XV race condition with xf86XVReputImage, Expose events and Unichrome driver

Luc Verhaegen libv at skynet.be
Thu May 10 21:16:44 PDT 2007


On Thu, May 10, 2007 at 03:34:43PM +0100, Barry Scott wrote:
> I'm sending this report from Simon Farnsworth to the list.
> I'll raise a bug report about this unless you don't want one raised.
> 
> I've been tracking down an X server crash in our system, which
> appears to be triggered by bugs in xf86xv.c.
> 
> Our hardware is a VIA EPIA M10000 (CLE266 graphics), using the
> driver from unichrome.sf.net, xorg-server 1.3.0, and Linux 2.6.
> We have a single instance of Xine running, using the xv output driver.
> 
> When we tell xine to stop playing one movie and to start playing
> another movie we see the following sequence of events:
> 
> xf86XVClipNotify is called, and the test at line 1135
> succeeds as visible is set to 0. This causes pPriv->pDraw
> to be set to NULL (line 1143). Trapping X here in the
> debugger for a couple of minutes is sufficient to fix the bug.
> 
> If we don't stall X, the next call is to
> xf86XVWindowExposures; this ends up calling
> xf86XVReputImage (line 1082).
> 
> xf86XVReputImage assumes that pPriv->pDraw is not NULL,
> resulting in a SIGSEGV when it dereferences it (line 871 in an optimised 
> build).
> 
> If we stall X in xf86XVClipNotify for long enough, the next call
> we see is to xf86XVStopVideo, which closes down Xv, ensuring
> that we don't see the crash.
> 
> For our system, the workaround is to remove ReputImage support
> from the device driver, which prevents the call to xf86XVReputImage,
> and thus avoids the crash.
> -- 
> Simon Farnsworth
> 

This seems awfully related to:
https://bugs.freedesktop.org/show_bug.cgi?id=4653

Luc Verhaegen.
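The call order described in the quoted report, as an added example that is not part of the original thread and is not xorg-server code: a simplified C model in which the expose path checks the drawable pointer before using it. All type and function names here are hypothetical stand-ins, and the check is one possible guard, not the fix adopted upstream.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical model of the per-port state; not xf86xv.c code. */
typedef struct { int x, y; } Drawable;
typedef struct {
    Drawable *pDraw;   /* drawable the port is bound to, NULL once unbound */
    int reputs;        /* number of images re-put to the drawable */
} PortPriv;

enum { REPUT_OK = 0, REPUT_SKIPPED_NO_DRAWABLE = 1 };

/* Models the clip-notify step from the report: not visible -> unbind. */
static void model_clip_notify(PortPriv *p, int visible)
{
    if (!visible)
        p->pDraw = NULL;
}

/* Guarded re-put: verify the binding before touching the drawable. */
static int model_reput_image(PortPriv *p)
{
    if (p->pDraw == NULL)
        return REPUT_SKIPPED_NO_DRAWABLE; /* an unguarded version faults here */
    (void)p->pDraw->x;                    /* safe: pDraw checked above */
    p->reputs += 1;
    return REPUT_OK;
}

/* Models the expose handler, which re-puts the image unconditionally. */
static int model_window_exposures(PortPriv *p)
{
    return model_reput_image(p);
}

/* Replays the reported order: clip notify (visible == 0), then expose. */
static int replay_reported_sequence(void)
{
    Drawable win = { 0, 0 };
    PortPriv port = { &win, 0 };
    model_clip_notify(&port, 0);
    return model_window_exposures(&port);
}

int main(void)
{
    printf("expose after clip notify -> %d\n", replay_reported_sequence());
    return 0;
}
```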


