Binary package hint: xorg
Short way to reproduce:
Log in to a "Recovery Console" session.
In a terminal, cd to a directory with a git branch.
Run 'git citool' (git-gui package required).
Backtrace attached.
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: xorg 1:7.6+4ubuntu3.1
ProcVersionSignature: Ubuntu 2.6.38-10.44-generic-pae 2.6.38.7
Uname: Linux 2.6.38-10-generic-pae i686
NonfreeKernelModules: nvidia
.proc.driver.nvidia.gpus.0: Error: [Errno 21] Is a directory: '/proc/driver/nvidia/gpus/0'
.proc.driver.nvidia.registry: Binary: ""
.proc.driver.nvidia.version:
NVRM version: NVIDIA UNIX x86 Kernel Module 270.41.19 Mon May 16 23:31:36 PDT 2011
GCC version: gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu4)
Architecture: i386
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: None
Date: Thu Jun 9 09:58:55 2011
DistUpgraded: Log time: 2011-05-02 09:42:28.404543
DistroCodename: natty
DistroVariant: ubuntu
DkmsStatus:
nvidia-current, 270.41.19, 2.6.38-10-generic, i686: installed
nvidia-current, 270.41.19, 2.6.38-10-generic-pae, i686: installed
vboxhost, 4.0.8, 2.6.38-10-generic, i686: installed
vboxhost, 4.0.8, 2.6.38-10-generic-pae, i686: installed
GraphicsCard:
nVidia Corporation G86 [Quadro NVS 290] [10de:042f] (rev a1) (prog-if 00 [VGA controller])
Subsystem: nVidia Corporation Device [10de:0492]
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.2)
JockeyStatus:
kmod:nvidia_current - nvidia_current (Proprietary, Enabled, Not in use)
kmod:nvidia_173 - NVIDIA binary Xorg driver, kernel module and VDPAU library (Proprietary, Disabled, Not in use)
MachineType: Hewlett-Packard HP Compaq 8000 Elite CMT PC
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.38-10-generic-pae root=UUID=0da0139d-a8bc-456d-9a4b-e1809439c5e7 ro quiet splash vt.handoff=7
Renderer: Unknown
SourcePackage: xorg
UpgradeStatus: Upgraded to natty on 2011-05-02 (37 days ago)
dmi.bios.date: 10/22/2009
dmi.bios.vendor: Hewlett-Packard
dmi.bios.version: 786G7 v01.02
dmi.board.asset.tag: CZC044D3H7
dmi.board.name: 3647h
dmi.board.vendor: Hewlett-Packard
dmi.chassis.asset.tag: CZC044D3H7
dmi.chassis.type: 6
dmi.chassis.vendor: Hewlett-Packard
dmi.modalias: dmi:bvnHewlett-Packard:bvr786G7v01.02:bd10/22/2009:svnHewlett-Packard:pnHPCompaq8000EliteCMTPC:pvr:rvnHewlett-Packard:rn3647h:rvr:cvnHewlett-Packard:ct6:cvr:
dmi.product.name: HP Compaq 8000 Elite CMT PC
dmi.sys.vendor: Hewlett-Packard
version.compiz: compiz 1:0.9.4+bzr20110606-0ubuntu1~natty1
version.libdrm2: libdrm2 2.4.23-1ubuntu6
version.libgl1-mesa-dri: libgl1-mesa-dri 7.10.2-0ubuntu2
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental 7.10.2-0ubuntu2
version.libgl1-mesa-glx: libgl1-mesa-glx 7.10.2-0ubuntu2
version.nvidia-graphics-drivers: nvidia-graphics-drivers N/A
version.xserver-xorg: xserver-xorg 1:7.6+4ubuntu3.1
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.14.0-0ubuntu4
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.14.0-4ubuntu7.1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20110107+b795ca6e-0ubuntu7
Doing some investigation of this reported crash whilst using xserver 1.9.2 with xfs: http://cygwin.com/ml/cygwin-xfree/2010-11/msg00008.html, I'm able to reproduce this crash with the following sequence of actions:
X &
xterm &
xset fp+ tcp/myfontserver:7100
xlsfonts
Program received signal SIGSEGV, Segmentation fault.
[Switching to thread 4712.0x1220]
0x005b2e29 in doListFontsAndAliases (client=0x125fdc0, c=0x120fce8) at dixfonts.c:611
611         fpe = c->fpe_list[c->current.current_fpe];
(gdb) p c
$1 = (LFclosurePtr) 0x120fce8
(gdb) p *c
$2 = {client = 0x120fce0, num_fpes = 18939104, fpe_list = 0x0, names = 0x0, current = {
    pattern = "▒W a\002\000..."..., patlen = 62, current_fpe = 5, max_names = 3, list_started = 0, private = 0x12df550},
  saved = {
    pattern = "*\000..."..., patlen = 1, current_fpe = 0, max_names = 65535, list_started = 1, private = 0x125fb10},
  haveSaved = 1, savedName = 0x12df338 "-jis-fixed-medium-r-normal--24-230-75-75-c-240-jisx0208.1983-0",
  savedNameLen = 64}
(gdb)
On further investigation, the reason for the closure c being corrupt seems to be related to the changes added in commit 3ab6cd31 to fix bug #3040.
In doListFontsAndAliases(), if we get a Suspended result when the client is already sleeping with the same closure (I don't really understand enough what the code is doing to know if that's expected or not), then the xinerama_sleep code free()s the closure c, so when it next wakes, the closure c is being used after being freed.
Being a use-after-free bug possibly explains why the original reporter is able to avoid the crash by changing the sequence of actions slightly.
The crash is not observed after reverting the noted commit, or with xserver 1.8.2.
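The ownership confusion described in the comment above, modelled as an added example. This is not xserver code and not the commenter's code: the request handler (list_fonts_step), the two sleep paths, the client and closure structs and the font-path-element stand-in are all hypothetical names chosen here to show the shape of the bug. A small quarantining allocator plays the part a sanitizer would in the real server, so the use-after-free is detected and reported instead of being undefined behaviour.

```c
/* Added example, not xserver code: a model of the closure-ownership bug the
 * comment above describes.  A request handler walks font path elements and
 * may return Suspended; the sleep path parks the client on the closure; the
 * wakeup path calls back in with that same closure.  All names here are
 * hypothetical.  A tiny quarantining allocator stands in for a sanitizer. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACKED 16
static struct { void *p; int freed; } heap[MAX_TRACKED];
static int tracked_count;

static void *tracked_alloc(size_t n)            /* calloc + record */
{
    void *p = calloc(1, n);
    if (!p || tracked_count == MAX_TRACKED) abort();
    heap[tracked_count].p = p;
    heap[tracked_count++].freed = 0;
    return p;
}
static int is_live(const void *p)               /* allocated and not freed? */
{
    for (int i = 0; i < tracked_count; i++)
        if (heap[i].p == p) return !heap[i].freed;
    return 0;
}
static void tracked_free(void *p)               /* poison now, release later */
{
    for (int i = 0; i < tracked_count; i++)
        if (heap[i].p == p && !heap[i].freed) { heap[i].freed = 1; return; }
    abort();                                    /* invalid or double free */
}
static void release_quarantine(void)
{
    while (tracked_count > 0) free(heap[--tracked_count].p);
}

enum result { Success, Suspended };
struct closure { int current_fpe, num_fpes, suspends_left; };
struct client { int asleep; struct closure *sleep_closure; };
typedef enum result (*sleep_fn)(struct client *, struct closure *);
static int uaf_detected;

/* Stand-in for a font path element: answers Suspended `suspends_left` times. */
static enum result fpe_list_fonts(struct closure *c)
{
    if (c->suspends_left > 0) { c->suspends_left--; return Suspended; }
    return Success;
}

/* The bug as described: a second Suspended while the client is already
 * asleep on this closure frees it, although the wakeup path still holds c. */
static enum result buggy_sleep_path(struct client *cl, struct closure *c)
{
    if (cl->asleep && cl->sleep_closure == c) { tracked_free(c); return Suspended; } /* BUG */
    cl->asleep = 1; cl->sleep_closure = c;
    return Suspended;
}

/* Fixed: the closure belongs to the sleeping request; just stay parked. */
static enum result fixed_sleep_path(struct client *cl, struct closure *c)
{
    if (!cl->asleep || cl->sleep_closure != c) { cl->asleep = 1; cl->sleep_closure = c; }
    return Suspended;
}

/* Model of doListFontsAndAliases: its first action is to read through c. */
static enum result list_fonts_step(struct client *cl, struct closure *c, sleep_fn on_suspend)
{
    if (!is_live(c)) { uaf_detected = 1; return Success; } /* real code: c->current.current_fpe */
    while (c->current_fpe < c->num_fpes) {
        if (fpe_list_fonts(c) == Suspended) return on_suspend(cl, c);
        c->current_fpe++;
    }
    cl->asleep = 0;                 /* request complete: wake the client, free the closure */
    tracked_free(c);
    return Success;
}

/* Drive one request as the wakeup handler would; returns 1 if a UAF occurred. */
static int run_request(sleep_fn on_suspend, int suspends)
{
    struct client cl = { 0, NULL };
    struct closure *c = tracked_alloc(sizeof *c);
    c->num_fpes = 2;
    c->suspends_left = suspends;    /* constructed input: how often the fpe stalls */
    uaf_detected = 0;
    enum result r = list_fonts_step(&cl, c, on_suspend);
    for (int guard = 0; r == Suspended && cl.asleep && guard < 16; guard++)
        r = list_fonts_step(&cl, cl.sleep_closure, on_suspend);
    release_quarantine();
    return uaf_detected;
}

int main(void)
{
    printf("buggy, 1 suspend:  uaf=%d\n", run_request(buggy_sleep_path, 1));
    printf("buggy, 2 suspends: uaf=%d\n", run_request(buggy_sleep_path, 2));
    printf("fixed, 2 suspends: uaf=%d\n", run_request(fixed_sleep_path, 2));
    return 0;
}
```

With a single suspension the buggy path never frees the closure, so nothing goes wrong; it takes a second Suspended while the client is already parked on the same closure to free it out from under the wakeup handler. That matches the comment's observation that a slightly different sequence of actions avoids the crash. On the real server the equivalent check is running Xorg under valgrind or an AddressSanitizer build, which reports the read in doListFontsAndAliases against the freed closure instead of letting it corrupt state.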