When the composite extension is enabled, X crashes when logging out of a second display. The problem is also described here: https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/119635. There seem to be some similar bugs in the xorg bugzilla, but at present none of them mentions that the freeze happens when logging out, hence the new bug. The backtrace of the crash is the following:

Program terminated with signal 6, Aborted.
#0  0xb7f48410 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7f48410 in ?? ()
#1  0xbfb0a3d8 in ?? ()
#2  0x00000006 in ?? ()
#3  0x00002f67 in ?? ()
#4  0xb7ccb101 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#5  0xb7ccc988 in *__GI_abort () at abort.c:88
#6  0xb7d01d5b in __libc_message (do_abort=2, fmt=0xb7db69c8 <Address 0xb7db69c8 out of bounds>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#7  0xb7d07aa0 in malloc_printerr (action=2, str=0xb7db6ac0 <Address 0xb7db6ac0 out of bounds>, ptr=<value optimized out>) at malloc.c:5887
#8  0xb7d09799 in *__GI___libc_free (mem=0x8254c90) at malloc.c:3622
#9  0xaf89f83b in _mesa_free (ptr=0x8254c90) at imports.c:116
#10 0xaf986a71 in XMesaDestroyVisual (v=0x8254c90) at xm_api.c:1486
#11 0xaf986697 in __glXMesaScreenDestroy (screen=0x820dab0) at xf86glx.c:286
#12 0xb7bfe43a in glxSuspendClients () at glxext.c:415
#13 0xb7bfd693 in __glXDispSwap_QueryServerString (cl=0x8256560, pc=0xbfb0a810 "04 1116038 /lib/ld-2.6.1.so\nb7f64000-b7f65000 rw-p 0001a000 fd:04 1116038 /lib/ld-2.6.1.so\nbfaf8000-bfb0e000 rw-p bfaf8000 00:00 0 [stack]\n /lib/libpthread-2.6.1.so\nb7f1d000-b7f1e000 "...) at glxcmdsswap.c:421
#14 0x0809979a in CloseDownExtensions () at extension.c:293
#15 0x08076914 in main (argc=2, argv=0xbfb0ad34, envp=Cannot access memory at address 0x2f6f ) at main.c:451
(gdb)
Created attachment 12723 [details] Patch that eliminates discrepancy in allocated sizes

So, X seems to be freeing memory that it did not allocate. Actually the problem is in xorg-server-1.3.0.0/GL/mesa/X/xf86glx.c. On line 326, pXMesaVisual is allocated with size screen->base.numVisuals * sizeof(XMesaVisual). Later, it is used up to size pScreen->numVisuals. Using a debugger, it is easy to see that these numbers need not be the same; in my case they are 8 and 9.
Created attachment 12724 [details] Fix potential out-of-bounds error

The routine init_screen_visuals() has even more dodgy bits: i is incremented even if no visual is used. Because of that, there seems to be no guarantee that i is not incremented beyond the end of the array. This small patch fixes that.
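Added example, not part of the bug report or of xorg's code, modelling the two defects the two comments above describe: a buffer sized by one visual count but indexed up to another, and a loop index that advances even when no visual is stored. The struct, function names and the 8-vs-9 sample list are constructed to mirror the numbers in the report.

```c
#include <stdlib.h>
/* Constructed stand-in for a screen's visual list, not xorg's own types.
 * The report saw screen->base.numVisuals == 8 and pScreen->numVisuals == 9. */
struct visual { int id; int usable; };
enum { DEMO_GL_COUNT = 8, DEMO_CORE_COUNT = 9 };
static const struct visual demo_visuals[DEMO_CORE_COUNT] = {
    {1, 1}, {2, 1}, {3, 0}, {4, 1}, {5, 1}, {6, 0}, {7, 1}, {8, 1}, {9, 1}
};
/* Loop shape the report describes: destination sized by the GLX count,
 * loop bounded by the core count, i advanced on every pass. Returns the
 * final i (slots that would have been written) without touching memory. */
size_t buggy_final_index(const struct visual *src, size_t core_count)
{
    size_t i = 0, j;
    for (j = 0; j < core_count; j++) {
        if (src[j].usable) { /* the store into the GLX-sized array went here */ }
        i++;                 /* advances even when nothing was stored */
    }
    return i;                /* 9 here: one past an 8-entry allocation */
}
/* Fixed shape: size the buffer by the count actually iterated, advance i
 * only when a slot is filled, and bound every write by the capacity.
 * Returns the number stored; *out is the buffer (caller frees) or NULL. */
size_t fill_visuals_fixed(const struct visual *src, size_t core_count,
                          int **out)
{
    size_t capacity = core_count, i = 0, j;
    int *buf = malloc((capacity ? capacity : 1) * sizeof *buf);
    *out = NULL;
    if (!buf) return 0;
    for (j = 0; j < core_count; j++) {
        if (!src[j].usable)
            continue;        /* skip without consuming a slot */
        if (i >= capacity)
            break;           /* explicit bound, in case the counts diverge again */
        buf[i++] = src[j].id;
    }
    *out = buf;
    return i;
}
/* Both shapes over the constructed list: 9 vs. 7 stored of 8 allocated. */
size_t demo_buggy_index(void) { return buggy_final_index(demo_visuals, DEMO_CORE_COUNT); }
size_t demo_fixed_count(void)
{
    int *buf;
    size_t n = fill_visuals_fixed(demo_visuals, DEMO_CORE_COUNT, &buf);
    free(buf);
    return n;
}
```

The buggy loop ends at index 9 against an 8-entry allocation, which is exactly the free() of memory past the block that glibc's malloc checks then abort on; the fixed loop stores 7 entries and can never exceed its own buffer.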
BTW, the instructions for reproducing this on launchpad are a bit complicated. An easier way is:
1) boot the system
2) from a command line use "startx /usr/bin/xterm -- :1" to open a new display
3) in the xterm that was just created, type "exit" and return
I'm running xorg-server-1.3.0.0-r1 and mesa-6.5.2-r1 on Gentoo.
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/52.