[SRU] Large non-antialiased text causes xserver to abort

Bug #696957 reported by liam2 on 2011-01-03
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
xf86-video-intel
Fix Released
High
xserver-xorg-video-intel (Ubuntu)
High
Unassigned
Maverick
High
Unassigned
Natty
High
Unassigned

Bug Description

[Impact]
On certain affected hardware, results in X server crash when looking at certain kinds of large images.

[Development Solution]
Upstream fixed this bug in the 2.13.x version of -intel that we are shipping in natty.

[Stable Solution]
The attached patch is a cherrypick from the upstream tree that applies to the 2.12.x version of -intel in maverick. This patch is also the listed solution on the upstream bug report.

[Test Case]
On affected hardware, disable font antialiasing and load http://launchpadlibrarian.net/29956668/crash.html in firefox.
This will cause a segfault of the X server.

The fix will prevent this segfault from occuring, and instead firefox will display the words "GOODBYE WORLD!"

[Regression Potential]
Essentially none. This changes what happens when the uxa_pixmap_is_offscreen() call returns False. Before, it would fail the assertion test and terminate the X server. Pretty much any other behavior besides that is going to be an improvement!

That said, there are two subsequent commits on top of this one (which is why the patch in the description of this bug is different than that proposed). Near as I can tell these address other unrelated issues and so I'm omitting them for now. It is conceivable though that this patch provides an incomplete solution and those other patches should be backported too. But one step at a time; if this patch alone is sufficient to solve the issue it is the least risk way to go.

[Original Report]
Problem:
If I disable font antialiasing and attempt to access
http://launchpadlibrarian.net/29956668/crash.html in firefox my xserver aborts. This should not happen. The webpage should simply display the words "GOODBYE WORLD!" in very large text.

Note: text does not need to be very large. For example http://joe-editor.sourceforge.net/ also triggers the bug.

Description: Ubuntu 10.10
Release: 10.10

xserver-xorg-video-intel:
  Installed: 2:2.12.0-1ubuntu5.1
  Candidate: 2:2.12.0-1ubuntu5.1
  Version table:
 *** 2:2.12.0-1ubuntu5.1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ maverick-updates/main i386 Packages
        100 /var/lib/dpkg/status
     2:2.12.0-1ubuntu5 0
        500 http://gb.archive.ubuntu.com/ubuntu/ maverick/main i386 Packages

