Ubuntu
xserver-xorg-video-intel package

Bug #696957
Activity log

Activity log for bug #696957

Date	Who	What changed	Old value	New value	Message
2011-01-03 20:34:10	liam2	bug			added bug
2011-01-04 16:08:56	bugbot	tags		maverick
2011-01-25 21:46:12	Bryce Harrington	xserver-xorg-video-intel (Ubuntu): status	New	Incomplete
2011-01-25 21:59:05	Bryce Harrington	xserver-xorg-video-intel (Ubuntu): status	Incomplete	New
2011-01-25 22:02:21	Bryce Harrington	xserver-xorg-video-intel (Ubuntu): importance	Undecided	Medium
2011-01-25 22:02:21	Bryce Harrington	xserver-xorg-video-intel (Ubuntu): status	New	Incomplete
2011-01-25 22:15:10	Bryce Harrington	bug watch added		http://bugs.freedesktop.org/show_bug.cgi?id=29430
2011-01-25 22:15:10	Bryce Harrington	attachment added		fix_assert.patch https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/696957/+attachment/1806818/+files/fix_assert.patch
2011-01-25 22:20:27	Bryce Harrington	bug task added		xserver-xorg-video-intel
2011-01-25 23:34:37	Bryce Harrington	description	Binary package hint: xserver-xorg-video-intel Problem: If I disable font antialiasing and attempt to access http://launchpadlibrarian.net/29956668/crash.html in firefox my xserver aborts. This should not happen. The webpage should simply display the words "GOODBYE WORLD!" in very large text. Note: text does not need to be very large. For example http://joe-editor.sourceforge.net/ also triggers the bug. Description: Ubuntu 10.10 Release: 10.10 xserver-xorg-video-intel: Installed: 2:2.12.0-1ubuntu5.1 Candidate: 2:2.12.0-1ubuntu5.1 Version table: *** 2:2.12.0-1ubuntu5.1 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick-updates/main i386 Packages 100 /var/lib/dpkg/status 2:2.12.0-1ubuntu5 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick/main i386 Packages Backtrace: #0 0x00681416 in __kernel_vsyscall () No symbol table info available. #1 0x00298941 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = <value optimised out> pid = 3960820 selftid = 1949 #2 0x0029be42 in abort () at abort.c:92 act = {__sigaction_handler = {sa_handler = 0x468, sa_sigaction = 0x468}, sa_mask = {__val = {3966032, 120, 3965888, 3960820, 3965888, 108, 3212918176, 3010141, 198339232, 3960820, 3960820, 109, 3212918376, 2944968, 198339336, 198339336, 108, 198339232, 0, 4222451712, 198339336, 198339437, 198339336, 198339336, 198339444, 198339636, 198339336, 198339636, 0, 0, 0, 0}}, sa_flags = 0, sa_restorer = 0x4} sigs = {__val = {32, 0 <repeats 31 times>}} #3 0x002918e8 in __assert_fail ( assertion=0x200098 "uxa_pixmap_is_offscreen(src_pixmap)", file=0x200080 "../../uxa/uxa-glyphs.c", line=986, function=0x200124 "uxa_glyphs_via_mask") at assert.c:81 buf = 0xbd26c38 "X: ../../uxa/uxa-glyphs.c:986: uxa_glyphs_via_mask: Assertion `uxa_pixmap_is_offscreen(src_pixmap)' failed.\n" #4 0x001ef988 in uxa_glyphs_via_mask (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:986 src_pixmap = 0xbd26440 src_x = 0 glyph = 0xbb34bb8 src_y = 0 priv = 0xbd26440 screen = 0x9c01750 mask = 0xbd26a48 y = 52 pixmap = 0xbd26938 width = <value optimised out> dst_off_x = 6 dst_off_y = 25 box = {x1 = 6, y1 = 25, x2 = 145, y2 = 93} component_alpha = 0 glyph_atlas = <value optimised out> x = 2 height = <value optimised out> error = 0 #5 uxa_glyphs (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:1151 screen = 0x9c01750 uxa_screen = <value optimised out> xDst = 2 yDst = 198338872 extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0} width = 0 height = 0 ret = <value optimised out> localDst = 0x8 #6 0x08122ae9 in damageGlyphs (op=6 '\006', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../../miext/damage/damage.c:718 pScreen = <value optimised out> #7 0x081bea90 in CompositeGlyphs (op=0 '\000', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, lists=0xbf814570, glyphs=0xbf814170) at ../../render/glyph.c:604 No locals. #8 0x0811c463 in ProcRenderCompositeGlyphs (client=0xb62e338) at ../../render/render.c:1435 glyphSet = 0xb72e468 pSrc = 0xbb11b58 pDst = 0xbb366a8 pFormat = 0xb2bb7f0 listsLocal = {{xOff = 8, yOff = 77, len = 6 '\006', format = 0xb2bb7f0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0} <repeats 52 times>, {xOff = 24081, yOff = 2064, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0xb62e338}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 4084, yOff = 2079, len = 8 '\b', format = 0xb303cf0}, {xOff = 18536, yOff = -16511, len = 102 'f', format = 0x8202544}, {xOff = 0, yOff = 0, len = 136 '\210', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 14369, yOff = 2055, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 244 '\364', format = 0xb62e338}, {xOff = 9536, yOff = 2080, len = 184 '\270', format = 0x8104a2e}} lists = 0xbf81457c listsBase = 0xbf814570 glyphsLocal = {0xbb34bb8, 0xb9f2868, 0xb78ace0, 0xbaf1088, 0xbaf1088, 0xbaf1088, 0x0 <repeats 250 times>} glyph = <value optimised out> glyphs = 0xbf814188 glyphsBase = 0xbf814170 buffer = <value optimised out> end = 0xba105b0 "\225\021\003" nglyph = -1082048120 nlist = 1 space = <value optimised out> size = <value optimised out> rc = <value optimised out> #9 0x08118293 in ProcRenderDispatch (client=0x6) at ../../render/render.c:2051 No locals. #10 0x0806e087 in Dispatch () at ../../dix/dispatch.c:432 result = <value optimised out> client = 0xb62e338 nready = 0 start_tick = 260 #11 0x080625ba in main (argc=6, argv=0xbf814a04, envp=0xbf814a20) at ../../dix/main.c:291 i = 1 alwaysCheckForInput = {0, 1} Tracked bug down to uxa/uxa-glyphs.c in the xserver-xorg-video-intel driver. I looked at the latest git of the driver and knocked together the following patch which seems to work. Not sure of the quality of the code though: --- a/uxa/uxa-glyphs.c 2010-06-24 21:29:37.000000000 +0100 +++ b/uxa/uxa-glyphs.c 2010-12-31 19:51:49.000000000 +0000 @@ -164,8 +164,12 @@ INTEL_CREATE_PIXMAP_TILING_X); if (!pixmap) goto bail; - assert (uxa_pixmap_is_offscreen(pixmap)); - + if (!uxa_pixmap_is_offscreen(pixmap)) { + /* Presume shadow is in-effect */ + pScreen->DestroyPixmap(pixmap); + uxa_unrealize_glyph_caches(pScreen); + return TRUE; + } component_alpha = NeedsComponent(pPictFormat->format); picture = CreatePicture(0, &pixmap->drawable, pPictFormat, CPComponentAlpha, &component_alpha, @@ -780,9 +784,8 @@ mask_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(mask_pixmap)); - - if (!uxa_screen->info->prepare_composite(op, + if (!uxa_pixmap_is_offscreen(mask_pixmap) \|\| + !uxa_screen->info->prepare_composite(op, localSrc, this_atlas, pDst, src_pixmap, mask_pixmap, dst_pixmap)) return -1; @@ -983,9 +986,8 @@ src_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(src_pixmap)); - - if (!uxa_screen->info->prepare_composite(PictOpAdd, + if (!uxa_pixmap_is_offscreen(src_pixmap) \|\| + !uxa_screen->info->prepare_composite(PictOpAdd, this_atlas, NULL, mask, src_pixmap, NULL, pixmap)) return -1;	[Impact] On certain affected hardware, results in X server crash when looking at certain kinds of large images. [Development Solution] Upstream fixed this bug in the 2.13.x version of -intel that we are shipping in natty. [Stable Solution] The attached patch is a cherrypick from the upstream tree that applies to the 2.12.x version of -intel in maverick. This patch is also the listed solution on the upstream bug report. [Test Case] On affected hardware, disable font antialiasing and load http://launchpadlibrarian.net/29956668/crash.html in firefox. This will cause a segfault of the X server. The fix will prevent this segfault from occuring, and instead firefox will display the words "GOODBYE WORLD!" [Regression Potential] Essentially none. This changes what happens when the uxa_pixmap_is_offscreen() call returns False. Before, it would fail the assertion test and terminate the X server. Pretty much any other behavior besides that is going to be an improvement! That said, there are two subsequent commits on top of this one (which is why the patch in the description of this bug is different than that proposed). Near as I can tell these address other unrelated issues and so I'm omitting them for now. It is conceivable though that this patch provides an incomplete solution and those other patches should be backported too. But one step at a time; if this patch alone is sufficient to solve the issue it is the least risk way to go. [Original Report] Problem: If I disable font antialiasing and attempt to access http://launchpadlibrarian.net/29956668/crash.html in firefox my xserver aborts. This should not happen. The webpage should simply display the words "GOODBYE WORLD!" in very large text. Note: text does not need to be very large. For example http://joe-editor.sourceforge.net/ also triggers the bug. Description: Ubuntu 10.10 Release: 10.10 xserver-xorg-video-intel: Installed: 2:2.12.0-1ubuntu5.1 Candidate: 2:2.12.0-1ubuntu5.1 Version table: *** 2:2.12.0-1ubuntu5.1 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick-updates/main i386 Packages 100 /var/lib/dpkg/status 2:2.12.0-1ubuntu5 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick/main i386 Packages Backtrace: #0 0x00681416 in __kernel_vsyscall () No symbol table info available. #1 0x00298941 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = <value optimised out> pid = 3960820 selftid = 1949 #2 0x0029be42 in abort () at abort.c:92 act = {__sigaction_handler = {sa_handler = 0x468, sa_sigaction = 0x468}, sa_mask = {__val = {3966032, 120, 3965888, 3960820, 3965888, 108, 3212918176, 3010141, 198339232, 3960820, 3960820, 109, 3212918376, 2944968, 198339336, 198339336, 108, 198339232, 0, 4222451712, 198339336, 198339437, 198339336, 198339336, 198339444, 198339636, 198339336, 198339636, 0, 0, 0, 0}}, sa_flags = 0, sa_restorer = 0x4} sigs = {__val = {32, 0 <repeats 31 times>}} #3 0x002918e8 in __assert_fail ( assertion=0x200098 "uxa_pixmap_is_offscreen(src_pixmap)", file=0x200080 "../../uxa/uxa-glyphs.c", line=986, function=0x200124 "uxa_glyphs_via_mask") at assert.c:81 buf = 0xbd26c38 "X: ../../uxa/uxa-glyphs.c:986: uxa_glyphs_via_mask: Assertion `uxa_pixmap_is_offscreen(src_pixmap)' failed.\n" #4 0x001ef988 in uxa_glyphs_via_mask (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:986 src_pixmap = 0xbd26440 src_x = 0 glyph = 0xbb34bb8 src_y = 0 priv = 0xbd26440 screen = 0x9c01750 mask = 0xbd26a48 y = 52 pixmap = 0xbd26938 width = <value optimised out> dst_off_x = 6 dst_off_y = 25 box = {x1 = 6, y1 = 25, x2 = 145, y2 = 93} component_alpha = 0 glyph_atlas = <value optimised out> x = 2 height = <value optimised out> error = 0 #5 uxa_glyphs (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:1151 screen = 0x9c01750 uxa_screen = <value optimised out> xDst = 2 yDst = 198338872 extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0} width = 0 height = 0 ret = <value optimised out> localDst = 0x8 #6 0x08122ae9 in damageGlyphs (op=6 '\006', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../../miext/damage/damage.c:718 pScreen = <value optimised out> #7 0x081bea90 in CompositeGlyphs (op=0 '\000', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, lists=0xbf814570, glyphs=0xbf814170) at ../../render/glyph.c:604 No locals. #8 0x0811c463 in ProcRenderCompositeGlyphs (client=0xb62e338) at ../../render/render.c:1435 glyphSet = 0xb72e468 pSrc = 0xbb11b58 pDst = 0xbb366a8 pFormat = 0xb2bb7f0 listsLocal = {{xOff = 8, yOff = 77, len = 6 '\006', format = 0xb2bb7f0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0} <repeats 52 times>, {xOff = 24081, yOff = 2064, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0xb62e338}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 4084, yOff = 2079, len = 8 '\b', format = 0xb303cf0}, {xOff = 18536, yOff = -16511, len = 102 'f', format = 0x8202544}, {xOff = 0, yOff = 0, len = 136 '\210', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 14369, yOff = 2055, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 244 '\364', format = 0xb62e338}, {xOff = 9536, yOff = 2080, len = 184 '\270', format = 0x8104a2e}} lists = 0xbf81457c listsBase = 0xbf814570 glyphsLocal = {0xbb34bb8, 0xb9f2868, 0xb78ace0, 0xbaf1088, 0xbaf1088, 0xbaf1088, 0x0 <repeats 250 times>} glyph = <value optimised out> glyphs = 0xbf814188 glyphsBase = 0xbf814170 buffer = <value optimised out> end = 0xba105b0 "\225\021\003" nglyph = -1082048120 nlist = 1 space = <value optimised out> size = <value optimised out> rc = <value optimised out> #9 0x08118293 in ProcRenderDispatch (client=0x6) at ../../render/render.c:2051 No locals. #10 0x0806e087 in Dispatch () at ../../dix/dispatch.c:432 result = <value optimised out> client = 0xb62e338 nready = 0 start_tick = 260 #11 0x080625ba in main (argc=6, argv=0xbf814a04, envp=0xbf814a20) at ../../dix/main.c:291 i = 1 alwaysCheckForInput = {0, 1} Tracked bug down to uxa/uxa-glyphs.c in the xserver-xorg-video-intel driver. I looked at the latest git of the driver and knocked together the following patch which seems to work. Not sure of the quality of the code though: --- a/uxa/uxa-glyphs.c 2010-06-24 21:29:37.000000000 +0100 +++ b/uxa/uxa-glyphs.c 2010-12-31 19:51:49.000000000 +0000 @@ -164,8 +164,12 @@ INTEL_CREATE_PIXMAP_TILING_X); if (!pixmap) goto bail; - assert (uxa_pixmap_is_offscreen(pixmap)); - + if (!uxa_pixmap_is_offscreen(pixmap)) { + /* Presume shadow is in-effect */ + pScreen->DestroyPixmap(pixmap); + uxa_unrealize_glyph_caches(pScreen); + return TRUE; + } component_alpha = NeedsComponent(pPictFormat->format); picture = CreatePicture(0, &pixmap->drawable, pPictFormat, CPComponentAlpha, &component_alpha, @@ -780,9 +784,8 @@ mask_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(mask_pixmap)); - - if (!uxa_screen->info->prepare_composite(op, + if (!uxa_pixmap_is_offscreen(mask_pixmap) \|\| + !uxa_screen->info->prepare_composite(op, localSrc, this_atlas, pDst, src_pixmap, mask_pixmap, dst_pixmap)) return -1; @@ -983,9 +986,8 @@ src_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(src_pixmap)); - - if (!uxa_screen->info->prepare_composite(PictOpAdd, + if (!uxa_pixmap_is_offscreen(src_pixmap) \|\| + !uxa_screen->info->prepare_composite(PictOpAdd, this_atlas, NULL, mask, src_pixmap, NULL, pixmap)) return -1;
