Xorg crashed with SIGSEGV in pixman_image_set_has_client_clip()

Bug #705078 reported by Mario Limonciello on 2011-01-19
274
This bug affects 53 people
Affects Status Importance Assigned to Milestone
xf86-video-intel
Confirmed
High
xorg-server (Debian)
Fix Released
Unknown
xorg-server (Ubuntu)
Critical
Bryce Harrington

Bug Description

I was doing an installation from ubiquity and during the file copy phase X crashed.

#1 DisableDevice ()
#2 0x08067bb3 in RemoveDevice ()
#3 0x080c2128 in DeleteInputDeviceRequest ()
#4 0x08063e43 in ?? ()
#5 0x08064457 in ?? ()
#6 0x080af9c0 in ?? ()
#7 0x080b0561 in ?? ()
#8 0x080a554d in ?? ()
#9 <signal handler called>
#10 pixman_image_set_has_client_clip () from /usr/lib/libpixman-1.so.0
#11 ?? () from /usr/lib/xorg/modules/libfb.so
#12 fbComposite () from /usr/lib/xorg/modules/libfb.so
#13 ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#14 ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#15 ?? ()
#16 CompositePicture ()

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: xserver-xorg-core 2:1.9.0.902-1ubuntu4
ProcVersionSignature: Ubuntu 2.6.37-12.26-generic 2.6.37
Uname: Linux 2.6.37-12-generic i686
Architecture: i386
CompizPlugins: No value set for `/apps/compiz-1/general/allscreens/options/active_plugins'
DRM.card0.DP.1:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
DRM.card0.LVDS.1:
 status: connected
 enabled: enabled
 dpms: On
 modes: 1366x768
 edid-base64: AP///////wBMo0FUAAAAAAASAQOQIhN4Cof1lFdPjCcnUFQAAAABAQEBAQEBAQEBAQEBAQEBQRxWoFAAFjAwICUAYcYQAAAaQRxWoFAAFjAwICUAWMIQAAAaAAAA/gBSODAxSoAxNTZBVAogAAAAAAAAAAAAAAAAAAEBCiAgADY=
DRM.card0.VGA.1:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
Date: Wed Jan 19 19:24:41 2011
DistUpgraded: Fresh install
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-somerville-natty-20110119-0
DistroCodename: natty
DistroVariant: ubuntu
ExecutablePath: /usr/bin/Xorg
GdmLog1: Not present
GdmLog2: Not present
GraphicsCard:
 Subsystem: Dell Device [1028:02aa]
   Subsystem: Dell Device [1028:02aa]
LiveMediaBuild: Ubuntu "Natty" - Build i386 LIVE Binary 20110119-02:31
MachineType: Dell Inc. Inspiron 1545
ProcCmdline: X -br -ac -noreset -nolisten tcp -nr vt7 :0
ProcCwd: /etc/X11
ProcEnviron:
 LANGUAGE=
 PATH=(custom, no user)
 LANG=en_US.UTF-8
ProcKernelCmdLine: noprompt cdrom-detect/try-usb=true initrd=/casper/initrd.lz boot=casper automatic-ubiquity only-ubiquity file=/cdrom/install/preseed.cfg quiet splash username=hostname hostname=hostname union=aufs BOOT_IMAGE=/casper/vmlinuz
ProcKernelCmdLine_: noprompt cdrom-detect/try-usb=true initrd=/casper/initrd.lz boot=casper automatic-ubiquity only-ubiquity file=/cdrom/install/preseed.cfg quiet splash username=hostname hostname=hostname union=aufs BOOT_IMAGE=/casper/vmlinuz
Renderer: Unknown
SegvAnalysis:
 Segfault happened at: 0x813311e: movb $0x23,(%eax)
 PC (0x0813311e) ok
 source "$0x23" ok
 destination "(%eax)" (0x00000000) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: xorg-server
StacktraceTop:
 pixman_image_set_has_client_clip () from /usr/lib/libpixman-1.so.0
 ?? () from /usr/lib/xorg/modules/libfb.so
 fbComposite () from /usr/lib/xorg/modules/libfb.so
 ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
 ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
Title: Xorg crashed with SIGSEGV in pixman_image_set_has_client_clip()
UserGroups:

