[Xcb] Bug#700013: libxcb1: libxcb crashes on systems with Mali graphics
Michal Suchanek
hramrach at gmail.com
Thu Feb 7 04:02:59 PST 2013
Package: libxcb1
Version: 1.8.1-2
Severity: important
Hello,
Running es2_info on a system with Mali graphics causes a crash.
The Mali EGL library uses threads internally.
The interface to the user program should be single-threaded, however.
ldd es2_info
libGLESv2.so => /usr/lib/arm-linux-gnueabihf/libGLESv2.so (0xb6f12000)
libm.so.6 => /lib/arm-linux-gnueabihf/libm.so.6 (0xb6ea6000)
libX11.so.6 => /usr/lib/arm-linux-gnueabihf/libX11.so.6 (0xb6dbd000)
libXext.so.6 => /usr/lib/arm-linux-gnueabihf/libXext.so.6 (0xb6dab000)
libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0xb6cc6000)
libUMP.so => /usr/lib/arm-linux-gnueabihf/libUMP.so (0xb6cb9000)
libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0xb6c9d000)
libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0xb6c92000)
libgcc_s.so.1 => /lib/arm-linux-gnueabihf/libgcc_s.so.1 (0xb6c6e000)
/lib/ld-linux-armhf.so.3 (0xb6fe1000)
libxcb.so.1 => /usr/lib/arm-linux-gnueabihf/libxcb.so.1 (0xb6c53000)
libdri2.so.1 => /usr/lib/arm-linux-gnueabihf/libdri2.so.1 (0xb6c49000)
libdrm.so.2 => /usr/lib/arm-linux-gnueabihf/libdrm.so.2 (0xb6c38000)
libXfixes.so.3 => /usr/lib/arm-linux-gnueabihf/libXfixes.so.3 (0xb6c2c000)
libXau.so.6 => /usr/lib/arm-linux-gnueabihf/libXau.so.6 (0xb6c22000)
libXdmcp.so.6 => /usr/lib/arm-linux-gnueabihf/libXdmcp.so.6 (0xb6c17000)
librt.so.1 => /lib/arm-linux-gnueabihf/librt.so.1 (0xb6c09000)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
[xcb] Unknown request in queue while appending request
[xcb] Most likely this is a multi-threaded client and XInitThreads has not been called
[xcb] Aborting, sorry about that.
[New Thread 0xb6c0d470 (LWP 11163)]
[New Thread 0xb640d470 (LWP 11164)]
[New Thread 0xb5c0d470 (LWP 11165)]
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=0xb6dab258, bytes=100) at malloc.c:4439
4439 malloc.c: No such file or directory.
#0 _int_malloc (av=0xb6dab258, bytes=100) at malloc.c:4439
iters = <optimized out>
nb = 104
idx = 13
bin = <optimized out>
victim = 0x18308
size = 16392
victim_index = <optimized out>
remainder = <optimized out>
remainder_size = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = 0x10004
errstr = 0x0
__func__ = "_int_malloc"
#1 0xb6d1fd68 in __GI___libc_malloc (bytes=100) at malloc.c:3660
ar_ptr = 0xb6dab258
victim = <optimized out>
hook = <optimized out>
__func__ = "__libc_malloc"
#2 0xb6d1560e in _IO_vasprintf (result_ptr=0xbefff9e4, format=0xb6d93008 "%s%s%s:%u: %s%sAssertion `%s' failed.\n", args=...) at vasprintf.c:52
string = <optimized out>
sf = {_sbf = {_f = {_flags = 1298088780, _IO_read_ptr = 0x41535345 <Address 0x41535345 out of bounds>, _IO_read_end = 0x2f534547 <Address 0x2f534547 out of bounds>, _IO_read_base = 0x6362696c <Address 0x6362696c out of bounds>, _IO_write_base = 0x6f6d2e <Address 0x6f6d2e out of bounds>, _IO_write_ptr = 0xb6cea723 "F\327\370\224", _IO_write_end = 0xb6dad2e8 "U\200\312\266", _IO_buf_base = 0xffffffff <Address 0xffffffff out of bounds>, _IO_buf_end = 0xbeff0043 "", _IO_save_base = 0xb6cea9c7 "\346\376\367\364\373\003x\004FC+\030\277\064F\177\364\257\256cx", _IO_backup_base = 0xb6ff548c "symbol=%s; lookup in file=%s [%lu]\n", _IO_save_end = 0xb6dc4df8 "", _markers = 0x0, _chain = 0x0, _fileno = 0, _flags2 = 357, _old_offset = -1224756536, _cur_column = 11, _vtable_offset = 0 '\000', _shortbuf = "", _lock = 0x4, _offset = 3070194880, _codecvt = 0x0, _wide_data = 0x0, _freeres_list = 0xb6d92ea8, _freeres_buf = 0xb6d92ec0, _freeres_size = 3204446448, _mode = -1227186176, _unused2 = "\"\000\000\000\250.\331\266\005\000\000\000\020\371\377\276\377\377\377\377\000\000\000\000\"\000\000\000\005\000\000\000\b0\331\266\000\000\000"}, vtable = 0xb6ff74c0}, _s = {_allocate_buffer = 0x5, _free_buffer = 0xa4}}
