[Wayland-bugs] [Bug 73566] SIGSEGV: vt-switching + logind + multi-head crashes weston
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue Jan 21 17:46:44 PST 2014
https://bugs.freedesktop.org/show_bug.cgi?id=73566
--- Comment #9 from Bryce Harrington <b.harrington at samsung.com> ---
The other two backtraces show a crash in drm_output_set_cursor()
stride = wl_shm_buffer_get_stride(buffer->shm_buffer);
s = wl_shm_buffer_get_data(buffer->shm_buffer);
wl_shm_buffer_begin_access(buffer->shm_buffer);
for (i = 0; i < ev->surface->height; i++)
memcpy(buf + i * 64, s + i * stride,
ev->surface->width * 4);
But both s and stride appear to be invalid here:
#1 0x00007f31e46dd58f in drm_output_set_cursor (output=0x13f20f0) at
compositor-drm.c:1007
ev = 0x142e810
buffer = 0x7f31e5cb8a88 <main_arena+808>
stride = -439645528
buf = {0 <repeats 4096 times>}
x = 4223888
c = 0x1291940
handle = 0
bo = 0x12a8ea0
s = 0x7f31cb971560 <Address 0x7f31cb971560 out of bounds>
i = 0
y = 32561
In the other stacktrace, s looks ok, but stride looks invalid still:
#1 0x00007fc70e76a506 in drm_output_set_cursor (output=0x1685ef0) at
compositor-drm.c:1004
ev = 0x182d7f0
buffer = 0x7fc70fd45a88 <main_arena+808>
stride = 265575080
buf = {0 <repeats 4096 times>}
x = 4223888
c = 0x166e940
handle = 0
bo = 0x17cec50
s = 0x1685ef0 ""
i = 0
y = 32711
My guess would be that buffer->shm_buffer is uninitialized when this code gets
hit, or has been partially destroyed. If this is relatively easily reproduced,
perhaps instrumenting the wl_shm_buffer creation and destruction routines would
reveal something. Maybe also check reference counts in shm_pool_unref().
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/wayland-bugs/attachments/20140122/9aaa3a08/attachment-0001.html>
More information about the Wayland-bugs
mailing list