Bug 1390 - Server crash under specific operation
Summary: Server crash under specific operation
Alias: None
Product: xorg
Classification: Unclassified
Component: * Other (show other bugs)
Version: 6.8.0
Hardware: x86 (IA32) Linux (All)
: highest critical
Assignee: Xorg Project Team
QA Contact:
Depends on:
Reported: 2004-09-15 07:10 UTC by J. Scott Berg
Modified: 2011-10-15 15:55 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

host.def file used to build server (17.28 KB, text/plain)
2004-09-15 07:11 UTC, J. Scott Berg
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description J. Scott Berg 2004-09-15 07:10:20 UTC
Server 6.8.0, built with gcc-3.4.2 (same result with 3.4.1).  Using the mga
driver.  I'm attaching my host.def.  The server crashes when, under gnome-2.6
using yelp-2.6.3 (the help browser), I get to a point where it has a table of
contents with arrows on the left (try Desktop->User Guide).  Enter the arrow,
then leave; the server segfaults on exiting the arrow.  The readable part of the
backtrace is

#53 0x0819f70d in miComputeCompositeClip ()
#54 0x0815a22f in damagePolylines ()
#55 0x080bcadc in ProcPolyLine ()
#56 0x080c0bf1 in Dispatch ()
#57 0x080cca4c in main ()
Comment 1 J. Scott Berg 2004-09-15 07:11:46 UTC
Created attachment 913 [details]
host.def file used to build server
Comment 2 J. Scott Berg 2004-09-15 09:00:15 UTC
Almost forgot: the bug disappears when I run the server with -nolisten local.
Comment 3 J. Scott Berg 2004-09-16 06:24:13 UTC
The bug does not appear to be driver-dependent; I built it with the same setup
on a machine with a Radeon card, and had exactly the same result.
Comment 4 Andrew Church 2005-01-03 01:31:27 UTC
I've gotten what seems to be the same bug in 6.8.1; in my case, it's triggered
by clicking the fold/unfold arrow next to "Folders" in the Preferences dialog of
Gimp 2.2.1 (GTK 2.4.14).  The meaningful part of the backtrace looks like

#0  0x086cb540 in ?? ()
#1  0x667f3bcc in ?? ()
#2  0x3fd6a09e in ?? ()
#65 0x080c57aa in TryClientEvents (client=0x52, pEvents=0x3, count=0, mask=464,
filter=464, grab=0xbffff2ac) at events.c:1572
#66 0x0815ace9 in damagePolylines (pDrawable=0x8957550, pGC=0x8923b88, mode=0,
npt=4, ppt=0x896ba50) at damage.c:918
#67 0x080bcc91 in ProcPolyLine (client=0x8923700) at dispatch.c:1863
#68 0x080c0d7d in Dispatch () at dispatch.c:455
#69 0x080ccd28 in main (argc=2, argv=0xbffff9d4, envp=0x1d0) at main.c:442

but I think everything before ProcPolyLine() is bogus--when I disabled Damage,
the routine before it changed to malloc_set_state() at times and ValidateGC() at
other times, and sometimes I couldn't even get a backtrace at all.

The crash itself happens in xaaWideSegment() (xaaWideLine.c:416):

        if (projectRight) {
            double xap = xa + projectXoff;
            double yap = ya + projectYoff;
            bottomy = miPolyBuildEdge (xap, yap, xap * dx + yap * dy,
                                       -dy, dx, x2, y2, dx < 0, bottom);
            maxy = -ya + projectYoff;
        } else {
            bottomy = miPolyBuildEdge (xa, ya, 0.0,
                                        -dy, dx, x2, y2, dx < 0, bottom);
>>>>>       maxy = -ya;

and 0x86cb540 corresponds to

     c21:       e8 fc ff ff ff          call   c22 <XAAWideSegment+0x72e>
     c26:       f2 0f 10 8d 48 ff ff    movsd  0xffffff48(%ebp),%xmm1
     c2d:       ff 
     c2e:       89 c1                   mov    %eax,%ecx
>>>>>c30:       66 0f 57 0d 10 00 00    xorpd  0x10,%xmm1
     c37:       00 
     c38:       e9 e3 fe ff ff          jmp    b20 <XAAWideSegment+0x62c>
     c3d:       8b 95 24 ff ff ff       mov    0xffffff24(%ebp),%edx
     c43:       31 c0                   xor    %eax,%eax

where the 0x10 is a reference to a bitmask that (presumably) reverses the sign
of a double-precision value.  The problem seems to be that that 0x10 is
relocated to 0x86ca8a8, which is not 16-byte aligned and therefore generates a
GP fault, so I suspect the module loader may be at fault.

Compiling libxaa without optimizations (or, presumably, compiling with
-mno-sse2, though I haven't tried that yet) makes the bug go away.
Comment 5 Adam Jackson 2005-03-22 13:18:00 UTC
hm, very interesting.  i'll assume it's an elfloader bug for the moment.  do you
get the same crash when using dlloader?  you can enable dlloader modules by saying

#define MakeDllModules YES

in your host.def
Comment 6 J. Scott Berg 2005-03-22 14:52:49 UTC
Sorry, I had forgotten about this bug.  As far as I can tell the problem was a
gcc optimizer bug.  I've been building servers under gcc-3.4.3 up through 6.8.1
without problems.  Well, not without problems, but without THIS problem.  If
gcc-3.4.3 works for Andrew, then I think this should become NOTOURBUG.
Comment 7 Adam Jackson 2005-06-08 19:35:00 UTC
sounds like a gcc bug to me then.  please reopen if this resurfaces.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.