xscreensaver triggers X server to crash

Janne Huttunen jahuttun at gmail.com
Tue Aug 9 00:55:50 PDT 2011


Hi!

I have a highly repeatable use-case, where xscreensaver causes the X server to
crash. To be exact, it doesn't seem to be the screensaver itself, but the unlock
dialog it shows when it is deactivated. The crash itself is actually a SIGABRT
raised by malloc() due to corrupted memory.

The memory corruption seems to happen like this:

==7560== Invalid write of size 8
==7560==    at 0x4C2A22E: memcpy (mc_replace_strmem.c:635)
==7560==    by 0x8BF8FF6: RADEONDownloadFromScreenCS (radeon_exa_funcs.c:667)
==7560==    by 0x989DE6E: exaCopyDirty (exa_migration_classic.c:220)
==7560==    by 0x98A0B01: exaPrepareAccessReg_mixed (exa_migration_mixed.c:247)
==7560==    by 0x98AB318: ExaCheckPolyGlyphBlt (exa_unaccel.c:342)
==7560==    by 0x4C4589: damageText (damage.c:1489)
==7560==    by 0x4C86C2: damagePolyText8 (damage.c:1507)
==7560==    by 0x444824: doPolyText (dixfonts.c:1368)
==7560==    by 0x4457B8: PolyText (dixfonts.c:1437)
==7560==    by 0x435328: ProcPolyText (dispatch.c:2260)
==7560==    by 0x437EE8: Dispatch (dispatch.c:431)
==7560==    by 0x421A7D: main (main.c:287)
==7560==  Address 0x113b1040 is 0 bytes after a block of size 4,915,200 alloc'd
==7560==    at 0x4C28FAC: malloc (vg_replace_malloc.c:236)
==7560==    by 0x98A0B43: exaPrepareAccessReg_mixed (exa_migration_mixed.c:203)
==7560==    by 0x98AB318: ExaCheckPolyGlyphBlt (exa_unaccel.c:342)
==7560==    by 0x4C4589: damageText (damage.c:1489)
==7560==    by 0x4C86C2: damagePolyText8 (damage.c:1507)
==7560==    by 0x444824: doPolyText (dixfonts.c:1368)
==7560==    by 0x4457B8: PolyText (dixfonts.c:1437)
==7560==    by 0x435328: ProcPolyText (dispatch.c:2260)
==7560==    by 0x437EE8: Dispatch (dispatch.c:431)
==7560==    by 0x421A7D: main (main.c:287)

As far as I can tell, the reason seems to be that when the system buffer is
allocated in exaPrepareAccessReg_mixed, for some reason the pixmap
width is 1600 (the width of my display) and bpp is 32, but sys_pitch is only
4096. The allocated buffer won't then be big enough for the data and
the memcpy ends up overwriting some adjacent data structure.

Do you have any idea whether this has already been corrected in
a newer version, or, if it hasn't, what other information I should provide
to help find and solve the problem?

I am currently running Ubuntu 11.04 on x86_64 with the vendor
provided kernel and Xorg packages:

linux-image-2.6.38-10-generic 2.6.38-10.46
xserver-xorg-core 2:1.10.1-1ubuntu1.1
xserver-xorg-video-radeon 1:6.14.0-0ubuntu4.1

My hardware is a Thinkpad T60 with Radeon Mobility X1400:

01:00.0 VGA compatible controller: ATI Technologies Inc Radeon
Mobility X1400 (prog-if 00 [VGA controller])
	Subsystem: Lenovo Thinkpad T60 model 2007
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR+ FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 46
	Region 0: Memory at d8000000 (32-bit, prefetchable) [size=128M]
	Region 1: I/O ports at 2000 [size=256]
	Region 2: Memory at ee100000 (32-bit, non-prefetchable) [size=64K]
	[virtual] Expansion ROM at ee120000 [disabled] [size=128K]
	Capabilities: <access denied>
	Kernel driver in use: radeon
	Kernel modules: radeon

The display is an external 1600x1200 LCD attached via DVI.
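As an added illustration, not taken from this report or from the Xorg sources, a small C model of the mismatch described above: with a 1600-pixel-wide, 32 bpp pixmap and a sys_pitch of 4096, 1200 rows give a block of exactly the 4,915,200 bytes valgrind reports, while each row actually needs 6400 bytes, and a pitch check placed in front of the copy loop refuses the download instead of overrunning the heap block. All function and parameter names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the EXA system-memory download in the report: a
 * width x height pixmap at bpp bits per pixel is copied row by row into a
 * malloc'd buffer of height * sys_pitch bytes. Names are hypothetical and
 * mirror the report's wording, not the Xorg sources. */
static size_t row_bytes(unsigned width, unsigned bpp) {
    return (size_t)width * (bpp / 8);      /* bytes one row really occupies */
}
static size_t bytes_needed(unsigned width, unsigned height, unsigned bpp) {
    return row_bytes(width, bpp) * height; /* what the download writes */
}
static size_t sys_buffer_size(unsigned height, unsigned sys_pitch) {
    return (size_t)height * sys_pitch;     /* what malloc() was asked for */
}
/* 1 when every row copy stays inside its pitch (hence inside the block),
 * 0 when a row wider than sys_pitch would run past the allocation. */
static int download_fits(unsigned width, unsigned bpp, unsigned sys_pitch) {
    return row_bytes(width, bpp) <= sys_pitch;
}
/* Copy loop with the check in front: rows copied, or -1 instead of overrun. */
static long guarded_download(uint8_t *dst, unsigned width, unsigned height,
                             unsigned bpp, unsigned sys_pitch,
                             const uint8_t *src, unsigned src_pitch) {
    size_t rb = row_bytes(width, bpp);
    if (!download_fits(width, bpp, sys_pitch) || rb > src_pitch)
        return -1;
    for (unsigned y = 0; y < height; y++)
        memcpy(dst + (size_t)y * sys_pitch, src + (size_t)y * src_pitch, rb);
    return (long)height;
}
/* Runs the guarded copy for the report's 1600x1200x32 geometry with the
 * given sys_pitch; returns its result so the outcome can be checked. */
static long demo_download(unsigned sys_pitch) {
    unsigned w = 1600, h = 1200, bpp = 32, src_pitch = 6400;
    uint8_t *src = calloc(h, src_pitch), *dst = calloc(h, sys_pitch);
    long r = (src && dst)
           ? guarded_download(dst, w, h, bpp, sys_pitch, src, src_pitch) : -1;
    free(src); free(dst);
    return r;
}
int main(void) {
    printf("block %zu bytes, download writes %zu bytes: %s\n",
           sys_buffer_size(1200, 4096), bytes_needed(1600, 1200, 32),
           download_fits(1600, 32, 4096) ? "fits" : "overflows");
    return 0;
}
```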