2011-01-25 23:36:28	Bryce Harrington	xserver-xorg-video-intel (Ubuntu): importance	Medium	High
2011-01-25 23:36:28	Bryce Harrington	xserver-xorg-video-intel (Ubuntu): status	Incomplete	Triaged
2011-01-25 23:36:57	Bryce Harrington	summary	Large non-antialiased text causes xserver to abort	[SRU] Large non-antialiased text causes xserver to abort
2011-01-25 23:37:12	Bryce Harrington	nominated for series		Ubuntu Maverick
2011-01-25 23:37:12	Bryce Harrington	bug task added		xserver-xorg-video-intel (Ubuntu Maverick)
2011-01-25 23:37:12	Bryce Harrington	nominated for series		Ubuntu Natty
2011-01-25 23:37:12	Bryce Harrington	bug task added		xserver-xorg-video-intel (Ubuntu Natty)
2011-01-25 23:37:23	Bryce Harrington	xserver-xorg-video-intel (Ubuntu Maverick): status	New	Triaged
2011-01-25 23:37:28	Bryce Harrington	xserver-xorg-video-intel (Ubuntu Maverick): importance	Undecided	High
2011-01-25 23:39:16	Bryce Harrington	bug			added subscriber Ubuntu Stable Release Updates Team
2011-01-25 23:43:36	Bug Watch Updater	xserver-xorg-video-intel: status	Unknown	Fix Released
2011-01-26 04:38:02	liam2	tags	maverick	apport-collected maverick
2011-01-26 04:38:05	liam2	description	[Impact] On certain affected hardware, results in X server crash when looking at certain kinds of large images. [Development Solution] Upstream fixed this bug in the 2.13.x version of -intel that we are shipping in natty. [Stable Solution] The attached patch is a cherrypick from the upstream tree that applies to the 2.12.x version of -intel in maverick. This patch is also the listed solution on the upstream bug report. [Test Case] On affected hardware, disable font antialiasing and load http://launchpadlibrarian.net/29956668/crash.html in firefox. This will cause a segfault of the X server. The fix will prevent this segfault from occuring, and instead firefox will display the words "GOODBYE WORLD!" [Regression Potential] Essentially none. This changes what happens when the uxa_pixmap_is_offscreen() call returns False. Before, it would fail the assertion test and terminate the X server. Pretty much any other behavior besides that is going to be an improvement! That said, there are two subsequent commits on top of this one (which is why the patch in the description of this bug is different than that proposed). Near as I can tell these address other unrelated issues and so I'm omitting them for now. It is conceivable though that this patch provides an incomplete solution and those other patches should be backported too. But one step at a time; if this patch alone is sufficient to solve the issue it is the least risk way to go. [Original Report] Problem: If I disable font antialiasing and attempt to access http://launchpadlibrarian.net/29956668/crash.html in firefox my xserver aborts. This should not happen. The webpage should simply display the words "GOODBYE WORLD!" in very large text. Note: text does not need to be very large. For example http://joe-editor.sourceforge.net/ also triggers the bug. Description: Ubuntu 10.10 Release: 10.10 xserver-xorg-video-intel: Installed: 2:2.12.0-1ubuntu5.1 Candidate: 2:2.12.0-1ubuntu5.1 Version table: *** 2:2.12.0-1ubuntu5.1 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick-updates/main i386 Packages 100 /var/lib/dpkg/status 2:2.12.0-1ubuntu5 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick/main i386 Packages Backtrace: #0 0x00681416 in __kernel_vsyscall () No symbol table info available. #1 0x00298941 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = <value optimised out> pid = 3960820 selftid = 1949 #2 0x0029be42 in abort () at abort.c:92 act = {__sigaction_handler = {sa_handler = 0x468, sa_sigaction = 0x468}, sa_mask = {__val = {3966032, 120, 3965888, 3960820, 3965888, 108, 3212918176, 3010141, 198339232, 3960820, 3960820, 109, 3212918376, 2944968, 198339336, 198339336, 108, 198339232, 0, 4222451712, 198339336, 198339437, 198339336, 198339336, 198339444, 198339636, 198339336, 198339636, 0, 0, 0, 0}}, sa_flags = 0, sa_restorer = 0x4} sigs = {__val = {32, 0 <repeats 31 times>}} #3 0x002918e8 in __assert_fail ( assertion=0x200098 "uxa_pixmap_is_offscreen(src_pixmap)", file=0x200080 "../../uxa/uxa-glyphs.c", line=986, function=0x200124 "uxa_glyphs_via_mask") at assert.c:81 buf = 0xbd26c38 "X: ../../uxa/uxa-glyphs.c:986: uxa_glyphs_via_mask: Assertion `uxa_pixmap_is_offscreen(src_pixmap)' failed.