Bug 61780 - SIGSEGV in fast_composite_src_memcpy
Summary: SIGSEGV in fast_composite_src_memcpy
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/VMWare
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium critical
Assignee: Jakob Bornecrantz
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords: have-backtrace, regression
Duplicates: 63170
Depends on:
Blocks:
 
Reported: 2013-03-04 08:01 UTC by Vinson Lee
Modified: 2013-04-12 09:34 UTC
CC: 11 users

See Also:
i915 platform:
i915 features:


Attachments
 - Xorg.0.log (33.95 KB, text/plain), 2013-03-05 01:10 UTC, Vinson Lee
 - X.log w/ acceleration "on" (26.30 KB, text/plain), 2013-04-09 02:20 UTC, Marco
 - X.log w/ acceleration "off" (26.07 KB, text/plain), 2013-04-09 02:21 UTC, Marco
 - proposed patch (723 bytes, patch), 2013-04-10 21:50 UTC, Loïc Yhuel

Description Vinson Lee 2013-03-04 08:01:45 UTC
pixman: pixman-0.28.0-3.fc19.x86_64
xorg: xorg-x11-server-Xorg-1.13.99.902-1.20130215.fc19.x86_64

On Fedora rawhide, /usr/bin/Xorg crashes whenever I try to open an icon.

Log into GNOME desktop.
Click Activities.
Click Firefox.
GNOME crashes.

(gdb) bt
#0  __memcpy_ssse3_back ()
    at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2072
#1  0x000000306b64c746 in memcpy (__len=6, __src=0xffefffff, 
    __dest=<optimized out>) at /usr/include/bits/string3.h:51
#2  fast_composite_src_memcpy (imp=<optimized out>, info=<optimized out>)
    at pixman-fast-path.c:1208
#3  0x000000306b60b063 in pixman_image_composite32 (op=<optimized out>, 
    op@entry=PIXMAN_OP_SRC, src=src@entry=0x1dec6c0, mask=mask@entry=0x0, 
    dest=<optimized out>, src_x=src_x@entry=0, src_y=src_y@entry=0, 
    mask_x=mask_x@entry=0, mask_y=mask_y@entry=0, dest_x=dest_x@entry=0, 
    dest_y=dest_y@entry=0, width=width@entry=6, height=height@entry=10)
    at pixman.c:703
#4  0x000000306b64cc50 in pixman_glyph_cache_insert (cache=0x1f91580, 
    font_key=font_key@entry=0x1c748e0, glyph_key=glyph_key@entry=0x0, 
    origin_x=-1, origin_y=10, image=image@entry=0x1dec6c0)
    at pixman-glyph.c:286
#5  0x00007f4d8b8d939c in fbGlyphs (op=<optimized out>, pSrc=0x1db60d0, 
    pDst=0x1dec0f0, maskFormat=0x1984528, xSrc=<optimized out>, 
    ySrc=<optimized out>, nlist=<optimized out>, list=0x7fff1033b770, 
    glyphs=0x7fff1033bb78) at fbpict.c:156
#6  0x000000000051fed6 in damageGlyphs (op=<optimized out>, pSrc=0x1db60d0, 
    pDst=0x1dec0f0, maskFormat=0x1984528, xSrc=<optimized out>, 
    ySrc=<optimized out>, nlist=1, list=0x7fff1033b770, glyphs=0x7fff1033bb70)
    at damage.c:629
#7  0x0000000000519a8e in ProcRenderCompositeGlyphs (client=0x1d6d5a0)
    at render.c:1390
#8  0x0000000000436b97 in Dispatch () at dispatch.c:432
#9  0x00000000004261c5 in main (argc=12, argv=0x7fff1033c558, 
    envp=<optimized out>) at main.c:295
Comment 1 Søren Sandmann Pedersen 2013-03-04 21:41:03 UTC
Thanks for the bug report.

Can you attach the X log file from a crashing run, please?
Comment 2 Søren Sandmann Pedersen 2013-03-04 22:09:05 UTC
Also, since you have gdb attached to the X server, if you can print the contents of the "image" parameter to pixman_glyph_cache_insert(). That is, something like

   (gdb) up <four times>
   (gdb) print *image

that would be helpful.

The source pointer given to memcpy(), __src=0xffefffff, looks very suspicious, and the instruction that crashes is one that tries to read from it, so I'm guessing that the server is passing a bogus image to pixman_glyph_cache_insert().
Comment 3 Vinson Lee 2013-03-05 01:02:52 UTC
(gdb) frame 4
#4  0x000000306b64cc50 in pixman_glyph_cache_insert (cache=0x11e7430, 
    font_key=font_key@entry=0x117edc0, glyph_key=glyph_key@entry=0x0, 
    origin_x=-1, origin_y=10, image=image@entry=0x11e7200)
    at pixman-glyph.c:286
286	    pixman_image_composite32 (PIXMAN_OP_SRC,
(gdb) print *image
$2 = {type = BITS, common = {type = BITS, ref_count = 1, clip_region = {
      extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, 
      data = 0x306b681810 <pixman_region32_empty_data_>}, alpha_count = 0, 
    have_clip_region = 0, client_clip = 0, clip_sources = 1, dirty = 0, 
    transform = 0x0, repeat = PIXMAN_REPEAT_NONE, 
    filter = PIXMAN_FILTER_NEAREST, filter_params = 0x0, n_filter_params = 0, 
    alpha_map = 0x0, alpha_origin_x = -526345, alpha_origin_y = -526345, 
    component_alpha = 0, 
    property_changed = 0x306b6168b0 <bits_image_property_changed>, 
    destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
    extended_format_code = PIXMAN_a8}, bits = {common = {type = BITS, 
      ref_count = 1, clip_region = {extents = {x1 = 0, y1 = 0, x2 = 0, 
          y2 = 0}, data = 0x306b681810 <pixman_region32_empty_data_>}, 
      alpha_count = 0, have_clip_region = 0, client_clip = 0, 
      clip_sources = 1, dirty = 0, transform = 0x0, 
      repeat = PIXMAN_REPEAT_NONE, filter = PIXMAN_FILTER_NEAREST, 
      filter_params = 0x0, n_filter_params = 0, alpha_map = 0x0, 
      alpha_origin_x = -526345, alpha_origin_y = -526345, component_alpha = 0, 
      property_changed = 0x306b6168b0 <bits_image_property_changed>, 
      destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
      extended_format_code = PIXMAN_a8}, format = PIXMAN_a8, indexed = 0x0, 
    width = 6, height = 10, bits = 0xffefffff, free_me = 0x0, rowstride = 2, 
    fetch_scanline_32 = 0x306b60d400 <fetch_scanline_a8>, 
    fetch_pixel_32 = 0x306b60d480 <fetch_pixel_a8>, 
    store_scanline_32 = 0x306b60d440 <store_scanline_a8>, 
    fetch_scanline_float = 0x306b610130 <fetch_scanline_generic_float>, 
    fetch_pixel_float = 0x306b6100e0 <fetch_pixel_generic_float>, 
    store_scanline_float = 0x306b610160 <store_scanline_generic_float>, 
    read_func = 0x0, write_func = 0x0}, gradient = {common = {type = BITS, 
      ref_count = 1, clip_region = {extents = {x1 = 0, y1 = 0, x2 = 0, 
          y2 = 0}, data = 0x306b681810 <pixman_region32_empty_data_>}, 
      alpha_count = 0, have_clip_region = 0, client_clip = 0, 
      clip_sources = 1, dirty = 0, transform = 0x0, 
      repeat = PIXMAN_REPEAT_NONE, filter = PIXMAN_FILTER_NEAREST, 
      filter_params = 0x0, n_filter_params = 0, alpha_map = 0x0, 
      alpha_origin_x = -526345, alpha_origin_y = -526345, component_alpha = 0, 
      property_changed = 0x306b6168b0 <bits_image_property_changed>, 
      destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
      extended_format_code = PIXMAN_a8}, n_stops = 134316032, stops = 0x0}, 
  linear = {common = {common = {type = BITS, ref_count = 1, clip_region = {
          extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, 
          data = 0x306b681810 <pixman_region32_empty_data_>}, alpha_count = 0, 
        have_clip_region = 0, client_clip = 0, clip_sources = 1, dirty = 0, 
        transform = 0x0, repeat = PIXMAN_REPEAT_NONE, 
        filter = PIXMAN_FILTER_NEAREST, filter_params = 0x0, 
        n_filter_params = 0, alpha_map = 0x0, alpha_origin_x = -526345, 
        alpha_origin_y = -526345, component_alpha = 0, 
        property_changed = 0x306b6168b0 <bits_image_property_changed>, 
        destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
        extended_format_code = PIXMAN_a8}, n_stops = 134316032, stops = 0x0}, 
    p1 = {x = 6, y = 10}, p2 = {x = -1048577, y = 0}}, conical = {common = {
      common = {type = BITS, ref_count = 1, clip_region = {extents = {x1 = 0, 
            y1 = 0, x2 = 0, y2 = 0}, 
          data = 0x306b681810 <pixman_region32_empty_data_>}, alpha_count = 0, 
        have_clip_region = 0, client_clip = 0, clip_sources = 1, dirty = 0, 
        transform = 0x0, repeat = PIXMAN_REPEAT_NONE, 
        filter = PIXMAN_FILTER_NEAREST, filter_params = 0x0, 
        n_filter_params = 0, alpha_map = 0x0, alpha_origin_x = -526345, 
        alpha_origin_y = -526345, component_alpha = 0, 
        property_changed = 0x306b6168b0 <bits_image_property_changed>, 
        destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
        extended_format_code = PIXMAN_a8}, n_stops = 134316032, stops = 0x0}, 
    center = {x = 6, y = 10}, angle = 2.121477725092553e-314}, radial = {
    common = {common = {type = BITS, ref_count = 1, clip_region = {extents = {
            x1 = 0, y1 = 0, x2 = 0, y2 = 0}, 
          data = 0x306b681810 <pixman_region32_empty_data_>}, alpha_count = 0, 
        have_clip_region = 0, client_clip = 0, clip_sources = 1, dirty = 0, 
        transform = 0x0, repeat = PIXMAN_REPEAT_NONE, 
        filter = PIXMAN_FILTER_NEAREST, filter_params = 0x0, 
        n_filter_params = 0, alpha_map = 0x0, alpha_origin_x = -526345, 
        alpha_origin_y = -526345, component_alpha = 0, 
        property_changed = 0x306b6168b0 <bits_image_property_changed>, 
        destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
        extended_format_code = PIXMAN_a8}, n_stops = 134316032, stops = 0x0}, 
    c1 = {x = 6, y = 10, radius = -1048577}, c2 = {x = 0, y = 0, radius = 0}, 
    delta = {x = 2, y = 0, radius = 1801507840}, a = 1.0274586116403114e-312, 
    inva = 1.0274586113241094e-312, mindr = 1.0274586681614213e-312}, solid = {
    common = {type = BITS, ref_count = 1, clip_region = {extents = {x1 = 0, 
          y1 = 0, x2 = 0, y2 = 0}, 
        data = 0x306b681810 <pixman_region32_empty_data_>}, alpha_count = 0, 
      have_clip_region = 0, client_clip = 0, clip_sources = 1, dirty = 0, 
      transform = 0x0, repeat = PIXMAN_REPEAT_NONE, 
      filter = PIXMAN_FILTER_NEAREST, filter_params = 0x0, 
      n_filter_params = 0, alpha_map = 0x0, alpha_origin_x = -526345, 
      alpha_origin_y = -526345, component_alpha = 0, 
      property_changed = 0x306b6168b0 <bits_image_property_changed>, 
      destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
      extended_format_code = PIXMAN_a8}, color = {red = 32768, green = 2049, 
      blue = 48, alpha = 0}, color_32 = 0, color_float = {a = 0, 
      r = 8.40779079e-45, g = 1.40129846e-44, b = -nan(0x6fffff)}}}
Comment 4 Vinson Lee 2013-03-05 01:10:17 UTC
Created attachment 75933 [details]
Xorg.0.log
Comment 5 Søren Sandmann Pedersen 2013-03-05 05:52:03 UTC
As far as I can tell, the vmware driver has created a glyph pixmap with a data pointer of 0xffefffff, which the fb layer then wrapped in a pixman image, and tried to upload to a glyph cache.

The image struct:

    bits = {common = {type = BITS, 
      ref_count = 1, clip_region = {extents = {x1 = 0, y1 = 0, x2 = 0, 
          y2 = 0}, data = 0x306b681810 <pixman_region32_empty_data_>}, 
      alpha_count = 0, have_clip_region = 0, client_clip = 0, 
      clip_sources = 1, dirty = 0, transform = 0x0, 
      repeat = PIXMAN_REPEAT_NONE, filter = PIXMAN_FILTER_NEAREST, 
      filter_params = 0x0, n_filter_params = 0, alpha_map = 0x0, 
      alpha_origin_x = -526345, alpha_origin_y = -526345, component_alpha = 0, 
      property_changed = 0x306b6168b0 <bits_image_property_changed>, 
      destroy_func = 0x0, destroy_data = 0x0, flags = 34032255, 
      extended_format_code = PIXMAN_a8}, format = PIXMAN_a8, indexed = 0x0, 
    width = 6, height = 10, bits = 0xffefffff, free_me = 0x0, rowstride = 2, 
                                   ^^^^^^^^^^

looks sane apart from the 0xffefffff, so it does not appear that the image memory has been corrupted.

Reassigning to the vmware driver.
Comment 6 Christian Hesse 2013-04-08 11:10:42 UTC
There was no progress here for more than a month. Is there any more information we can provide to get a fix for this?
Comment 7 Marco 2013-04-09 02:20:02 UTC
Reproduced in Fedora 19 Alpha RC1 (anaconda 19.16-1)
X.Org X Server 1.14.0
Linux 3.9.0-0.rc4.git0.1.fc19.x86_64

VMWare Fusion Professional Version 5.0.3 (1040386)

Attaching X.logs with VMWare 3D Acceleration On (3Don.txt) and Off (3Doff.txt).
Comment 8 Marco 2013-04-09 02:20:37 UTC
Created attachment 77644 [details]
X.log w/ acceleration "on"
Comment 9 Marco 2013-04-09 02:21:00 UTC
Created attachment 77645 [details]
X.log w/ acceleration "off"
Comment 10 Loïc Yhuel 2013-04-10 21:50:00 UTC
Created attachment 77785 [details] [review]
proposed patch

0xffefffff is SAA_INVALID_ADDRESS
saa_prepare_access_pixmap has not been called to map the pixmap before using it.

Commit 9cbcb5bd6a5360a128d15b77a02d8d3351f74366 added fbGlyphs method accessing source, destination and glyphs in software.

I see two ways to fix it:
 - wrap the Glyph method like is already done for some others in saa_unaccel.c; saa_prepare_access_pixmap would need to be called on the source, the destination, and all glyphs (even if some won't be accessed since they are in the pixmap cache)
 - call miGlyphs to restore the xorg 1.13 behavior
I'm not sure it's the proper way to fix the problem, but it works.
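The failure described in comment 10, as an added illustration that is not part of this bug, of xf86-video-vmware or of the SAA code: every toy_ name below is a hypothetical stand-in for the real pixmap structure, saa_prepare_access_pixmap and the fbGlyphs software path, and the 6x10 a8 glyph with an 8-byte stride is constructed from the dimensions in the backtrace. Like SAA_INVALID_ADDRESS, an unmapped pixmap carries a sentinel data pointer; the unwrapped path is the shape the backtrace shows (a software row copy handed the sentinel, here refused by a guard instead of faulting), and the wrapped path is the first fix comment 10 lists, mapping every pixmap before the software routine runs and unmapping it afterwards.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not the SAA API. An unmapped pixmap carries a sentinel
 * pointer (like SAA_INVALID_ADDRESS 0xffefffff) rather than NULL, so software
 * code that skips the mapping step dereferences it and the server crashes. */
#define TOY_INVALID_ADDRESS ((uint8_t *)(uintptr_t)0xffefffffu)

typedef struct {
    int width, height;      /* pixels; PIXMAN_a8, one byte per pixel */
    int stride;             /* bytes per row */
    uint8_t *backing;       /* real storage (GPU-side in the actual driver) */
    uint8_t *dev_private;   /* pointer the software fallbacks dereference */
    int access_depth;       /* nesting count of prepare/finish calls */
} toy_pixmap;

static void toy_pixmap_init(toy_pixmap *p, int w, int h, int stride, uint8_t *backing)
{
    p->width = w; p->height = h; p->stride = stride;
    p->backing = backing;
    p->dev_private = TOY_INVALID_ADDRESS;   /* unmapped until prepared */
    p->access_depth = 0;
}

/* Map the pixmap for CPU access; nested calls are reference counted. */
static void toy_prepare_access(toy_pixmap *p)
{
    if (p->access_depth++ == 0)
        p->dev_private = p->backing;
}

/* Undo toy_prepare_access; the sentinel is restored on the last finish. */
static void toy_finish_access(toy_pixmap *p)
{
    if (--p->access_depth == 0)
        p->dev_private = TOY_INVALID_ADDRESS;
}

/* Software glyph upload modelled on the per-row memcpy in
 * fast_composite_src_memcpy. Returns 0 on success, -1 when the pixmap is
 * not mapped or the output buffer is too small, instead of faulting. */
static int toy_sw_copy_rows(const toy_pixmap *src, uint8_t *out, size_t out_len)
{
    if (src->dev_private == TOY_INVALID_ADDRESS || src->access_depth == 0)
        return -1;
    if (out_len < (size_t)src->width * (size_t)src->height)
        return -1;
    for (int y = 0; y < src->height; y++)
        memcpy(out + (size_t)y * (size_t)src->width,
               src->dev_private + (size_t)y * (size_t)src->stride,
               (size_t)src->width);
    return 0;
}

/* Buggy shape: the generic software path runs on a pixmap nobody mapped. */
int toy_glyphs_unwrapped(toy_pixmap *src, uint8_t *out, size_t out_len)
{
    return toy_sw_copy_rows(src, out, out_len);
}

/* Fixed shape: wrap the software path so every pixmap it touches is
 * mapped before the copy and unmapped afterwards. */
int toy_glyphs_wrapped(toy_pixmap *src, uint8_t *out, size_t out_len)
{
    toy_prepare_access(src);
    int rc = toy_sw_copy_rows(src, out, out_len);
    toy_finish_access(src);
    return rc;
}

/* Builds a constructed 6x10 a8 glyph with an 8-byte stride and returns 0 when
 * the unwrapped call is rejected, the wrapped copy yields the expected bytes,
 * and the pixmap is back in the unmapped state afterwards. */
int toy_demo(void)
{
    uint8_t backing[8 * 10];
    for (int i = 0; i < (int)sizeof backing; i++)
        backing[i] = (uint8_t)i;            /* constructed pixel pattern */
    toy_pixmap glyph;
    toy_pixmap_init(&glyph, 6, 10, 8, backing);

    uint8_t out[6 * 10];
    if (toy_glyphs_unwrapped(&glyph, out, sizeof out) != -1)
        return 1;
    if (toy_glyphs_wrapped(&glyph, out, sizeof out) != 0)
        return 2;
    for (int y = 0; y < 10; y++)
        for (int x = 0; x < 6; x++)
            if (out[y * 6 + x] != (uint8_t)(y * 8 + x))
                return 3;
    if (glyph.dev_private != TOY_INVALID_ADDRESS || glyph.access_depth != 0)
        return 4;
    return 0;
}

int main(void)
{
    printf("toy_demo -> %d (0 means both paths behaved as expected)\n", toy_demo());
    return 0;
}
```

The guard in toy_sw_copy_rows is the cheap detection a fallback can afford: a sentinel compare that turns a server-wide crash into a failed request, while the wrapper is the actual fix that keeps the sentinel from ever reaching the copy.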
Comment 11 Christian Hesse 2013-04-11 08:36:55 UTC
I can confirm that the patch by Loïc Yhuel fixes the problem for me on ESXi and Fusion. Thanks a lot!
Comment 12 Jakob Bornecrantz 2013-04-11 09:46:57 UTC
Thanks Loïc, the patch looks good.

Loïc, is it okay if I push that patch to the repository with your author and signed-off-by (with the email-address listed here)?

Christian Hesse, mind if I add a tested-by from you (with the email-address listed here)?

Cheers, Jakob.
Comment 13 Christian Hesse 2013-04-11 10:32:43 UTC
I am fine with that.
Thanks a lot!
Comment 14 Paul Barker 2013-04-11 13:05:37 UTC
Just tested this on Arch Linux, applying the patch over the latest version of xf86-video-vmware (13.0.0 + a couple of patches) and this backport works. I was getting immediate crashes, now xorg is usable.

For other Arch users, a PKGBUILD with the backport is available at https://bitbucket.org/betafive/arch/src/dde9634b26bd/extra/xf86-video-vmware?at=master
Comment 15 Jakob Bornecrantz 2013-04-11 18:51:42 UTC
*** Bug 61630 has been marked as a duplicate of this bug. ***
Comment 16 Jakob Bornecrantz 2013-04-11 18:58:32 UTC
*** Bug 63170 has been marked as a duplicate of this bug. ***
Comment 17 Loïc Yhuel 2013-04-11 23:21:36 UTC
(In reply to comment #12)
> Loïc is it okay if I push that patch to the repository
> with your author and signed-off-by (with the email-
> address listed here)?
> 
Yes !
Comment 18 Jakob Bornecrantz 2013-04-12 09:34:45 UTC
Thanks!

Pushed the fix to the repository, going to do a release in a week or so.