I am running Xserver 1.3.99.0 with pixman 0.9.4. While playing with Compiz on r300, I got the following crash: #0 0xb7ebf2df in pixman_blt_mmx (src_bits=0xa5f56070, dst_bits=0xa80e5070, src_stride=5564, dst_stride=1400, src_bpp=32, dst_bpp=32, src_x=0, src_y=970, dst_x=1408, dst_y=997, width=1274, height=17) at ../../pixman/pixman-mmx.c:2816 w = 5096 s = (uint8_t *) 0xa647bac8 "ööö" d = (uint8_t *) 0xa86397d0 <Address 0xa86397d0 out of bounds> src_bytes = (uint8_t *) 0xa647bac8 "ööö" dst_bytes = (uint8_t *) 0xa86397d0 <Address 0xa86397d0 out of bounds> byte_width = 5096 #1 0xb7eaf175 in pixman_blt (src_bits=0xa5f56070, dst_bits=0xa80e5070, src_stride=1391, dst_stride=1400, src_bpp=32, dst_bpp=32, src_x=0, src_y=970, dst_x=1408, dst_y=997, width=1274, height=18) at ../../pixman/pixman-utils.c:76 No locals. #2 0xb7946da7 in fbCopyNtoN (pSrcDrawable=0xa5f56008, pDstDrawable=0x8614468, pGC=0x95d5bf8, pbox=0x8449b48, nbox=3, dx=-1408, dy=-27, reverse=0, upsidedown=0, bitplane=0, closure=0x0) at ../../fb/fbcopy.c:64 _pPix = <value optimized out> alu = 3 '\003' pm = 4294967295 src = (FbBits *) 0xa5f56070 srcStride = 1391 srcBpp = 32 srcXoff = 0 srcYoff = 0 dst = (FbBits *) 0xa80e5070 dstStride = 1400 dstBpp = 32 dstXoff = -1400 dstYoff = -23 #3 0xb792cadf in exaCopyNtoN (pSrcDrawable=0xa5f56008, pDstDrawable=0x8614468, pGC=0x95d5bf8, pbox=0x8449b48, nbox=3, dx=-1408, dy=-27, reverse=0, upsidedown=0, bitplane=0, closure=0x0) at ../../exa/exa_accel.c:441 pExaScr = (ExaScreenPrivPtr) 0x8e7fc70 pSrcPixmap = <value optimized out> pDstPixmap = <value optimized out> src_off_x = <value optimized out> src_off_y = <value optimized out> dst_off_x = <value optimized out> dst_off_y = <value optimized out> pixmaps = {{as_dst = 1, as_src = 0, pPix = 0xa80e5008}, {as_dst = 0, as_src = 1, pPix = 0xa5f56008}} fallback = -1081396356 #4 0xb7945cb5 in fbCopyRegion (pSrcDrawable=0xa5f56008, pDstDrawable=0x8614468, pGC=0x95d5bf8, pDstRegion=0xbf8b3430, dx=-1408, dy=-27, copyProc=0xb792c950 <exaCopyNtoN>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:396 reverse = 0 upsidedown = 0 pbox = (BoxPtr) 0x8449b48 nbox = 3 pboxNew1 = <value optimized out> pboxNew2 = <value optimized out> pboxBase = (BoxPtr) 0xb795737c pboxNext = (BoxPtr) 0x3f8 pboxTmp = <value optimized out> #5 0xb79462df in fbDoCopy (pSrcDrawable=0xa5f56008, pDstDrawable=0x8614468, pGC=0x95d5bf8, xIn=0, yIn=0, widthSrc=1391, heightSrc=989, xOut=1408, yOut=27, copyProc=0xb792c950 <exaCopyNtoN>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:596 pBox = <value optimized out> cclip = <value optimized out> prgnSrcClip = (RegionPtr) 0x0 freeSrcClip = 0 prgnExposed = <value optimized out> rgnDst = {extents = {x1 = 1408, y1 = 27, x2 = 2798, y2 = 1015}, data = 0x8449b40} dx = -1408 dy = -27 box_x1 = <value optimized out> box_y1 = 0 box_x2 = <value optimized out> box_y2 = 1016 fastSrc = 1 fastDst = 0 fastExpose = 1 #6 0xb792c94c in exaCopyArea (pSrcDrawable=0xa5f56008, pDstDrawable=0x8614468, pGC=0x95d5bf8, srcx=0, srcy=0, width=1391, height=989, dstx=8, dsty=4) at ../../exa/exa_accel.c:479 No locals. #7 0x0816eba6 in damageCopyArea (pSrc=0xa5f56008, pDst=0x8614468, pGC=0x95d5bf8, srcx=0, srcy=0, width=1391, height=989, dstx=8, dsty=4) at ../../../miext/damage/damage.c:834 box = {x1 = 1408, y1 = 27, x2 = 2798, y2 = 1015} ret = <value optimized out> pGCPriv = (DamageGCPrivPtr) 0x95d5c80 oldFuncs = (GCFuncs *) 0x81df280 #8 0x0808af37 in ProcCopyArea (client=0x9964068) at ../../dix/dispatch.c:1802 pDst = (DrawablePtr) 0xa647bac8 pSrc = (DrawablePtr) 