ret = <optimized out>
needed = <optimized out>
allocated = <optimized out>
#3 0xb6d01858 in ___asprintf (string_ptr=<optimized out>, format=0xb6d93008 "%s%s%s:%u: %s%sAssertion `%s' failed.\n") at asprintf.c:37
arg = {__ap = 0xbefff9c0}
done = 268435456
#4 0xb6ce9224 in __GI___assert_fail (assertion=0xb6e369b4 "!xcb_xlib_unknown_req_pending", file=0xb6e368b0 "../../src/xcb_io.c", line=164, function=<optimized out>) at assert.c:59
buf = <optimized out>
#5 0xb6deaee4 in append_pending_request (dpy=0xb6e36770, sequence=<optimized out>) at ../../src/xcb_io.c:162
xcb_xlib_unknown_req_pending = 1
node = <optimized out>
__PRETTY_FUNCTION__ = "append_pending_request"
#6 0xb6deb7a0 in _XReply (dpy=0x12008, rep=0xbefffa40, extra=0, discard=1) at ../../src/xcb_io.c:584
error = <optimized out>
c = 0xb6e369b4
reply = <optimized out>
current = <optimized out>
__PRETTY_FUNCTION__ = "_XReply"
#7 0xb6de56ae in XQueryExtension (dpy=0x12008, name=<optimized out>, major_opcode=0xbefffa84, first_event=0xbefffa88, first_error=0xbefffa8c) at ../../src/QuExt.c:48
rep = {type = 0 '\000', pad1 = 0 '\000', sequenceNumber = 0, length = 3067496925, present = 0 '\000', major_opcode = 0 '\000', first_event = 0 '\000', first_error = 0 '\000', pad3 = 16, pad4 = 3, pad5 = 3067781120, pad6 = 3066729261, pad7 = 5}
req = 0x18310
#8 0xb6dde5aa in XInitExtension (dpy=0x12008, name=0xb6fcfde8 "DRI2") at ../../src/InitExt.c:47
codes = {extension = 0, major_opcode = 0, first_event = 275560, first_error = -1227752087}
ext = <optimized out>
#9 0xb6db7212 in XextAddDisplay (extinfo=0x43468, dpy=0x12008, ext_name=0xb6fcfde8 "DRI2", hooks=0xb6fcfdf0, nevents=0, data=0x0) at ../../src/extutil.c:110
dpyinfo = 0x4c008
#10 0xb6f725b6 in DRI2FindDisplay () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#11 0xb6f7288e in DRI2DestroyDrawable () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#12 0xb6f714be in __egl_platform_destroy_surface () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#13 0xb6f6dea8 in __egl_release_surface () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#14 0xb6f6df5e in _egl_destroy_surface_internal () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#15 0xb6f381ca in __egl_make_current_release_surface () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#16 0xb6f6b212 in _egl_make_current () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#17 0xb6f6b694 in __egl_free_all_displays () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#18 0xb6f6c524 in mali_egl_cleanup_internal () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#19 0xb6fec0dc in ?? () from /lib/ld-linux-armhf.so.3
No symbol table info available.
#20 0x00000000 in ?? ()
No symbol table info available.
Thread 4 (Thread 0xb5c0d470 (LWP 11165)):
#0 0xb6d56448 in ioctl () at ../sysdeps/unix/syscall-template.S:82
No locals.
#1 0xb6f75ca8 in mali_driver_ioctl () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#2 0xb6f76016 in arch_worker_thread () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#3 0xb6ca6ebc in start_thread (arg=0xb5c0d470) at pthread_create.c:306
pd = 0xb5c0d470
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1245653904, -1228215588, 1, -1245655560, 0, 0, 0, -1245653340, -1245655560, -1228247399, 0 <repeats 54 times>}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#4 0xb6d5b7f8 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
No locals.
#5 0xb6d5b7f8 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
No locals.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Thread 3 (Thread 0xb640d470 (LWP 11164)):
#0 __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
No locals.