Backtrace:
#0 0x00681416 in __kernel_vsyscall ()
No symbol table info available.
#1 0x00298941 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = <value optimised out>
        pid = 3960820
        selftid = 1949
#2 0x0029be42 in abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0x468,
            sa_sigaction = 0x468}, sa_mask = {__val = {3966032, 120, 3965888,
              3960820, 3965888, 108, 3212918176, 3010141, 198339232, 3960820,
              3960820, 109, 3212918376, 2944968, 198339336, 198339336, 108,
              198339232, 0, 4222451712, 198339336, 198339437, 198339336,
              198339336, 198339444, 198339636, 198339336, 198339636, 0, 0, 0,
              0}}, sa_flags = 0, sa_restorer = 0x4}
        sigs = {__val = {32, 0 <repeats 31 times>}}
#3 0x002918e8 in __assert_fail (
    assertion=0x200098 "uxa_pixmap_is_offscreen(src_pixmap)",
    file=0x200080 "../../uxa/uxa-glyphs.c", line=986,
    function=0x200124 "uxa_glyphs_via_mask") at assert.c:81
        buf = 0xbd26c38 "X: ../../uxa/uxa-glyphs.c:986: uxa_glyphs_via_mask: Assertion `uxa_pixmap_is_offscreen(src_pixmap)' failed.\n"
#4 0x001ef988 in uxa_glyphs_via_mask (op=3 '\003', pSrc=0xbb11b58,
    pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1,
    list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:986
        src_pixmap = 0xbd26440
        src_x = 0
        glyph = 0xbb34bb8
        src_y = 0
        priv = 0xbd26440
        screen = 0x9c01750
        mask = 0xbd26a48
        y = 52
        pixmap = 0xbd26938
        width = <value optimised out>
        dst_off_x = 6
        dst_off_y = 25
        box = {x1 = 6, y1 = 25, x2 = 145, y2 = 93}
        component_alpha = 0
        glyph_atlas = <value optimised out>
        x = 2
        height = <value optimised out>
        error = 0
#5 uxa_glyphs (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8,
    maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570,
    glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:1151
        screen = 0x9c01750
        uxa_screen = <value optimised out>
        xDst = 2
        yDst = 198338872
        extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}
        width = 0
        height = 0
        ret = <value optimised out>
        localDst = 0x8
#6 0x08122ae9 in damageGlyphs (op=6 '\006', pSrc=0xbb11b58, pDst=0xbb366a8,
    maskFormat=0xb2bb7f0, xSrc=<value optimised out>,
    ySrc=<value optimised out>, nlist=1, list=0xbf814570, glyphs=0xbf814170)
    at ../../../miext/damage/damage.c:718
        pScreen = <value optimised out>
#7 0x081bea90 in CompositeGlyphs (op=0 '\000', pSrc=0xbb11b58,
    pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>,
    ySrc=<value optimised out>, nlist=1, lists=0xbf814570, glyphs=0xbf814170)
    at ../../render/glyph.c:604
No locals.
#8 0x0811c463 in ProcRenderCompositeGlyphs (client=0xb62e338)
    at ../../render/render.c:1435
        glyphSet = 0xb72e468
        pSrc = 0xbb11b58
        pDst = 0xbb366a8
        pFormat = 0xb2bb7f0
        listsLocal = {{xOff = 8, yOff = 77, len = 6 '\006',
            format = 0xb2bb7f0}, {xOff = 0, yOff = 0, len = 0 '\000',
            format = 0x0} <repeats 52 times>, {xOff = 24081, yOff = 2064,
            len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0,
            len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0,
            len = 0 '\000', format = 0xb62e338}, {xOff = 0, yOff = 0,
            len = 0 '\000', format = 0x0}, {xOff = 4084, yOff = 2079,
            len = 8 '\b', format = 0xb303cf0}, {xOff = 18536, yOff = -16511,
            len = 102 'f', format = 0x8202544}, {xOff = 0, yOff = 0,
            len = 136 '\210', format = 0x0}, {xOff = 0, yOff = 0,
            len = 0 '\000', format = 0x0}, {xOff = 14369, yOff = 2055,
            len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0,
            len = 244 '\364', format = 0xb62e338}, {xOff = 9536, yOff = 2080,
            len = 184 '\270', format = 0x8104a2e}}
        lists = 0xbf81457c
        listsBase = 0xbf814570
        glyphsLocal = {0xbb34bb8, 0xb9f2868, 0xb78ace0, 0xbaf1088, 0xbaf1088,
          0xbaf1088, 0x0 <repeats 250 times>}
        glyph = <value optimised out>
        glyphs = 0xbf814188
        glyphsBase = 0xbf814170
        buffer = <value optimised out>
        end = 0xba105b0 "\225\021\003"
        nglyph = -1082048120
        nlist = 1
        space = <value optimised out>
        size = <value optimised out>
        rc = <value optimised out>
#9 0x08118293 in ProcRenderDispatch (client=0x6) at ../../render/render.c:2051
No locals.
#10 0x0806e087 in Dispatch () at ../../dix/dispatch.c:432
        result = <value optimised out>
        client = 0xb62e338
        nready = 0
        start_tick = 260
#11 0x080625ba in main (argc=6, argv=0xbf814a04, envp=0xbf814a20)
    at ../../dix/main.c:291
        i = 1
        alwaysCheckForInput = {0, 1}

Tracked bug down to uxa/uxa-glyphs.c in the xserver-xorg-video-intel driver. I looked at the latest git of the driver and knocked together the following patch which seems to work. Not sure of the quality of the code though:

