Crash in X server [with Patch]

Andreas Hartmetz ahartmetz at gmail.com
Thu Oct 23 15:09:55 PDT 2014 

Hello,

(I am not subscrided)

it looks like 6e50bfa706cd3ab884c933bf1f17c221a6208aa4 in
xserver is faulty. The X server used to crash every couple of hours 
here, with backtraces as follows (some other messages included for 
context):

[    54.054] (II) RADEON(0): Modeline "1280x1024"x0.0  108.00  1280 1328 
1440 1688  1024 1025 1028 1066 +hsync +vsync (64.0 kHz e)
[    54.054] (II) RADEON(0): Modeline "1440x900"x0.0   88.75  1440 1488 
1520 1600  900 903 909 926 +hsync -vsync (55.5 kHz e)
[    54.054] (II) RADEON(0): Modeline "1600x1200"x0.0  162.00  1600 1664 
1856 2160  1200 1201 1204 1250 +hsync +vsync (75.0 kHz e)
[    54.054] (II) RADEON(0): Modeline "1680x1050"x0.0  119.00  1680 1728 
1760 1840  1050 1053 1059 1080 +hsync -vsync (64.7 kHz e)
[    54.054] (II) RADEON(0): Modeline "1920x1080"x60.0  172.80  1920 
2040 2248 2576  1080 1081 1084 1118 -hsync +vsync (67.1 kHz e)
[    81.990] (WW) RADEON(0): radeon_dri2_flip_event_handler: Pageflip 
completion event has impossible msc 4758 < target_msc 4759
[   265.465] (WW) RADEON(0): radeon_dri2_flip_event_handler: Pageflip 
completion event has impossible msc 15748 < target_msc 15749
[   425.104] (WW) RADEON(0): radeon_dri2_flip_event_handler: Pageflip 
completion event has impossible msc 25311 < target_msc 25312
[   425.120] (WW) RADEON(0): radeon_dri2_flip_event_handler: Pageflip 
completion event has impossible msc 25311 < target_msc 25312
[   761.224] (WW) RADEON(0): radeon_dri2_flip_event_handler: Pageflip 
completion event has impossible msc 45446 < target_msc 45447
[   972.308] (WW) RADEON(0): radeon_dri2_flip_event_handler: Pageflip 
completion event has impossible msc 58091 < target_msc 58092
[   989.809] (EE) 
[   989.809] (EE) Backtrace:
[   989.813] (EE) 0: /opt/xorg/bin/Xorg (OsSigHandler+0x29) [0x594149]
[   989.815] (EE) 1: /lib/x86_64-linux-gnu/libpthread.so.0 
(__restore_rt+0x0) [0x7f4df0db7c8f]
[   989.816] (EE) 2: /lib/x86_64-linux-gnu/libc.so.6 (strerror_l+0x6a0) 
[0x7f4df0a7c080]
[   989.821] (EE) 3: /opt/xorg/lib/dri/radeonsi_dri.so 
(memcpy_texture.isra.1+0x166) [0x7f4deb94fcc6]
[   989.825] (EE) 4: /opt/xorg/lib/dri/radeonsi_dri.so 
(_mesa_texstore+0x457) [0x7f4deb950927]
[   989.830] (EE) 5: /opt/xorg/lib/dri/radeonsi_dri.so 
(store_texsubimage+0x1ba) [0x7f4deb9514ea]
[   989.835] (EE) 6: /opt/xorg/lib/dri/radeonsi_dri.so 
(st_TexSubImage+0x10f) [0x7f4deb9a7b5f]
[   989.841] (EE) 7: /opt/xorg/lib/dri/radeonsi_dri.so 
(texsubimage+0x477) [0x7f4deb940817]
[   989.847] (EE) 8: /opt/xorg/lib/dri/radeonsi_dri.so 
(_mesa_TexSubImage2D+0x3f) [0x7f4deb9447ff]
[   989.853] (EE) 9: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(__glamor_upload_pixmap_to_texture+0x1de) [0x7f4def40894e]
[   989.855] (EE) 10: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(_glamor_upload_bits_to_pixmap_texture+0x2b9) [0x7f4def408e49]
[   989.857] (EE) 11: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(glamor_upload_sub_pixmap_to_texture+0x4c9) [0x7f4def409f79]
[   989.858] (EE) 12: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(glamor_upload_pixmap_to_texture+0x63) [0x7f4def40ad13]
[   989.860] (EE) 13: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(glamor_composite_choose_shader+0xfa4) [0x7f4def3fb724]
[   989.862] (EE) 14: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(glamor_composite_with_shader+0xce) [0x7f4def3fb9be]
[   989.864] (EE) 15: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(glamor_composite_clipped_region+0x46c) [0x7f4def3fcaac]
[   989.867] (EE) 16: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(_glamor_composite+0x7ac) [0x7f4def3fd7ac]
[   989.869] (EE) 17: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(glamor_composite+0x3b) [0x7f4def3fdcab]
[   989.870] (EE) 18: /opt/xorg/bin/Xorg (damageComposite+0x141) 
[0x516d51]
[   989.872] (EE) 19: /opt/xorg/lib/xorg/modules/libglamoregl.so 
(glamor_trapezoids+0x2d6) [0x7f4def4069d6]
[   989.873] (EE) 20: /opt/xorg/bin/Xorg (ProcRenderTrapezoids+0x16c) 
[0x50d6cc]
[   989.873] (EE) 21: /opt/xorg/bin/Xorg (Dispatch+0x277) [0x438167]
[   989.873] (EE) 22: /opt/xorg/bin/Xorg (dix_main+0x3db) [0x43c30b]
[   989.876] (EE) 23: /lib/x86_64-linux-gnu/libc.so.6 
(__libc_start_main+0xf5) [0x7f4df0a04ec5]
[   989.876] (EE) 24: /opt/xorg/bin/Xorg (_start+0x29) [0x42679e]
[   989.878] (EE) 25: ? (?+0x29) [0x29]
[   989.879] (EE) 
[   989.879] (EE) Segmentation fault at address 0x7f4de1950010
[   989.879] (EE) 
Fatal server error:
[   989.879] (EE) Caught signal 11 (Segmentation fault). Server aborting

