4100AA9: pixman_image_unref (in /usr/lib/libpixman-1.so.0.20.2)
==6143==    by 0x49AD630: free_pixman_pict (fbpict.c:362)
==6143==    by 0x49B29D9: fbRasterizeTrapezoid (fbtrap.c:65)
==6143==    by 0x49C7676: exaTrapezoids (exa_render.c:1175)
==6143==    by 0x811CC47: CompositeTrapezoids (picture.c:1746)
==6143==    by 0x8122B50: ProcRenderTrapezoids (render.c:783)
==6143==    by 0x811D182: ProcRenderDispatch (render.c:2057)
==6143==    by 0x8070166: Dispatch (dispatch.c:431)
==6143==    by 0x806281B: main (main.c:287)
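The valgrind report quoted in comment 10 has the shape memcheck uses for every invalid heap access: an "Invalid read/write" line with the stack of the offending access, then an "Address ... is N bytes inside a block of size M free'd" (or "... alloc'd") line with the stack of the free or allocation. The following parser, an added example that is not part of this bug report or of the X server, pairs the two stacks so the access site and the free site can be read side by side and the report classified as a use-after-free or an out-of-bounds heap access. The sample input embeds the first frames of the report above plus a second, entirely constructed report (file names and addresses in it are invented) to show the "after a block ... alloc'd" wording valgrind prints for heap overruns.

```python
"""Pair valgrind memcheck access stacks with their free/alloc stacks."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: three frames of each stack from the report quoted
# in comment 10, followed by a constructed heap-overrun report (constructed.c
# and its addresses are invented for illustration).
SAMPLE_LOG = """\
==6143== Invalid read of size 1
==6143==    at 0x40351DF: RecordAReply (record.c:613)
==6143==    by 0x8074E1D: _CallCallbacks (dixutils.c:743)
==6143==    by 0x80A7606: WriteToClient (callback.h:86)
==6143==  Address 0x5d6cfc8 is 48 bytes inside a block of size 188 free'd
==6143==    at 0x4025BF0: free (vg_replace_malloc.c:366)
==6143==    by 0x4100AA9: pixman_image_unref (in /usr/lib/libpixman-1.so.0.20.2)
==6143==    by 0x49AD630: free_pixman_pict (fbpict.c:362)
==6143==
==6143== Invalid write of size 4
==6143==    at 0x08048ABC: fill_row (constructed.c:10)
==6143==    by 0x08048DEF: main (constructed.c:30)
==6143==  Address 0x4221050 is 0 bytes after a block of size 64 alloc'd
==6143==    at 0x4025F2C: malloc (vg_replace_malloc.c:236)
==6143==    by 0x08048D00: main (constructed.c:25)
==6143==
"""

LINE = re.compile(r"^==\d+==\s?(.*)$")
ACCESS = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (.+?) \((.*)\)$")
ADDRESS = re.compile(
    r"^Address 0x([0-9A-Fa-f]+) is (\d+) bytes (inside|before|after) "
    r"a block of size (\d+) (free'd|alloc'd)$")


@dataclass
class Frame:
    address: int
    function: str
    location: str


@dataclass
class Report:
    kind: str                          # "read" or "write"
    size: int                          # bytes accessed
    access_frames: List[Frame] = field(default_factory=list)
    address: Optional[int] = None
    offset: Optional[int] = None       # bytes from the block start/end
    relation: Optional[str] = None     # inside / before / after
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # free'd / alloc'd
    origin_frames: List[Frame] = field(default_factory=list)

    @property
    def classification(self) -> str:
        if self.block_state == "free'd":
            return "use-after-free"
        if self.block_state == "alloc'd" and self.relation in ("before", "after"):
            return "heap-out-of-bounds"
        return "unclassified"


def parse_memcheck(text: str) -> List[Report]:
    """Turn memcheck text into Report objects, one per invalid access."""
    reports: List[Report] = []
    current: Optional[Report] = None
    in_origin = False  # True once the "Address ..." line has been seen

    def finish():
        nonlocal current, in_origin
        if current is not None:
            reports.append(current)
        current, in_origin = None, False

    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a valgrind line (e.g. interleaved program output)
        body = m.group(1).strip()
        if not body:
            finish()  # an empty "==PID==" line terminates a report
            continue
        if (a := ACCESS.match(body)):
            finish()
            current = Report(kind=a.group(1), size=int(a.group(2)))
            continue
        if current is None:
            continue
        if (f := FRAME.match(body)):
            frame = Frame(int(f.group(1), 16), f.group(2), f.group(3))
            (current.origin_frames if in_origin else current.access_frames).append(frame)
        elif (d := ADDRESS.match(body)):
            current.address = int(d.group(1), 16)
            current.offset = int(d.group(2))
            current.relation = d.group(3)
            current.block_size = int(d.group(4))
            current.block_state = d.group(5)
            in_origin = True
    finish()
    return reports


def summarize(report: Report) -> str:
    """One line: class, access site, and the first non-allocator origin frame."""
    access = report.access_frames[0].function if report.access_frames else "?"
    origin = next((fr.function for fr in report.origin_frames
                   if fr.function not in ("free", "malloc", "calloc", "realloc")), "?")
    return (f"{report.classification}: {report.kind} of {report.size} byte(s) in "
            f"{access}, block of {report.block_size} bytes {report.block_state} via {origin}")


if __name__ == "__main__":
    for r in parse_memcheck(SAMPLE_LOG):
        print(summarize(r))
```

Run on the real log (`python3 parse_memcheck.py < valgrind.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the summary line for the first report names `RecordAReply` as the reader and `pixman_image_unref` as the freer, which is exactly the pairing comment 10 draws from the raw output; the classification distinguishes that use-after-free from the scratch-buffer overrun hypothesised in comment 7, which would surface as an "after a block ... alloc'd" report instead.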
Comment 11 Laurent Marchal 2011-06-09 13:46:52 UTC
I added the libpixman-1-0-dbg and re-traced using valgrind. Here's the log.
Comment 12 Laurent Marchal 2011-06-09 13:47:39 UTC
Created attachment 47791 [details]
new valgrind log
Comment 13 Michel Dänzer 2011-06-15 04:41:30 UTC
(In reply to comment #11)
> I added the libpixman-1-0-dbg and re-traced using valgrind. Here's the log.

Thanks. This log doesn't reference pixman anymore. Maybe the problem is actually with the record extension code using memory that has been freed / reallocated.
Comment 14 Adam Jackson 2018-06-12 18:43:14 UTC
Mass closure: This bug has been untouched for more than six years, and is not obviously still valid. Please file a new report if you continue to experience issues with a current server.