[gm45] X crash in libfb.so(fbCopyNtoN+0x1bf) on X200s

Bug #449440 reported by Luka Renko on 2009-10-12
This bug affects 2 people
Affects: xf86-video-intel | Status: Fix Released | Importance: Medium
Affects: xserver-xorg-video-intel (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Binary package hint: xserver-xorg-video-intel

HW: ThinkPad X200s with gm45 card
SW: Kubuntu Karmic up-to-date, not using compositing

I get a crash of the X server during normal operation (Kontact, Chromium browser):

0: /usr/bin/X(xorg_backtrace+0x26) [0x4f00c6]
1: /usr/bin/X(xf86SigHandler+0x41) [0x4852c1]
2: /lib/libc.so.6 [0x7f4a0a9a0530]
3: /usr/lib/libpixman-1.so.0 [0x7f4a0bc825e4]
4: /usr/lib/xorg/modules//libfb.so(fbCopyNtoN+0x1bf) [0x7f4a0875432f]
5: /usr/lib/xorg/modules//libfb.so(fbCopyRegion+0x29d) [0x7f4a0875336d]
6: /usr/lib/xorg/modules//libfb.so(fbDoCopy+0x44a) [0x7f4a0875387a]
7: /usr/lib/xorg/modules//libfb.so(fbCopyArea+0x4c) [0x7f4a087539fc]
8: /usr/lib/xorg/modules/drivers//intel_drv.so [0x7f4a091dd0a1]
9: /usr/bin/X [0x53a49c]
10: /usr/bin/X(ProcPutImage+0x147) [0x44b7f7]
11: /usr/bin/X(Dispatch+0x394) [0x44e174]
12: /usr/bin/X(main+0x3b5) [0x434085]
13: /lib/libc.so.6(__libc_start_main+0xfd) [0x7f4a0a98babd]
14: /usr/bin/X [0x433509]
Saw signal 11. Server aborting.

ProblemType: Bug
Architecture: amd64
Date: Mon Oct 12 13:02:10 2009
DistroRelease: Ubuntu 9.10
MachineType: LENOVO 74705HG
Package: xserver-xorg-video-intel 2:2.9.0-1ubuntu1
ProcCmdLine: BOOT_IMAGE=/vmlinuz-2.6.31-13-generic root=/dev/mapper/plain-root ro quiet splash
ProcEnviron:
 LANGUAGE=
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-13.44-generic
RelatedPackageVersions:
 xserver-xorg 1:7.4+3ubuntu5
 libgl1-mesa-glx 7.6.0-1ubuntu2
 libdrm2 2.4.14-1ubuntu1
 xserver-xorg-video-intel 2:2.9.0-1ubuntu1
 xserver-xorg-video-ati 1:6.12.99+git20090825.fc74e119-0ubuntu3
SourcePackage: xserver-xorg-video-intel
Uname: Linux 2.6.31-13-generic x86_64
XorgConf: Error: [Errno 2] No such file or directory: '/etc/X11/xorg.conf'
XsessionErrors: (chromium-browser:2731): Gdk-WARNING **: XID collision, trouble ahead
dmi.bios.date: 12/19/2008
dmi.bios.vendor: LENOVO
dmi.bios.version: 6DET38WW (2.02 )
dmi.board.name: 74705HG
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr6DET38WW(2.02):bd12/19/2008:svnLENOVO:pn74705HG:pvrThinkPadX200s:rvnLENOVO:rn74705HG:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 74705HG
dmi.product.version: ThinkPad X200s
dmi.sys.vendor: LENOVO
fglrx: Not loaded
system:
 distro: Ubuntu
 architecture: x86_64
 kernel: 2.6.31-13-generic

[lspci]
00:02.0 VGA compatible controller [0300]: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller [8086:2a42] (rev 07)
     Subsystem: Lenovo Device [17aa:20e4]

Aaron told me it could be related to bug #12015 which has been fixed today in Xserver master by commit 32666d77227fcd2c066de16bf3c07366f92b0457. I am trying to reproduce the problem with this patch (I couldn't so far). I'll close the bug if I can't reproduce within a day or so.

Still couldn't reproduce the problem, so I guess 32666d77227fcd2c066de16bf3c07366f92b0457 is the fix.

It doesn't seem to have been backported into xserver-1.4-branch, it should be.

Unfortunately, I was wrong, I finally got another crash in pixman_blt with Aaron's patch applied. I didn't have gdb attached but the backtrace looks the same.

0: /usr/bin/X(xf86SigHandler+0x7e) [0x80c610e]
1: [0xffffe420]
2: /usr/lib/libpixman-1.so.0(pixman_blt+0x75) [0xb7e53175]
3: /usr/lib/xorg/modules//libfb.so(fbCopyNtoN+0x227) [0xb78eada7]
4: /usr/lib/xorg/modules//libexa.so(exaCopyNtoN+0x18f) [0xb78d0adf]
5: /usr/lib/xorg/modules//libfb.so(fbCopyRegion+0x95) [0xb78e9cb5]
6: /usr/lib/xorg/modules//libfb.so(fbDoCopy+0x46f) [0xb78ea2df]
7: /usr/lib/xorg/modules//libexa.so(exaCopyArea+0xdc) [0xb78d094c]
8: /usr/bin/X [0x816eba6]
9: /usr/bin/X(ProcCopyArea+0x1a7) [0x808af37]
10: /usr/bin/X [0x814cc71]
11: /usr/bin/X(Dispatch+0x2bb) [0x808ce7b]
12: /usr/bin/X(main+0x495) [0x8074545]
13: /lib/libc.so.6(__libc_start_main+0xe0) [0xb7c89050]
14: /usr/bin/X(FontFileCompleteXLFD+0x205) [0x8073881]

I had a similar problem every time I opened http://www.garfield.com/comics/comics_todays.html with the flash-plugin for mozilla. It boiled down to the combination of regions and dx/dy parameters of fbCopyNtoN addressing pixels outside the supplied drawables.

Created an attachment (id=12189)
Patch to add clipping to some fbCopy functions for the Pixmap case

Is this still an issue with the xserver 1.5 branch? If so, I think it would be better if it could be handled at an intermediate level like fbDoCopy or fbCopyRegion, otherwise it'll have to be done in every other low level implementation like exaCopyNtoN as well.
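
The clipping discussed in the comments above, sketched as an added example (not the attached patch and not X server code): a copy box is trimmed so that both the destination pixels and the source pixels reached through dx/dy stay inside their drawables. `Box`, `Geometry` and `clip_copy_box` are hypothetical, simplified stand-ins for the server's structures, and the sizes in `main` are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins, not the real fb/ types. x2 and y2 are exclusive. */
typedef struct { int x1, y1, x2, y2; } Box;
typedef struct { int width, height; } Geometry;

static long long clamp_lo(long long v, long long lo) { return v < lo ? lo : v; }
static long long clamp_hi(long long v, long long hi) { return v > hi ? hi : v; }

/* Clip a destination-space box against both drawables. The source pixel for
 * destination (x, y) is (x + dx, y + dy). Returns false, leaving *box
 * untouched, when nothing remains to copy. */
bool clip_copy_box(const Geometry *src, const Geometry *dst,
                   int dx, int dy, Box *box)
{
    /* Work in long long so box + offset arithmetic cannot overflow int. */
    long long x1 = box->x1, y1 = box->y1, x2 = box->x2, y2 = box->y2;

    /* Destination: 0 <= x < dst->width, 0 <= y < dst->height. */
    x1 = clamp_lo(x1, 0);  x2 = clamp_hi(x2, dst->width);
    y1 = clamp_lo(y1, 0);  y2 = clamp_hi(y2, dst->height);

    /* Source: 0 <= x + dx < src->width  =>  -dx <= x < src->width - dx. */
    x1 = clamp_lo(x1, -(long long)dx);
    x2 = clamp_hi(x2, (long long)src->width - dx);
    y1 = clamp_lo(y1, -(long long)dy);
    y2 = clamp_hi(y2, (long long)src->height - dy);

    if (x1 >= x2 || y1 >= y2)
        return false;              /* empty box: skip the blit entirely */

    /* Results now lie in [0, dst size], so they fit in int. */
    box->x1 = (int)x1;  box->y1 = (int)y1;
    box->x2 = (int)x2;  box->y2 = (int)y2;
    return true;
}

int main(void)
{
    Geometry src = { 81, 127 }, dst = { 17, 100 };  /* constructed sizes */
    Box box = { 0, 0, 17, 45 };
    /* With dx = 70 the unclipped box would read source x up to 86 (> 80). */
    if (clip_copy_box(&src, &dst, 70, 0, &box))
        printf("copy x:[%d,%d) y:[%d,%d)\n", box.x1, box.x2, box.y1, box.y2);
    return 0;
}
```

Applying one such check in the shared copy path, before any low-level copy routine is called, covers every backend at once, which is the concern raised in the comment above.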

I haven't tried to reproduce lately, I'll report back once I get 1.5-rc* + mesa 7.1-rc1 installed (hopefully within a couple days).

(In reply to comment #7)
> I haven't tried to reproduce lately, I'll report back once I get 1.5-rc* +
> mesa 7.1-rc1 installed (hopefully within a couple days).

ping -- is this still an issue?

I do not have a reliable way to reproduce this, but it looks like I got a similar crash today on up-to-date Kubuntu Karmic:
https://launchpad.net/bugs/449440

Luka Renko (lure) wrote :
tags: added: crash gm45 karmic kubuntu
Luka Renko (lure) wrote :

Similar stack trace reports I have found with Google:
- Debian:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539548
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432101
- Fedora:
  https://bugzilla.redhat.com/show_bug.cgi?id=473076
  https://bugzilla.redhat.com/show_bug.cgi?id=502252

There is also a very old Ubuntu bug 8579 (closed as unreproducible) with a similar stack trace.

It does not look like this bug is related/specific to the Intel chipset, as other reports are also on nvidia and ati.

Changed in xserver-xorg-video-intel:
status: Unknown → Confirmed
Brian Havard (brian-havard) wrote :

I've seen a similar looking crash several times. Seems to happen mostly when playing Solitaire, dragging cards around.
Current Karmic 32 bit, Intel 965GM

Backtrace:
0: /usr/bin/X(xorg_backtrace+0x3b) [0x8133d6b]
1: /usr/bin/X(xf86SigHandler+0x55) [0x80c7d35]
2: [0x64d400]
3: /usr/lib/xorg/modules//libfb.so(fbCopyNtoN+0x24c) [0x7f27cc]
4: /usr/lib/xorg/modules/drivers//intel_drv.so(uxa_copy_n_to_n+0x74a) [0x2e79fa]
5: /usr/lib/xorg/modules//libfb.so(fbCopyRegion+0x21b) [0x7f176b]
6: /usr/lib/xorg/modules//libfb.so(fbDoCopy+0x44d) [0x7f1c8d]
7: /usr/lib/xorg/modules/drivers//intel_drv.so(uxa_copy_area+0x98) [0x2e7258]
8: /usr/bin/X [0x8181593]
9: /usr/bin/X(ProcCopyArea+0x165) [0x808b4c5]
10: /usr/bin/X(Dispatch+0x35f) [0x808d17f]
11: /usr/bin/X(main+0x395) [0x8072515]
12: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6) [0x337b56]
13: /usr/bin/X [0x80719c1]
Saw signal 11. Server aborting.

Brian Havard (brian-havard) wrote :
I've now got a full backtrace by attaching gdb. Hope this helps.

#0 0x009db6ff in fbBlt (srcLine=0xacd92480, srcStride=16, srcX=0, dstLine=0x147f, dstStride=16, dstX=0, width=17,
    height=45, alu=3, pm=<value optimized out>, bpp=1, reverse=0, upsidedown=0) at ../../fb/fbblt.c:213
        __xor = <value optimized out>
        src = <value optimized out>
        dst = 0x0
        leftShift = 64
        rightShift = 5247
        startmask = 0
        endmask = 131071
        bits = <value optimized out>
        bits1 = <value optimized out>
        nmiddle = <value optimized out>
        destInvarient = 1
        startbyte = 0
        endbyte = 16
        _ca1 = 0
        _cx1 = 0
        _ca2 = 0
        _cx2 = 0
#1 0x009de7cc in fbCopyNtoN (pSrcDrawable=0xbc3fa18, pDstDrawable=0xe0e4e80, pGC=0xc25dee8, pbox=0xbfd1f454, nbox=1,
    dx=0, dy=0, reverse=0, upsidedown=0, bitplane=0, closure=0x0) at ../../fb/fbcopy.c:77
        alu = 3 '\003'
        pm = 4294967295
        src = 0xacd91000
        srcStride = 16
        srcBpp = 1
        srcXoff = 0
        srcYoff = 0
        dst = 0xffffffff
        dstStride = 16
        dstBpp = <value optimized out>
        dstXoff = 0
        dstYoff = 0
#2 0x005239fa in uxa_copy_n_to_n (pSrcDrawable=0xbc3fa18, pDstDrawable=0xe0e4e80, pGC=0xc25dee8, pbox=0xbfd1f454,
    nbox=1, dx=0, dy=0, reverse=0, upsidedown=0, bitplane=0, closure=0x0) at ../../uxa/uxa-accel.c:484
        src_off_x = <value optimized out>
        src_off_y = <value optimized out>
        dst_off_x = <value optimized out>
        dst_off_y = <value optimized out>
        pSrcPixmap = 0xbc3fa18
        pDstPixmap = 0xe0e4e80
        __FUNCTION__ = "uxa_copy_n_to_n"
#3 0x009dd76b in fbCopyRegion (pSrcDrawable=0xbc3fa18, pDstDrawable=0xe0e4e80, pGC=0xc25dee8, pDstRegion=0xbfd1f454,
    dx=0, dy=0, copyProc=0x5232b0 <uxa_copy_n_to_n>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:396
        reverse = 134688935
        upsidedown = 13697024
        pbox = <value optimized out>
        nbox = 1
        pboxNew1 = 0x81f3a34
        pboxNew2 = <value optimized out>
        pboxBase = <value optimized out>
        pboxNext = <value optimized out>
        pboxTmp = <value optimized out>
#4 0x009ddc8d in fbDoCopy (pSrcDrawable=0xbc3fa18, pDstDrawable=0xe0e4e80, pGC=0xc25dee8, xIn=0, yIn=0, widthSrc=81,
    heightSrc=127, xOut=0, yOut=0, copyProc=0x5232b0 <uxa_copy_n_to_n>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:596
        prgnSrcClip = 0x0
        freeSrcClip = 0
        prgnExposed = <value optimized out>
        rgnDst = {extents = {x1 = 0, y1 = 82, x2 = 17, y2 = 127}, data = 0x0}
        dx = 0
        dy = 0
        box_x1 = 0
        box_y1 = 127
        box_x2 = <value optimized out>
        box_y2 = <value optimized out>
        fastSrc = 1
        fastDst = 1
        fastExpose = 1
#5 0x00523258 in uxa_copy_area (pSrcDrawable=0xbc3fa18, pDstDrawable=0xe0e4e80, pGC=0xc25dee8, srcx=0, srcy=0,
    width=81, height=127, dstx=0, dsty=0) at ../../uxa/uxa-accel.c:503
No locals.
#6 0x08181593 in damageCopyArea (pSrc=0xbc3fa18, pDst=0xe0e4e80, pGC=0xc25dee8, srcx=0, srcy=0, width=81, height=127,
    dstx=0, dsty=0) at ../../...

Bryce Harrington (bryce) on 2010-02-09
description: updated
Vikram Dhillon (dhillon-v10) wrote :

This issue was reported against karmic, so can you confirm if this issue exists with the most recent Lucid Lynx 10.04 Alpha release? ISO CD images are available at http://cdimage.ubuntu.com/releases/lucid/ . Thanks in advance.

Changed in xserver-xorg-video-intel (Ubuntu):
status: New → Incomplete
Bryce Harrington (bryce) on 2010-03-02
summary: - [gm45] X crash in libfb.so(fbCopyNtoN+0x1bf) on X200s
+ [g45] [gm45] X crash in libfb.so(fbCopyNtoN+0x1bf) on X200s
Bryce Harrington (bryce) on 2010-03-02
summary: - [g45] [gm45] X crash in libfb.so(fbCopyNtoN+0x1bf) on X200s
+ [gm45] X crash in libfb.so(fbCopyNtoN+0x1bf) on X200s
Changed in xserver-xorg-video-intel:
importance: Unknown → Medium
Changed in xserver-xorg-video-intel:
importance: Medium → Unknown
Changed in xserver-xorg-video-intel:
importance: Unknown → Medium
Changed in xserver-xorg-video-intel:
status: Confirmed → Fix Released
Bryce Harrington (bryce) wrote :

Upstream indicates this was fixed some time ago, so I'll go ahead and close it out.
If this is incorrect and you can still reproduce the crash on oneiric (or newer), please reopen this bug report.

Changed in xserver-xorg-video-intel (Ubuntu):
status: Incomplete → Fix Released