The following issue occurs on my Kubuntu 11.10 system (Lenovo T420s w/ Intel HD Graphics 3000).
With KWin desktop effects enabled, Xorg crashes on each second login.
$ uname -a
Linux orion 3.1.0-0301rc10-generic #201110181253 SMP Tue Oct 18 12:57:33 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
$ lspci -vv
00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09) (prog-if 00 [VGA controller])
Subsystem: Lenovo Device 21d2
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 49
Region 0: Memory at f0000000 (64-bit, non-prefetchable) [size=4M]
Region 2: Memory at e0000000 (64-bit, prefetchable) [size=256M]
Region 4: I/O ports at 4000 [size=64]
Expansion ROM at <unassigned> [disabled] Capabilities: <access denied>
Kernel driver in use: i915
Kernel modules: i915
Full backtrace (based on commit 2608a367acba7247e50754c3daeed09ba2e97d05):
-- 8< --
#0 0x00007fcbf4fa63a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
resultvar = 0
pid = <optimized out>
selftid = <optimized out>
#1 0x00007fcbf4fa9b0b in __GI_abort () at abort.c:92
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4}, sa_mask = {__val = {5, 140735046524302, 10, 140513966347903, 3, 140735046516714, 6, 140513966347907, 2, 140735046516734, 2, 140513966338901, 1, 140513966347903, 3, 140735046516708}}, sa_flags = 12, sa_restorer = 0x7fcbf50cd683}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fcbf4fde113 in __libc_message (do_abort=2,
fmt=0x7fcbf50cf0d8 "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff6e748960, reg_save_area = 0x7fff6e748870}}
ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff6e748960, reg_save_area = 0x7fff6e748870}}
fd = 2
on_2 = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
#3 0x00007fcbf4fe8a96 in malloc_printerr (action=3, str=0x7fcbf50cf278 "double free or corruption (!prev)",
ptr=<optimized out>) at malloc.c:6283
buf = "0000000002bf2230"
cp = <optimized out>
#4 0x00007fcbf4fecd7c in __GI___libc_free (mem=<optimized out>) at malloc.c:3738
ar_ptr = 0x7fcbf530a1c0
p = <optimized out>
hook = <optimized out>
#5 0x00007fcbf31ae5de in i830_dri2_frame_event_drawable_gone (data=0x2bf2230, id=29360131)
at ../../src/intel_dri.c:678
resource = 0x2bf2230
#6 0x000000000044ea5c in FreeClientResources (client=0x2d01c10) at ../../dix/resource.c:854
rtype = <optimized out>
resources = <optimized out>
this = 0x2f4b0c0
j = <optimized out>
#7 0x000000000042f05a in CloseDownClient (client=0x2d01c10) at ../../dix/dispatch.c:3461 really_close_down = <optimized out>
#8 0x000000000042fb9e in Dispatch () at ../../dix/dispatch.c:441
clientReady = 0x29f4830
result = <optimized out>
client = 0x2d01c10
nready = 0
icheck = 0x7f1470
start_tick = 680
#9 0x00000000004232fe in main (argc=8, argv=<optimized out>, envp=<optimized out>) at ../../dix/main.c:287
i = <optimized out> alwaysCheckForInput = {0, 1}
-- 8< --
I bi-sected xserver-xorg-video-intel (as available at git://git.debian.org/git/pkg-xorg/driver/xserver-xorg-video-intel, which is what the Ubuntu packages are based on). The first bad commit is:
commit 2608a367acba7247e50754c3daeed09ba2e97d05
Author: Chris Wilson <email address hidden>
Date: Mon Jul 11 16:28:15 2011 +0100
dri: Prevent abuse of the Resource database
The Resource database is only designed to store a single value for a
particular type associated with an XID. Due to the asynchronous nature
of the vblank/flip requests, we would often associate multiple frame
events with a particular drawable/client. Upon freeing the resource, we
would not necessarily decouple the right value, leaving a stale pointer
behind. Later when the client disappeared, we would write through that
stale pointer upsetting valgrind and causing memory corruption. MDK.
Instead, we need to implement an extra layer for tracking multiple
frames within a single Resource.
The following issue occurs on my Kubuntu 11.10 system (Lenovo T420s w/ Intel HD Graphics 3000).
With KWin desktop effects enabled, Xorg crashes on each second login.
