<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Xorg crashes with SIGSEGV in sna_set_cursor_position()" href="https://bugs.freedesktop.org/show_bug.cgi?id=99358">99358</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Xorg crashes with SIGSEGV in sna_set_cursor_position()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>xorg
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Driver/intel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>qwerty0987654321@mail.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=128887" name="attach_128887" title="Xorg log">attachment 128887</a> <a href="attachment.cgi?id=128887&action=edit" title="Xorg log">[details]</a></span>
Xorg log

The crash happens randomly; it can take anywhere from half an hour to 2 days.
It seems that the crash happens when moving the cursor.

I've used xorg-x11-drv-intel from the latest git at commit 028c946df08, but the
crash happens anyway.

Here is the crash backtrace:
Process 1715 (Xorg) of user 16585 dumped core.          
                Stack trace of thread 1728:
                #0  0x00007fdd4e5f0d54 sna_set_cursor_position (intel_drv.so)
                #1  0x00000000004bbea2 xf86MoveCursor (Xorg)
                #2  0x0000000000585eb3 miPointerMoveNoEvent (Xorg)
                #3  0x0000000000586cb4 miPointerSetPosition (Xorg)
                #4  0x000000000044d64e positionSprite.part.7 (Xorg)
                #5  0x000000000044de53 fill_pointer_events (Xorg)
                #6  0x000000000044f6df GetPointerEvents (Xorg)
                #7  0x000000000044fc90 QueuePointerEvents (Xorg)
                #8  0x00007fdd4c101cb5 xf86libinput_handle_motion
(libinput_drv.so)
                #9  0x00007fdd4c102880 xf86libinput_read_input
(libinput_drv.so)
                #10 0x000000000059cb1c InputReady (Xorg)
                #11 0x000000000059f181 ospoll_wait (Xorg)
                #12 0x000000000059c976 InputThreadDoWork (Xorg)
                #13 0x00007fdd530ac6ca start_thread (libpthread.so.0)
                #14 0x00007fdd52de6f7f __clone (libc.so.6)

                Stack trace of thread 1715:
                #0  0x00007fdd530b538d __lll_lock_wait (libpthread.so.0)
                #1  0x00007fdd530aeeca pthread_mutex_lock (libpthread.so.0)
                #2  0x000000000059c860 input_lock (Xorg)
                #3  0x00000000004bc386 xf86SetCursor (Xorg)
                #4  0x00000000004babf5 xf86CursorSetCursor (Xorg)
                #5  0x000000000058654b miPointerUpdateSprite (Xorg)
                #6  0x000000000058679a miPointerDisplayCursor (Xorg)
                #7  0x00000000004c9511 CursorDisplayCursor (Xorg)
                #8  0x0000000000518700 AnimCurDisplayCursor (Xorg)
                #9  0x000000000043fe48 ChangeToCursor (Xorg)
                #10 0x0000000000441287 WindowHasNewCursor (Xorg)
                #11 0x000000000046a948 ChangeWindowDeviceCursor (Xorg)
                #12 0x0000000000531dc6 ProcXIChangeCursor (Xorg)
                #13 0x0000000000437055 Dispatch (Xorg)
                #14 0x000000000043afd8 dix_main (Xorg)
                #15 0x00007fdd52cff401 __libc_start_main (libc.so.6)
                #16 0x0000000000424cfa _start (Xorg)

                Stack trace of thread 1722:
                #0  0x00007fdd530b2460 pthread_cond_wait@@GLIBC_2.3.2
(libpthread.so.0)
                #1  0x00007fdd4e634539 __run__ (intel_drv.so)
                #2  0x00007fdd530ac6ca start_thread (libpthread.so.0)
                #3  0x00007fdd52de6f7f __clone (libc.so.6)

and gdb output:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  sna_set_cursor_position (scrn=<optimized out>, x=734, y=196) at
sna_display.c:6332
6332                            int xhot = sna->cursor.ref->bits->xhot;
[Current thread is 1 (Thread 0x7fdd49af3700 (LWP 1728))]
(gdb) bt
#0  0x00007fdd4e5f0d54 in sna_set_cursor_position (scrn=<optimized out>, x=734,
y=196) at sna_display.c:6332
#1  0x00000000004bbea2 in xf86MoveCursor ()
#2  0x0000000000585eb3 in miPointerMoveNoEvent ()
#3  0x0000000000586cb4 in miPointerSetPosition ()
#4  0x000000000044d64e in positionSprite.part.7 ()
#5  0x000000000044de53 in fill_pointer_events ()
#6  0x000000000044f6df in GetPointerEvents ()
#7  0x000000000044fc90 in QueuePointerEvents ()
#8  0x00007fdd4c101cb5 in xf86libinput_handle_motion (pInfo=<optimized out>,
pInfo=<optimized out>, event=
    0x7fdd44008b40) at xf86libinput.c:1254
#9  0x00007fdd4c101cb5 in xf86libinput_handle_event
(event=event@entry=0x7fdd44008b40) at xf86libinput.c:1910
#10 0x00007fdd4c102880 in xf86libinput_read_input (pInfo=<optimized out>) at
xf86libinput.c:1995
#11 0x000000000059cb1c in InputReady ()
#12 0x000000000059f181 in ospoll_wait ()
#13 0x000000000059c976 in InputThreadDoWork ()
#14 0x00007fdd530ac6ca in start_thread () at /lib64/libpthread.so.0
#15 0x00007fdd52de6f7f in clone () at /lib64/libc.so.6

(gdb) p sna->cursor
$1 = {cursors = 0x1cc6b80, info = 0x1712d60, ref = 0x1d9c310, serial = 5871, fg
= 4294967295, bg = 4278190080, 
  size = 64, disable = false, active = true, last_x = 734, last_y = 196,
max_size = 256, use_gtt = true, 
  num_stash = 0, stash = 0x1bd3310, scratch = 0x7fdd55411010}
(gdb) p sna->cursor.ref
$2 = (CursorPtr) 0x1d9c310
(gdb) p sna->cursor.ref->bits
$3 = (CursorBitsPtr) 0x1d9c348
(gdb) p sna->cursor.ref->bits->xhot
$4 = 4
(gdb) info locals
xhot = <optimized out>
yhot = <optimized out>
v = {v = {3.6462044663083995e-321, 2.6894028653599915e-317,
1.0000000000000444}}
hot = {v = {6.9459898994898221e-310, 2147483647, 6.9459898995133397e-310}}
crtc = 0x170a7b0
sna_crtc = 0x170a5b0
cursor = 0x1cc6bc0
arg = {flags = 0, crtc_id = 45, x = -2266, y = -601, width = 29351552, height =
0, handle = 0}
xf86_config = 0x1707af0
sna = 0x7fdd55453000
sigio = 0
c = 2


Reference to Fedora BZ <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1384486">https://bugzilla.redhat.com/show_bug.cgi?id=1384486</a> with
the same issue.

According to the above BZ, the issue is mainly seen with docked Lenovo ThinkPads in
multi-display setups, but there is a report [<a href="show_bug.cgi?id=99358#c50">comment 50</a>] where it's seen on a
desktop.

xorg-x11-server-Xorg-1.19.0-3.fc25.x86_64
xorg-x11-drv-libinput-0.23.0-2.fc25.x86_64

The Xorg log is in the attachment.</pre>
        </div>
      </p>
    </body>
</html>