dmi.bios.date: 12/07/2009
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A14
dmi.board.name: 0G848F
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 8
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA14:bd12/07/2009:svnDellInc.:pnInspiron1545:pvr:rvnDellInc.:rn0G848F:rvr:cvnDellInc.:ct8:cvr:
dmi.product.name: Inspiron 1545
dmi.sys.vendor: Dell Inc.
version.libdrm2: libdrm2 2.4.22-2ubuntu1
version.libgl1-mesa-glx: libgl1-mesa-glx 7.9+repack-1ubuntu3
version.xserver-xorg: xserver-xorg 1:7.5+6ubuntu7
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.13.2-1ubuntu2
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.13.901-2ubuntu2
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20100805+b96170a-0ubuntu1

Mario Limonciello (superm1) wrote :

StacktraceTop:
 XISendDeviceHierarchyEvent (flags=0xbfcccf9c)
 DisableDevice (dev=0xaaa8e70, sendevent=1 '\001')
 ?? ()

Changed in xorg-server (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
summary: - Xorg crashed with SIGSEGV in pixman_image_set_has_cleint_clip%28%29
+ Xorg crashed with SIGSEGV in pixman_image_set_has_client_clip
summary: - Xorg crashed with SIGSEGV in pixman_image_set_has_client_clip
+ Xorg crashed with SIGSEGV in pixman_image_set_has_client_clip()
Bryce Harrington (bryce) on 2011-01-20
Changed in xorg-server (Ubuntu):
importance: Medium → High
Bryce Harrington (bryce) wrote :

Hrm, unfortunately it looks like the apport retracer is choking, so the interpreted backtrace isn't valid.

However, poking around through the X logs, I notice it prints out a bunch of this:

[ 40.000] (II) Dell WMI hotkeys: Device reopened after 1 attempts.
[ 45.264] (II) AIGLX: Suspending AIGLX clients for VT switch
[ 62.004] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 62.005] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 62.005] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
... repeating ...
[ 62.616] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 62.616] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 62.617] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 62.617]
Backtrace:
[ 62.617] 0: X (xorg_backtrace+0x3b) [0x80e83bb]
[ 62.617] 1: X (0x8048000+0x5d4f8) [0x80a54f8]
[ 62.617] 2: (vdso) (__kernel_rt_sigreturn+0x0) [0x6e240c]
[ 62.617] 3: /usr/lib/xorg/modules/libfb.so (0x7e5000+0x16ff0) [0x7fbff0]
[ 62.617] 4: /usr/lib/xorg/modules/libfb.so (fbComposite+0x121) [0x7fc241]
[ 62.617] 5: /usr/lib/xorg/modules/drivers/intel_drv.so (0x240000+0x2fc66) [0x26fc66]
[ 62.617] 6: /usr/lib/xorg/modules/drivers/intel_drv.so (0x240000+0x2c4a0) [0x26c4a0]
[ 62.617] 7: X (0x8048000+0xdb0f2) [0x81230f2]
[ 62.617] 8: X (CompositePicture+0x22b) [0x811822b]
[ 62.617] 9: X (0x8048000+0xd3d39) [0x811bd39]
[ 62.617] 10: X (0x8048000+0xd0a33) [0x8118a33]
[ 62.617] 11: X (0x8048000+0x276c7) [0x806f6c7]
[ 62.617] 12: X (0x8048000+0x1a64c) [0x806264c]
[ 62.617] 13: /lib/libc.so.6 (__libc_start_main+0xe6) [0xd0fce6]
[ 62.617] 14: X (0x8048000+0x1a241) [0x8062241]
[ 62.617] Segmentation fault at address 0x20

visibility: private → public
Bryce Harrington (bryce) wrote :

The above is making me wonder if this is just a symptom of something that changed in the kernel.