$ uname -a generic #201110181253 SMP Tue Oct 18 12:57:33 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Linux orion 3.1.0-0301rc10-
$ lspci -vv
Capabilities: <access denied>
00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09) (prog-if 00 [VGA controller])
Subsystem: Lenovo Device 21d2
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 49
Region 0: Memory at f0000000 (64-bit, non-prefetchable) [size=4M]
Region 2: Memory at e0000000 (64-bit, prefetchable) [size=256M]
Region 4: I/O ports at 4000 [size=64]
Expansion ROM at <unassigned> [disabled]
Kernel driver in use: i915
Kernel modules: i915
Full backtrace (based on commit 2608a367acba724 7e50754c3daeed0 9ba2e97d05) : sysdeps/ unix/sysv/ linux/raise. c:64 handler = {sa_handler = 0x4, sa_sigaction = 0x4}, sa_mask = {__val = {5,
140735046524302 , 10, 140513966347903, 3, 140735046516714, 6, 140513966347907, 2,
140735046516734 , 2, 140513966338901, 1, 140513966347903, 3, 140735046516708}}, sa_flags = 12,
sa_restorer = 0x7fcbf50cd683} 0x7fcbf50cf0d8 "*** glibc detected *** %s: %s: 0x%s ***\n") unix/sysv/ linux/libc_ fatal.c: 189
reg_ save_area = 0x7fff6e748870}}
reg_ save_area = 0x7fff6e748870}} frame_event_ drawable_ gone (data=0x2bf2230, id=29360131) intel_dri. c:678 resource. c:854 dispatch. c:3461
really_ close_down = <optimized out> dispatch. c:441 main.c: 287
alwaysCheckFor Input = {0, 1}
-- 8< --
#0 0x00007fcbf4fa63a5 in __GI_raise (sig=6) at ../nptl/
resultvar = 0
pid = <optimized out>
selftid = <optimized out>
#1 0x00007fcbf4fa9b0b in __GI_abort () at abort.c:92
save_stage = 2
act = {__sigaction_
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fcbf4fde113 in __libc_message (do_abort=2,
fmt=
at ../sysdeps/
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff6e748960,
ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff6e748960,
fd = 2
on_2 = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
#3 0x00007fcbf4fe8a96 in malloc_printerr (action=3, str=0x7fcbf50cf278 "double free or corruption (!prev)",
ptr=<optimized out>) at malloc.c:6283
buf = "0000000002bf2230"
cp = <optimized out>
#4 0x00007fcbf4fecd7c in __GI___libc_free (mem=<optimized out>) at malloc.c:3738
ar_ptr = 0x7fcbf530a1c0
p = <optimized out>
hook = <optimized out>
#5 0x00007fcbf31ae5de in i830_dri2_
at ../../src/
resource = 0x2bf2230
#6 0x000000000044ea5c in FreeClientResources (client=0x2d01c10) at ../../dix/
rtype = <optimized out>
resources = <optimized out>
this = 0x2f4b0c0
j = <optimized out>
#7 0x000000000042f05a in CloseDownClient (client=0x2d01c10) at ../../dix/
#8 0x000000000042fb9e in Dispatch () at ../../dix/
clientReady = 0x29f4830
result = <optimized out>
client = 0x2d01c10
nready = 0
icheck = 0x7f1470
start_tick = 680
#9 0x00000000004232fe in main (argc=8, argv=<optimized out>, envp=<optimized out>) at ../../dix/
i = <optimized out>
-- 8< --
I bi-sected xserver- xorg-video- intel (as available at git://git. debian. org/git/ pkg-xorg/ driver/ xserver- xorg-video- intel, which is what the Ubuntu packages are based on). The first bad commit is:
commit 2608a367acba724 7e50754c3daeed0 9ba2e97d05
Author: Chris Wilson <email address hidden>
Date: Mon Jul 11 16:28:15 2011 +0100
dri: Prevent abuse of the Resource database
The Resource database is only designed to store a single value for a
particular type associated with an XID. Due to the asynchronous nature
of the vblank/flip requests, we would often associate multiple frame
events with a particular drawable/client. Upon freeing the resource, we
would not necessarily decouple the right value, leaving a stale pointer
behind. Later when the client disappeared, we would write through that
stale pointer upsetting valgrind and causing memory corruption. MDK.
Instead, we need to implement an extra layer for tracking multiple
frames within a single Resource.
Bugzilla: https:/ /bugs.freedeskt op.org/ show_bug. cgi?id= 37700
Signed-off-by: Chris Wilson <email address hidden>