Created attachment 26899
Xorg.0.log from a crash

I have a semi-reproducible server crash running a custom XRandR client; I suspect it may be due to heap corruption, since it happens in various different routines. I'm running Xorg 1.6.0 and xserver-xorg-video-intel 2.7.1 from Ubuntu Jaunty xupdates (but the driver doesn't seem to be involved). On the machine where we see crashes, it crashes about 50% of the time when the client makes an XRandR request.

Here are two representative stacktraces:

Backtrace:
0: /usr/bin/X11/X(xorg_backtrace+0x26) [0x4f1b66]
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
2: /lib/libc.so.6 [0x7fced2df9040]
3: /lib/libc.so.6(memset+0xacb) [0x7fced2e4961b]
4: /usr/bin/X11/X(dixAllocatePrivate+0x146) [0x434706]
5: /usr/bin/X11/X(dixSetPrivate+0x53) [0x4347a3]
6: /usr/bin/X11/X(xf86SetCursor+0x1a0) [0x4b8520]
7: /usr/bin/X11/X [0x4b793f]
8: /usr/bin/X11/X [0x4b7b95]
9: /usr/bin/X11/X [0x4b55ef]
10: /usr/bin/X11/X(ProcRRSetScreenSize+0x176) [0x524c96]
11: /usr/bin/X11/X(Dispatch+0x364) [0x44e304]
12: /usr/bin/X11/X(main+0x3bd) [0x433d8d]
13: /lib/libc.so.6(__libc_start_main+0xe6) [0x7fced2de45a6]
14: /usr/bin/X11/X [0x433219]
Saw signal 11. Server aborting.

Backtrace:
0: /usr/bin/X11/X(xorg_backtrace+0x26) [0x4f1b66]
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
2: /lib/libc.so.6 [0x7fad593f0040]
3: /lib/libc.so.6(cfree+0x25) [0x7fad59437225]
4: /usr/bin/X11/X(dixFreePrivates+0x88) [0x434598]
5: /usr/bin/X11/X(FreeCursor+0x59) [0x443699]
6: /usr/bin/X11/X [0x4afba0]
7: /usr/bin/X11/X [0x4b7912]
8: /usr/bin/X11/X(miPointerUpdateSprite+0x1f1) [0x4db711]
9: /usr/bin/X11/X [0x4db8f7]
10: /usr/bin/X11/X [0x506c8a]
11: /usr/bin/X11/X [0x536f2d]
12: /usr/bin/X11/X [0x457967]
13: /usr/bin/X11/X(ProcChangeActivePointerGrab+0x110) [0x457fd0]
14: /usr/bin/X11/X(Dispatch+0x364) [0x44e304]
15: /usr/bin/X11/X(main+0x3bd) [0x433d8d]
16: /lib/libc.so.6(__libc_start_main+0xe6) [0x7fad593db5a6]
17: /usr/bin/X11/X [0x433219]
Saw signal 11. Server aborting.

We're attempting to reduce the (highly layered, portable) client to a standalone testcase. (It's a frontend for a virtual desktop product in which the guest is empowered to change the host's display resolution). It's quite likely that the X client sent cursor changes -- possibly with bizarre sizes -- and XRandR requests in quick succession (though I haven't managed to trace a crash yet) and perhaps it's triggering some sort of race condition?

Here's a chunk of an xtrace from the client doing a resize that didn't crash.

1244544067 000:<:0226: 16: Request(2): ChangeWindowAttributes window=0x01200023 value-list={background-pixel=0x00000000}
1244544067 001:<:0789: 8: Request(60): FreeGC gc=0x01400093
1244544067 000:<:0227: 16: Request(2): ChangeWindowAttributes window=0x01200022 value-list={background-pixel=0x00000000}
1244544067 001:<:078a: 16: Request(53): CreatePixmap depth=0x18 pid=0x01400099 drawable=0x01400006 width=32 height=32
1244544067 000:<:0228: 16: Request(2): ChangeWindowAttributes window=0x01200022 value-list={background-pixmap=None(0x00000000)}
1244544067 001:<:078b: 16: Request(55): CreateGC cid=0x0140009a drawable=0x01400099 values={}
1244544067 000:<:0229: 28: Request(12): ConfigureWindow window=0x01200024 values={x=15 y=128 width=16 height=1024}
1244544067 001:<:078c: 16: Request(53): CreatePixmap depth=0x18 pid=0x0140009b drawable=0x01400006 width=32 height=32
1244544067 000:<:022a: 16: Request(2): ChangeWindowAttributes window=0x01200022 value-list={background-pixel=0x00000000}
1244544067 001:<:078d: 16: Request(55): CreateGC cid=0x0140009c drawable=0x0140009b values={}
1244544067 000:<:022b: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003b config-timestamp=0x01e7d2cc
1244544067 001:<:078e:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x01400099 gc=0x0140009a width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:078f:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x0140009b gc=0x0140009c width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:0790: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=0 src-width=16 src-height=16 dst-x=0 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:>:0790: Event ConfigureNotify(22) event=0x01200023 window=0x01200023 above-sibling=0x01200024 x=128 y=16 width=1024 height=768 border-width=0 override-redirect=false(0x00)
1244544067 001:>:0790: Event Expose(12) window=0x01400006 x=0 y=732 width=1024 height=36 count=0x0000
1244544067 000:>:022b: Event ConfigureNotify(22) event=0x01200023 window=0x01200023 above-sibling=0x01200024 x=128 y=16 width=1024 height=768 border-width=0 override-redirect=false(0x00)
1244544067 000:>:022b: Event Expose(12) window=0x01200022 x=117 y=34 width=11 height=732 count=0x0001
1244544067 000:>:022b: Event Expose(12) window=0x01200022 x=1152 y=34 width=11 height=732 count=0x0000
1244544067 000:>:022b: Event ConfigureNotify(22) event=0x01200024 window=0x01200024 above-sibling=None(0x00000000) x=128 y=16 width=1024 height=768 border-width=0 override-redirect=false(0x00)
1244544067 000:>:0x022b:48: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x00000000 width[mm]=0 height[mm]=0 connection=Disconnected(0x01) subpixel-order=0x0200 crtcs=0x00000039,0x0000003a; modes=; preferred modes=0 clonecount=0 name='VGA'
1244544067 000:<:022c: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003c config-timestamp=0x01e7d2cc
1244544067 001:<:0791: 8: Request(3): GetWindowAttributes window=0x01200023
1244544067 001:<:0792: 8: Request(14): GetGeometry drawable=0x01200023
1244544067 001:>:0x0791:44: Reply to GetWindowAttributes: backing-store=NotUseful(0x00) visual=0x00000021 class=InputOutput(0x0001) bit-gravity=NorthWest(0x01) win-gravity=NorthWest(0x01) backing-planes=0xffffffff backing-pixel=0x00000000 save-under=false(0x00) map-is-installed=true(0x01) map-state=Viewable(0x02) override-redirect=false(0x00) colormap=0x00000020 all-event-masks=ButtonPress,ButtonRelease,EnterWindow,LeaveWindow,PointerMotion,Exposure,VisibilityChange,StructureNotify,FocusChange,PropertyChange your-event-mask=ButtonPress,ButtonRelease,EnterWindow,LeaveWindow,PointerMotion,VisibilityChange,StructureNotify,FocusChange,PropertyChange do-not-propagate-mask=KeyPress,KeyRelease,LeaveWindow,PointerMotion unused=0x0000
1244544067 001:>:0x0792:32: Reply to GetGeometry: depth=0x18 root=0x000000aa x=128 y=16 width=1024 height=768 border-width=0
1244544067 000:>:0x022c:120: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x0000003a width[mm]=331 height[mm]=207 connection=Connected(0x00) subpixel-order=0x0101 crtcs=0x0000003a; modes=0x0000003d,0x0000003e,0x0000003f,0x00000040,0x00000041,0x00000042,0x00000043,0x00000044,0x00000045,0x00000046,0x00000047,0x00000048,0x00000049,0x0000004a,0x0000004b,0x0000004c,0x0000004d,0x0000004e,0x0000004f; preferred modes=1 clonecount=0 name='LVDS'
1244544067 000:<:022d: 4: Request(43): GetInputFocus
1244544067 000:>:0x022d:32: Reply to GetInputFocus: revert-to=Parent(0x02) focus=0x01200006
1244544067 000:<:022e: 12: RANDR-Request(150,20): RandrGetCrtcInfo crtc=0x00000039 config-timestamp=0x01e7d2cc
1244544067 000:>:0x022e:36: Reply to RandrGetCrtcInfo: status=Success(0x00) timestamp=0x01e7d2cc x=0 y=0 width=0 height=0 mode=0x00000000 current rr=Rotate_0 possible rr=Rotate_0,Rotate_90,Rotate_180,Rotate_270,Reflect_X,Reflect_Y outputs=; possible outputs=0x0000003b;
1244544067 000:<:022f: 12: RANDR-Request(150,20): RandrGetCrtcInfo crtc=0x0000003a config-timestamp=0x01e7d2cc
1244544067 000:>:0x022f:44: Reply to RandrGetCrtcInfo: status=Success(0x00) timestamp=0x01e7d2cc x=0 y=0 width=1280 height=800 mode=0x0000003d current rr=Rotate_0 possible rr=Rotate_0,Rotate_90,Rotate_180,Rotate_270,Reflect_X,Reflect_Y outputs=0x0000003c; possible outputs=0x0000003b,0x0000003c;
1244544067 000:<:0230: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003b config-timestamp=0x01e7d2cc
1244544067 000:>:0x0230:48: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x00000000 width[mm]=0 height[mm]=0 connection=Disconnected(0x01) subpixel-order=0x0200 crtcs=0x00000039,0x0000003a; modes=; preferred modes=0 clonecount=0 name='VGA'
1244544067 000:<:0231: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003c config-timestamp=0x01e7d2cc
1244544067 000:>:0x0231:120: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x0000003a width[mm]=331 height[mm]=207 connection=Connected(0x00) subpixel-order=0x0101 crtcs=0x0000003a; modes=0x0000003d,0x0000003e,0x0000003f,0x00000040,0x00000041,0x00000042,0x00000043,0x00000044,0x00000045,0x00000046,0x00000047,0x00000048,0x00000049,0x0000004a,0x0000004b,0x0000004c,0x0000004d,0x0000004e,0x0000004f; preferred modes=1 clonecount=0 name='LVDS'
1244544067 000:<:0232: 28: RANDR-Request(150,21): RandrSetCrtcConfig crtc=0x0000003a timestamp=0x00000000 config timestamp=0x01e7d2cc x=0 y=0 mode=0x00000000 rr=Rotate_0 outputs=;
1244544067 001:<:0793: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=732 src-width=1024 src-height=36 dst-x=0 dst-y=732 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:0794: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=0 src-width=64 src-height=32 dst-x=0 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:0795: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=912 src-y=0 src-width=64 src-height=32 dst-x=912 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:0796: 8: Request(54): FreePixmap drawable=0x01400099
1244544067 001:<:0797: 8: Request(60): FreeGC gc=0x0140009a
1244544067 001:<:0798: 8: Request(54): FreePixmap drawable=0x0140009b
1244544067 001:<:0799: 8: Request(60): FreeGC gc=0x0140009c
1244544067 001:<:079a: 16: Request(53): CreatePixmap depth=0x18 pid=0x0140009d drawable=0x01400006 width=32 height=32
1244544067 001:<:079b: 16: Request(55): CreateGC cid=0x0140009e drawable=0x0140009d values={}
1244544067 001:<:079c: 16: Request(53): CreatePixmap depth=0x18 pid=0x0140009f drawable=0x01400006 width=32 height=32
1244544067 001:<:079d: 16: Request(55): CreateGC cid=0x014000a0 drawable=0x0140009f values={}
1244544067 001:<:079e:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x0140009d gc=0x0140009e width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:079f:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x0140009f gc=0x014000a0 width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:07a0: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=720 src-width=1024 src-height=48 dst-x=0 dst-y=720 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:07a1: 28: Request(62): CopyArea src-drawable=0x0140009d dst-drawable=0x01400006 gc=0x01400008 src-x=0 src-y=0 dst-x=502 dst-y=374 width=32 height=32
1244544067 001:<:07a2: 28: Request(62): CopyArea src-drawable=0x0140009f dst-drawable=0x01400006 gc=0x01400009 src-x=0 src-y=0 dst-x=502 dst-y=374 width=32 height=32
1244544067 001:<:07a3: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=0 src-width=1024 src-height=704 dst-x=0 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:07a4: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=720 src-width=1024 src-height=48 dst-x=0 dst-y=720 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
Here's another backtrace that shows up at a similar spot, although under different circumstances:

Backtrace:
0: /usr/bin/X11/X(xorg_backtrace+0x26) [0x4f1b66]
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
2: /lib/libc.so.6 [0x7fea3fcef040]
3: /usr/lib/libdrm_intel.so.1(drm_intel_bo_reference+0) [0x7fea3dcfd790]
4: /usr/lib/xorg/modules/drivers//intel_drv.so(i830_set_pixmap_bo+0x98) [0x7fea3df54088]
5: /usr/lib/xorg/modules/drivers//intel_drv.so [0x7fea3df2f9cc]
6: /usr/bin/X11/X [0x4b53f6]
7: /usr/bin/X11/X(ProcRRSetScreenSize+0x176) [0x524c96]
8: /usr/bin/X11/X(Dispatch+0x364) [0x44e304]
9: /usr/bin/X11/X(main+0x3bd) [0x433d8d]
10: /lib/libc.so.6(__libc_start_main+0xe6) [0x7fea3fcda5a6]
11: /usr/bin/X11/X [0x433219]
Saw signal 11. Server aborting.

Note that there are two active X clients at this time -- one bitblitting to the screen using SHM and another modifying the CRTC config using RandR. It's also possible that the drawing process is changing the cursor.

I'll try to get a trace from both processes now that I have a reliable reproduction testcase -- I'd appreciate suggestions of what kind of trace would be useful. (I'll start with xtrace, but it doesn't seem to understand all XRandR requests.)
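Added example, not part of the original report or of any X.org tool: a small parser for xtrace request lines in the format shown above, which lists the requests from other connections that sit next to each RandR mode-setting request. The names `parse_requests`, `interleaved` and `MODESET` are hypothetical, and the sample lines are abridged from the trace in the report with most arguments dropped.

```python
import re
from collections import Counter

# Request lines as xtrace prints them in the report:
#   "<time> <conn>:<:<seq>:<len>: [EXT-]Request(<opcode>): <Name> <args>"
REQ = re.compile(
    r"^(\d+) (\d+):<:([0-9a-f]+):\s*(\d+): (?:([\w-]+)-)?Request\(([\d,]+)\): (\w+)")

# Requests treated as display reconfiguration. RandrSetCrtcConfig is the one
# visible in the report's trace; extend the set if your tracer decodes more.
MODESET = {"RandrSetCrtcConfig"}

def parse_requests(trace):
    """Return client-to-server requests in trace order (events and replies skipped)."""
    out = []
    for line in trace.splitlines():
        m = REQ.match(line.strip())
        if m:
            ts, conn, seq, length, ext, _opcode, name = m.groups()
            out.append({"ts": int(ts), "conn": conn, "seq": int(seq, 16),
                        "len": int(length), "ext": ext or "core", "name": name})
    return out

def interleaved(trace, window=3, modeset=MODESET):
    """For each mode-setting request, count the requests from other connections
    that lie within `window` requests before or after it in the trace."""
    reqs = parse_requests(trace)
    hits = []
    for i, r in enumerate(reqs):
        if r["name"] not in modeset:
            continue
        near = reqs[max(0, i - window): i + window + 1]
        others = Counter((n["conn"], n["name"]) for n in near if n["conn"] != r["conn"])
        hits.append((r["conn"], r["seq"], others))
    return hits

# Sample input: lines abridged from the report's trace (arguments truncated).
SAMPLE = """\
1244544067 001:<:078f:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x0140009b
1244544067 000:<:0231: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003c
1244544067 000:>:0x0231:120: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc
1244544067 000:<:0232: 28: RANDR-Request(150,21): RandrSetCrtcConfig crtc=0x0000003a mode=0x00000000
1244544067 001:<:0793: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006
1244544067 001:<:0794: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006
1244544067 001:<:0796: 8: Request(54): FreePixmap drawable=0x01400099
"""

if __name__ == "__main__":
    for conn, seq, others in interleaved(SAMPLE):
        print(f"conn {conn} seq {seq:#06x}: mode set next to {dict(others)}")
```

Adjacency in the tracer's output is only a hint at the order in which the server processed the two clients' requests, so treat the result as a list of candidates for a reduced testcase.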
Does the original crash still happen with xserver 1.7.x?
(In reply to comment #2)
> Does the original crash still happen with xserver 1.7.x?

We've worked around the original crash by avoiding the failure case; to quote from the workaround commit message:

> Ungrab before changing video mode with xrandr, then regrab
> afterwards.
>
> When PROG1 invokes XRRSetScreenSize while PROG2 has the
> X pointer grab, X seems to complain by:
> - always: showing the X cursor inappropriately
> - sometimes: segv'ing
>
> If PROG2 relinquishes the pointer grab before the XRR
> call, neither of these seems to happen.

(I've redacted internal unreleased codenames to PROG1 and PROG2 above.)

I'll try removing the workaround to see if I can reproduce with the current codebase.
Mass closure: This bug has been untouched for more than six years, and is not obviously still valid. Please file a new report if you continue to experience issues with a current server.