Could you please provide a bit more context behind this crash? Was this the first time you tested natty livecd install on this hw, or have you been doing regular test installs up until now and it only regressed on this version? Have you experienced other instances of this X crash but only these two triggered apport? Have you run ubuntu on this hw previously, meaning that this is a regression - if so what version(s) successfully ran on it? Were you able to complete this particular installation, and if so what did you do to work around it? If not, have you attempted installation of a different snapshot? Any other information you can provide which may help narrow down the source of this issue?

Changed in xorg-server (Ubuntu):
status: New → Incomplete
Mario Limonciello (superm1) wrote :

Hi Bryce,

Natty live CD install's haven't been functional for about a week, but they were working fine on both of the pieces of hardware that i've filed bugs on.

Ubuntu's ran successfully with previous versions (10.10 and 10.04) on both pieces of hardware. I was able to complete the installation by forcing it to run in vesa and nomodeset.

Mario Limonciello (superm1) wrote :

And to be clear (probably should have reread before posting).

* Natty live cds from a week ago worked, but there haven't been any live cds up until a few days ago

* I was able to successfully install 10.10 and 10.04 on both pieces of hardware without workarounds. Same as the natty builds from ~1 week ago. It's very recent that I have to use xforcevesa/nomodeset

On Thu, Jan 20, 2011 at 08:25:26PM -0000, Mario Limonciello wrote:
> * Natty live cds from a week ago worked, but there haven't been any live
> cds up until a few days ago

Hmm, ok that's very interesting information.

There was a fix to mesa I posted to mesa for bug 681915 within the past
week, but otherwise there haven't been any significant X changes in this
time period.

Might be some change elsewhere in the system is triggering the X crash?
Sure would be nice to have a more complete backtrace.

Is there any chance we could have you do a reinstall and hook gdb to X
to get a full backtrace on this? If not, I've posted a bug to apport
to get the retracer issue investigated.

Mario Limonciello (superm1) wrote :

Bryce:

I can reproduce this at will by scrolling text in windows or dragging windows around even on a live session. What exactly are you looking for with gdb attached? I tried to attach gdb to the running X process, but the box hung when I did that. Could you give me a particular set of steps to follow?

Mario Limonciello (superm1) wrote :

Well managed to get it to crash over SSH, but doesn't look too useful to me without ddeb's installed.

(gdb) backtrace full
#0 0x00491004 in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
No symbol table info available.
#1 0x081183f8 in CompositeRects ()
No symbol table info available.
#2 0x0811c690 in ?? ()
No symbol table info available.
#3 0x08118a33 in ?? ()
No symbol table info available.
#4 0x0806f6c7 in ?? ()
No symbol table info available.
#5 0x0806264c in _start ()
No symbol table info available.
(gdb) info registers
eax 0xbfe6326c -1075432852
ecx 0x3063c0 3171264
edx 0xbc01098 197136536
ebx 0x4abff4 4898804
esp 0xbfe631f0 0xbfe631f0
ebp 0xbfe63298 0xbfe63298
esi 0xbc0b3a8 197178280
edi 0x0 0
eip 0x491004 0x491004
eflags 0x213246 [ PF ZF IF #12 #13 RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) x/16i $pc
=> 0x491004: mov (%edi),%eax
   0x491006: mov %eax,(%esp)
   0x491009: call 0x488420
   0x49100e: mov -0x6c(%ebp),%edx
   0x491011: test %eax,%eax
   0x491013: mov %eax,%ecx
   0x491015: je 0x4912c7
   0x49101b: mov %edi,-0x58(%ebp)
   0x49101e: mov -0x4c(%ebp),%edi
   0x491021: mov (%edi),%eax
   0x491023: mov -0x54(%ebp),%edi
   0x491026: mov %ecx,0x10(%esp)
   0x49102a: mov -0x58(%ebp),%ecx
   0x49102d: mov %edx,(%esp)
   0x491030: mov %edx,-0x6c(%ebp)
   0x491033: mov %edi,0x18(%esp)
(gdb) thread apply all backtrace