\n" #4 0x001ef988 in uxa_glyphs_via_mask (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:986 src_pixmap = 0xbd26440 src_x = 0 glyph = 0xbb34bb8 src_y = 0 priv = 0xbd26440 screen = 0x9c01750 mask = 0xbd26a48 y = 52 pixmap = 0xbd26938 width = <value optimised out> dst_off_x = 6 dst_off_y = 25 box = {x1 = 6, y1 = 25, x2 = 145, y2 = 93} component_alpha = 0 glyph_atlas = <value optimised out> x = 2 height = <value optimised out> error = 0 #5 uxa_glyphs (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:1151 screen = 0x9c01750 uxa_screen = <value optimised out> xDst = 2 yDst = 198338872 extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0} width = 0 height = 0 ret = <value optimised out> localDst = 0x8 #6 0x08122ae9 in damageGlyphs (op=6 '\006', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../../miext/damage/damage.c:718 pScreen = <value optimised out> #7 0x081bea90 in CompositeGlyphs (op=0 '\000', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, lists=0xbf814570, glyphs=0xbf814170) at ../../render/glyph.c:604 No locals. #8 0x0811c463 in ProcRenderCompositeGlyphs (client=0xb62e338) at ../../render/render.c:1435 glyphSet = 0xb72e468 pSrc = 0xbb11b58 pDst = 0xbb366a8 pFormat = 0xb2bb7f0 listsLocal = {{xOff = 8, yOff = 77, len = 6 '\006', format = 0xb2bb7f0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0} <repeats 52 times>, {xOff = 24081, yOff = 2064, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0xb62e338}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 4084, yOff = 2079, len = 8 '\b', format = 0xb303cf0}, {xOff = 18536, yOff = -16511, len = 102 'f', format = 0x8202544}, {xOff = 0, yOff = 0, len = 136 '\210', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 14369, yOff = 2055, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 244 '\364', format = 0xb62e338}, {xOff = 9536, yOff = 2080, len = 184 '\270', format = 0x8104a2e}} lists = 0xbf81457c listsBase = 0xbf814570 glyphsLocal = {0xbb34bb8, 0xb9f2868, 0xb78ace0, 0xbaf1088, 0xbaf1088, 0xbaf1088, 0x0 <repeats 250 times>} glyph = <value optimised out> glyphs = 0xbf814188 glyphsBase = 0xbf814170 buffer = <value optimised out> end = 0xba105b0 "\225\021\003" nglyph = -1082048120 nlist = 1 space = <value optimised out> size = <value optimised out> rc = <value optimised out> #9 0x08118293 in ProcRenderDispatch (client=0x6) at ../../render/render.c:2051 No locals. #10 0x0806e087 in Dispatch () at ../../dix/dispatch.c:432 result = <value optimised out> client = 0xb62e338 nready = 0 start_tick = 260 #11 0x080625ba in main (argc=6, argv=0xbf814a04, envp=0xbf814a20) at ../../dix/main.c:291 i = 1 alwaysCheckForInput = {0, 1} Tracked bug down to uxa/uxa-glyphs.c in the xserver-xorg-video-intel driver. I looked at the latest git of the driver and knocked together the following patch which seems to work. Not sure of the quality of the code though: --- a/uxa/uxa-glyphs.c 2010-06-24 21:29:37.000000000 +0100 +++ b/uxa/uxa-glyphs.c 2010-12-31 19:51:49.000000000 +0000 @@ -164,8 +164,12 @@ INTEL_CREATE_PIXMAP_TILING_X); if (!pixmap) goto bail; - assert (uxa_pixmap_is_offscreen(pixmap)); - + if (!uxa_pixmap_is_offscreen(pixmap)) { + /* Presume shadow is in-effect */ + pScreen->DestroyPixmap(pixmap); + uxa_unrealize_glyph_caches(pScreen); + return TRUE; + } component_alpha = NeedsComponent(pPictFormat->format); picture = CreatePicture(0, &pixmap->drawable, pPictFormat, CPComponentAlpha, &component_alpha, @@ -780,9 +784,8 @@ mask_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(mask_pixmap)); - - if (!uxa_screen->info->prepare_composite(op, + if (!uxa_pixmap_is_offscreen(mask_pixmap) \|\| + !uxa_screen->info->prepare_composite(op, localSrc, this_atlas, pDst, src_pixmap, mask_pixmap, dst_pixmap)) return -1; @@ -983,9 +986,8 @@ src_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(src_pixmap)); - - if (!uxa_screen->info->prepare_composite(PictOpAdd, + if (!uxa_pixmap_is_offscreen(src_pixmap) \|\| + !uxa_screen->info->prepare_composite(PictOpAdd, this_atlas, NULL, mask, src_pixmap, NULL, pixmap)) return -1;	[Impact] On certain affected hardware, results in X server crash when looking at certain kinds of large images. [Development Solution] Upstream fixed this bug in the 