Server 6.8.0, built with gcc-3.4.2 (same result with 3.4.1). Using the mga driver. I'm attaching my host.def. The server crashes when, under gnome-2.6 using yelp-2.6.3 (the help browser), I get to a point where it has a table of contents with arrows on the left (try Desktop->User Guide). Enter the arrow, then leave; the server segfaults on exiting the arrow. The readable part of the backtrace is #53 0x0819f70d in miComputeCompositeClip () #54 0x0815a22f in damagePolylines () #55 0x080bcadc in ProcPolyLine () #56 0x080c0bf1 in Dispatch () #57 0x080cca4c in main ()
Created attachment 913 [details] host.def file used to build server
Almost forgot: the bug disappears when I run the server with -nolisten local.
The bug does not appear to be driver-dependent; I built it with the same setup on a machine with a Radeon card, and had exactly the same result.
I've gotten what seems to be the same bug in 6.8.1; in my case, it's triggered by clicking the fold/unfold arrow next to "Folders" in the Preferences dialog of Gimp 2.2.1 (GTK 2.4.14). The meaningful part of the backtrace looks like #0 0x086cb540 in ?? () #1 0x667f3bcc in ?? () #2 0x3fd6a09e in ?? () [...] #65 0x080c57aa in TryClientEvents (client=0x52, pEvents=0x3, count=0, mask=464, filter=464, grab=0xbffff2ac) at events.c:1572 #66 0x0815ace9 in damagePolylines (pDrawable=0x8957550, pGC=0x8923b88, mode=0, npt=4, ppt=0x896ba50) at damage.c:918 #67 0x080bcc91 in ProcPolyLine (client=0x8923700) at dispatch.c:1863 #68 0x080c0d7d in Dispatch () at dispatch.c:455 #69 0x080ccd28 in main (argc=2, argv=0xbffff9d4, envp=0x1d0) at main.c:442 but I think everything before ProcPolyLine() is bogus--when I disabled Damage, the routine before it changed to malloc_set_state() at times and ValidateGC() at other times, and sometimes I couldn't even get a backtrace at all. The crash itself happens in xaaWideSegment() (xaaWideLine.c:416): if (projectRight) { double xap = xa + projectXoff; double yap = ya + projectYoff; bottomy = miPolyBuildEdge (xap, yap, xap * dx + yap * dy, -dy, dx, x2, y2, dx < 0, bottom); maxy = -ya + projectYoff; } else { bottomy = miPolyBuildEdge (xa, ya, 0.0, -dy, dx, x2, y2, dx < 0, bottom); >>>>> maxy = -ya; } and 0x86cb540 corresponds to c21: e8 fc ff ff ff call c22 <XAAWideSegment+0x72e> c26: f2 0f 10 8d 48 ff ff movsd 0xffffff48(%ebp),%xmm1 c2d: ff c2e: 89 c1 mov %eax,%ecx >>>>>c30: 66 0f 57 0d 10 00 00 xorpd 0x10,%xmm1 c37: 00 c38: e9 e3 fe ff ff jmp b20 <XAAWideSegment+0x62c> c3d: 8b 95 24 ff ff ff mov 0xffffff24(%ebp),%edx c43: 31 c0 xor %eax,%eax where the 0x10 is a reference to a bitmask that (presumably) reverses the sign of a double-precision value. The problem seems to be that that 0x10 is relocated to 0x86ca8a8, which is not 16-byte aligned and therefore generates a GP fault, so I suspect the module loader may be at fault. Compiling libxaa without optimizations (or, presumably, compiling with -mno-sse2, though I haven't tried that yet) makes the bug go away.
hm, very interesting. i'll assume it's an elfloader bug for the moment. do you get the same crash when using dlloader? you can enable dlloader modules by saying #define MakeDllModules YES in your host.def
Sorry, I had forgotten about this bug. As far as I can tell the problem was a gcc optimizer bug. I've been building servers under gcc-3.4.3 up through 6.8.1 without problems. Well, not without problems, but without THIS problem. If gcc-3.4.3 works for Andrew, then I think this should become NOTOURBUG.
sounds like a gcc bug to me then. please reopen if this resurfaces.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.