Thread 1 (Thread 0xb77887c0 (LWP 6289)):
#0 0x00491004 in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#1 0x081183f8 in CompositeRects ()
#2 0x0811c690 in ?? ()
#3 0x08118a33 in ?? ()
#4 0x0806f6c7 in ?? ()
#5 0x0806264c in _start ()

Mario Limonciello (superm1) wrote :

Here we go, here's a better one with -dbg symbols installed:

Program received signal SIGSEGV, Segmentation fault.
0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
1070 ../../uxa/uxa-render.c: No such file or directory.
 in ../../uxa/uxa-render.c
(gdb) backtrace full
#0 0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
        solid = 0x0
        src_off_x = 135352438
        src_off_y = -1075839992
        error = 199458944
        screen = <value optimized out>
        dst_pixmap = 0xbe37f88
        src_pixmap = 0x0
        region = {extents = {x1 = 28, y1 = 102, x2 = 313, y2 = 143}, data = 0xbe37cd0}
        boxes = 0xbe37cd8
        extents = <value optimized out>
        src = 0x0
        dst_x = 0
        dst_y = 0
        num_boxes = 4
#1 0x081183f8 in CompositeRects (op=3 '\003', pDst=0xbe38080, color=0xbdb73c0, nRect=4, rects=0xbdb73c8) at ../../render/picture.c:1734
        ps = <value optimized out>
#2 0x0811c690 in ProcRenderFillRectangles (client=0xb22e528) at ../../render/render.c:1475
        pDst = 0xbe38080
        things = <value optimized out>
        stuff = 0xbdb73b4
#3 0x08118a33 in ProcRenderDispatch (client=0xb22e528) at ../../render/render.c:2051
        stuff = <value optimized out>
#4 0x0806f6c7 in Dispatch () at ../../dix/dispatch.c:432
        clientReady = 0xb3fa048
        result = <value optimized out>
        client = 0xb22e528
        nready = 0
        icheck = 0x8204138
        start_tick = 30960
#5 0x0806264c in main (argc=8, argv=0xbfdffe54, envp=0xbfdffe78) at ../../dix/main.c:291
        i = <value optimized out>
        alwaysCheckForInput = {0, 1}

Bryce Harrington (bryce) wrote :

Perfect mario, that points to the cause of the crash:

#0 0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
        solid = 0x0
        src = 0x0

Code at this location is:

                 solid = uxa_acquire_solid(screen, src->pSourcePict);
                        FreePicture(src, 0);

                        src = solid;
                        src_pixmap = uxa_get_offscreen_pixmap(src->pDrawable,
                                                              &src_off_x, &src_off_y);

uxa_acquire_solid() can return 0 for all manner of different reasons, if it could not create a solid picture. Yet the return value isn't checked before dereferencing it. Looks like this code has been there for a while, and doesn't appear to have been fixed in the upstream codebase (at least, there's no null pointer check).

Changed in xorg-server (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
status: Incomplete → Triaged
Bryce Harrington (bryce) wrote :

This adds the missing null pointer checks.

Bryce Harrington (bryce) wrote :

I've set up a PPA with the patch at https://launchpad.net/~bryce/+archive/bug705078

Hopefully there should be a .deb there for you in a few hours. Give it a go, let me know how it works.

While the check for the null pointer seems obviously needed, it's not clear why it got a null in the first place. Something deeper may be at work.

affects: xorg-server (Ubuntu) → xserver-xorg-video-intel (Ubuntu)
Changed in xserver-xorg-video-intel (Ubuntu):
status: Triaged → In Progress
tags: added: patch
bugbot (bugbot) on 2011-01-23
tags: added: crash
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xserver-xorg-video-intel - 2:2.13.901-2ubuntu3

---------------
xserver-xorg-video-intel (2:2.13.901-2ubuntu3) natty; urgency=low

  * Add 107_solid_null_ptr.patch: uxa_acquire_solid() can return NULL
    under some circumstances, so check for this when called.
    (LP: #705078)
 -- Bryce Harrington <email address hidden> Fri, 21 Jan 2011 19:17:34 -0800

Changed in xserver-xorg-video-intel (Ubuntu):
status: In Progress → Fix Released
Bryce Harrington (bryce) wrote :

Well maybe this is hard for you to test given that it shows up during installation from a livecd.

