xscreensaver triggers X server to crash

Michel Dänzer michel at daenzer.net
Tue Aug 9 01:24:25 PDT 2011


On Tue, 2011-08-09 at 10:55 +0300, Janne Huttunen wrote: 
> Hi!
> 
> I have a highly repeatable use-case, where xscreensaver causes the X server to
> crash. To be exact, it doesn't seem to be the screensaver itself, but the unlock
> dialog it shows when it is deactivated. The crash itself is actually a SIGABRT
> raised by malloc() due to corrupted memory.
> 
> The memory corruption seems to happen like this:
> 
> ==7560== Invalid write of size 8
> ==7560==    at 0x4C2A22E: memcpy (mc_replace_strmem.c:635)
> ==7560==    by 0x8BF8FF6: RADEONDownloadFromScreenCS (radeon_exa_funcs.c:667)
> ==7560==    by 0x989DE6E: exaCopyDirty (exa_migration_classic.c:220)
> ==7560==    by 0x98A0B01: exaPrepareAccessReg_mixed (exa_migration_mixed.c:247)
> ==7560==    by 0x98AB318: ExaCheckPolyGlyphBlt (exa_unaccel.c:342)
> ==7560==    by 0x4C4589: damageText (damage.c:1489)
> ==7560==    by 0x4C86C2: damagePolyText8 (damage.c:1507)
> ==7560==    by 0x444824: doPolyText (dixfonts.c:1368)
> ==7560==    by 0x4457B8: PolyText (dixfonts.c:1437)
> ==7560==    by 0x435328: ProcPolyText (dispatch.c:2260)
> ==7560==    by 0x437EE8: Dispatch (dispatch.c:431)
> ==7560==    by 0x421A7D: main (main.c:287)
> ==7560==  Address 0x113b1040 is 0 bytes after a block of size 4,915,200 alloc'd
> ==7560==    at 0x4C28FAC: malloc (vg_replace_malloc.c:236)
> ==7560==    by 0x98A0B43: exaPrepareAccessReg_mixed (exa_migration_mixed.c:203)
> ==7560==    by 0x98AB318: ExaCheckPolyGlyphBlt (exa_unaccel.c:342)
> ==7560==    by 0x4C4589: damageText (damage.c:1489)
> ==7560==    by 0x4C86C2: damagePolyText8 (damage.c:1507)
> ==7560==    by 0x444824: doPolyText (dixfonts.c:1368)
> ==7560==    by 0x4457B8: PolyText (dixfonts.c:1437)
> ==7560==    by 0x435328: ProcPolyText (dispatch.c:2260)
> ==7560==    by 0x437EE8: Dispatch (dispatch.c:431)
> ==7560==    by 0x421A7D: main (main.c:287)
> 
> As far as I can tell, the reason seems to be that when the system buffer is
> allocated in exaPrepareAccessReg_mixed, for some reason the pixmap
> width is 1600 (the width of my display) and bpp is 32, but sys_pitch is only
> 4096. The allocated buffer won't then be big enough for the data and
> the memcpy ends up overwriting some adjacent data structure.
> 
> Do you have any idea whether this has already been corrected in
> a newer version, or if it hasn't, what other information should I provide
> to help find and solve the problem?
> 
> I am currently running Ubuntu 11.04 on x86_64 with the vendor
> provided kernel and Xorg packages:
> 
> linux-image-2.6.38-10-generic 2.6.38-10.46
> xserver-xorg-core 2:1.10.1-1ubuntu1.1
> xserver-xorg-video-radeon 1:6.14.0-0ubuntu4.1

Does the xserver patch below help?


diff --git a/exa/exa_mixed.c b/exa/exa_mixed.c
index fd1afb2..ff9f30e 100644
--- a/exa/exa_mixed.c
+++ b/exa/exa_mixed.c
@@ -185,11 +185,12 @@ exaModifyPixmapHeader_mixed(PixmapPtr pPixmap, int width, int height, int depth,
             RegionEmpty(&pExaPixmap->validFB);
         }
 
+	pExaPixmap->sys_pitch = PixmapBytePad(width, depth);
+
 	/* Need to re-create system copy if there's also a GPU copy */
 	if (has_gpu_copy && pExaPixmap->sys_ptr) {
 	    free(pExaPixmap->sys_ptr);
 	    pExaPixmap->sys_ptr = NULL;
-	    pExaPixmap->sys_pitch = PixmapBytePad(width, depth);
 	    DamageUnregister(&pPixmap->drawable, pExaPixmap->pDamage);
 	    DamageDestroy(pExaPixmap->pDamage);
 	    pExaPixmap->pDamage = NULL;
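Review bot: the now-unconditional `pExaPixmap->sys_pitch = PixmapBytePad(width, depth);` deserves a comment saying why it no longer lives inside the `has_gpu_copy && sys_ptr` branch, because the placement is the whole fix and a later cleanup could easily move it back. With the old placement a pixmap that had no system copy at the time of the header change kept whatever pitch it was given previously, which matches the report above: a 1600-pixel-wide, 32 bpp pixmap (6400 bytes per row) carrying a sys_pitch of 4096, so the buffer later allocated in exaPrepareAccessReg_mixed from that stale pitch is short by 2304 bytes per row and the download memcpy runs off its end. Suggested wording above the new line: `/* Always keep sys_pitch in sync with the new header; a stale pitch undersizes the system copy allocated later */`. The existing comment "Need to re-create system copy if there's also a GPU copy" still applies to the remaining branch and can stay as is.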


-- 
Earthling Michel Dänzer           |                   http://www.amd.com
Libre software enthusiast         |          Debian, X and DRI developer
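
As an added illustration of the mismatch Janne describes (not code from the X server, the radeon driver, or either poster), the program below models a pixmap header whose sys_pitch is refreshed only when a system copy already exists, versus one whose pitch always follows the new header, and computes how far a row-by-row download would write past a buffer of height times sys_pitch bytes. pixmap_byte_pad is a simplified stand-in for xserver's PixmapBytePad (32-bit scanline padding, depth 24 stored as 32 bpp) and is an assumption; the 1024-pixel previous width that yields the stale 4096-byte pitch is likewise a constructed value, chosen to reproduce the numbers in the report (1600 wide, 1200 rows, a 4,915,200-byte block).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Scanline padding in bits; the byte-pad formula is a simplified
   reimplementation of xserver's PixmapBytePad and is an assumption. */
#define SCANLINE_PAD_BITS 32

static int bits_per_pixel(int depth)
{
    /* Depth 24 is stored as 32 bpp on the reporter's setup; other depths map 1:1. */
    return depth == 24 ? 32 : depth;
}

/* Bytes per padded scanline for a pixmap of the given width and depth. */
int pixmap_byte_pad(int width, int depth)
{
    long bits = (long)width * bits_per_pixel(depth);
    long padded_bits = (bits + SCANLINE_PAD_BITS - 1) / SCANLINE_PAD_BITS * SCANLINE_PAD_BITS;
    return (int)(padded_bits / 8);
}

/* Only the fields involved in the report (hypothetical, not xserver's ExaPixmapPriv). */
struct pixmap {
    int width, height, depth;
    int sys_pitch; /* pitch the system copy was, or will be, allocated with */
};

/* Old flow: the header changes size but sys_pitch is refreshed only when a
   system copy already exists, so a pixmap without one keeps its previous pitch. */
void modify_header_old(struct pixmap *p, int width, int height, int depth, bool has_sys_copy)
{
    p->width = width; p->height = height; p->depth = depth;
    if (has_sys_copy)
        p->sys_pitch = pixmap_byte_pad(width, depth);
}

/* Patched flow: sys_pitch always follows the new header. */
void modify_header_new(struct pixmap *p, int width, int height, int depth, bool has_sys_copy)
{
    (void)has_sys_copy;
    p->width = width; p->height = height; p->depth = depth;
    p->sys_pitch = pixmap_byte_pad(width, depth);
}

/* A download copies width*bpp/8 bytes per row to dst + row*sys_pitch into a
   buffer of height*sys_pitch bytes. Returns how many bytes the last row would
   write past that buffer; 0 means every row fits. */
long download_overflow_bytes(const struct pixmap *p)
{
    long row_bytes = (long)p->width * bits_per_pixel(p->depth) / 8;
    long alloc     = (long)p->height * p->sys_pitch;
    long needed    = (long)(p->height - 1) * p->sys_pitch + row_bytes;
    return needed > alloc ? needed - alloc : 0;
}

/* Defensive copy: refuses the whole download instead of trusting the pitch. */
bool download_rows_checked(unsigned char *dst, long dst_size, const struct pixmap *p,
                           const unsigned char *src, int src_pitch)
{
    long row_bytes = (long)p->width * bits_per_pixel(p->depth) / 8;
    if ((long)p->height * p->sys_pitch > dst_size || download_overflow_bytes(p) != 0)
        return false; /* stale or too-small pitch: would run off the end of dst */
    for (int row = 0; row < p->height; row++)
        memcpy(dst + (long)row * p->sys_pitch, src + (long)row * src_pitch, row_bytes);
    return true;
}

int main(void)
{
    /* Constructed scenario: a pixmap last sized 1024 wide (pitch 4096) gets a
       1600x1200 header while it has no system copy. */
    struct pixmap old_flow = { 1024, 1200, 24, pixmap_byte_pad(1024, 24) };
    struct pixmap new_flow = old_flow;
    modify_header_old(&old_flow, 1600, 1200, 24, false);
    modify_header_new(&new_flow, 1600, 1200, 24, false);
    printf("old flow: pitch %d, overflow %ld bytes\n", old_flow.sys_pitch, download_overflow_bytes(&old_flow));
    printf("new flow: pitch %d, overflow %ld bytes\n", new_flow.sys_pitch, download_overflow_bytes(&new_flow));
    return 0;
}
```

With the reporter's numbers the old flow leaves sys_pitch at 4096 and the last of 1200 rows ends 2304 bytes past the 4,915,200-byte buffer, which is the "0 bytes after a block of size 4,915,200" write valgrind flags; the patched flow yields a 6400-byte pitch and no overflow. download_rows_checked shows the bounds check a driver-side copy could apply so a stale pitch fails loudly instead of corrupting the heap.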