[Hardy AMD64] xorg unrecoverable crash when closing a Firefox tab with Flash inside

Bug #241145 reported by Riccardo Pellegrini
This bug affects 7 people
Affects:
X.Org X server: Status Confirmed, Importance Critical
flashplugin-nonfree (Ubuntu): Importance Undecided, Assigned to Unassigned
nspluginwrapper (Ubuntu): Importance Undecided, Assigned to Unassigned
xorg-server (Ubuntu): Importance High, Assigned to Unassigned

Bug Description

Binary package hint: xserver-xorg

Ubuntu version is Hardy AMD64.
This is a very strange bug, but very annoying. In an intensive use of Firefox 3 on Flash sites (when Flash is only for ads too) and many opened tabs, X server crashes when closing a Firefox tab by middle mouse button.
Crash is unrecoverable: display goes in text mode and shows latest started daemons and an unmovable graphical mouse cursor (!!!), gdm doesn't restart. The only way to interact with the system is to open a text console with ALT+CTRL+Fx or restart the system by CTRL+ALT+DEL. Mouse cursor is shown in usplash shutdown procedure too.
This is the ending part of Xorg.0.log:

Backtrace:
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48402a]
1: /lib/libc.so.6 [0x7f2960675100]
2: /usr/lib/xorg/modules//libxaa.so [0x7f295dbe4c9c]
3: /usr/lib/xorg/modules//libxaa.so [0x7f295dbe4e96]
4: /usr/bin/X [0x527ea2]
5: /usr/bin/X [0x515c3f]
6: /usr/bin/X(Dispatch+0x2ef) [0x44eaaf]
7: /usr/bin/X(main+0x47d) [0x436b9d]
8: /lib/libc.so.6(__libc_start_main+0xf4) [0x7f29606611c4]
9: /usr/bin/X(FontFileCompleteXLFD+0x279) [0x435ed9]

Fatal server error:
Caught signal 11. Server aborting

(II) AIGLX: Suspending AIGLX clients for VT switch

I've been able to reproduce the bug a couple of times, but only with Compiz enabled.
To try to reproduce the bug open Firefox and go to www.hwupgrade.it (this site has three or so Flash ads). Click many times (about twenty) on upper left Home link with middle button (you must open the same home page many times). Let it load for about four seconds.
Now click quickly on the left tab with middle button, closing all opened tabs.
In a normal use, bug appears only after an intensive use of Flash enabled sites, particularly if you need to open many tabs with some Flash ads in each page (eg image gallery hostings).

I'm using ATI driver shipping in Hardy (8.47.3).
I think it could be related to nspluginwrapper too.
[lspci]
00:00.0 Host bridge: Intel Corporation 82P965/G965 Memory Controller Hub (rev 02)
     Subsystem: ABIT Computer Corp. Unknown device 1073
01:00.0 VGA compatible controller: ATI Technologies Inc RV370 5B60 [Radeon X300 (PCIE)] (prog-if 00 [VGA controller])
     Subsystem: PC Partner Limited Unknown device 0450

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

Created an attachment (id=9569)
Xorg log for the crash.

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

Created an attachment (id=9570)
Xorg configuration file

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

I forgot to say that I own a Dell 510m laptop with an intel855GM video card.
0:02.0 VGA compatible controller: Intel Corporation 82852/855GM Integrated Graphics Device (rev 02)
00:02.1 Display controller: Intel Corporation 82852/855GM Integrated Graphics Device (rev 02)

00:02.0 0300: 8086:3582 (rev 02)
00:02.1 0380: 8086:3582 (rev 02)

Revision history for this message
In , Michel-tungstengraphics (michel-tungstengraphics) wrote :

Can you get a log file (or even better, a gdb backtrace) with the xserver-xorg-core-dbg package installed?

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

I reproduce the crash with the xserver-xorg-core-dbg package installed and the log I got is quite the same, anyway I attach it.

Maybe I should have also said that I'm using transparencies and translucencies on kde, yet the yakuake use transparent background, at least kind of.

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

Created an attachment (id=9575)
Xorg log for the crash with debugging package installed.