Since the patch is just a simple null pointer check it's quite safe. So for your testing convenience I'll go ahead and push it to the archive. Please snag tomorrow's livecd image and test it to see what happens.

Bryce Harrington (bryce) wrote :

Famous last words, I know.

Anyway, reopen bug if for some reason this does not fix the crash.

I expect that there is a chance this is papering over a deeper problem, and that the livecd will still fail but in some new and more exciting way. If that does happen please file a new bug report (either via automatic apport reporting, or with 'ubuntu-bug xorg') and we'll go from there.

Erick Brunzell (lbsolost) wrote :

Just had this appear iso-testing i386 Alpha 2. It appeared along with bug 652916 and bug 702898 during installation just as the Keyboard layout screen opened.

No idea if the three are in any way related.

I can confirm this on x86_64 architecture too

Bryce Harrington (bryce) on 2011-02-02
Changed in xserver-xorg-video-intel (Ubuntu):
status: Fix Released → Confirmed
Erick Brunzell (lbsolost) wrote :

I've not been able to reproduce this bug with the rebuilt image this AM.

Bryce Harrington (bryce) wrote :

Ah, excellent, alright re-closing. If it regresses please open the bug.

Changed in xserver-xorg-video-intel (Ubuntu):
status: Confirmed → Fix Released
tags: added: iso-testing
jerrylamos (jerrylamos) wrote :

Natty 20110201 today's build installing from USB onto an Aspire one D255E and got this bug.

Was running Unity 3D fine on the -12 kernel. Updated to kernel -18 and will not run Unity 3D so since the USB booted into Unity 3D O.K. tried an install. So the failure occurred on 2 Feb with the latest daily build 1 Feb.

Will try again on the next daily build.

Jerry

Bryce Harrington (bryce) wrote :

As luck would have it, I reproduced this bug myself while booting the livecd on one of my systems.

Changed in xserver-xorg-video-intel (Ubuntu):
status: Fix Released → Confirmed
Bryce Harrington (bryce) wrote :

Mine is bug #712866. However even though apport showed the error, I didn't actually notice a crash of X... things seemed to come up fine in the LiveCD environment.

Changed in xserver-xorg-video-intel (Ubuntu):
status: Confirmed → Triaged
Bryce Harrington (bryce) wrote :

Bumping to critical since this appears to be a widespread crash reproducible on the livecd.

description: updated
Changed in xserver-xorg-video-intel (Ubuntu):
importance: High → Critical
description: updated
Bryce Harrington (bryce) wrote :

I'm noticing the crash appears in a libpixman call, the source code of which is trivial:

PIXMAN_EXPORT void
pixman_image_set_has_client_clip (pixman_image_t *image,
                                  pixman_bool_t client_clip)
{
    image->common.client_clip = client_clip;
}

Looks like it could segfault if image was NULL.

Bryce Harrington (bryce) wrote :
Download full text (6.1 KiB)

Aha progress.

