<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - xserver crash in gtk+ application"
href="https://bugs.freedesktop.org/show_bug.cgi?id=90940#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - xserver crash in gtk+ application"
href="https://bugs.freedesktop.org/show_bug.cgi?id=90940">bug 90940</a>
from <span class="vcard"><a class="email" href="mailto:chris@chris-wilson.co.uk" title="Chris Wilson <chris@chris-wilson.co.uk>"> <span class="fn">Chris Wilson</span></a>
</span></b>
<pre>Definitely looks like if we overflow the rects_embedded array we would cause
that crash. Can you apply
diff --git a/src/sna/sna_tiling.c b/src/sna/sna_tiling.c
index 308efc0..e4796ec 100644
--- a/src/sna/sna_tiling.c
+++ b/src/sna/sna_tiling.c
@@ -334,6 +334,7 @@ sna_tiling_composite_spans_box(struct sna *sna,
struct sna_tile_state *tile = op->base.priv;
struct sna_tile_span *a;
+ ErrorF("%s(%d/%d)\n", __func__, tile->rect_count, tile->rect_size);
if (tile->rect_count == tile->rect_size) {
int newsize = tile->rect_size * 2;
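Review bot: in sna_tiling_composite_spans_box the new ErrorF sits ahead of the
"if (tile->rect_count == tile->rect_size)" test, so it prints on every call
rather than only where the array is grown, and the equality test itself would
not trip if rect_count had already moved past rect_size. For the overflow being
chased, print inside the grow branch and add a separate message when rect_count
exceeds rect_size, so the log is not flooded and a count that has skipped past
the limit shows up directly.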
@@ -582,6 +583,9 @@ sna_tiling_composite_spans(uint32_t op,
tile->rect_count = 0;
tile->rect_size = ARRAY_SIZE(tile->rects_embedded);
+ ErrorF("%s: sizeof(tile->rects_embedded)=%d, sizeof(span_box)=%d\n",
+ __func__, sizeof(tile->rects_embedded), sizeof(struct
sna_tile_span));
+
tmp->box = sna_tiling_composite_spans_box;
tmp->boxes = sna_tiling_composite_spans_boxes;
tmp->done = sna_tiling_composite_spans_done;
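Review bot: the ErrorF added in sna_tiling_composite_spans passes two sizeof
results, which are size_t, to %d conversions; on a 64-bit build that is a
format/argument mismatch and the printed numbers cannot be trusted, which
defeats the diagnostic. Cast both arguments to int (or use a size_t conversion),
and consider printing ARRAY_SIZE(tile->rects_embedded) too, since that is the
value assigned to rect_size. As quoted here the argument line is also wrapped
after "sizeof(struct", so the hunk needs rejoining before it will apply.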
and attach the new Xorg.0.log?</pre>
</div>
</p>
</body>
</html>