Bug 29310 - X server crash in vblank code on GL client close
Status: RESOLVED DUPLICATE of bug 29065
Product: xorg
Classification: Unclassified
Component: Driver/Radeon
Version: git
Hardware: Other All
Importance: medium normal
Assignee: xf86-video-ati maintainers
QA Contact: Xorg Project Team
Reported: 2010-07-29 19:10 UTC by Christopher James Halse Rogers
Modified: 2010-08-10 00:41 UTC

Description Christopher James Halse Rogers 2010-07-29 19:10:36 UTC
I'm getting easily reproducible X server crashes when flipping between GL screensavers in gnome-screensaver-properties with 6.13.1 & Xserver 1.8.1.902.  I've also seen this under Xserver 1.8.99.905.

The first problem is that when the screensaver client goes away it seems that radeon_dri2_frame_event_handler gets called with a NULL event->back field.  This obviously then crashes dereferencing src_buffer->driverPrivate in radeon_dri2_copy_region.

This is clearly not the full story, though.  After applying the trivial patch below to work around this, I still get an Xserver crash, this time in miDoCopy.

--- xserver-xorg-video-ati.orig/src/radeon_dri2.c	2010-07-30 10:28:39.784413424 +1000
+++ xserver-xorg-video-ati/src/radeon_dri2.c	2010-07-30 10:46:39.652899888 +1000
@@ -373,6 +373,10 @@
     switch (event->type) {
     case DRI2_FLIP:
     case DRI2_SWAP:
+        /* It seems we can be called after a client has quit and the back
+	   buffer is NULL.  In this case, bail. */
+        if (!event->back && !event->front)
+	    break;
         box.x1 = 0;
         box.y1 = 0;
         box.x2 = drawable->width;
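
Review bot: The guard "if (!event->back && !event->front)" only bails when both buffers are NULL, but the report describes a NULL event->back and a crash dereferencing src_buffer->driverPrivate in radeon_dri2_copy_region; with back NULL and front still set, this still falls through to the copy. Checking "!event->back || !event->front" would cover either buffer being gone. The added comment mentions only the back buffer, so it should be brought in line with the condition that is kept, and the two added lines indented with a tab should use spaces like the surrounding context.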

Backtrace after applying the patch:

Program received signal SIGSEGV, Segmentation fault.
0x00007fdd3d4baf11 in pixman_region_intersect (new_reg=0x7fff261613a0, reg1=0x7fff261613a0, reg2=0x119f7e0) at ../../pixman/pixman-region.c:1168
1168    ../../pixman/pixman-region.c: No such file or directory.
        in ../../pixman/pixman-region.c
(gdb) bt
#0  0x00007fdd3d4baf11 in pixman_region_intersect (new_reg=0x7fff261613a0, reg1=0x7fff261613a0, reg2=0x119f7e0) at ../../pixman/pixman-region.c:1168
#1  0x000000000054e5ca in miDoCopy (pSrcDrawable=0x119f790, pDstDrawable=0x114f870, pGC=0xbf6a80, xIn=33, yIn=0, widthSrc=<value optimised out>,
    heightSrc=300, xOut=0, yOut=0, copyProc=0x7fdd39dc6450 <exaCopyNtoN>, bitPlane=0, closure=0x0) at ../../mi/micopy.c:324
#2  0x00007fdd39dc5827 in exaCopyArea (pSrcDrawable=0x119f790, pDstDrawable=0x114f870, pGC=0xbf6a80, srcx=0, srcy=<value optimised out>,
    width=<value optimised out>, height=300, dstx=0, dsty=0) at ../../exa/exa_accel.c:608
#3  0x00000000004da818 in damageCopyArea (pSrc=0x119f790, pDst=0x114f870, pGC=0xbf6a80, srcx=<value optimised out>, srcy=<value optimised out>,
    width=480, height=300, dstx=0, dsty=0) at ../../../miext/damage/damage.c:949
#4  0x00007fdd3aae3f9a in radeon_dri2_copy_region (drawable=<value optimised out>, region=0x7fff26161590, dest_buffer=<value optimised out>,
    src_buffer=<value optimised out>) at ../../src/radeon_dri2.c:320
#5  0x00007fdd3aae465c in radeon_dri2_frame_event_handler (frame=333722, tv_sec=1280451378, tv_usec=394655, event_data=<value optimised out>)
    at ../../src/radeon_dri2.c:385
#6  0x00007fdd3b124c13 in drmHandleEvent (fd=9, evctx=0xbb0780) at ../xf86drmMode.c:787
#7  0x0000000000435d7b in WakeupHandler (result=1, pReadmask=0x7e2a20) at ../../dix/dixutils.c:403
#8  0x000000000045f337 in WaitForSomething (pClientsReady=<value optimised out>) at ../../os/WaitFor.c:232
#9  0x0000000000430802 in Dispatch () at ../../dix/dispatch.c:375
#10 0x000000000042616a in main (argc=8, argv=0x7e1be8, envp=<value optimised out>) at ../../dix/main.c:286
(gdb) print new_reg
$1 = (region_type_t *) 0x7fff261613a0
(gdb) print *new_reg
$2 = {extents = {x1 = 33, y1 = 0, x2 = 513, y2 = 300}, data = 0x0}
(gdb) print *reg1
$3 = {extents = {x1 = 33, y1 = 0, x2 = 513, y2 = 300}, data = 0x0}
(gdb) print *reg2
$4 = {extents = {x1 = 0, y1 = 0, x2 = 11, y2 = 0}, data = 0x400000a00}
(gdb) set pagination 0
(gdb) bt full
#0  0x00007fdd3d4baf11 in pixman_region_intersect (new_reg=0x7fff261613a0, reg1=0x7fff261613a0, reg2=0x119f7e0) at ../../pixman/pixman-region.c:1168
No locals.
#1  0x000000000054e5ca in miDoCopy (pSrcDrawable=0x119f790, pDstDrawable=0x114f870, pGC=0xbf6a80, xIn=33, yIn=0, widthSrc=<value optimised out>, heightSrc=300, xOut=0, yOut=0, copyProc=0x7fdd39dc6450 <exaCopyNtoN>, bitPlane=0, closure=0x0) at ../../mi/micopy.c:324
        prgnSrcClip = 0x119f7e0
        freeSrcClip = 0
        prgnExposed = <value optimised out>
        rgnDst = {extents = {x1 = 33, y1 = 0, x2 = 513, y2 = 300}, data = 0x0}
        dx = -455
        dy = <value optimised out>
        box_x1 = <value optimised out>
        box_y1 = 0
        box_x2 = <value optimised out>
        box_y2 = 0
        fastSrc = <value optimised out>
        fastDst = <value optimised out>
        fastExpose = 0
#2  0x00007fdd39dc5827 in exaCopyArea (pSrcDrawable=0x119f790, pDstDrawable=0x114f870, pGC=0xbf6a80, srcx=0, srcy=<value optimised out>, width=<value optimised out>, height=300, dstx=0, dsty=0) at ../../exa/exa_accel.c:608
No locals.
#3  0x00000000004da818 in damageCopyArea (pSrc=0x119f790, pDst=0x114f870, pGC=0xbf6a80, srcx=<value optimised out>, srcy=<value optimised out>, width=480, height=300, dstx=0, dsty=0) at ../../../miext/damage/damage.c:949
        ret = <value optimised out>
        pGCPriv = 0xbf4200
        oldFuncs = 0x7cd140
#4  0x00007fdd3aae3f9a in radeon_dri2_copy_region (drawable=<value optimised out>, region=0x7fff26161590, dest_buffer=<value optimised out>, src_buffer=<value optimised out>) at ../../src/radeon_dri2.c:320
        src_private = <value optimised out>
        dst_private = 0x124fec0
        pScreen = <value optimised out>
        pScrn = 0xbabfa0
        src_drawable = 0x0
        dst_drawable = 0x114f870
        copy_clip = <value optimised out>
        gc = 0xbf6a80
        info = 0xbafab0
        vsync = 0
#5  0x00007fdd3aae465c in radeon_dri2_frame_event_handler (frame=333722, tv_sec=1280451378, tv_usec=394655, event_data=<value optimised out>) at ../../src/radeon_dri2.c:385
        event = 0x1247730
        drawable = 0x114f870
        scrn = <value optimised out>
        status = <value optimised out>
        region = {extents = {x1 = 0, y1 = 0, x2 = 480, y2 = 300}, data = 0x0}
        __func__ = "radeon_dri2_frame_event_handler"
#6  0x00007fdd3b124c13 in drmHandleEvent (fd=9, evctx=0xbb0780) at ../xf86drmMode.c:787
        buffer = "\001\000\000\000 \000\000\000\060w$\001\000\000\000\000\062#RL\237\005\006\000\232\027\005", '\000' <repeats 13 times>, "\032", '\000' <repeats 19 times>, "\001\000\000\000\000\000\000\000\001", '\000' <repeats 27 times>, "\001\000\000\000\000\000\000\000\237\206\200:\335\177\000\000\000\006", '\000' <repeats 14 times>, "\004", '\000' <repeats 11 times>"\335, \177\000\000\000\000\000\000\000\000\000\000\275\001\000\000\000\000\000\000\260\372\272\000\000\000\000\000\a\000\000\000\000\000\000\000\000P\000\000\000\000\000\000\034\062\255:\335\177\000\000\000\000\000\000\000\000\000\000\340\345\271\000\000\000\000\000\260\372\272\000\000\000\000\000\220s\273\000\000\000\000\000\220s\273\000\000\000\000\000\240\277\272\000\000\000\000\000\260\372\272\000\000\000\000\000\004\000\000\000\000\000\000\000\000\027\026&\377\177\000\000\246"...
        len = 32
        i = <value optimised out>
        e = 0x7fff261615e0
#7  0x0000000000435d7b in WakeupHandler (result=1, pReadmask=0x7e2a20) at ../../dix/dixutils.c:403
        i = 0
#8  0x000000000045f337 in WaitForSomething (pClientsReady=<value optimised out>) at ../../os/WaitFor.c:232
        i = 18479072
        waittime = {tv_sec = 299, tv_usec = 980893}
        wt = 0x7fff26161c90
        timeout = <value optimised out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {140733832371152, 4415724, 5247488, 140733832371204, 46138226, 15634432, 140733832371400, 140588185890368, 18088392, 140588185890368, 18088392, 46138226, 8217344, 0, 18088392, 140588182737059}}
        selecterr = 11
        nready = <value optimised out>
        devicesReadable = {fds_bits = {0 <repeats 11 times>, 4977383, 0, 12478032, 12478000, 8252592}}
        now = <value optimised out>
        someReady = 0
#9  0x0000000000430802 in Dispatch () at ../../dix/dispatch.c:375
        result = <value optimised out>
        client = 0xee9000
        nready = -1
        start_tick = 3480
#10 0x000000000042616a in main (argc=8, argv=0x7e1be8, envp=<value optimised out>) at ../../dix/main.c:286
        i = 1
        alwaysCheckForInput = {0, 1}
Comment 1 Michel Dänzer 2010-08-04 08:45:56 UTC
This could be the same as or at least related to bug 29065.
Comment 2 Christopher James Halse Rogers 2010-08-10 00:41:06 UTC
Yup, that looks exactly like what I've been seeing, right down to the random data in the structures.  I'll mark this as a duplicate.

Bugzilla search fail.

*** This bug has been marked as a duplicate of bug 29065 ***