(gdb) bt full
#0 XISendDeviceHierarchyEvent (flags=0xbfb2d73c) at ../../Xi/xichangehierarchy.c:73
        ev = 0x0
        info = <value optimized out>
        dummyDev = {public = {devicePrivate = 0x0, processInputProc = 0, realInputProc = 0, enqueueInputProc = 0,
            on = 0}, next = 0x0, startup = 0, deviceProc = 0, inited = 0, enabled = 0, coreEvents = 0, deviceGrab = {
            grabTime = {months = 0, milliseconds = 0}, fromPassiveGrab = 0, implicitGrab = 0, activeGrab = {
              next = 0x0, resource = 0, device = 0x0, window = 0x0, ownerEvents = 0, keyboardMode = 0,
              pointerMode = 0, grabtype = GRABTYPE_CORE, type = 0 '\000', modifiersDetail = {exact = 0, pMask = 0x0},
              modifierDevice = 0x0, detail = {exact = 0, pMask = 0x0}, confineTo = 0x0, cursor = 0x0, eventMask = 0,
              deviceMask = 0, xi2mask = {"\000\000" <repeats 42 times>}}, grab = 0x0, activatingKey = 0 '\000',
            ActivateGrab = 0, DeactivateGrab = 0, sync = {frozen = 0, state = 0, other = 0x0, event = 0x0}},
          type = 0, xinput_type = 0, name = 0x0, id = 0, key = 0x0, valuator = 0x0, button = 0x0, focus = 0x0,
          proximity = 0x0, absolute = 0x0, kbdfeed = 0x0, ptrfeed = 0x0, intfeed = 0x0, stringfeed = 0x0, bell = 0x0,
          leds = 0x0, xkb_interest = 0x0, config_info = 0x0, unused_classes = 0x0, saved_master_id = 0,
          devPrivates = 0x0, unwrapProc = 0, spriteInfo = 0x0, u = {master = 0x0, lastSlave = 0x0}, last = {
            valuators = {0 <repeats 36 times>}, remainder = {0 <repeats 36 times>}, numValuators = 0, slave = 0x0},
          properties = {properties = 0x0, handlers = 0x0}, transform = {m = {{0, 0, 0}, {0, 0, 0}, {0,
                1.5236786157049496e-285, 2.179289842072959e-311}}}, xtest_master_id = 150345912}
        dev = <value optimized out>
        i = <value optimized out>
#1 0x08085b04 in DisableDevice (dev=0xa6e0830, sendevent=1 '\001') at ../../dix/devices.c:507
        prev = <value optimized out>
        other = <value optimized out>
        enabled = 0 '\000'
        flags = {0, 0, 0, 0, 128, 0 <repeats 35 times>}
#2 0x08085d33 in RemoveDevice (dev=0xa6e0830, sendevent=1 '\001') at ../../dix/devices.c:1057
        prev = <value optimized out>
        tmp = <value optimized out>
        next = <value optimized out>
        ret = 8
        screen = <value optimized out>
        deviceid = 4
        initialized = 1
        flags = {0 <repeats 40 times>}
#3 0x080bd6fd in DeleteInputDeviceRequest (pDev=0xa6e0830) at ../../../../hw/xfree86/common/xf86Xinput.c:961
        pInfo = 0x0
        drv = 0x0
        isMaster = <value optimized out>
#4 0x08082bb3 in CloseDeviceList (listHead=0x8208104) at ../../dix/devices.c:966
        freedIds = {0, 0, 1, 1, 1, 0 <repeats 35 times>}
        dev = <value optimized out>
        i = <value optimized out>
#5 0x080831e7 in CloseDownDevices () at ../../dix/devices.c:994
        dev = 0x0
#6 0x0809dbd0 in SigAbortServer (signo=11) at ../../os/log.c:411
No locals.
#7 0x0809e671 in FatalSignal (signo=11) at ../../os/log.c:541
        beenhere = 1
#8 0x080a4bfd in OsSigHandler (signo=11, sip=0xbfb2da...

Read more...

Bryce Harrington (bryce) wrote :

While not precisely the same crash, deb #596155 and fdo #28882 bugs are all faulting on the same bit of code. create_bits_picture() attempts to instantiate an image via a call to pixman_image_create_bits(), however that call can fail under a variety of circumstances and return a NULL image pointer. This is then passed unchecked to pixman_image_set_has_client_clip() where it is dereferenced and generates a seg fault as a result.

Bryce Harrington (bryce) wrote :

Adds trivial check for null pointer

affects: xserver-xorg-video-intel (Ubuntu) → xorg-server (Ubuntu)
Bryce Harrington (bryce) wrote :

xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu3) natty; urgency=low

  * Restore 208_switch_on_release.diff - the patch does not appear to be
    upstream actually. Users confirm the fix regressed without it.
    (LP: #711842)
  * Add 210_pixman_null_ptr_check.patch: pixman_image_create_bits() can
    return NULL under a variety of circumstances, thus needs checked
    before dereferencing it in the pixman_image_set_has_client_clip()
    call.
    (LP: #705078, deb: 596155, fdo: 28882)

 -- Bryce Harrington <email address hidden> Thu, 03 Feb 2011 22:42:52 -0800

Changed in xorg-server (Ubuntu):
status: Triaged → Fix Released
Bryce Harrington (bryce) wrote :

Please test tomorrow's ISO with this fix and reopen if it still occurs.

