Bug 9006

Summary: fbFetch() calls function ptr fetch even if NULL, crashing server
Product: xorg
Reporter: Anonymous Helper <anonymous>
Component: * Other
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: high
Keywords: have-backtrace
Version: 6.9.0
Hardware: x86 (IA32)
OS: FreeBSD
Bug Blocks: 10101

Description Anonymous Helper 2006-11-13 10:25:39 UTC
How to repeat:  x11perf -aa4trap1

Note that fetchProcForPicture returns a NULL function pointer.

(gdb) break fbFetch
Breakpoint 1 at 0x295050dd: file fbcompose.c, line 2629.
(gdb) c
Continuing.

Breakpoint 1, fbFetch (pict=0x83f5700, x=0, y=0, width=600, buffer=0xff000000)
    at fbcompose.c:2629
2629        fetchProc fetch = fetchProcForPicture(pict);
(gdb) n
2630        miIndexedPtr indexed = (miIndexedPtr) pict->pFormat->index.devPrivate;
(gdb) p fetch
$1 = 0
(gdb) p pict
$2 = 0x83f5700
(gdb) p *pict
$3 = {pDrawable = 0x84d0000, pFormat = 0x8231060, format = 134299648,
  refcnt = 1, id = 14680073, pNext = 0x0, repeat = 0, graphicsExposures = 0,
  subWindowMode = 0, polyEdge = 0, polyMode = 0, freeCompClip = 1,
  clientClipType = 0, componentAlpha = 0, repeatType = 0, unused = 19360,
  alphaMap = 0x0, alphaOrigin = {x = 0, y = 0}, clipOrigin = {x = 0, y = 0},
  clientClip = 0x0, dither = 0, stateChanges = 0, serialNumber = 351,
  pCompositeClip = 0x8405480, devPrivates = 0x83f5754, transform = 0x0,
  filter = 0, filter_params = 0x0, filter_nparams = 0, pSourcePict = 0x0}
(gdb) p/x *pict
$4 = {pDrawable = 0x84d0000, pFormat = 0x8231060, format = 0x8014000,
  refcnt = 0x1, id = 0xe00009, pNext = 0x0, repeat = 0x0,
  graphicsExposures = 0x0, subWindowMode = 0x0, polyEdge = 0x0,
  polyMode = 0x0, freeCompClip = 0x1, clientClipType = 0x0,
  componentAlpha = 0x0, repeatType = 0x0, unused = 0x4ba0, alphaMap = 0x0,
  alphaOrigin = {x = 0x0, y = 0x0}, clipOrigin = {x = 0x0, y = 0x0},
  clientClip = 0x0, dither = 0x0, stateChanges = 0x0, serialNumber = 0x15f,
  pCompositeClip = 0x8405480, devPrivates = 0x83f5754, transform = 0x0,
  filter = 0x0, filter_params = 0x0, filter_nparams = 0x0, pSourcePict = 0x0}
(gdb)
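The crash described in the report is a classic unchecked function-pointer dispatch: a lookup routine returns NULL for a picture format it has no fetcher for, and the caller invokes the result anyway. The following is an added example (not X server code) that reproduces the shape of the problem with constructed format ids and fetchers, and shows the defensive dispatch that refuses to call a NULL pointer and reports the unsupported format instead. All names (`fetch_proc_for_format`, `fetch_checked`, the `FMT_*` values) are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed picture-format identifiers for this example; they are not
 * the real X server format values. */
enum pict_format {
    FMT_A8R8G8B8 = 1,
    FMT_R5G6B5   = 2,
    FMT_UNKNOWN  = 99,  /* stands in for any format without a fetcher */
};

/* A fetcher reads `width` pixels starting at column x of row y into `buffer`.
 * Rows are ignored here to keep the example small. */
typedef void (*fetch_proc)(const uint32_t *src, int x, int y, int width,
                           uint32_t *buffer);

static void fetch_a8r8g8b8(const uint32_t *src, int x, int y, int width,
                           uint32_t *buffer)
{
    (void)y;
    for (int i = 0; i < width; i++)
        buffer[i] = src[x + i];
}

static void fetch_r5g6b5(const uint32_t *src, int x, int y, int width,
                         uint32_t *buffer)
{
    (void)y;
    for (int i = 0; i < width; i++) {
        uint32_t p = src[x + i] & 0xffffu;
        uint32_t r = (p >> 11) & 0x1f, g = (p >> 5) & 0x3f, b = p & 0x1f;
        /* Expand 5/6/5 bits into the top of each 8-bit channel, alpha opaque. */
        buffer[i] = 0xff000000u | (r << 19) | (g << 10) | (b << 3);
    }
}

/* Mirrors the role of fetchProcForPicture(): NULL means "no fetcher for
 * this format". The hazard is in how callers treat that NULL. */
static fetch_proc fetch_proc_for_format(int format)
{
    switch (format) {
    case FMT_A8R8G8B8: return fetch_a8r8g8b8;
    case FMT_R5G6B5:   return fetch_r5g6b5;
    default:           return NULL;
    }
}

/* Hardened dispatch: an unsupported format becomes an error return and a
 * log line rather than a jump through a NULL pointer.
 * Returns 0 on success, -1 when the format has no fetcher. */
int fetch_checked(int format, const uint32_t *src, int x, int y, int width,
                  uint32_t *buffer)
{
    fetch_proc fetch = fetch_proc_for_format(format);
    if (fetch == NULL) {
        fprintf(stderr, "fetch: no fetch routine for format %d\n", format);
        return -1;
    }
    fetch(src, x, y, width, buffer);
    return 0;
}

int main(void)
{
    /* Constructed sample scanline: one ARGB pixel followed by one 565 pixel. */
    const uint32_t src[4] = { 0x11223344u, 0xffffu, 0, 0 };
    uint32_t buf[4] = { 0 };

    printf("unknown format -> %d\n", fetch_checked(FMT_UNKNOWN, src, 0, 0, 4, buf));
    printf("a8r8g8b8       -> %d, pixel 0x%08x\n",
           fetch_checked(FMT_A8R8G8B8, src, 0, 0, 1, buf), buf[0]);
    printf("r5g6b5         -> %d, pixel 0x%08x\n",
           fetch_checked(FMT_R5G6B5, src, 1, 0, 1, buf), buf[0]);
    return 0;
}
```

The same pattern applies to any table-driven dispatch in server code: the lookup's NULL convention is only safe if every caller either checks it or the lookup is guaranteed total over the inputs a client can supply. Here the client chose the format, so the check belongs at the call site.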
Comment 1 Anonymous Helper 2006-11-13 10:26:25 UTC
Also turns out to be reported on a Debian list back in February:
http://lists.debian.org/debian-x/2006/02/msg00938.html
Comment 2 Daniel Stone 2007-02-27 01:34:39 UTC
Sorry about the phenomenal bug spam, guys.  Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Comment 3 Adam Jackson 2008-02-24 21:46:54 UTC
Pretty sure this is already fixed, but want to make sure it's looked at for 7.4.
Comment 4 Adam Jackson 2008-03-24 17:31:58 UTC
Trying to repro this with Xephyr gave me the delightful:

% DISPLAY=:7 x11perf -aa4trap1
x11perf: can't get visual info of default visual

With Xvfb, I do slightly better, in that the client crashes.  So we're doing better but not good.
Comment 5 Adam Jackson 2008-05-06 10:22:33 UTC
Trying again with a more recent build, I can't repro this in Xvfb.