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

I managed to get a somewhat meaningful backtrace of the crash. Here you are:
#0 0xb7ef9410 in __kernel_vsyscall ()
#1 0xb7d1a791 in raise () from /lib/i686/cmov/libc.so.6
#2 0xb7d1c008 in abort () from /lib/i686/cmov/libc.so.6
#3 0x080a0be6 in ddxGiveUp () at ../../../../hw/xfree86/common/xf86Init.c:1234
#4 0x081bdaa3 in AbortServer () at ../../os/log.c:407
#5 0x081bdfb7 in FatalError (
    f=0x81c8d7c "Caught signal %d. Server aborting\n") at ../../os/log.c:553
#6 0x080c20e7 in xf86SigHandler (signo=11)
    at ../../../../hw/xfree86/common/xf86Events.c:1460
#7 <signal handler called>
#8 0x08172b92 in cwGetBackingPicture (pPicture=0x879cb18, x_off=0xbfc359c0,
    y_off=0xbfc359bc) at ../../../miext/cw/cw_render.c:129
#9 0x08172e4c in cwGlyphs (op=3 '\003', pSrcPicture=0x8bb84d8,
    pDstPicture=0x879cb18, maskFormat=0x8219728, xSrc=0, ySrc=0, nlists=1,
    lists=0xbfc35f08, glyphs=0xbfc35b08) at ../../../miext/cw/cw_render.c:297
#10 0x0816f325 in damageGlyphs (op=3 '\003', pSrc=0x8bb84d8, pDst=0x879cb18,
    maskFormat=0x8219728, xSrc=0, ySrc=0, nlist=1, list=0xbfc35f08,
    glyphs=0xbfc35b08) at ../../../miext/damage/damage.c:654
#11 0x0815588a in CompositeGlyphs (op=3 '\003', pSrc=0x8bb84d8,
    pDst=0x879cb18, maskFormat=0x8219728, xSrc=0, ySrc=0, nlist=1,
    lists=0xbfc35f08, glyphs=0xbfc35b08) at ../../render/picture.c:1824
#12 0x0815d468 in ProcRenderCompositeGlyphs (client=0x8515a08)
    at ../../render/render.c:1401
#13 0x08158915 in ProcRenderDispatch (client=0x0) at ../../render/render.c:1999
#14 0x0814bd0e in XaceCatchExtProc (client=0x8515a08) at ../../Xext/xace.c:299
#15 0x080883cb in Dispatch () at ../../dix/dispatch.c:457
#16 0x080701f9 in main (argc=8, argv=0xbfc36784, envp=
Cannot access memory at address 0x8
) at ../../dix/main.c:477

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

Maybe according to the backtrace this hasn't been, strictly speaking, a problem with the driver, but I didn't have the same problem with the previous i810 driver.

There's a major difference when I use the KDE translucencies graphical effects and when I don't. And the difference is that when I don't use mean the problem is not repeatable. I don't exactly know what using translucencies could mean in Xorg using features, but what I know is that in the translucencies mode, a composite manager is used. Also yakuake is using the konsole settings which, in turn shows the background desktop image transparency-like.

Since this is a complicated problem to repeat not because of its lack of repeatability, but because of the amount of specific programs needed I decided to use the core dump file I have from the crash to get more information.

I've inspected the variables values from the core file using gdb:

The crash happens exactly on the macro cwDstPictureDecl in the cwGlyphs function. Here are the backtrace and some useful variable information:

Frame #9:
#9 0x0817270d in cwGlyphs (op=3 '\003', pSrcPicture=0x8973ab8,
    pDstPicture=0x91c1ef0, maskFormat=0x8219610, xSrc=0, ySrc=0, nlists=1,
    lists=0xbfa25fe8, glyphs=0xbfa25be8) at ../../../miext/cw/cw_render.c:297

p *pSrcPicture
$3 = {pDrawable = 0x86fb3d8, pFormat = 0x8219610, format = PICT_a8r8g8b8,
  refcnt = 1, id = 35651999, pNext = 0x0, repeat = 1, graphicsExposures = 0,
  subWindowMode = 0, polyEdge = 0, polyMode = 0, freeCompClip = 1,
  clientClipType = 0, componentAlpha = 0, repeatType = 1, unused = 2090695,
  alphaMap = 0x0, alphaOrigin = {x = 0, y = 0}, clipOrigin = {x = 0, y = 0},
  clientClip = 0x0, dither = 0, stateChanges = 0, serialNumber = 9719,
  pCompositeClip = 0x86fc908, devPrivates = 0x8973b0c, transform = 0x0,
  filter = 0, filter_params = 0x0, filter_nparams = 0, pSourcePict = 0x0}
p *pDstPicture
$4 = {pDrawable = 0x8f26d68, pFormat = 0x8219670, format = PICT_x8r8g8b8,
  refcnt = 1, id = 35672205, pNext = 0x0, repeat = 0, graphicsExposures = 0,
  subWindowMode = 0, polyEdge = 0, polyMode = 0, freeCompClip = 0,
  clientClipType = 0, componentAlpha = 0, repeatType = 0, unused = 12064,
  alphaMap = 0x0, alphaOrigin = {x = 0, y = 0}, clipOrigin = {x = 0, y = 0},
  clientClip = 0x0, dither = 0, stateChanges = 0, serialNumber = 4021270,
  pCompositeClip = 0x8f26d94, devPrivates = 0x91c1f44, transform = 0x0,
  filter = 0, filter_params = 0x0, filter_nparams = 0, pSourcePict = 0x0}

p *lists
$6 = {xOff = 101, yOff = 60, len = 4 '\004', format = 0x8219610}

p *lists->format
$7 = {id = 54, format = 166024, type = 1 '\001', depth = 32 ' ', direct = {
    red = 16, redMask = 255, green = 8, greenMask = 255, blue = 0,
    blueMask = 255, alpha = 24, alphaMask = 255}, index = {vid = 0,
    pColormap = 0x0, nvalues = 0, pValues = 0x0, devPrivate = 0x0}}

p **glyphs
$10 = {refcnt = 8, devPrivates = 0x0, size = 192, info = {width = 5,
    height = 9, x = -1, y = 9, xOff = 7, yOff = 0}}

PictureScreenPrivateIndex=7
p pDstPicture->pDrawable->pScreen->devPrivates[7].ptr
$17 = (pointer) 0x8218268

cwScreenIndex=13
p pDstPicture->pDrawable->pScreen->devPrivates[13].ptr
$19 = (pointer) 0x82...