2.13.x version of -intel that we are shipping in natty. [Stable Solution] The attached patch is a cherrypick from the upstream tree that applies to the 2.12.x version of -intel in maverick. This patch is also the listed solution on the upstream bug report. [Test Case] On affected hardware, disable font antialiasing and load http://launchpadlibrarian.net/29956668/crash.html in firefox. This will cause a segfault of the X server. The fix will prevent this segfault from occuring, and instead firefox will display the words "GOODBYE WORLD!" [Regression Potential] Essentially none. This changes what happens when the uxa_pixmap_is_offscreen() call returns False. Before, it would fail the assertion test and terminate the X server. Pretty much any other behavior besides that is going to be an improvement! That said, there are two subsequent commits on top of this one (which is why the patch in the description of this bug is different than that proposed). Near as I can tell these address other unrelated issues and so I'm omitting them for now. It is conceivable though that this patch provides an incomplete solution and those other patches should be backported too. But one step at a time; if this patch alone is sufficient to solve the issue it is the least risk way to go. [Original Report] Problem: If I disable font antialiasing and attempt to access http://launchpadlibrarian.net/29956668/crash.html in firefox my xserver aborts. This should not happen. The webpage should simply display the words "GOODBYE WORLD!" in very large text. Note: text does not need to be very large. For example http://joe-editor.sourceforge.net/ also triggers the bug. Description: Ubuntu 10.10 Release: 10.10 xserver-xorg-video-intel: Installed: 2:2.12.0-1ubuntu5.1 Candidate: 2:2.12.0-1ubuntu5.1 Version table: *** 2:2.12.0-1ubuntu5.1 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick-updates/main i386 Packages 100 /var/lib/dpkg/status 2:2.12.0-1ubuntu5 0 500 http://gb.archive.ubuntu.com/ubuntu/ maverick/main i386 Packages Backtrace: #0 0x00681416 in __kernel_vsyscall () No symbol table info available. #1 0x00298941 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = <value optimised out> pid = 3960820 selftid = 1949 #2 0x0029be42 in abort () at abort.c:92 act = {__sigaction_handler = {sa_handler = 0x468, sa_sigaction = 0x468}, sa_mask = {__val = {3966032, 120, 3965888, 3960820, 3965888, 108, 3212918176, 3010141, 198339232, 3960820, 3960820, 109, 3212918376, 2944968, 198339336, 198339336, 108, 198339232, 0, 4222451712, 198339336, 198339437, 198339336, 198339336, 198339444, 198339636, 198339336, 198339636, 0, 0, 0, 0}}, sa_flags = 0, sa_restorer = 0x4} sigs = {__val = {32, 0 <repeats 31 times>}} #3 0x002918e8 in __assert_fail ( assertion=0x200098 "uxa_pixmap_is_offscreen(src_pixmap)", file=0x200080 "../../uxa/uxa-glyphs.c", line=986, function=0x200124 "uxa_glyphs_via_mask") at assert.c:81 buf = 0xbd26c38 "X: ../../uxa/uxa-glyphs.c:986: uxa_glyphs_via_mask: Assertion `uxa_pixmap_is_offscreen(src_pixmap)' failed.\n" #4 0x001ef988 in uxa_glyphs_via_mask (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:986 src_pixmap = 0xbd26440 src_x = 0 glyph = 0xbb34bb8 src_y = 0 priv = 0xbd26440 screen = 0x9c01750 mask = 0xbd26a48 y = 52 pixmap = 0xbd26938 width = <value optimised out> dst_off_x = 6 dst_off_y = 25 box = {x1 = 6, y1 = 25, x2 = 145, y2 = 93} component_alpha = 0 glyph_atlas = <value optimised out> x = 2 height = <value optimised out> error = 0 #5 uxa_glyphs (op=3 '\003', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=8, ySrc=77, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../uxa/uxa-glyphs.c:1151 screen = 0x9c01750 uxa_screen = <value optimised out> xDst = 2 yDst = 198338872 extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0} width = 0 height = 0 ret = <value optimised out> localDst = 0x8 #6 0x08122ae9 in damageGlyphs (op=6 '\006', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, list=0xbf814570, glyphs=0xbf814170) at ../../../miext/damage/damage.c:718 pScreen = <value optimised out> #7 0x081bea90 in CompositeGlyphs (op=0 '\000', pSrc=0xbb11b58, pDst=0xbb366a8, maskFormat=0xb2bb7f0, xSrc=<value optimised out>, ySrc=<value optimised out>, nlist=1, lists=0xbf814570, glyphs=0xbf814170) at ../../render/glyph.c:604 No locals. #8 0x0811c463 in ProcRenderCompositeGlyphs (client=0xb62e338) at ../../render/render.c:1435 glyphSet = 0xb72e468 pSrc = 0xbb11b58 pDst = 0xbb366a8 pFormat = 0xb2bb7f0 listsLocal = {{xOff = 8, yOff = 77, len = 6 '\006', format = 