0xa5f56008 pGC = (GC *) 0x95d5bf8 pRgn = <value optimized out> rc = 5096 #9 0x0814cc71 in XaceCatchDispatchProc (client=0x9964068) at ../../Xext/xace.c:281 major = 62 #10 0x0808ce7b in Dispatch () at ../../dix/dispatch.c:502 result = <value optimized out> client = (ClientPtr) 0x9964068 nready = 0 start_tick = 17902300 #11 0x08074545 in main (argc=9, argv=0xbf8b3ad4, envp=0xf6f6f6) at ../../dix/main.c:452 pScreen = <value optimized out> i = <value optimized out> error = 136141792 xauthfile = <value optimized out> alwaysCheckForInput = {0, 1} I might have seen this crash twice today (I didn't have Xserver 1.3.99.0 before): I got another crash of the server in pixman, but I didn't have gdb attached at this point. It does not look easy to reproduce, but might well be related to CPU/GPU intensive Compiz effects (I was rotating the cube while the water/rain plugin was running, and it was getting very slow).
Aaron told me it could be related to bug #12015 which has been fixed today in Xserver master by commit 32666d77227fcd2c066de16bf3c07366f92b0457. I am trying to reproduce the problem with this patch (I couldn't so far). I'll close the bug if I can't reproduce within a day or so.
Still couldn't reproduce the problem, so I guess 32666d77227fcd2c066de16bf3c07366f92b0457 is the fix. It doesn't seem to have been backported into xserver-1.4-branch, it should be.
Unfortunately, I was wrong, I finally got another crash in pixman_blt with Aaron's patch applied. I didn't have gdb attached but the backtrace looks the same. 0: /usr/bin/X(xf86SigHandler+0x7e) [0x80c610e] 1: [0xffffe420] 2: /usr/lib/libpixman-1.so.0(pixman_blt+0x75) [0xb7e53175] 3: /usr/lib/xorg/modules//libfb.so(fbCopyNtoN+0x227) [0xb78eada7] 4: /usr/lib/xorg/modules//libexa.so(exaCopyNtoN+0x18f) [0xb78d0adf] 5: /usr/lib/xorg/modules//libfb.so(fbCopyRegion+0x95) [0xb78e9cb5] 6: /usr/lib/xorg/modules//libfb.so(fbDoCopy+0x46f) [0xb78ea2df] 7: /usr/lib/xorg/modules//libexa.so(exaCopyArea+0xdc) [0xb78d094c] 8: /usr/bin/X [0x816eba6] 9: /usr/bin/X(ProcCopyArea+0x1a7) [0x808af37] 10: /usr/bin/X [0x814cc71] 11: /usr/bin/X(Dispatch+0x2bb) [0x808ce7b] 12: /usr/bin/X(main+0x495) [0x8074545] 13: /lib/libc.so.6(__libc_start_main+0xe0) [0xb7c89050] 14: /usr/bin/X(FontFileCompleteXLFD+0x205) [0x8073881]
I had a similar problem every time i opened http://www.garfield.com/comics/comics_todays.html with the flash-plugin for mozilla. It boiled down to the combination of regions and dx/dy parameters of fbCopyNtoN addressing pixels outside the supplied drawables.
Created attachment 12189 [details] Patch to add clipping to some fbCopy functions for the Pixmap case
Is this still an issue with the xserver 1.5 branch? If so, I think it would be better if it could be handled at an intermediate level like fbDoCopy or fbCopyRegion, otherwise it'll have to be done in every other low level implementation like exaCopyNtoN as well.
I haven't tried to reproduce lately, I'll report back once I'll get 1.5-rc* + mesa 7.1-rc1 installed (hopefully within a couple days).
(In reply to comment #7) > I haven't tried to reproduce lately, I'll report back once I'll get 1.5-rc* + > mesa 7.1-rc1 installed (hopefully within a couple days). ping -- is this still an issue?
I do not have reliable way to reproduce this, but it looks like I got similar crash today on up-to-date Kubuntu Karmic: https://launchpad.net/bugs/449440
This issue is fixed, so I'm closing. If you have new issues, please open a new bug with a new backtrace, etc.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.