The proposed fix is:

commit bbcc084afc1396d3df42516baafea5839c95a488
Author: Andreas Hartmetz <ahartmetz at gmail.com>
Date:   Sat Oct 4 18:13:04 2014 +0200

    glamor: Don't free memory we are going to use.
    
    glamor_color_convert_to_bits() returns its second argument on
    success, NULL on error, and need_free_bits already makes sure that
    "bits" aliasing converted_bits is freed in the success case.     
    Looks like the memory leak that was supposed to be fixed in
    6e50bfa706cd3ab884c933bf1f17c221a6208aa4 only occurred in the error
    case.

diff --git a/glamor/glamor_pixmap.c b/glamor/glamor_pixmap.c
index 355fe4b..7c9bf26 100644
--- a/glamor/glamor_pixmap.c
+++ b/glamor/glamor_pixmap.c
@@ -774,8 +774,8 @@ _glamor_upload_bits_to_pixmap_texture(PixmapPtr 
pixmap, GLenum format,
             return FALSE;
         bits = glamor_color_convert_to_bits(bits, converted_bits, w, h,
                                             stride, no_alpha, revert, 
swap_rb);
-        free(converted_bits);
         if (bits == NULL) {
+            free(converted_bits);
             ErrorF("Failed to convert pixmap no_alpha %d,"
                    "revert mode %d, swap mode %d\n", no_alpha, revert, 
swap_rb);
             return FALSE;

I've already, a week or two ago, sent this to Michel a who reviewed it 
(no idea how to forward that, guess I'll need another review from 
whoever volunteers) and OK'd it.

Cheers,
Andreas Hartmetz

More information about the xorg-devel mailing list