[Bug 1390] Server crash under specific operation

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Jan 3 01:31:27 PST 2005


Please do not reply to this email: if you want to comment on the bug, go to
the URL shown below and enter your comments there.

https://bugs.freedesktop.org/show_bug.cgi?id=1390




------- Additional Comments From xzilla at achurch.org  2005-01-03 01:31 -------
I've gotten what seems to be the same bug in 6.8.1; in my case, it's triggered
by clicking the fold/unfold arrow next to "Folders" in the Preferences dialog of
Gimp 2.2.1 (GTK 2.4.14).  The meaningful part of the backtrace looks like

#0  0x086cb540 in ?? ()
#1  0x667f3bcc in ?? ()
#2  0x3fd6a09e in ?? ()
[...]
#65 0x080c57aa in TryClientEvents (client=0x52, pEvents=0x3, count=0, mask=464,
filter=464, grab=0xbffff2ac) at events.c:1572
#66 0x0815ace9 in damagePolylines (pDrawable=0x8957550, pGC=0x8923b88, mode=0,
npt=4, ppt=0x896ba50) at damage.c:918
#67 0x080bcc91 in ProcPolyLine (client=0x8923700) at dispatch.c:1863
#68 0x080c0d7d in Dispatch () at dispatch.c:455
#69 0x080ccd28 in main (argc=2, argv=0xbffff9d4, envp=0x1d0) at main.c:442

but I think everything before ProcPolyLine() is bogus--when I disabled Damage,
the routine before it changed to malloc_set_state() at times and ValidateGC() at
other times, and sometimes I couldn't even get a backtrace at all.

The crash itself happens in xaaWideSegment() (xaaWideLine.c:416):

        if (projectRight) {
            double xap = xa + projectXoff;
            double yap = ya + projectYoff;
            bottomy = miPolyBuildEdge (xap, yap, xap * dx + yap * dy,
                                       -dy, dx, x2, y2, dx < 0, bottom);
            maxy = -ya + projectYoff;
        } else {
            bottomy = miPolyBuildEdge (xa, ya, 0.0,
                                        -dy, dx, x2, y2, dx < 0, bottom);
>>>>>       maxy = -ya;
        }

and 0x86cb540 corresponds to

     c21:       e8 fc ff ff ff          call   c22 <XAAWideSegment+0x72e>
     c26:       f2 0f 10 8d 48 ff ff    movsd  0xffffff48(%ebp),%xmm1
     c2d:       ff 
     c2e:       89 c1                   mov    %eax,%ecx
>>>>>c30:       66 0f 57 0d 10 00 00    xorpd  0x10,%xmm1
     c37:       00 
     c38:       e9 e3 fe ff ff          jmp    b20 <XAAWideSegment+0x62c>
     c3d:       8b 95 24 ff ff ff       mov    0xffffff24(%ebp),%edx
     c43:       31 c0                   xor    %eax,%eax

where the 0x10 is a reference to a bitmask that (presumably) reverses the sign
of a double-precision value.  The problem seems to be that that 0x10 is
relocated to 0x86ca8a8, which is not 16-byte aligned and therefore generates a
GP fault, so I suspect the module loader may be at fault.

Compiling libxaa without optimizations (or, presumably, compiling with
-mno-sse2, though I haven't tried that yet) makes the bug go away.


More information about the xorg-bugzilla-noise mailing list
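Added illustration, not part of the bug report or of the xorg code: the comment above presumes that the 16-byte constant behind "xorpd 0x10,%xmm1" is a sign-bit mask, and that the fault comes from that operand landing at an address that is not a multiple of 16. The C below makes both points concrete: it keeps the mask as a 16-byte-aligned constant (legacy, non-VEX SSE instructions such as xorpd require 16-byte alignment for a memory operand), negates a double by XORing the sign bit the way the optimised code does, and runs the same alignment arithmetic over the relocated address the reporter quotes. The mask value, the constant-pool layout, the helper names and the sample inputs are assumptions made for this example.

```c
/* Added example (not xorg code): negation of a double through an SSE2-style
 * sign-bit mask, written portably, plus the 16-byte alignment check that
 * explains the reported fault.  Mask value, layout, names and sample inputs
 * are assumptions made for illustration. */
#include <inttypes.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the 16-byte constant the disassembly references as "0x10":
 * two copies of the IEEE-754 double sign bit, so a single xorpd flips the
 * sign of both lanes.  A legacy (non-VEX) SSE instruction with a memory
 * operand, xorpd included, faults with #GP unless that operand is 16-byte
 * aligned, which is what _Alignas(16) guarantees for a static constant. */
static const _Alignas(16) uint64_t sign_mask[2] = {
    UINT64_C(0x8000000000000000), UINT64_C(0x8000000000000000)
};

/* Negate a double the way the optimised code does: XOR the sign bit.
 * memcpy is used for the reinterpretation to avoid undefined behaviour;
 * the effect matches "maxy = -ya" for every value, including -0.0 and NaN. */
double negate_via_mask(double x)
{
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    bits ^= sign_mask[0];
    memcpy(&x, &bits, sizeof x);
    return x;
}

/* Distance of an address from the 16-byte boundary an SSE memory operand
 * needs; 0 means the access is legal, anything else means #GP. */
unsigned misalignment16(uintptr_t addr)
{
    return (unsigned)(addr & 0xF);
}

int is_aligned16(uintptr_t addr)
{
    return misalignment16(addr) == 0;
}

int main(void)
{
    /* Sample input, constructed for this example. */
    double ya = 3.5;
    printf("-ya via sign mask = %g\n", negate_via_mask(ya));

    /* The address the report says the constant was relocated to. */
    uintptr_t relocated = (uintptr_t)0x86ca8a8u;
    printf("0x%" PRIxPTR ": misaligned by %u byte(s)%s\n", relocated,
           misalignment16(relocated),
           is_aligned16(relocated) ? "" : " -> xorpd on it would #GP");

    /* The compiler-placed mask, by contrast, satisfies the requirement. */
    printf("sign_mask at %p is %saligned\n", (const void *)sign_mask,
           is_aligned16((uintptr_t)sign_mask) ? "" : "NOT ");
    return 0;
}
```

Run as-is it reports the quoted address as 8 bytes off a 16-byte boundary, which is exactly the condition under which a relocated constant-pool entry turns a perfectly valid xorpd into a general-protection fault; a loader that honours the section's alignment (or code built with -mno-sse2, so that no 16-byte memory operand is emitted) avoids it.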