#1 0xb6ca9fea in __pthread_cond_wait (cond=0x1eea8, mutex=0x1ee8c) at pthread_cond_wait.c:153
_a2tmp = 128
_a2 = <optimized out>
_nametmp = 240
_a3tmp = 1
_a3 = <optimized out>
_a1 = <optimized out>
_a4tmp = 0
_a1tmp = 126636
_a4 = <optimized out>
_name = <optimized out>
futex_val = 1
buffer = {__routine = 0xb6ca9df5 <__condvar_cleanup>, __arg = 0xb640cd68, __canceltype = 0, __prev = 0x0}
cbuffer = {oldtype = 0, cond = 0x1eea8, mutex = 0x1ee8c, bc_seq = 0}
err = <optimized out>
pshared = 0
val = <optimized out>
seq = 0
#2 0xb6d648f2 in __pthread_cond_wait (cond=<optimized out>, mutex=<optimized out>) at forward.c:139
__p = <optimized out>
#3 0xb6f757fe in _mali_osu_lock_wait () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#4 0xb6f70096 in __egl_worker_thread () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#5 0xb6ca6ebc in start_thread (arg=0xb640d470) at pthread_create.c:306
pd = 0xb640d470
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1237265296, -1228215588, 1, -1237266952, 0, 0, 0, -1237264732, -1237266952, -1228247399, 0 <repeats 54 times>}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#6 0xb6d5b7f8 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
No locals.
#7 0xb6d5b7f8 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
No locals.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Thread 2 (Thread 0xb6c0d470 (LWP 11163)):
#0 __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
No locals.
#1 0xb6ca9fea in __pthread_cond_wait (cond=0x1ed38, mutex=0x1ed1c) at pthread_cond_wait.c:153
_a2tmp = 128
_a2 = <optimized out>
_nametmp = 240
_a3tmp = 1
_a3 = <optimized out>
_a1 = <optimized out>
_a4tmp = 0
_a1tmp = 126268
_a4 = <optimized out>
_name = <optimized out>
futex_val = 1
buffer = {__routine = 0xb6ca9df5 <__condvar_cleanup>, __arg = 0xb6c0cd68, __canceltype = 5, __prev = 0x0}
cbuffer = {oldtype = 0, cond = 0x1ed38, mutex = 0x1ed1c, bc_seq = 0}
err = <optimized out>
pshared = 0
val = <optimized out>
seq = 0
#2 0xb6d648f2 in __pthread_cond_wait (cond=<optimized out>, mutex=<optimized out>) at forward.c:139
__p = <optimized out>
#3 0xb6f757fe in _mali_osu_lock_wait () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#4 0xb6f70096 in __egl_worker_thread () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#5 0xb6ca6ebc in start_thread (arg=0xb6c0d470) at pthread_create.c:306
pd = 0xb6c0d470
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1228876688, -1228215588, 1, -1228878344, 0, 0, 0, -1228876124, -1228878344, -1228247399, 0 <repeats 54 times>}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#6 0xb6d5b7f8 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
No locals.
#7 0xb6d5b7f8 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
No locals.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Thread 1 (Thread 0xb6ff7000 (LWP 11160)):
#0 _int_malloc (av=0xb6dab258, bytes=100) at malloc.c:4439
iters = <optimized out>
nb = 104
idx = 13
bin = <optimized out>
victim = 0x18308
size = 16392
victim_index = <optimized out>
remainder = <optimized out>
remainder_size = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = 0x10004
errstr = 0x0
__func__ = "_int_malloc"
#1 0xb6d1fd68 in __GI___libc_malloc (bytes=100) at malloc.c:3660
ar_ptr = 0xb6dab258
victim = <optimized out>
hook = <optimized out>
__func__ = "__libc_malloc"
#2 0xb6d1560e in _IO_vasprintf (result_ptr=0xbefff9e4, format=0xb6d93008 "%s%s%s:%u: %s%sAssertion `%s' failed.\n", args=...) at vasprintf.c:52
string = <optimized out>
