Bug 47281 - xorg crashes on specific xrandr
xorg crashes on specific xrandr
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Server/Input/Core
git
x86-64 (AMD64) Linux (All)
: medium major
Assigned To: Peter Hutterer
Xorg Project Team
:
: 48174 (view as bug list)
Depends on:
Blocks: xserver-1.13
  Show dependency treegraph
 
Reported: 2012-03-13 07:24 UTC by vitruss
Modified: 2012-06-10 21:03 UTC (History)
4 users (show)

See Also:
i915 platform:
i915 features:


Attachments
Xorg log (126.97 KB, text/plain)
2012-03-13 07:24 UTC, vitruss
no flags Details
Fix for xorg infinity loop. (1.03 KB, text/plain)
2012-04-26 18:03 UTC, llancelot7
no flags Details
proof debug output (3.44 KB, text/plain)
2012-04-26 18:10 UTC, llancelot7
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description vitruss 2012-03-13 07:24:55 UTC
Created attachment 58374 [details]
Xorg log

I have Archlinux (linux-3.2.9) running on Radeon 4550 using radeon with xf86-video-ati 6.14.3, xorg 1.12 and mesa 8.0.1. 
I have two monitors attached using DVI (Dell 2408WFP) and HDMI (Toshiba TV).

While running 
xrandr --output HDMI-0 --auto
xrandr --output HDMI-0 --below DVI-0
Xorg hangs.
Here is the Xorg.0.log (full log is attached):

[   730.765] BUG: triggered 'if (!dev->valuator || dev->valuator->numAxes < 2)'
[   730.765] BUG: getevents.c:843 in scale_to_desktop()
[   730.765] 
[   730.765] Backtrace:
[   730.765] 0: /usr/bin/X (xorg_backtrace+0x34) [0x5684f4]
[   730.765] 1: /usr/bin/X (0x400000+0x471e4) [0x4471e4]
[   730.765] 2: /usr/bin/X (0x400000+0x47db5) [0x447db5]
[   730.765] 3: /usr/bin/X (GetPointerEvents+0x352) [0x449452]
[   730.765] 4: /usr/bin/X (0x400000+0x152c56) [0x552c56]
[   730.766] 5: /usr/bin/X (miPointerWarpCursor+0xce) [0x55308e]
[   730.766] 6: /usr/bin/X (0x400000+0x6c532) [0x46c532]
[   730.766] 7: /usr/bin/X (0x400000+0x15357e) [0x55357e]
[   730.766] 8: /usr/bin/X (0x400000+0xf3841) [0x4f3841]
[   730.766] 9: /usr/bin/X (0x400000+0xdf2ee) [0x4df2ee]
[   730.766] 10: /usr/bin/X (RRPointerScreenConfigured+0x75) [0x4df535]
[   730.766] 11: /usr/bin/X (RRTellChanged+0x122) [0x4d9282]
[   730.766] 12: /usr/bin/X (RRCrtcSet+0x33d) [0x4da41d]
[   730.766] 13: /usr/bin/X (ProcRRSetCrtcConfig+0x3b3) [0x4db273]
[   730.767] 14: /usr/bin/X (0x400000+0x33cf9) [0x433cf9]
[   730.767] 15: /usr/bin/X (0x400000+0x2319a) [0x42319a]
[   730.767] 16: /lib/libc.so.6 (__libc_start_main+0xed) [0x2ba545a7a38d]
[   730.767] 17: /usr/bin/X (0x400000+0x234bd) [0x4234bd]

The same behaviour is seen using xf86-video-ati-git and xorg-git.
Comment 1 vitruss 2012-03-13 07:32:16 UTC
If "--below" is changed to some other "direction" it makes no difference. But It hangs only when the screens are positioned nearby, but not when showing the same area (1920x1200 on Dell and 1920x1080 on Toshiba).
Comment 2 Michel Dänzer 2012-04-02 02:27:51 UTC
*** Bug 48174 has been marked as a duplicate of this bug. ***
Comment 3 llancelot7 2012-04-26 18:03:19 UTC
Created attachment 60643 [details]
Fix for xorg infinity loop.

Xorg goes to infinity loop (delta = 548.33340590666785 and incr = 6.3659874129151343e-314). Chromium authors code not good.
Comment 4 llancelot7 2012-04-26 18:10:17 UTC
Created attachment 60645 [details]
proof debug output

I had previously launched "sleep 60 && kill -n 11 xorg_pid" and caused the freeze of xorg. And when xorg killed with SEGV, I receive this debug log. Xorg freezes in infinity loop.
Comment 5 Peter Hutterer 2012-04-26 22:47:00 UTC
the main question here is why the scroll increment is 0 (or close to 0 anyways). This is the cause of the bug and shouldn't happen.
Comment 6 llancelot7 2012-04-26 23:05:33 UTC
In any way, while is dangerous without additional checks and in this case are senseless when works only with delta, more useable break loop and fmod delta.

But why scroll increment so small, I don't know, and in this moment mouse scroll not used at all.
Comment 7 Peter Hutterer 2012-04-26 23:39:09 UTC
http://patchwork.freedesktop.org/patch/10102/
Comment 8 llancelot7 2012-04-27 01:21:46 UTC
Peter Hutterer,
your patch fix problem, but I will now always be nervous until the "while" loop will be completely safe
Comment 9 Peter Hutterer 2012-04-29 14:59:16 UTC
the loop is safe. "increment" is initialised once by the driver and that's where the server checks for and invalid increment of 0. it's read-only after that. This bug happened because of invalid memory access, there is only so much one can do against that.
Comment 10 Peter Hutterer 2012-05-02 21:57:08 UTC
commit af88b43f9e604157b74270d609c08bdfa256a792
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Apr 27 16:31:17 2012 +1000

    dix: don't emulate scroll events for non-existing axes (#47281)
Comment 11 vitruss 2012-06-10 21:03:38 UTC
Thanks. 
Works for me now. 
Xorg-server 1.12.2-1 (ArchLinux)