Changed in xorg-server (Debian):
status: Unknown → New
Changed in xserver-xorg-video-intel:
importance: Unknown → High
status: Unknown → Confirmed
Bryce Harrington (bryce) wrote :

The previous patch seems to still be relevant, so I've pushed it upstream here:
https://bugs.freedesktop.org/show_bug.cgi?id=33892

Daniel Manrique (roadmr) wrote :

Hi, visiting from bug 708744. I managed to collect a crash report of one of our failed systems (a Dell Vostro 3400), which I'm attaching, hopefully it will help confirm what Bryce found. This happens during the live install process, stopping the installation and dropping the user into a LiveCD environment/session.

I'll also try the submitted fix on all our systems, though I can't do that until monday.

Here's the backtrace as requested, the attached .crash file has additional information.

[ 141.371] 0: X (xorg_backtrace+0x3b) [0x80ef99b]
 [ 141.371] 1: X (0x8048000+0x5cba8) [0x80a4ba8]
 [ 141.371] 2: (vdso) (__kernel_rt_sigreturn+0x0) [0x1bc40c]
 [ 141.371] 3: /usr/lib/xorg/modules/libfb.so (0x183000+0x16a38) [0x199a38]
 [ 141.371] 4: /usr/lib/xorg/modules/libfb.so (fbComposite+0x121) [0x199c81]
 [ 141.372] 5: /usr/lib/xorg/modules/drivers/intel_drv.so (0x3d4000+0x2fb86) [0x403b86]
 [ 141.372] 6: /usr/lib/xorg/modules/drivers/intel_drv.so (0x3d4000+0x2c3b0) [0x4003b0]
 [ 141.372] 7: X (0x8048000+0xe4312) [0x812c312]
 [ 141.372] 8: X (CompositePicture+0x22b) [0x8127c0b]
 [ 141.372] 9: X (0x8048000+0xd7f79) [0x811ff79]
 [ 141.372] 10: X (0x8048000+0xd4c63) [0x811cc63]
 [ 141.372] 11: X (0x8048000+0x28ab7) [0x8070ab7]
 [ 141.372] 12: X (0x8048000+0x1a84c) [0x806284c]
 [ 141.372] 13: /lib/libc.so.6 (__libc_start_main+0xe6) [0x1d3ce6]
 [ 141.372] 14: X (0x8048000+0x1a441) [0x8062441]
 [ 141.372] Segmentation fault at address 0x20

Bryce Harrington (bryce) wrote :

Hi Daniel, yes that looks like the same crash.

h.tornatzky (h-tornatzky) wrote :

Hi i'm from 709508.

>Bryce Harrington wrote on 2011-02-04: #7
>Were you able to successfully install after running into this crash?
Yes i was. But the system is somewhat "strange" (don't know how to describe). I'll test it with todays build and report if the problem isn't solved (on my Laptop).

Best regards
H.T

Bryce Harrington (bryce) wrote :

Btw, resolution was that there was an out-of-memory situation which led to the X crash.

So if anyone still finds there are other kinds of problems during installation, you might want to analyze it as a memory bug...

Daniel Manrique (roadmr) wrote :

Bryce, thanks so much for this fix.

I'm still experiencing issues during installation. Admittedly it appears to happen in a different section of code though the symptoms look similar. I observed this using the 20110207 images that contain the fix for this bug, and I was able to reproduce it on several systems.

I filed bug 714829 regarding this new problem, just commenting here in case it might be related (maybe the same out-of-memory thing you mention?).

Regards, - Daniel

Changed in xorg-server (Debian):
status: New → Confirmed
Changed in xorg-server (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.