sf = {_sbf = {_f = {_flags = 1298088780, _IO_read_ptr = 0x41535345 <Address 0x41535345 out of bounds>, _IO_read_end = 0x2f534547 <Address 0x2f534547 out of bounds>, _IO_read_base = 0x6362696c <Address 0x6362696c out of bounds>, _IO_write_base = 0x6f6d2e <Address 0x6f6d2e out of bounds>, _IO_write_ptr = 0xb6cea723 "F\327\370\224", _IO_write_end = 0xb6dad2e8 "U\200\312\266", _IO_buf_base = 0xffffffff <Address 0xffffffff out of bounds>, _IO_buf_end = 0xbeff0043 "", _IO_save_base = 0xb6cea9c7 "\346\376\367\364\373\003x\004FC+\030\277\064F\177\364\257\256cx", _IO_backup_base = 0xb6ff548c "symbol=%s; lookup in file=%s [%lu]\n", _IO_save_end = 0xb6dc4df8 "", _markers = 0x0, _chain = 0x0, _fileno = 0, _flags2 = 357, _old_offset = -1224756536, _cur_column = 11, _vtable_offset = 0 '\000', _shortbuf = "", _lock = 0x4, _offset = 3070194880, _codecvt = 0x0, _wide_data = 0x0, _freeres_list = 0xb6d92ea8, _freeres_buf = 0xb6d92ec0, _freeres_size = 3204446448, _mode = -1227186176, _unused2 = "\"\000\000\000\250.\331\266\005\000\000\000\020\371\377\276\377\377\377\377\000\000\000\000\"\000\000\000\005\000\000\000\b0\331\266\000\000\000"}, vtable = 0xb6ff74c0}, _s = {_allocate_buffer = 0x5, _free_buffer = 0xa4}}
ret = <optimized out>
needed = <optimized out>
allocated = <optimized out>
#3 0xb6d01858 in ___asprintf (string_ptr=<optimized out>, format=0xb6d93008 "%s%s%s:%u: %s%sAssertion `%s' failed.\n") at asprintf.c:37
arg = {__ap = 0xbefff9c0}
done = 268435456
#4 0xb6ce9224 in __GI___assert_fail (assertion=0xb6e369b4 "!xcb_xlib_unknown_req_pending", file=0xb6e368b0 "../../src/xcb_io.c", line=164, function=<optimized out>) at assert.c:59
buf = <optimized out>
#5 0xb6deaee4 in append_pending_request (dpy=0xb6e36770, sequence=<optimized out>) at ../../src/xcb_io.c:162
xcb_xlib_unknown_req_pending = 1
node = <optimized out>
__PRETTY_FUNCTION__ = "append_pending_request"
#6 0xb6deb7a0 in _XReply (dpy=0x12008, rep=0xbefffa40, extra=0, discard=1) at ../../src/xcb_io.c:584
error = <optimized out>
c = 0xb6e369b4
reply = <optimized out>
current = <optimized out>
__PRETTY_FUNCTION__ = "_XReply"
#7 0xb6de56ae in XQueryExtension (dpy=0x12008, name=<optimized out>, major_opcode=0xbefffa84, first_event=0xbefffa88, first_error=0xbefffa8c) at ../../src/QuExt.c:48
rep = {type = 0 '\000', pad1 = 0 '\000', sequenceNumber = 0, length = 3067496925, present = 0 '\000', major_opcode = 0 '\000', first_event = 0 '\000', first_error = 0 '\000', pad3 = 16, pad4 = 3, pad5 = 3067781120, pad6 = 3066729261, pad7 = 5}
req = 0x18310
#8 0xb6dde5aa in XInitExtension (dpy=0x12008, name=0xb6fcfde8 "DRI2") at ../../src/InitExt.c:47
codes = {extension = 0, major_opcode = 0, first_event = 275560, first_error = -1227752087}
ext = <optimized out>
#9 0xb6db7212 in XextAddDisplay (extinfo=0x43468, dpy=0x12008, ext_name=0xb6fcfde8 "DRI2", hooks=0xb6fcfdf0, nevents=0, data=0x0) at ../../src/extutil.c:110
dpyinfo = 0x4c008
#10 0xb6f725b6 in DRI2FindDisplay () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#11 0xb6f7288e in DRI2DestroyDrawable () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#12 0xb6f714be in __egl_platform_destroy_surface () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#13 0xb6f6dea8 in __egl_release_surface () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#14 0xb6f6df5e in _egl_destroy_surface_internal () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#15 0xb6f381ca in __egl_make_current_release_surface () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#16 0xb6f6b212 in _egl_make_current () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#17 0xb6f6b694 in __egl_free_all_displays () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#18 0xb6f6c524 in mali_egl_cleanup_internal () from /usr/lib/arm-linux-gnueabihf/libGLESv2.so
No symbol table info available.
#19 0xb6fec0dc in ?? () from /lib/ld-linux-armhf.so.3
No symbol table info available.
#20 0x00000000 in ?? ()
No symbol table info available.
A debugging session is active.
Inferior 1 [process 11160] will be killed.
Quit anyway? (y or n) [answered Y; input not from terminal]
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: armhf (armv7l)
Kernel: Linux 3.4.24+ (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libxcb1 depends on:
ii libc6 2.13-37
ii libxau6 1:1.0.7-1
ii libxdmcp6 1:1.1.1-1
ii multiarch-support 2.13-37
libxcb1 recommends no packages.
libxcb1 suggests no packages.
-- no debconf information