--- a/uxa/uxa-glyphs.c 2010-06-24 21:29:37.000000000 +0100
+++ b/uxa/uxa-glyphs.c 2010-12-31 19:51:49.000000000 +0000
@@ -164,8 +164,12 @@
             INTEL_CREATE_PIXMAP_TILING_X);
   if (!pixmap)
    goto bail;
- assert (uxa_pixmap_is_offscreen(pixmap));
-
+ if (!uxa_pixmap_is_offscreen(pixmap)) {
+ /* Presume shadow is in-effect */
+ pScreen->DestroyPixmap(pixmap);
+ uxa_unrealize_glyph_caches(pScreen);
+ return TRUE;
+ }
   component_alpha = NeedsComponent(pPictFormat->format);
   picture = CreatePicture(0, &pixmap->drawable, pPictFormat,
      CPComponentAlpha, &component_alpha,
@@ -780,9 +784,8 @@

     mask_pixmap =
      uxa_get_drawable_pixmap(this_atlas->pDrawable);
- assert (uxa_pixmap_is_offscreen(mask_pixmap));
-
- if (!uxa_screen->info->prepare_composite(op,
+ if (!uxa_pixmap_is_offscreen(mask_pixmap) ||
+ !uxa_screen->info->prepare_composite(op,
           localSrc, this_atlas, pDst,
           src_pixmap, mask_pixmap, dst_pixmap))
      return -1;
@@ -983,9 +986,8 @@

     src_pixmap =
      uxa_get_drawable_pixmap(this_atlas->pDrawable);
- assert (uxa_pixmap_is_offscreen(src_pixmap));
-
- if (!uxa_screen->info->prepare_composite(PictOpAdd,
+ if (!uxa_pixmap_is_offscreen(src_pixmap) ||
+ !uxa_screen->info->prepare_composite(PictOpAdd,
           this_atlas, NULL, mask,
           src_pixmap, NULL, pixmap))
      return -1;

---
Architecture: i386
CurrentDmesg: [ 36.408005] eth0: no IPv6 routers present
DRM.card0.DisplayPort.1:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
DRM.card0.DisplayPort.2:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
DRM.card0.HDMI_Type_A.1:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
DRM.card0.HDMI_Type_A.2:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
DRM.card0.VGA.1:
 status: connected
 enabled: enabled
 dpms: On
 modes: 1280x1024 1280x1024 1280x960 1152x864 1024x768 1024x768 1024x768 832x624 800x600 800x600 800x600 800x600 640x480 640x480 640x480 640x480 720x400
 edid-base64: AP///////wBA5QYXlxMAABcPAQMMIht4LgyVolZMliUaUFS/74CBgIFAcU8AAAAAAAAAAAAAMCoAmFEAKkAwcBMAUg4RAAAeAAAAAAAAAAAAAAAAAAAAAAAAAAAA/QA4Sx9RDgAKICAgICAgAAAA/ABHTlIgVFM3MDAKICAgAJE=
DistroRelease: Ubuntu 10.10
DkmsStatus:
 virtualbox-ose, 3.2.8, 2.6.35-24-generic, i686: installed
 virtualbox-ose, 3.2.8, 2.6.35-23-generic, i686: installed
 virtualbox-ose, 3.2.8, 2.6.32-26-generic, i686: installed
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
MachineType: System manufacturer System Product Name
Package: xserver-xorg-video-intel 2:2.12.0-1ubuntu5.1 [modified: usr/lib/libI810XvMC.so.1.0.0 usr/lib/libIntelXvMC.so.1.0.0 usr/lib/xorg/modules/drivers/intel_drv.so]
PackageArchitecture: i386
ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.35-24-generic root=UUID=8dc60281-9b37-44b9-98fe-54ce9f16b232 ro quiet splash
ProcEnviron:
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
Tags: maverick maverick maverick maverick maverick maverick
Uname: Linux 2.6.35-24-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare video
dmi.bios.date: 09/04/2008
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 0204
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: V-P5G45
dmi.board.vendor: ASUSTeK Computer INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Asset-1234567890
dmi.chassis.type: 3
dmi.chassis.vendor: Chassis Manufacture
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr0204:bd09/04/2008:svnSystemmanufacturer:pnSystemProductName:pvrSystemVersion:rvnASUSTeKComputerINC.:rnV-P5G45:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
dmi.product.name: System Product Name
dmi.product.version: System Version
dmi.sys.vendor: System manufacturer
system:
 distro: Ubuntu
 codename: maverick
 architecture: i686
 kernel: 2.6.35-24-generic

bugbot (bugbot) on 2011-01-04
tags: added: maverick
liam2 (cosinusoidaly) wrote :

