[Bug 29310] New: X server crash in vblank code on GL client close

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Jul 29 19:10:37 PDT 2010 

https://bugs.freedesktop.org/show_bug.cgi?id=29310

           Summary: X server crash in vblank code on GL client close
           Product: xorg
           Version: git
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Driver/Radeon
        AssignedTo: xorg-driver-ati at lists.x.org
        ReportedBy: chalserogers at gmail.com
         QAContact: xorg-team at lists.x.org


I'm getting easily reproducible X server crashes when flipping between GL
screensavers in gnome-screensaver-properties with 6.13.1 & Xserver 1.8.1.902. 
I've also seen this under Xserver 1.8.99.905.

The first problem is that when the screensaver client goes away it seems that
radeon_dri2_frame_event_handler gets called with a NULL event->back field. 
This obviously then crashes dereferencing src_buffer->driverPrivate in
radeon_dri2_copy_region.

This is clearly not the full story, though.  After applying the trivial patch
below to work around this, I still get an Xserver crash, this time in miDoCopy.

--- xserver-xorg-video-ati.orig/src/radeon_dri2.c    2010-07-30
10:28:39.784413424 +1000
+++ xserver-xorg-video-ati/src/radeon_dri2.c    2010-07-30 10:46:39.652899888
+1000
@@ -373,6 +373,10 @@
     switch (event->type) {
     case DRI2_FLIP:
     case DRI2_SWAP:
+        /* It seems we can be called after a client has quit and the back
+       buffer is NULL.  In this case, bail. */
+        if (!event->back && !event->front)
+        break;
         box.x1 = 0;
         box.y1 = 0;
         box.x2 = drawable->width;

Backtrace after applying the patch:

Program received signal SIGSEGV, Segmentation fault.
0x00007fdd3d4baf11 in pixman_region_intersect (new_reg=0x7fff261613a0,
reg1=0x7fff261613a0, reg2=0x119f7e0) at ../../pixman/pixman-region.c:1168
1168    ../../pixman/pixman-region.c: No such file or directory.
        in ../../pixman/pixman-region.c
(gdb) bt
#0  0x00007fdd3d4baf11 in pixman_region_intersect (new_reg=0x7fff261613a0,
reg1=0x7fff261613a0, reg2=0x119f7e0) at ../../pixman/pixman-region.c:1168
#1  0x000000000054e5ca in miDoCopy (pSrcDrawable=0x119f790,
pDstDrawable=0x114f870, pGC=0xbf6a80, xIn=33, yIn=0, widthSrc=<value optimised
out>,
    heightSrc=300, xOut=0, yOut=0, copyProc=0x7fdd39dc6450 <exaCopyNtoN>,
bitPlane=0, closure=0x0) at ../../mi/micopy.c:324
#2  0x00007fdd39dc5827 in exaCopyArea (pSrcDrawable=0x119f790,
pDstDrawable=0x114f870, pGC=0xbf6a80, srcx=0, srcy=<value optimised out>,
    width=<value optimised out>, height=300, dstx=0, dsty=0) at
../../exa/exa_accel.c:608
#3  0x00000000004da818 in damageCopyArea (pSrc=0x119f790, pDst=0x114f870,
pGC=0xbf6a80, srcx=<value optimised out>, srcy=<value optimised out>,
    width=480, height=300, dstx=0, dsty=0) at
../../../miext/damage/damage.c:949
#4  0x00007fdd3aae3f9a in radeon_dri2_copy_region (drawable=<value optimised
out>, region=0x7fff26161590, dest_buffer=<value optimised out>,
    src_buffer=<value optimised out>) at ../../src/radeon_dri2.c:320
#5  0x00007fdd3aae465c in radeon_dri2_frame_event_handler (frame=333722,
tv_sec=1280451378, tv_usec=394655, event_data=<value optimised out>)
    at ../../src/radeon_dri2.c:385
#6  0x00007fdd3b124c13 in drmHandleEvent (fd=9, evctx=0xbb0780) at
../xf86drmMode.c:787
#7  0x0000000000435d7b in WakeupHandler (result=1, pReadmask=0x7e2a20) at
../../dix/dixutils.c:403
#8  0x000000000045f337 in WaitForSomething (pClientsReady=<value optimised
out>) at ../../os/WaitFor.c:232
#9  0x0000000000430802 in Dispatch () at ../../dix/dispatch.c:375
#10 0x000000000042616a in main (argc=8, argv=0x7e1be8, envp=<value optimised
out>) at ../../dix/main.c:286
(gdb) print new_reg
$1 = (region_type_t *) 0x7fff261613a0
(gdb) print *new_reg
$2 = {extents = {x1 = 33, y1 = 0, x2 = 513, y2 = 300}, data = 0x0}
(gdb) print *reg1
$3 = {extents = {x1 = 33, y1 = 0, x2 = 513, y2 = 300}, data = 0x0}
(gdb) print *reg2
$4 = {extents = {x1 = 0, y1 = 0, x2 = 11, y2 = 0}, data = 0x400000a00}
(gdb) set pagination 0
(gdb) bt full
#0  0x00007fdd3d4baf11 in pixman_region_intersect (new_reg=0x7fff261613a0,
reg1=0x7fff261613a0, reg2=0x119f7e0) at ../../pixman/pixman-region.c:1168
No locals.
#1  0x000000000054e5ca in miDoCopy (pSrcDrawable=0x119f790,
pDstDrawable=0x114f870, pGC=0xbf6a80, xIn=33, yIn=0, widthSrc=<value optimised
out>, height
Src=300, xOut=0, yOut=0, copyProc=0x7fdd39dc6450 <exaCopyNtoN>, bitPlane=0,
closure=0x0) at ../../mi/micopy.c:324
        prgnSrcClip = 0x119f7e0
        freeSrcClip = 0
        prgnExposed = <value optimised out>
        rgnDst = {extents = {x1 = 33, y1 = 0, x2 = 513, y2 = 300}, data = 0x0}
        dx = -455
        dy = <value optimised out>
        box_x1 = <value optimised out>
        box_y1 = 0
        box_x2 = <value optimised out>
        box_y2 = 0
        fastSrc = <value optimised out>
        fastDst = <value optimised out>
        fastExpose = 0
#2  0x00007fdd39dc5827 in exaCopyArea (pSrcDrawable=0x119f790,
pDstDrawable=0x114f870, pGC=0xbf6a80, srcx=0, srcy=<value optimised out>,
width=<value optimised out>, height=300, dstx=0, dsty=0) at
../../exa/exa_accel.c:608
No locals.
#3  0x00000000004da818 in damageCopyArea (pSrc=0x119f790, pDst=0x114f870,
pGC=0xbf6a80, srcx=<value optimised out>, srcy=<value optimised out>,
width=480, height=300, dstx=0, dsty=0) at ../../../miext/damage/damage.c:949
        ret = <value optimised out>
        pGCPriv = 0xbf4200
        oldFuncs = 0x7cd140
#4  0x00007fdd3aae3f9a in radeon_dri2_copy_region (drawable=<value optimised
out>, region=0x7fff26161590, dest_buffer=<value optimised out>,
src_buffer=<value optimised out>) at ../../src/radeon_dri2.c:320
        src_private = <value optimised out>
        dst_private = 0x124fec0
        pScreen = <value optimised out>
        pScrn = 0xbabfa0
        src_drawable = 0x0
        dst_drawable = 0x114f870
        copy_clip = <value optimised out>
        gc = 0xbf6a80
        info = 0xbafab0
        vsync = 0
#5  0x00007fdd3aae465c in radeon_dri2_frame_event_handler (frame=333722,
tv_sec=1280451378, tv_usec=394655, event_data=<value optimised out>) at
../../src/radeon_dri2.c:385
        event = 0x1247730
        drawable = 0x114f870
        scrn = <value optimised out>
        status = <value optimised out>
        region = {extents = {x1 = 0, y1 = 0, x2 = 480, y2 = 300}, data = 0x0}
        __func__ = "radeon_dri2_frame_event_handler"
#6  0x00007fdd3b124c13 in drmHandleEvent (fd=9, evctx=0xbb0780) at
../xf86drmMode.c:787
        buffer = "\001\000\000\000
\000\000\000\060w$\001\000\000\000\000\062#RL\237\005\006\000\232\027\005",
'\000' <repeats 13 times>, "\032", '\000' <repeats 19 times>,
"\001\000\000\000\000\000\000\000\001", '\000' <repeats 27 times>,
"\001\000\000\000\000\000\000\000\237\206\200:\335\177\000\000\000\006", '\000'
<repeats 14 times>, "\004", '\000' <repeats 11 times>"\335,
\177\000\000\000\000\000\000\000\000\000\000\275\001\000\000\000\000\000\000\260\372\272\000\000\000\000\000\a\000\000\000\000\000\000\000\000P\000\000\000\000\000\000\034\062\255:\335\177\000\000\000\000\000\000\000\000\000\000\340\345\271\000\000\000\000\000\260\372\272\000\000\000\000\000\220s\273\000\000\000\000\000\220s\273\000\000\000\000\000\240\277\272\000\000\000\000\000\260\372\272\000\000\000\000\000\004\000\000\000\000\000\000\000\000\027\026&\377\177\000\000\246"...
        len = 32
        i = <value optimised out>
        e = 0x7fff261615e0
#7  0x0000000000435d7b in WakeupHandler (result=1, pReadmask=0x7e2a20) at
../../dix/dixutils.c:403
        i = 0
#8  0x000000000045f337 in WaitForSomething (pClientsReady=<value optimised
out>) at ../../os/WaitFor.c:232
        i = 18479072
        waittime = {tv_sec = 299, tv_usec = 980893}
        wt = 0x7fff26161c90
        timeout = <value optimised out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {140733832371152, 4415724, 5247488,
140733832371204, 46138226, 15634432, 140733832371400, 140588185890368,
18088392, 140588185890368, 18088392, 46138226, 8217344, 0, 18088392,
140588182737059}}
        selecterr = 11
        nready = <value optimised out>
        devicesReadable = {fds_bits = {0 <repeats 11 times>, 4977383, 0,
12478032, 12478000, 8252592}}
        now = <value optimised out>
        someReady = 0
#9  0x0000000000430802 in Dispatch () at ../../dix/dispatch.c:375
        result = <value optimised out>
        client = 0xee9000
        nready = -1
        start_tick = 3480
#10 0x000000000042616a in main (argc=8, argv=0x7e1be8, envp=<value optimised
out>) at ../../dix/main.c:286
        i = 1
        alwaysCheckForInput = {0, 1}

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the xorg-driver-ati mailing list