Xorg crashed with SIGABRT in ResFindAllRes()

Bug #1060059 reported by Michael Blennerhassett
This bug affects 13 people

Affects | Status | Importance | Assigned to | Milestone
X.Org X server | Fix Released | Medium | |
xorg-server (Ubuntu) | Fix Released | High | Timo Aaltonen |
Quantal | Invalid | High | Timo Aaltonen |

Bug Description

Crashed as soon as xrestop is run

ProblemType: Crash
DistroRelease: Ubuntu 12.10
Package: xserver-xorg-core 2:1.13.0-0ubuntu5
ProcVersionSignature: Ubuntu 3.5.0-16.25-generic 3.5.4
Uname: Linux 3.5.0-16-generic x86_64
.tmp.unity.support.test.0:

ApportVersion: 2.5.3-0ubuntu1
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: compiz
CrashCounter: 1
Date: Tue Oct 2 17:43:30 2012
DistUpgraded: Fresh install
DistroCodename: quantal
DistroVariant: ubuntu
ExecutablePath: /usr/bin/Xorg
ExecutableTimestamp: 1348785641
GraphicsCard:
 Advanced Micro Devices [AMD] nee ATI RV730XT [Radeon HD 4670] [1002:9490] (prog-if 00 [VGA controller])
   Subsystem: Giga-byte Technology Device [1458:21b2]
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Alpha amd64 (20120905.2)
MachineType: Gigabyte Technology Co., Ltd. GA-MA780G-UD3H
ProcCmdline: /usr/bin/X :0 -core -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
ProcCwd: /etc/X11
ProcEnviron:

ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.5.0-16-generic root=UUID=e9e28db6-3c36-4e13-bea1-017b97bd28d8 ro quiet splash vt.handoff=7
Signal: 6
SourcePackage: xorg-server
StacktraceTop:
 ?? ()
 FindAllClientResources ()
 ?? ()
 ?? ()
 ?? ()
Title: Xorg crashed with SIGABRT in FindAllClientResources()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

dmi.bios.date: 12/30/2008
dmi.bios.vendor: Award Software International, Inc.
dmi.bios.version: F1
dmi.board.name: GA-MA780G-UD3H
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.modalias: dmi:bvnAwardSoftwareInternational,Inc.:bvrF1:bd12/30/2008:svnGigabyteTechnologyCo.,Ltd.:pnGA-MA780G-UD3H:pvr:rvnGigabyteTechnologyCo.,Ltd.:rnGA-MA780G-UD3H:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvr:
dmi.product.name: GA-MA780G-UD3H
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
version.compiz: compiz 1:0.9.8.2+bzr3377-0ubuntu1
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.39-0ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 9.0~git20120917.7cfd42ce-0ubuntu3
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 9.0~git20120917.7cfd42ce-0ubuntu3
version.xserver-xorg-core: xserver-xorg-core 2:1.13.0-0ubuntu5
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.7.3-0ubuntu1
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.99.99~git20120913.8637f772-0ubuntu1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.20.9-0ubuntu1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.2-0ubuntu2

Michael Blennerhassett (mjblenner) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 ResFindAllRes (value=0x7f1e670c5870, id=84, type=<optimized out>, cdata=0x7f1e6791d0c0) at ../../Xext/xres.c:277
 FindAllClientResources (client=0x7f1e6707c9f0, func=func@entry=0x7f1e65ef7e10 <ResFindAllRes>, cdata=cdata@entry=0x7f1e6791d0c0) at ../../dix/resource.c:1027
 ProcXResQueryClientResources (client=0x7f1e6791d950) at ../../Xext/xres.c:299
 Dispatch () at ../../dix/dispatch.c:428
 main (argc=11, argv=0x7fff2f2121d8, envp=<optimized out>) at ../../dix/main.c:295

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in xorg-server (Ubuntu):
importance: Undecided → Medium
summary: - Xorg crashed with SIGABRT in FindAllClientResources()
+ Xorg crashed with SIGABRT in ResFindAllRes()
tags: removed: need-amd64-retrace
Bryce Harrington (bryce)
visibility: private → public
Bryce Harrington (bryce)
Changed in xorg-server (Ubuntu):
importance: Medium → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xorg-server (Ubuntu):
status: New → Confirmed
Bryce Harrington (bryce)
Changed in xorg-server (Ubuntu):
status: Confirmed → Triaged
Changed in xorg-server (Ubuntu Quantal):
milestone: none → quantal-updates
Michael Vogt (mvo) wrote :

It happened for me as well, but I got a segfault. I attach my logfile. Unity is running, up-to-date 12.10. Machine was upgraded a couple of times and suspended/resumed a bunch of times too.

Bryce Harrington (bryce)
Changed in xorg-server (Ubuntu Quantal):
assignee: nobody → Canonical X.org (canonical-x)
Michael Vogt (mvo) wrote :

Funny fact:
$ Xvfb :99
[different terminal]
$ DISPLAY=:99 gnome-session (or gedit/emacs/gnome-terminal)
does not crash

Bryce Harrington (bryce) wrote :

Timo, please forward this upstream. Maybe double-check that you can reproduce it as well.

Changed in xorg-server (Ubuntu Quantal):
assignee: Canonical X.org (canonical-x) → Timo Aaltonen (tjaalton)
Edward Donovan (edward.donovan) wrote :

FWIW, this is perfectly reproducible on my installation; I've tried xrestop numerous times under Quantal, and every time the X session has crashed.

Pirouette Cacahuète (lissyx) wrote :

I'm reproducing it as well here, up-to-date quantal, ThinkPad T420s with only Intel HD enabled.

In , Knut-petersen (knut-petersen) wrote :

Hardware
========
AOpen i915GMm-HFS, Pentium M Dothan, 2GB RAM

Software
==========
openSuSE 12.1 with kernel 3.6.7, fresh Xorg and xrestop

Problem
=======
Starting xrestop in a terminal window immediately kills Xorg.
Keyboard and mouse dead, screen frozen.
Login via ssh is possible, absolutely nothing related in dmesg and Xorg.0.log
Restarting Xorg via ssh works fine and reanimates screen/keyboard/mouse.

Starting xrestop via ssh -X from another system works fine.

cu,
 Knut

Jakob Eriksson (b-jakob-v) wrote :

Thinkpad T420, (Intel Core i7) only Intel graphics enabled in BIOS.

Ubuntu 12.10

Linux version 3.5.0-18-generic

In , Knut-petersen (knut-petersen) wrote :

Forget about "Starting xrestop via ssh -X from another system works fine."
That does inspect the xserver on the wrong system.

cu,
 Knut

In , Timo Aaltonen (tjaalton) wrote :
Dave Gilbert (ubuntu-treblig) wrote :

It's interesting, I can't trigger this in either my quantal or raring vm, but I've had it happen on two different quantal machines; one Intel graphics one ATI (open driver).

In , Freedesktop-treblig (freedesktop-treblig) wrote :

Since everything useful was optimised out, I added some debug:

....

FindAllClientResources: i=19
FindAllClientResources: resources loop: this=0x7ffe7b0cc420 next=(nil) this->value=0x7ffe7b0cc380 id=52 type=21
ResFindAllRes: value=0x7ffe7b0cc380 id=82 type=21 TypeMask=1fffffff counts=0x7ffe7bc0e950
FindAllClientResources: i=20
FindAllClientResources: resources loop: this=0x7ffe7b0cd840 next=(nil) this->value=0x7ffe7b0cd7d0 id=55 type=19
ResFindAllRes: value=0x7ffe7b0cd7d0 id=85 type=19 TypeMask=1fffffff counts=0x7ffe7bc0e950
FindAllClientResources: i=21
FindAllClientResources: resources loop: this=0x7ffe7b76a600 next=0x7ffe7b0cd610 this->value=0x7ffe7b76ae80 id=193 type=44
ResFindAllRes: value=0x7ffe7b76ae80 id=403 type=44 TypeMask=1fffffff counts=0x7ffe7bc0e950
FindAllClientResources: resources loop: this=0x7ffe7b0cd610 next=(nil) this->value=0x7ffe7b0cd5b0 id=54 type=0
ResFindAllRes: value=0x7ffe7b0cd5b0 id=84 type=0 TypeMask=1fffffff counts=0x7ffe7bc0e950

In , Freedesktop-treblig (freedesktop-treblig) wrote :

OK, a bit more;

xres.c ResFindAllRes doesn't handle the case where the type is 0 (it uses type-1 as an index into an array); it's trivial to fix that with an

if ((type & TypeMask)!=0)

the question is should that ever happen?

I can see that dix/resource.c:AddResource is getting called (once) with a type of 0 - is that legal?

In , Freedesktop-treblig (freedesktop-treblig) wrote :

and my final one for tonight:
The case where AddResource is being called with a 0 type is internal to the server:

No locals.
#1 0x00005555555ccce2 in AddResource (id=84, type=0, value=0x5555559ddaa0) at ../../dix/resource.c:799
        client = <optimised out>
        rrec = <optimised out>
        res = <optimised out>
        head = <optimised out>
#2 0x000055555566e5ce in RRProviderCreate (pScreen=0x5555559b5a80, name=0x5555559bd550 "radeon", nameLength=6) at ../../randr/rrprovider.c:361
        provider = 0x5555559ddaa0
        pScrPriv = 0x5555559d9a50
line 361:
    if (!AddResource (provider->id, RRProviderType, (pointer) provider))
        return NULL;

RRProviderType set in RRProviderInit
#3 0x000055555562ab04 in xf86RandR12CreateObjects12 (pScreen=0x5555559b5a80) at ../../../../hw/xfree86/modes/xf86RandR12.c:1572
        pScrn = 0x5555559b7c80
        config = 0x5555559ba040
        c = <optimised out>
        o = <optimised out>
#4 xf86RandR12Init12 (pScreen=0x5555559b5a80) at ../../../../hw/xfree86/modes/xf86RandR12.c:1929
        pScrn = <optimised out>
        rp = 0x5555559d9a50
        randrp = 0x7ffff6343ac0 <_IO_stdfile_2_lock>
        i = <optimised out>
#5 xf86RandR12Init (pScreen=0x5555559b5a80) at ../../../../hw/xfree86/modes/xf86RandR12.c:897
        rp = 0x38
        randrp = <optimised out>
#6 0x000055555561e596 in xf86CrtcScreenInit (screen=0x5555559b5a80) at ../../../../hw/xfree86/modes/xf86Crtc.c:778
        scrn = <optimised out>
        config = 0x5555559ba040
        c = <optimised out>
#7 0x00007ffff4c15625 in ?? () from /usr/lib/xorg/modules/drivers/radeon_drv.so
No symbol table info available.
#8 0x00005555555a9d25 in AddScreen (pfnInit=0x7ffff4c15150, argc=1, argv=0x7fffffffe678) at ../../dix/dispatch.c:3830
        i = 0
        pScreen = 0x5555559b5a80
        ret = <optimised out>
#9 0x00005555555eb4c3 in InitOutput (pScreenInfo=0x5555555e40c0 <xf86SetDGAMode>, argc=1, argv=0x7fffffffe678) at ../../../../hw/xfree86/common/xf86Init.c:913
        i = <optimised out>
        j = <optimised out>
        k = <optimised out>
        scr_index = <optimised out>
        modulelist = <optimised out>
        optionlist = 0x5555559a4040
        screenpix24 = <optimised out>
        pix24 = <optimised out>
        pix24From = <optimised out>
        pix24Fail = 0

as far as I can tell 'RRProviderType' is never initialised, because as far as I can tell RRProviderInit in randr/RRProviderInit is never called, and neither can I see where it's supposed to be called.

So I think there are three fixes that are needed here:

   1) Xext/xres.c ResFindAllRes
change

   counts[(type & TypeMask) -1]++
to
   if ((type & TypeMask)!=0) counts[(type & TypeMask) - 1]++;

   2) If it's not legal to have a 0-type'd resource, then dix/resource.c:AddResource should check for it and reject it.

   3) fix either randr/rrprovider.c or whatever should be calling RRProviderInit to call it beforehand.

Dave Gilbert (ubuntu-treblig) wrote :

I've just put a load of comments on the upstream bug

The short story is that a patch to
   Xext/xres.c ResFindAllRes
to change

   counts[(type & TypeMask) -1]++
to
   if ((type & TypeMask)!=0) counts[(type & TypeMask) - 1]++;

stops the crash.

The longer story is, I don't think that case of a 0 type should be reached, but I don't know about the innards of X to be sure.
I've commented one case on the upstream bug and how to stop it, and also a suggestion to make it safer to stop it triggering.
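
The guard described in the comments above (fix 1) and the type-0 rejection (fix 2), as an added example that is not code from xorg-server or from anyone in this thread. It is a simplified model: `count_resource`, `add_resource_checked`, `replay_log` and `MODEL_NUM_TYPES` are hypothetical names, and the sample types are the ones shown in the debug log earlier in the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not xorg-server code; all names here are hypothetical. */
#define MODEL_TYPE_MASK 0x1fffffffu   /* TypeMask value from the debug output */
#define MODEL_NUM_TYPES 64u           /* assumed number of registered types */

/* Fix 1: index counts[] only when the masked type is a valid 1-based type.
 * The unguarded form, counts[(type & mask) - 1]++, evaluates 0 - 1 for a
 * type-0 resource and so touches memory outside the array. */
static int count_resource(unsigned int type, int *counts, size_t ncounts)
{
    unsigned int t = type & MODEL_TYPE_MASK;
    if (t == 0 || t > ncounts)
        return 0;               /* skipped: unregistered or out-of-range type */
    counts[t - 1]++;
    return 1;
}

/* Fix 2: refuse to store a resource whose type was never registered. */
static int add_resource_checked(unsigned int id, unsigned int type)
{
    if ((type & MODEL_TYPE_MASK) == 0) {
        fprintf(stderr, "rejecting resource id=%u with type 0\n", id);
        return 0;
    }
    return 1;
}

/* Replays the types from the debug log: 21, 19, 44 and the type-0 entry. */
static int replay_log(int *counts, size_t ncounts)
{
    static const unsigned int types[] = { 21, 19, 44, 0 };
    int counted = 0;
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        counted += count_resource(types[i], counts, ncounts);
    return counted;
}

int main(void)
{
    int counts[MODEL_NUM_TYPES] = { 0 };
    int counted = replay_log(counts, MODEL_NUM_TYPES);
    printf("counted %d of 4 resources; type-0 add accepted: %d\n",
           counted, add_resource_checked(84, 0));
    return 0;
}
```

The upper-bound check in `count_resource` goes beyond the one-line fix quoted in the thread; it is included because the same indexing pattern fails for any type larger than the array.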

Changed in xorg-server:
importance: Unknown → Medium
status: Unknown → Confirmed
In , Airlied-freedesktop (airlied-freedesktop) wrote :

Created attachment 70823
call rrprovider init where it should be called

this implements option 3, no idea where this hunk got lost.

In , anarsoul (anarsoul) wrote :

(In reply to comment #6)
> Created attachment 70823
> call rrprovider init where it should be called
>
> this implements option 3, no idea where this hunk got lost.

This patch fixes crash for me, thanks!

In , Knut-petersen (knut-petersen) wrote :

(In reply to comment #6)
> Created attachment 70823
> call rrprovider init where it should be called
>
> this implements option 3, no idea where this hunk got lost.

Works here, thanks!

cu,
 Knut

In , Knut-petersen (knut-petersen) wrote :

Dave did it ...

Changed in xorg-server:
status: Confirmed → Fix Released
In , Alan Coopersmith (alan-coopersmith) wrote :
In , Freedesktop-treblig (freedesktop-treblig) wrote :

Thanks Dave!

Do you think it would be worth adding the check in to cover (1) and a printf for (2)?
Someone else is bound to screw up and try registering a type 0 resource somewhere.

Dave

Changed in xorg-server (Ubuntu):
status: Triaged → Fix Released
Changed in xorg-server (Ubuntu Quantal):
status: Triaged → Invalid