Bug 89956

Summary: Server crashes when drawing filled arcs that open up or down with xlib
Product: xorg
Reporter: Knut Olav Bøhmer <bohmer>
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All

Description Knut Olav Bøhmer 2015-04-08 14:44:05 UTC
(this is just a copy of https://bugs.archlinux.org/task/43937 )


Description: I'm taking an online AI class where the first project was to modify a Python pacman game. The game would crash the X server whenever it tried to draw pacman facing up or down. Multiple Arch users reported this bug as well, across multiple desktop environments and at least xf86-video-intel (HD4000) and xf86-video-nouveau (GeForce 6100). Python was using the Tk interface. This Tk script will cause the crash. (Run with "wish <file name>".) It will work as expected with -start 10 or -start 190 but will crash with -start 100 or -start 280. I was able to run an XCB program that drew arcs that open up and down as expected, but I don't know if that means anything.

#!/usr/bin/wish

canvas .myCanvas -background red -width 100 -height 100
pack .myCanvas
.myCanvas create arc 10 10 80 80 -fill yellow -start 100 -extent 340

-----
Xorg crash log
-----

(EE) [mi] EQ overflow continuing. 1000 events have been dropped.
(EE) [mi] No further overflow reports will be reported until the clog is cleared.
(EE)
(EE) Backtrace:
(EE) 0: /usr/lib/xorg-server/Xorg (QueuePointerEvents+0x52) [0x450382]
(EE) 1: /usr/lib/xorg/modules/input/evdev_drv.so (_init+0x2ef7) [0x7f9b2be02977]
(EE) 2: /usr/lib/xorg/modules/input/evdev_drv.so (_init+0x363d) [0x7f9b2be03c3d]
(EE) 3: /usr/lib/xorg-server/Xorg (DPMSSupported+0xe8) [0x476c98]
(EE) 4: /usr/lib/xorg-server/Xorg (xf86SerialModemClearBits+0x277) [0x4a05a7]
(EE) 5: /usr/lib/libc.so.6 (__restore_rt+0x0) [0x7f9b33b6453f]
(EE) 6: /usr/lib/libpthread.so.0 (__pthread_once_slow+0xc2) [0x7f9b33921e82]
(EE) 7: /usr/lib/libc.so.6 (backtrace+0x9c) [0x7f9b33c2636c]
(EE) 8: /usr/lib/libc.so.6 (backtrace_and_maps+0x2e) [0x7f9b33b50b25]
(EE) 9: /usr/lib/libc.so.6 (__libc_message+0x2ce) [0x7f9b33ba298e]
(EE) 10: /usr/lib/libc.so.6 (malloc_printerr+0x9e) [0x7f9b33ba7dee]
(EE) 11: /usr/lib/libc.so.6 (_int_malloc+0x3af) [0x7f9b33ba964f]
(EE) 12: /usr/lib/libc.so.6 (__libc_malloc+0x6e) [0x7f9b33bab81e]
(EE) 13: /lib64/ld-linux-x86-64.so.2 (_dl_scope_free+0x8c) [0x7f9b35a4185c]
(EE) 13: /lib64/ld-linux-x86-64.so.2 (_dl_scope_free+0x8c) [0x7f9b35a4185c]
(EE) 14: /lib64/ld-linux-x86-64.so.2 (_dl_map_object_deps+0xc8f) [0x7f9b35a3c7ef]
(EE) 15: /lib64/ld-linux-x86-64.so.2 (dl_open_worker+0xff) [0x7f9b35a424cf]
(EE) 16: /lib64/ld-linux-x86-64.so.2 (_dl_catch_error+0x74) [0x7f9b35a3e0a4]
(EE) 17: /lib64/ld-linux-x86-64.so.2 (_dl_open+0xc3) [0x7f9b35a41e53]
(EE) 18: /usr/lib/libc.so.6 (do_dlopen+0x3d) [0x7f9b33c4e1fd]
(EE) 19: /lib64/ld-linux-x86-64.so.2 (_dl_catch_error+0x74) [0x7f9b35a3e0a4]
(EE) 20: /usr/lib/libc.so.6 (dlerror_run+0x2f) [0x7f9b33c4e28f]
(EE) 21: /usr/lib/libc.so.6 (__libc_dlopen_mode+0x31) [0x7f9b33c4e301]
(EE) 22: /usr/lib/libc.so.6 (init+0x15) [0x7f9b33c26255]
(EE) 23: /usr/lib/libpthread.so.0 (__pthread_once_slow+0x7b) [0x7f9b33921e3b]
(EE) 24: /usr/lib/libc.so.6 (backtrace+0x9c) [0x7f9b33c2636c]
(EE) 25: /usr/lib/libc.so.6 (backtrace_and_maps+0x2e) [0x7f9b33b50b25]
(EE) 26: /usr/lib/libc.so.6 (__libc_message+0x2ce) [0x7f9b33ba298e]
(EE) 27: /usr/lib/libc.so.6 (malloc_printerr+0x9e) [0x7f9b33ba7dee]
(EE) 28: /usr/lib/libc.so.6 (_int_free+0x12b) [0x7f9b33ba85cb]
(EE) 29: /usr/lib/xorg-server/Xorg (miPolyFillArc+0x320) [0x574dc0]
(EE) 30: /usr/lib/xorg/modules/drivers/intel_drv.so (_init+0x3a2f4) [0x7f9b2e77a374]
(EE) 31: /usr/lib/xorg-server/Xorg (DamageRegionAppend+0x1597) [0x51ba57]
(EE) 32: /usr/lib/xorg-server/Xorg (SendGraphicsExpose+0xd64) [0x436114]
(EE) 33: /usr/lib/xorg-server/Xorg (SendErrorToClient+0x2f7) [0x438a97]
(EE) 34: /usr/lib/xorg-server/Xorg (remove_fs_handlers+0x41b) [0x43cbcb]
(EE) 35: /usr/lib/libc.so.6 (__libc_start_main+0xf0) [0x7f9b33b51800]
(EE) 36: /usr/lib/xorg-server/Xorg (_start+0x29) [0x427039]
(EE) 37: ? (?+0x29) [0x29]
(EE)
Comment 1 Chris Wilson 2015-04-08 16:12:44 UTC
It's a bug in miPolyFillArc. It is also hit by xts.
Comment 2 Knut Olav Bøhmer 2015-04-08 20:42:01 UTC
This patch fixes it for me.

http://marc.info/?l=freedesktop-xorg-devel&m=142850468414906&w=3
Comment 3 Adam Jackson 2018-06-12 15:41:44 UTC
datura:~/git/xserver% git describe --contains 41932dfbc841a1adc6512d41085ea3f8ebecb42c
xorg-server-1.17.99.901~152
datura:~/git/xserver% git show 41932dfbc841a1adc6512d41085ea3f8ebecb42c               
commit 41932dfbc841a1adc6512d41085ea3f8ebecb42c
Author: Keith Packard <keithp@keithp.com>
Date:   Wed Apr 8 07:45:28 2015 -0700

    mi: Partial pie-slice filled arcs may need more space for spans
    
    The mi filled arc code estimates that a filled arc will produce no
    more spans than the arc is tall. This is true for most arcs except
    for pie-slice arcs strictly between 180 and 360 degrees where the missing
    portion of the arc faces up or down such that we get two spans on some
    scanlines.
    
    For those, we need to reserve room for another height/2 spans. This
    patch just does it for all partial pie-sliced arcs to make the test
    easier to understand; it's just over-allocating a bit of memory, so
    that's safe.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>

diff --git a/mi/mifillarc.c b/mi/mifillarc.c
index 246d70ff4c..888519edfa 100644
--- a/mi/mifillarc.c
+++ b/mi/mifillarc.c
@@ -660,6 +660,11 @@ miPolyFillArc(DrawablePtr pDraw, GCPtr pGC, int narcs_all, xArc * parcs)
             if (narcs && nspans + arc->height > MAX_SPANS_PER_LOOP)
                 break;
             nspans += arc->height;
+
+            /* A pie-slice arc may add another pile of spans */
+            if (pGC->arcMode == ArcPieSlice &&
+                (-FULLCIRCLE < arc->angle2 && arc->angle2 < FULLCIRCLE))
+                nspans += (arc->height + 1) >> 1;
         }
 
         pts = points = malloc (sizeof (DDXPointRec) * nspans +
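Review bot: the cap check on the context line above the added block, `if (narcs && nspans + arc->height > MAX_SPANS_PER_LOOP)`, still counts only arc->height for the candidate arc, so a batch that contains pie slices can now exceed MAX_SPANS_PER_LOOP by the extra `(arc->height + 1) >> 1` spans per arc. The malloc below is sized from nspans, so the buffer still matches the count, but I would compute the per-arc span budget once and use that same value in both the limit check and the accumulation so the two cannot drift apart. The new comment could also say why half the height is the bound (two spans on some scanlines, as the commit message explains) and that the test deliberately covers every partial pie slice, not only those whose gap faces up or down.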

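The span-count argument in the commit message can be checked with a small model. The C program below is an added example, not code from the X server or from the patch author: it point-samples a disc with a narrow wedge missing and counts one span per run of filled pixels per scanline. The radius of 35, the atan(1/6) half-angle of the wedge, and the names `count_spans`, `old_budget` and `patched_budget` are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not the mi rasterizer: a disc of radius r with a narrow
 * wedge removed around the axis (ax, ay). dy > 0 means "above the centre". */
static int filled(int dx, int dy, int r, int ax, int ay)
{
    if (dx * dx + dy * dy > r * r)
        return 0;                          /* outside the disc */
    int dot = dx * ax + dy * ay;           /* component along the gap axis */
    int cross = dx * ay - dy * ax;         /* component across the gap axis */
    /* In the gap when within atan(1/6), about 9.5 degrees, of the axis. */
    return !(dot > 0 && 6 * abs(cross) < dot);
}

/* One span per horizontal run of filled pixels on each scanline. */
int count_spans(int r, int ax, int ay)
{
    int spans = 0;
    for (int dy = r; dy >= -r; dy--) {
        int prev = 0;
        for (int dx = -r; dx <= r; dx++) {
            int cur = filled(dx, dy, r, ax, ay);
            if (cur && !prev)
                spans++;                   /* a new run starts here */
            prev = cur;
        }
    }
    return spans;
}

/* Span budget before the fix: nspans += arc->height */
int old_budget(int height) { return height; }

/* Budget after the fix for a partial pie slice. */
int patched_budget(int height) { return height + ((height + 1) >> 1); }

int main(void)
{
    int r = 35, h = 2 * r + 1;             /* 71 scanlines */
    printf("gap up:    %d spans (old budget %d, patched %d)\n",
           count_spans(r, 0, 1), old_budget(h), patched_budget(h));
    printf("gap right: %d spans (old budget %d)\n",
           count_spans(r, 1, 0), old_budget(h));
    return 0;
}
```

With the gap facing up or down, the scanlines between the centre and the gap are split into two runs, which is the case the one-span-per-scanline budget missed; with the gap facing sideways every scanline still yields a single run.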