Couple of things I forgot to say:

* The bug affects my intel 4500hd card on my desktop machine and my i915 in my eeepc 700. I'd assume it affects every intel card considering the bug is in the uxa code.

* I disabled antialiasing in /etc/fonts/conf.d/10-antialias.conf

Bryce Harrington (bryce) wrote :

Thanks for including a full backtrace on this.

Can you please run the command 'apport-collect 696957' from a machine that exhibits this problem, so we have the hardware data in case we need it?

Also, has anyone happened to reproduce this crash on natty?

Changed in xserver-xorg-video-intel (Ubuntu):
status: New → Incomplete
Bryce Harrington (bryce) wrote :

I tested this on a maverick system, disabling font antialiasing and accessing the page in firefox. No crash occurred for me.

My guess would be that this issue relates to loading a pixmap image on a system with a small texture buffer size; we've seen other instances of similar bugs when loading a large image in firefox on some intel cards with 2k x 2k buffers.

Having the hardware data from apport as I mentioned above will be important in diagnosing this problem.

Also if possible please test this against natty; if it affects natty on the hardware too, then the issue will be higher priority for us. If you find it affects natty please run 'apport-collect 696957' on that so we get natty versions of the logs and stuff.

Changed in xserver-xorg-video-intel (Ubuntu):
status: Incomplete → New
importance: Undecided → Medium
status: New → Incomplete
Bryce Harrington (bryce) wrote :

Looks like this upstream bug, fixed with the attached patch
https://bugs.freedesktop.org/show_bug.cgi?id=29430

(Btw, attaching a patch to a bug report will improve its visibility and get it onto the reports that sponsors look at as a priority.)

Bryce Harrington (bryce) wrote :

Actually I think even without the detailed hw logs this issue is clear enough we can go ahead with the SRU.

description: updated
Changed in xserver-xorg-video-intel (Ubuntu):
importance: Medium → High
status: Incomplete → Triaged
summary: - Large non-antialiased text causes xserver to abort
+ [SRU] Large non-antialiased text causes xserver to abort
Changed in xserver-xorg-video-intel (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
Bryce Harrington (bryce) wrote :

Adding task for SRU to maverick ; setting natty task to fix released since I confirmed the fix is already in the code we ship in natty.

Changed in xserver-xorg-video-intel:
status: Unknown → Fix Released

apport information

tags: added: apport-collected
description: updated

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

Martin Pitt (pitti) wrote :

"Upstream fixed this bug in the 2.13.x version of -intel that we are shipping in natty."

Changed in xserver-xorg-video-intel (Ubuntu Natty):
status: Triaged → Fix Released
Changed in xserver-xorg-video-intel (Ubuntu Maverick):
status: Triaged → Fix Committed
tags: added: verification-needed

Accepted xserver-xorg-video-intel into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in xserver-xorg-video-intel:
importance: Unknown → High
liam2 (cosinusoidaly) wrote :

The proposed package works for me.

Sorry I didn't test it earlier. I'd assumed you have you own test boxes.

Martin Pitt (pitti) on 2011-02-24
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xserver-xorg-video-intel - 2:2.12.0-1ubuntu5.2

---------------
xserver-xorg-video-intel (2:2.12.0-1ubuntu5.2) maverick-proposed; urgency=low

  * Add 109_sw_fallback_large_a1_glyphs.patch: Cherrypick from upstream.
    Replaces an assert (which fails in certain cases) with a check that
    causes a fallback to software instead of crashing the server.
    (LP: #696957)
 -- Bryce Harrington <email address hidden> Tue, 25 Jan 2011 14:22:05 -0800

Changed in xserver-xorg-video-intel (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.