0xb2bb7f0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0} <repeats 52 times>, {xOff = 24081, yOff = 2064, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0xb62e338}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 4084, yOff = 2079, len = 8 '\b', format = 0xb303cf0}, {xOff = 18536, yOff = -16511, len = 102 'f', format = 0x8202544}, {xOff = 0, yOff = 0, len = 136 '\210', format = 0x0}, {xOff = 0, yOff = 0, len = 0 '\000', format = 0x0}, {xOff = 14369, yOff = 2055, len = 0 '\000', format = 0x0}, {xOff = 0, yOff = 0, len = 244 '\364', format = 0xb62e338}, {xOff = 9536, yOff = 2080, len = 184 '\270', format = 0x8104a2e}} lists = 0xbf81457c listsBase = 0xbf814570 glyphsLocal = {0xbb34bb8, 0xb9f2868, 0xb78ace0, 0xbaf1088, 0xbaf1088, 0xbaf1088, 0x0 <repeats 250 times>} glyph = <value optimised out> glyphs = 0xbf814188 glyphsBase = 0xbf814170 buffer = <value optimised out> end = 0xba105b0 "\225\021\003" nglyph = -1082048120 nlist = 1 space = <value optimised out> size = <value optimised out> rc = <value optimised out> #9 0x08118293 in ProcRenderDispatch (client=0x6) at ../../render/render.c:2051 No locals. #10 0x0806e087 in Dispatch () at ../../dix/dispatch.c:432 result = <value optimised out> client = 0xb62e338 nready = 0 start_tick = 260 #11 0x080625ba in main (argc=6, argv=0xbf814a04, envp=0xbf814a20) at ../../dix/main.c:291 i = 1 alwaysCheckForInput = {0, 1} Tracked bug down to uxa/uxa-glyphs.c in the xserver-xorg-video-intel driver. I looked at the latest git of the driver and knocked together the following patch which seems to work. Not sure of the quality of the code though: --- a/uxa/uxa-glyphs.c 2010-06-24 21:29:37.000000000 +0100 +++ b/uxa/uxa-glyphs.c 2010-12-31 19:51:49.000000000 +0000 @@ -164,8 +164,12 @@ INTEL_CREATE_PIXMAP_TILING_X); if (!pixmap) goto bail; - assert (uxa_pixmap_is_offscreen(pixmap)); - + if (!uxa_pixmap_is_offscreen(pixmap)) { + /* Presume shadow is in-effect */ + pScreen->DestroyPixmap(pixmap); + uxa_unrealize_glyph_caches(pScreen); + return TRUE; + } component_alpha = NeedsComponent(pPictFormat->format); picture = CreatePicture(0, &pixmap->drawable, pPictFormat, CPComponentAlpha, &component_alpha, @@ -780,9 +784,8 @@ mask_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(mask_pixmap)); - - if (!uxa_screen->info->prepare_composite(op, + if (!uxa_pixmap_is_offscreen(mask_pixmap) \|\| + !uxa_screen->info->prepare_composite(op, localSrc, this_atlas, pDst, src_pixmap, mask_pixmap, dst_pixmap)) return -1; @@ -983,9 +986,8 @@ src_pixmap = uxa_get_drawable_pixmap(this_atlas->pDrawable); - assert (uxa_pixmap_is_offscreen(src_pixmap)); - - if (!uxa_screen->info->prepare_composite(PictOpAdd, + if (!uxa_pixmap_is_offscreen(src_pixmap) \|\| + !uxa_screen->info->prepare_composite(PictOpAdd, this_atlas, NULL, mask, src_pixmap, NULL, pixmap)) return -1; --- Architecture: i386 CurrentDmesg: [ 36.408005] eth0: no IPv6 routers present DRM.card0.DisplayPort.1: status: disconnected enabled: disabled dpms: Off modes: edid-base64: DRM.card0.DisplayPort.2: status: disconnected enabled: disabled dpms: Off modes: edid-base64: DRM.card0.HDMI_Type_A.1: status: disconnected enabled: disabled dpms: Off modes: edid-base64: DRM.card0.HDMI_Type_A.2: status: disconnected enabled: disabled dpms: Off modes: edid-base64: DRM.card0.VGA.1: status: connected enabled: enabled dpms: On modes: 1280x1024 1280x1024 1280x960 1152x864 1024x768 1024x768 1024x768 832x624 800x600 800x600 800x600 800x600 640x480 640x480 640x480 640x480 720x400 edid-base64: AP///////wBA5QYXlxMAABcPAQMMIht4LgyVolZMliUaUFS/74CBgIFAcU8AAAAAAAAAAAAAMCoAmFEAKkAwcBMAUg4RAAAeAAAAAAAAAAAAAAAAAAAAAAAAAAAA/QA4Sx9RDgAKICAgICAgAAAA/ABHTlIgVFM3MDAKICAgAJE= DistroRelease: Ubuntu 10.10 DkmsStatus: virtualbox-ose, 3.2.8, 2.6.35-24-generic, i686: installed virtualbox-ose, 3.2.8, 2.6.35-23-generic, i686: installed virtualbox-ose, 3.2.8, 2.6.32-26-generic, i686: installed InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5) MachineType: System manufacturer System Product Name Package: xserver-xorg-video-intel 2:2.12.0-1ubuntu5.1 [modified: usr/lib/libI810XvMC.so.1.0.0 usr/lib/libIntelXvMC.so.1.0.0 usr/lib/xorg/modules/drivers/intel_drv.so] PackageArchitecture: i386 ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.35-24-generic root=UUID=8dc60281-9b37-44b9-98fe-54ce9f16b232 ro quiet splash ProcEnviron: LANG=en_GB.UTF-8 SHELL=/bin/bash ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8 Tags: maverick maverick maverick maverick maverick maverick Uname: Linux 2.6.35-24-generic i686 UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare video dmi.bios.date: 09/04/2008 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: 0204 dmi.board.asset.tag: To Be Filled By O.E.M. dmi.board.name: V-P5G45 dmi.board.vendor: ASUSTeK Computer INC. dmi.board.version: Rev 1.xx dmi.chassis.asset.tag: Asset-1234567890 dmi.chassis.type: 3 dmi.chassis.vendor: Chassis Manufacture dmi.chassis.version: Chassis Version dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr0204:bd09/04/2008:svnSystemmanufacturer:pnSystemProductName:pvrSystemVersion:rvnASUSTeKComputerINC.:rnV-P5G45:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion: dmi.product.name: System Product Name dmi.product.version: System Version dmi.sys.vendor: System manufacturer system: distro: Ubuntu codename: maverick architecture: i686 kernel: 2.6.35-24-generic
2011-01-26 04:38:06	liam2	attachment added		BootDmesg.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807466/+files/BootDmesg.txt
2011-01-26 04:38:11	liam2	attachment added		Dependencies.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807467/+files/Dependencies.txt
2011-01-26 04:38:14	liam2	attachment added		Lspci.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807468/+files/Lspci.txt
2011-01-26 04:38:16	liam2	attachment added		Lsusb.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807469/+files/Lsusb.txt
2011-01-26 04:38:19	liam2	attachment added		PciDisplay.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807470/+files/PciDisplay.txt
2011-01-26 04:38:21	liam2	attachment added		ProcCpuinfo.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807471/+files/ProcCpuinfo.txt
2011-01-26 04:38:24	liam2	attachment added		ProcInterrupts.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807472/+files/ProcInterrupts.txt
2011-01-26 04:38:28	liam2	attachment added		ProcModules.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807473/+files/ProcModules.txt
2011-01-26 04:38:31	liam2	attachment added		RelatedPackageVersions.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807474/+files/RelatedPackageVersions.txt
2011-01-26 04:38:34	liam2	attachment added		UdevDb.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807475/+files/UdevDb.txt
2011-01-26 04:38:38	liam2	attachment added		UdevLog.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807476/+files/UdevLog.txt
2011-01-26 04:38:42	liam2	attachment added		XorgLog.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807477/+files/XorgLog.txt
2011-01-26 04:38:43	liam2	attachment added		XorgLogOld.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807478/+files/XorgLogOld.txt
2011-01-26 04:38:46	liam2	attachment added		Xrandr.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807479/+files/Xrandr.txt
2011-01-26 04:38:49	liam2	attachment added		glxinfo.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807480/+files/glxinfo.txt
2011-01-26 04:38:52	liam2	attachment added		monitors.xml.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807481/+files/monitors.xml.txt
2011-01-26 04:38:54	liam2	attachment added		peripherals.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807482/+files/peripherals.txt
2011-01-26 04:38:57	liam2	attachment added		setxkbmap.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807483/+files/setxkbmap.txt
2011-01-26 04:39:00	liam2	attachment added		xdpyinfo.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807484/+files/xdpyinfo.txt
2011-01-26 04:39:03	liam2	attachment added		xkbcomp.txt https://bugs.edge.launchpad.net/bugs/696957/+attachment/1807485/+files/xkbcomp.txt
2011-01-26 16:42:20	Gianfranco Costamagna	bug			added subscriber LocutusOfBorg
2011-02-02 08:50:10	Martin Pitt	xserver-xorg-video-intel (Ubuntu Natty): status	Triaged	Fix Released
2011-02-02 08:50:31	Martin Pitt	xserver-xorg-video-intel (Ubuntu Maverick): status	Triaged	Fix Committed
2011-02-02 08:50:35	Martin Pitt	bug			added subscriber SRU Verification
2011-02-02 08:50:42	Martin Pitt	tags	apport-collected maverick	apport-collected maverick verification-needed
2011-02-02 09:21:41	Launchpad Janitor	branch linked		lp:ubuntu/maverick-proposed/xserver-xorg-video-intel
2011-02-03 22:34:54	Bug Watch Updater	xserver-xorg-video-intel: importance	Unknown	High
2011-02-24 08:46:57	Martin Pitt	tags	apport-collected maverick verification-needed	apport-collected maverick verification-done
2011-02-25 14:36:42	Launchpad Janitor	xserver-xorg-video-intel (Ubuntu Maverick): status	Fix Committed	Fix Released

Ubuntuxserver-xorg-video-intel package

Activity log for bug #696957

Ubuntu
xserver-xorg-video-intel package