Bug 22340 - Xorg SEGV with display resizes (and cursor changes?)
Status: RESOLVED INVALID
Product: xorg
Classification: Unclassified
Component: Server/General
Version: 7.4 (2008.09)
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
 
Reported: 2009-06-17 18:17 UTC by Andy Isaacson
Modified: 2018-06-12 18:43 UTC


Attachments
Xorg.0.log from a crash (24.67 KB, text/plain)
2009-06-17 18:17 UTC, Andy Isaacson

Description Andy Isaacson 2009-06-17 18:17:53 UTC
Created attachment 26899
Xorg.0.log from a crash

I have a semi-reproducible server crash running a custom XRandR client; I suspect it may be due to heap corruption, since it happens in various different routines.  I'm running Xorg 1.6.0 and xserver-xorg-video-intel 2.7.1 from Ubuntu Jaunty xupdates (but the driver doesn't seem to be involved).

On the machine where we see crashes, it crashes about 50% of the time when the client makes an XRandR request.

Here are two representative stacktraces:

Backtrace:
0: /usr/bin/X11/X(xorg_backtrace+0x26) [0x4f1b66]
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
2: /lib/libc.so.6 [0x7fced2df9040]
3: /lib/libc.so.6(memset+0xacb) [0x7fced2e4961b]
4: /usr/bin/X11/X(dixAllocatePrivate+0x146) [0x434706]
5: /usr/bin/X11/X(dixSetPrivate+0x53) [0x4347a3]
6: /usr/bin/X11/X(xf86SetCursor+0x1a0) [0x4b8520]
7: /usr/bin/X11/X [0x4b793f]
8: /usr/bin/X11/X [0x4b7b95]
9: /usr/bin/X11/X [0x4b55ef]
10: /usr/bin/X11/X(ProcRRSetScreenSize+0x176) [0x524c96]
11: /usr/bin/X11/X(Dispatch+0x364) [0x44e304]
12: /usr/bin/X11/X(main+0x3bd) [0x433d8d]
13: /lib/libc.so.6(__libc_start_main+0xe6) [0x7fced2de45a6]
14: /usr/bin/X11/X [0x433219]
Saw signal 11. Server aborting.

Backtrace:
0: /usr/bin/X11/X(xorg_backtrace+0x26) [0x4f1b66]
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
2: /lib/libc.so.6 [0x7fad593f0040]
3: /lib/libc.so.6(cfree+0x25) [0x7fad59437225]
4: /usr/bin/X11/X(dixFreePrivates+0x88) [0x434598]
5: /usr/bin/X11/X(FreeCursor+0x59) [0x443699]
6: /usr/bin/X11/X [0x4afba0]
7: /usr/bin/X11/X [0x4b7912]
8: /usr/bin/X11/X(miPointerUpdateSprite+0x1f1) [0x4db711]
9: /usr/bin/X11/X [0x4db8f7]
10: /usr/bin/X11/X [0x506c8a]
11: /usr/bin/X11/X [0x536f2d]
12: /usr/bin/X11/X [0x457967]
13: /usr/bin/X11/X(ProcChangeActivePointerGrab+0x110) [0x457fd0]
14: /usr/bin/X11/X(Dispatch+0x364) [0x44e304]
15: /usr/bin/X11/X(main+0x3bd) [0x433d8d]
16: /lib/libc.so.6(__libc_start_main+0xe6) [0x7fad593db5a6]
17: /usr/bin/X11/X [0x433219]
Saw signal 11. Server aborting.

We're attempting to reduce the (highly layered, portable) client to a standalone testcase.  (It's a frontend for a virtual desktop product in which the guest is empowered to change the host's display resolution).  It's quite likely that the X client sent cursor changes -- possibly with bizarre sizes -- and XRandR requests in quick succession (though I haven't managed to trace a crash yet) and perhaps it's triggering some sort of race condition?

Here's a chunk of an xtrace from the client doing a resize that didn't crash.

1244544067 000:<:0226: 16: Request(2): ChangeWindowAttributes window=0x01200023  value-list={background-pixel=0x00000000}
1244544067 001:<:0789:  8: Request(60): FreeGC gc=0x01400093
1244544067 000:<:0227: 16: Request(2): ChangeWindowAttributes window=0x01200022  value-list={background-pixel=0x00000000}
1244544067 001:<:078a: 16: Request(53): CreatePixmap depth=0x18 pid=0x01400099 drawable=0x01400006 width=32 height=32
1244544067 000:<:0228: 16: Request(2): ChangeWindowAttributes window=0x01200022  value-list={background-pixmap=None(0x00000000)}
1244544067 001:<:078b: 16: Request(55): CreateGC cid=0x0140009a drawable=0x01400099  values={}
1244544067 000:<:0229: 28: Request(12): ConfigureWindow window=0x01200024  values={x=15 y=128 width=16 height=1024}
1244544067 001:<:078c: 16: Request(53): CreatePixmap depth=0x18 pid=0x0140009b drawable=0x01400006 width=32 height=32
1244544067 000:<:022a: 16: Request(2): ChangeWindowAttributes window=0x01200022  value-list={background-pixel=0x00000000}
1244544067 001:<:078d: 16: Request(55): CreateGC cid=0x0140009c drawable=0x0140009b  values={}
1244544067 000:<:022b: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003b config-timestamp=0x01e7d2cc
1244544067 001:<:078e:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x01400099 gc=0x0140009a width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:078f:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x0140009b gc=0x0140009c width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:0790: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=0 src-width=16 src-height=16 dst-x=0 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:>:0790: Event ConfigureNotify(22) event=0x01200023 window=0x01200023 above-sibling=0x01200024 x=128 y=16 width=1024 height=768 border-width=0 override-redirect=false(0x00)
1244544067 001:>:0790: Event Expose(12) window=0x01400006 x=0 y=732 width=1024 height=36 count=0x0000
1244544067 000:>:022b: Event ConfigureNotify(22) event=0x01200023 window=0x01200023 above-sibling=0x01200024 x=128 y=16 width=1024 height=768 border-width=0 override-redirect=false(0x00)
1244544067 000:>:022b: Event Expose(12) window=0x01200022 x=117 y=34 width=11 height=732 count=0x0001
1244544067 000:>:022b: Event Expose(12) window=0x01200022 x=1152 y=34 width=11 height=732 count=0x0000
1244544067 000:>:022b: Event ConfigureNotify(22) event=0x01200024 window=0x01200024 above-sibling=None(0x00000000) x=128 y=16 width=1024 height=768 border-width=0 override-redirect=false(0x00)
1244544067 000:>:0x022b:48: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x00000000 width[mm]=0 height[mm]=0 connection=Disconnected(0x01) subpixel-order=0x0200  crtcs=0x00000039,0x0000003a;  modes=; preferred modes=0 clonecount=0  name='VGA'
1244544067 000:<:022c: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003c config-timestamp=0x01e7d2cc
1244544067 001:<:0791:  8: Request(3): GetWindowAttributes window=0x01200023
1244544067 001:<:0792:  8: Request(14): GetGeometry drawable=0x01200023
1244544067 001:>:0x0791:44: Reply to GetWindowAttributes: backing-store=NotUseful(0x00) visual=0x00000021 class=InputOutput(0x0001) bit-gravity=NorthWest(0x01) win-gravity=NorthWest(0x01) backing-planes=0xffffffff backing-pixel=0x00000000 save-under=false(0x00) map-is-installed=true(0x01) map-state=Viewable(0x02) override-redirect=false(0x00) colormap=0x00000020 all-event-masks=ButtonPress,ButtonRelease,EnterWindow,LeaveWindow,PointerMotion,Exposure,VisibilityChange,StructureNotify,FocusChange,PropertyChange your-event-mask=ButtonPress,ButtonRelease,EnterWindow,LeaveWindow,PointerMotion,VisibilityChange,StructureNotify,FocusChange,PropertyChange do-not-propagate-mask=KeyPress,KeyRelease,LeaveWindow,PointerMotion unused=0x0000
1244544067 001:>:0x0792:32: Reply to GetGeometry: depth=0x18 root=0x000000aa x=128 y=16 width=1024 height=768 border-width=0
1244544067 000:>:0x022c:120: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x0000003a width[mm]=331 height[mm]=207 connection=Connected(0x00) subpixel-order=0x0101  crtcs=0x0000003a;  modes=0x0000003d,0x0000003e,0x0000003f,0x00000040,0x00000041,0x00000042,0x00000043,0x00000044,0x00000045,0x00000046,0x00000047,0x00000048,0x00000049,0x0000004a,0x0000004b,0x0000004c,0x0000004d,0x0000004e,0x0000004f; preferred modes=1 clonecount=0  name='LVDS'
1244544067 000:<:022d:  4: Request(43): GetInputFocus 
1244544067 000:>:0x022d:32: Reply to GetInputFocus: revert-to=Parent(0x02) focus=0x01200006
1244544067 000:<:022e: 12: RANDR-Request(150,20): RandrGetCrtcInfo crtc=0x00000039 config-timestamp=0x01e7d2cc
1244544067 000:>:0x022e:36: Reply to RandrGetCrtcInfo: status=Success(0x00) timestamp=0x01e7d2cc x=0 y=0 width=0 height=0 mode=0x00000000 current rr=Rotate_0 possible rr=Rotate_0,Rotate_90,Rotate_180,Rotate_270,Reflect_X,Reflect_Y  outputs=;  possible outputs=0x0000003b;
1244544067 000:<:022f: 12: RANDR-Request(150,20): RandrGetCrtcInfo crtc=0x0000003a config-timestamp=0x01e7d2cc
1244544067 000:>:0x022f:44: Reply to RandrGetCrtcInfo: status=Success(0x00) timestamp=0x01e7d2cc x=0 y=0 width=1280 height=800 mode=0x0000003d current rr=Rotate_0 possible rr=Rotate_0,Rotate_90,Rotate_180,Rotate_270,Reflect_X,Reflect_Y  outputs=0x0000003c;  possible outputs=0x0000003b,0x0000003c;
1244544067 000:<:0230: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003b config-timestamp=0x01e7d2cc
1244544067 000:>:0x0230:48: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x00000000 width[mm]=0 height[mm]=0 connection=Disconnected(0x01) subpixel-order=0x0200  crtcs=0x00000039,0x0000003a;  modes=; preferred modes=0 clonecount=0  name='VGA'
1244544067 000:<:0231: 12: RANDR-Request(150,9): RandrGetOutputInfo output=0x0000003c config-timestamp=0x01e7d2cc
1244544067 000:>:0x0231:120: Reply to RandrGetOutputInfo: timestamp=0x01e7d2cc current connected crtc=0x0000003a width[mm]=331 height[mm]=207 connection=Connected(0x00) subpixel-order=0x0101  crtcs=0x0000003a;  modes=0x0000003d,0x0000003e,0x0000003f,0x00000040,0x00000041,0x00000042,0x00000043,0x00000044,0x00000045,0x00000046,0x00000047,0x00000048,0x00000049,0x0000004a,0x0000004b,0x0000004c,0x0000004d,0x0000004e,0x0000004f; preferred modes=1 clonecount=0  name='LVDS'
1244544067 000:<:0232: 28: RANDR-Request(150,21): RandrSetCrtcConfig crtc=0x0000003a timestamp=0x00000000 config timestamp=0x01e7d2cc x=0 y=0 mode=0x00000000 rr=Rotate_0 outputs=;
1244544067 001:<:0793: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=732 src-width=1024 src-height=36 dst-x=0 dst-y=732 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:0794: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=0 src-width=64 src-height=32 dst-x=0 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:0795: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=912 src-y=0 src-width=64 src-height=32 dst-x=912 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:0796:  8: Request(54): FreePixmap drawable=0x01400099
1244544067 001:<:0797:  8: Request(60): FreeGC gc=0x0140009a
1244544067 001:<:0798:  8: Request(54): FreePixmap drawable=0x0140009b
1244544067 001:<:0799:  8: Request(60): FreeGC gc=0x0140009c
1244544067 001:<:079a: 16: Request(53): CreatePixmap depth=0x18 pid=0x0140009d drawable=0x01400006 width=32 height=32
1244544067 001:<:079b: 16: Request(55): CreateGC cid=0x0140009e drawable=0x0140009d  values={}
1244544067 001:<:079c: 16: Request(53): CreatePixmap depth=0x18 pid=0x0140009f drawable=0x01400006 width=32 height=32
1244544067 001:<:079d: 16: Request(55): CreateGC cid=0x014000a0 drawable=0x0140009f  values={}
1244544067 001:<:079e:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x0140009d gc=0x0140009e width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:079f:4120: Request(72): PutImage format=ZPixmap(0x02) drawable=0x0140009f gc=0x014000a0 width=32 height=32 dst-x=0 dst-y=0 left-pad=0x00 depth=0x18
1244544067 001:<:07a0: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=720 src-width=1024 src-height=48 dst-x=0 dst-y=720 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:07a1: 28: Request(62): CopyArea src-drawable=0x0140009d dst-drawable=0x01400006 gc=0x01400008 src-x=0 src-y=0 dst-x=502 dst-y=374 width=32 height=32
1244544067 001:<:07a2: 28: Request(62): CopyArea src-drawable=0x0140009f dst-drawable=0x01400006 gc=0x01400009 src-x=0 src-y=0 dst-x=502 dst-y=374 width=32 height=32
1244544067 001:<:07a3: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=0 src-width=1024 src-height=704 dst-x=0 dst-y=0 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000
1244544067 001:<:07a4: 40: MIT-SHM-Request(140,3): ShmPutImage drawable=0x01400006 gc=0x01400007 total-width=1024 total-height=768 src-x=0 src-y=720 src-width=1024 src-height=48 dst-x=0 dst-y=720 depth=24 format=ZPixmap(0x02) send-event=false(0x00) shmseg=0x01400098 offset=0x00000000

Comment 1 Andy Isaacson 2009-07-08 14:21:53 UTC
Here's another backtrace that shows up at a similar spot, although under different circumstances:

Backtrace:
0: /usr/bin/X11/X(xorg_backtrace+0x26) [0x4f1b66]
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
2: /lib/libc.so.6 [0x7fea3fcef040]
3: /usr/lib/libdrm_intel.so.1(drm_intel_bo_reference+0) [0x7fea3dcfd790]
4: /usr/lib/xorg/modules/drivers//intel_drv.so(i830_set_pixmap_bo+0x98) [0x7fea3df54088]
5: /usr/lib/xorg/modules/drivers//intel_drv.so [0x7fea3df2f9cc]
6: /usr/bin/X11/X [0x4b53f6]
7: /usr/bin/X11/X(ProcRRSetScreenSize+0x176) [0x524c96]
8: /usr/bin/X11/X(Dispatch+0x364) [0x44e304]
9: /usr/bin/X11/X(main+0x3bd) [0x433d8d]
10: /lib/libc.so.6(__libc_start_main+0xe6) [0x7fea3fcda5a6]
11: /usr/bin/X11/X [0x433219]
Saw signal 11.  Server aborting.

Note that there are two active X clients at this time -- one bitblitting to the screen using SHM and another modifying the CRTC config using RandR.  It's also possible that the drawing process is changing the cursor.  I'll try to get a trace from both processes now that I have a reliable reproduction testcase -- I'd appreciate suggestions of what kind of trace would be useful.  (I'll start with xtrace, but it doesn't seem to understand all XRandR requests.)
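
Added example (not part of the original report and not X.Org code): a small triage script that parses `xorg_backtrace` output like the three traces above and groups the faulting function by the request handler that was being served. The sample frames are abridged from this report; treating the first named frame above the signal handler as the fault site, and `Proc*` frames as request handlers, are assumptions of the script.

```python
import re
from collections import defaultdict

# One frame as printed in the report: "3: /lib/libc.so.6(memset+0xacb) [0x7fced2e4961b]"
FRAME = re.compile(r"^\s*\d+:\s+(\S+?)(?:\((\w+)\+(?:0x)?[0-9a-f]+\))?\s+\[0x[0-9a-f]+\]\s*$")
REPORTER = {"xorg_backtrace", "xf86SigHandler"}  # crash-reporting frames, not the fault

def parse_backtraces(log_text):
    """Return one list of (module, symbol-or-None) per 'Backtrace:' block."""
    traces = []
    for line in log_text.splitlines():
        if line.strip() == "Backtrace:":
            traces.append([])
        elif traces and (m := FRAME.match(line)):
            traces[-1].append((m.group(1), m.group(2)))
    return traces

def triage(log_text):
    """Map each request handler (Proc*) to the functions that faulted under it."""
    by_handler = defaultdict(set)
    for trace in parse_backtraces(log_text):
        # Drop reporter frames and symbol-less frames (e.g. the libc signal trampoline).
        named = [sym for _, sym in trace if sym and sym not in REPORTER]
        if not named:
            continue
        handler = next((s for s in named if s.startswith("Proc")), None)
        by_handler[handler].add(named[0])  # first named frame = faulting function
    return {h: sorted(f) for h, f in by_handler.items()}

# Frames abridged from the three backtraces in this report (frame numbers kept).
SAMPLE = """\
Backtrace:
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
2: /lib/libc.so.6 [0x7fced2df9040]
3: /lib/libc.so.6(memset+0xacb) [0x7fced2e4961b]
10: /usr/bin/X11/X(ProcRRSetScreenSize+0x176) [0x524c96]
Backtrace:
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
3: /lib/libc.so.6(cfree+0x25) [0x7fad59437225]
13: /usr/bin/X11/X(ProcChangeActivePointerGrab+0x110) [0x457fd0]
Backtrace:
1: /usr/bin/X11/X(xf86SigHandler+0x41) [0x485a61]
3: /usr/lib/libdrm_intel.so.1(drm_intel_bo_reference+0) [0x7fea3dcfd790]
7: /usr/bin/X11/X(ProcRRSetScreenSize+0x176) [0x524c96]
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Several distinct fault sites under one request handler, as `ProcRRSetScreenSize` shows here, is the pattern the reporter cites as the reason for suspecting heap corruption rather than a single bad dereference.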

Comment 2 Michel Dänzer 2010-02-24 03:54:47 UTC
Does the original crash still happen with xserver 1.7.x?

Comment 3 Andy Isaacson 2010-02-24 10:47:31 UTC
(In reply to comment #2)
> Does the original crash still happen with xserver 1.7.x?

We've worked around the original crash by avoiding the failure case; to quote from the workaround commit message:

>        Ungrab before changing video mode with xrandr, then regrab
>        afterwards.
>
>        When PROG1 invokes XRRSetScreenSize while PROG2 has the
>        X pointer grab, X seems to complain by:
>        - always: showing the X cursor inappropriately
>        - sometimes: segv'ing
>
>        If PROG2 relinquishes the pointer grab before the XRR
>        call, neither of these seems to happen.

(I've redacted internal unreleased codenames to PROG1 and PROG2 above.)

I'll try removing the workaround to see if I can reproduce with the current codebase.

Comment 4 Adam Jackson 2018-06-12 18:43:00 UTC
Mass closure: This bug has been untouched for more than six years, and is not obviously still valid. Please file a new report if you continue to experience issues with a current server.

