Bug 99034 - Xorg crashes with SIGSEGV in ProcXFixesGetCursorImageAndName
Summary: Xorg crashes with SIGSEGV in ProcXFixesGetCursorImageAndName
Status: RESOLVED DUPLICATE of bug 100721
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2016-12-09 14:07 UTC by gvrb
Modified: 2017-04-28 06:17 UTC (History)
Description gvrb 2016-12-09 14:07:13 UTC
(gdb) bt
#0  0x00007ff5ce7cefdf in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ff5ce7d040a in __GI_abort () at abort.c:89
#2  0x00005621e274bb5e in OsAbort () at ../../os/utils.c:1408
#3  0x00005621e2623b5c in ddxGiveUp (error=error@entry=EXIT_ERR_ABORT) at ../../../../hw/xfree86/common/xf86Init.c:1066
#4  0x00005621e2623c0a in AbortDDX (error=error@entry=EXIT_ERR_ABORT) at ../../../../hw/xfree86/common/xf86Init.c:1110
#5  0x00005621e27517d2 in AbortServer () at ../../os/log.c:874
#6  0x00005621e27525dd in FatalError (f=f@entry=0x5621e2781eb0 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:1015
#7  0x00005621e27493de in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at ../../os/osinit.c:150
#8  0x00007ff5ce7cf040 in <signal handler called> () at /lib/x86_64-linux-gnu/libc.so.6
#9  0x00007ff5ce81c496 in strlen () at ../sysdeps/x86_64/strlen.S:106
#10 0x00005621e2671f4b in ProcXFixesGetCursorImageAndName (client=0x5621e3a5ade0) at ../../xfixes/cursor.c:512
#11 0x00005621e25df06f in Dispatch () at ../../dix/dispatch.c:430
#12 0x00005621e25e3073 in dix_main (argc=12, argv=0x7ffd89f5b358, envp=<optimized out>) at ../../dix/main.c:300
#13 0x00007ff5ce7bc2b1 in __libc_start_main (main=0x5621e25ccfb0 <main>, argc=12, argv=0x7ffd89f5b358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd89f5b348)
    at ../csu/libc-start.c:291
#14 0x00005621e25ccfea in _start ()
(gdb) f 10
#10 0x00005621e2671f4b in ProcXFixesGetCursorImageAndName (client=0x5621e3a5ade0) at ../../xfixes/cursor.c:512
512	../../xfixes/cursor.c: No such file or directory.
(gdb)
Comment 1 gvrb 2016-12-09 14:07:29 UTC
root@unstable:~# dpkg -l | grep -i xserver | awk '{ print $2, $3}' | column -t
x11-xserver-utils             7.7+7
xserver-common                2:1.19.0-2
xserver-xephyr                2:1.18.4-2
xserver-xorg                  1:7.7+18
xserver-xorg-core             2:1.18.4-2
xserver-xorg-core-dbg         2:1.18.4-2
xserver-xorg-dev              2:1.19.0-2
xserver-xorg-input-all        1:7.7+18
xserver-xorg-input-evdev      1:2.10.3-1
xserver-xorg-input-libinput   0.20.0-1
xserver-xorg-input-mouse      1:1.9.1-1+b1
xserver-xorg-input-synaptics  1.8.3-2
xserver-xorg-input-vmmouse    1:13.1.0-1+b1
xserver-xorg-input-wacom      0.33.0-1
xserver-xorg-video-all        1:7.7+18
xserver-xorg-video-amdgpu     1.1.2-1
xserver-xorg-video-ati        1:7.7.1-1
xserver-xorg-video-fbdev      1:0.4.4-1+b4
xserver-xorg-video-intel      2:2.99.917+git20160706-1
xserver-xorg-video-nouveau    1:1.0.13-1
xserver-xorg-video-qxl        0.1.4-3+b1
xserver-xorg-video-radeon     1:7.7.1-1
xserver-xorg-video-vesa       1:2.3.4-1+b1
xserver-xorg-video-vmware     1:13.1.0-2+b1
Comment 2 gvrb 2016-12-09 14:10:36 UTC
This was on the latest GNOME. The crash occurred while I was using the "Gromit Annotations" plugin in Totem Media Player (via Ctrl+D, draw, Ctrl+E, etc.) while a movie was playing. (Refer: https://help.gnome.org/users/totem/stable/totem-plugins.html.en#totem-plugins-gromit )

root@unstable:~# gnome-shell --version
GNOME Shell 3.22.2

root@unstable:~# uname -a
Linux unstable 4.8.0-1-amd64 #1 SMP Debian 4.8.7-1 (2016-11-13) x86_64 GNU/Linux
Comment 3 gvrb 2016-12-09 19:15:47 UTC
(gdb) f 10
#10 0x00005621e2671f4b in ProcXFixesGetCursorImageAndName (client=0x5621e3a5ade0) at ../../xfixes/cursor.c:512
512	in ../../xfixes/cursor.c

(gdb) p *client
$9 = {
  requestBuffer = 0x5621e49b6150, 
  osPrivate = 0x5621e3a5a990, 
  clientAsMask = 6291456, 
  index = 3, 
  majorOp = 138 '\212', 
  minorOp = 25 '\031', 
  swapped = 0, 
  local = 1, 
  big_requests = 1, 
  clientGone = 0, 
  closeDownMode = 0, 
  clientState = 1, 
  smart_priority = 20 '\024', 
  noClientException = 0, 
  priority = 10, 
  pSwapReplyFunc = 0x5621e2605c70 <CopySwap32Write>, 
  errorValue = 6340699, 
  sequence = 2291173, 
  ignoreCount = 0, 
  numSaved = 17, 
  saveSet = 0x5621e442f1b0, 
  requestVector = 0x5621e29d76e0 <ProcVector>, 
  req_len = 1, 
  replyBytesRemaining = 0, 
  devPrivates = 0x5621e3a5ae68, 
  xkbClientFlags = 32769, 
  mapNotifyMask = 255, 
  newKeyboardNotifyMask = 65535, 
  vMajor = 1, 
  vMinor = 0, 
  minKC = 8 '\b', 
  maxKC = 255 '\377', 
  smart_start_tick = 1162645, 
  smart_stop_tick = 1162645, 
  clientPtr = 0x5621e3a3c8e0, 
  clientIds = 0x5621e3a5a9c0, 
  req_fds = 0
}

(gdb) info locals
rep = <optimized out>
pCursor = 0x5621e438a1f0
image = <optimized out>
npixels = 0
name = <optimized out>
width = 22049
height = 0
rc = 0
x = 0
y = 215

(gdb) p *pCursor
$10 = {
  bits = 0x5621e508b730, 
  foreRed = 8080, 
  foreGreen = 58600, 
  foreBlue = 22049, 
  backRed = 0, 
  backGreen = 256, 
  backBlue = 0, 
  refcnt = 33024, 
  devPrivates = 0x381c0000181c0, 
  id = 492016, 
  serialNumber = 1048560, 
  name = 2097148
}
(gdb) p/x pCursor->name
$11 = 0x1ffffc

(gdb) p (char*) pCursor->name
$12 = 0x1ffffc <error: Cannot access memory at address 0x1ffffc>
Comment 4 Michel Dänzer 2017-04-28 06:17:50 UTC

*** This bug has been marked as a duplicate of bug 100721 ***

