Bug 51240 - [uxa] crash in damageRegionProcessPending on login
Summary: [uxa] crash in damageRegionProcessPending on login
Status: RESOLVED WONTFIX
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel (show other bugs)
Version: unspecified
Hardware: Other All
: low normal
Assignee: Chris Wilson
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-19 11:33 UTC by Maarten Lankhorst
Modified: 2012-07-05 12:47 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments
full valgrind log of the X session (126.52 KB, text/plain)
2012-06-19 11:33 UTC, Maarten Lankhorst 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Maarten Lankhorst 2012-06-19 11:33:33 UTC 
Created attachment 63235 [details]
full valgrind log of the X session

After trying to log in on a laptop I immediately get logged out due to X.org crashing, running with valgrind produces the following crash:

==1688== Invalid read of size 8
==1688==    at 0x21BACE: getDrawableDamageRef (privates.h:117)
==1688==    by 0x21FAC7: damagePolyFillRect (damage.c:1283)
==1688==    by 0x271B0F: miPaintWindow (miexpose.c:674)
==1688==    by 0x271CC1: miWindowExposures (miexpose.c:501)
==1688==    by 0x288D67: miHandleValidateExposures (miwindow.c:236)
==1688==    by 0x1827BF: UnmapWindow (window.c:2970)
==1688==    by 0x18281A: DeleteWindow (window.c:1007)
==1688==    by 0x177491: doFreeResource (resource.c:571)
==1688==    by 0x1781C9: FreeClientResources (resource.c:853)
==1688==    by 0x155C29: CloseDownClient (dispatch.c:3477)
==1688==    by 0x1567B5: Dispatch (dispatch.c:454)
==1688==    by 0x1456A9: main (main.c:287)
==1688==  Address 0xbad12f0 is 32 bytes inside a block of size 96 free'd
==1688==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1688==    by 0x957DB65: fbDestroyPixmap (fbpixmap.c:102)
==1688==    by 0x8A1844E: intel_uxa_destroy_pixmap (intel_uxa.c:1143)
==1688==    by 0x21CF7F: damageDestroyPixmap (damage.c:1652)
==1688==    by 0x1F2829: ShmDestroyPixmap (shm.c:276)
==1688==    by 0x8A30FC8: I830DRI2DestroyBuffer (intel_dri.c:519)
==1688==    by 0x87FA97A: DRI2DrawableGone (dri2.c:309)
==1688==    by 0x177491: doFreeResource (resource.c:571)
==1688==    by 0x1781C9: FreeClientResources (resource.c:853)
==1688==    by 0x155C29: CloseDownClient (dispatch.c:3477)
==1688==    by 0x1567B5: Dispatch (dispatch.c:454)
==1688==    by 0x1456A9: main (main.c:287)
Comment 1 Chris Wilson 2012-06-19 12:34:56 UTC 
Isn't this just a re-occurrence of http://cgit.freedesktop.org/~ickle/xserver/commit/?id=d1146f555ebc713d09dd3d0a7a63e9240d37bdbb ?
Comment 2 Maarten Lankhorst 2012-06-19 13:31:48 UTC 
Hm seems you may be on to something, switching to x 1.12 works but that patch alone is not enough to fix it. I'll try to bisect it.
Comment 3 Maarten Lankhorst 2012-06-20 14:26:45 UTC 
seems to be due to me using shadowfb
Comment 4 Chris Wilson 2012-06-20 16:31:51 UTC 
The bug in the xserver is exposed by the behaviour of the shadow... It's the same old bug, viz rotate using a stale Damage after a modeset.
Comment 5 Chris Wilson 2012-06-29 04:44:43 UTC 
Note that this bug only affects uxa (shadow) now.
Comment 6 Chris Wilson 2012-07-05 12:47:59 UTC 
I'm planning on killing shadow, and its replacement Shadow-on-Steroids is not susceptible to this bug. Closing now as you are only hitting this because you have a broken pre-production chip...

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.