Revision history for this message
In , rysiek (mikiwoz) wrote :

well reproducible both on ATI Radeon9600 running the open-source radeon driver and on nVidia GeForce7600 running the nVidia's proprietary driver; only happens when using either compiz or beryl (happened to me on both), haven't tried the KDE effects though.

on "normal" KDE desktop (no translucency/3d effects) the crash does not occur (at least to me).

cheers
mike

Revision history for this message
In , Jesse Barnes (jbarnes-virtuousgeek) wrote :

Changing this to a generic server bug, since it happens with radeon as well.

Raul, can you try again with a more recent xserver and update the "version" field if the bug still exists?

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

Hello.

Just tried again with the latest Debian unstable xserver package and got to the same fault. This is version 1.3 of Xorg(Xserver?) but I'm not sure about how versions are working in Xorg, sorry.

Maybe it will be clearer in the Xorg log I attach which include the crash backtrace.

Revision history for this message
In , Raul Sanchez Siles (rasasi78) wrote :

Created an attachment (id=11091)
Freshes Xorg log (with 1.3 version of the protocol)

Revision history for this message
In , Bugs-freedesktop-org-eternaldusk (bugs-freedesktop-org-eternaldusk) wrote :

I can recreate this same bug with an nVidia 7600GT under Kubuntu 7.04 & 7.10 AMD64, with the additional considerations:

To consistently recreate the bug, I have to open a second Yakuake tab - and have some app scrolling text in the (hidden) first.

I have only had this crash while Beryl or Compiz are loaded.

Revision history for this message
In , kelvie (kelvie) wrote :

(In reply to comment #13)
> I can recreate this same bug with an nVidia 7600GT under Kubuntu 7.04 & 7.10
> AMD64, with the additional considerations:
>
> To consistently recreate the bug, I have to open a second Yakuake tab - and
> have some app scrolling text in the (hidden) first.
>
> I have only had this crash while Beryl or Compiz are loaded.
>

I can reproduce this also, I use xorg-server-1.4 (that's xorg-x11-7.3) on x86_64/gentoo and x86/gentoo as well.

Revision history for this message
In , kelvie (kelvie) wrote :

Program received signal SIGSEGV, Segmentation fault.
0xb7a42ac2 in miInitializeCompositeWrapper ()
   from /usr/lib/xorg/modules//libxaa.so
(gdb) bt
#0 0xb7a42ac2 in miInitializeCompositeWrapper ()
   from /usr/lib/xorg/modules//libxaa.so
#1 0xb7a42d7c in miInitializeCompositeWrapper ()
   from /usr/lib/xorg/modules//libxaa.so
#2 0x081715fa in DamageDamageRegion ()
#3 0x081588ca in CompositeGlyphs ()
#4 0x081601e2 in PanoramiXRenderReset ()
#5 0x0815b605 in AllocatePicturePrivate ()
#6 0x0814ee3e in XaceHook ()
#7 0x0808d7a0 in Dispatch ()
#8 0x08074c05 in main ()

Here's my backtrace -- looks more useful than the previous one.

To reproduce, run "yes" on one tab. Open up another one. Close Yakuake.

Crashes every time.

Revision history for this message
In , Martin-marsark (martin-marsark) wrote :

I can recreate this same bug with an nVidia 7600GT, x86/gentoo, kde 3.5.7, compiz-fusion 0.6.0 and Yakuake 2.8.

X will hit every time as described before.

Revision history for this message
In , Marcel Partap (empee584) wrote :

Yes, this is the one I've been hitting since .. very long time. As I use yakuake intensively everytime in the last 1-2 years I tried switching on the KWin kompmgr translucency stuff, within minutes I triggered this crash and switched it off again. Now this time, I left it on and tried to track it down but without much success. I am running gent0o and compiled xorg-server-1.4-r2 with -ggdb and nostrip, however the backtrace in the Xorg.0.log.old only gives
Backtrace:
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48167a]
1: /lib/libc.so.6 [0x2b0de52881f0]
2: /usr/lib64/xorg/modules//libxaa.so [0x2b0de82cf99c]
3: /usr/lib64/xorg/modules//libxaa.so [0x2b0de82cfd03]
4: /usr/bin/X [0x523d35]
5: /usr/lib64/xorg/modules/drivers//nvidia_drv.so(_nv000961X+0x93) [0x2b0de7828df3]

Fatal server error:
Caught signal 11. Server aborting
although libxaa is not stripped. Also the core files I tried to produce didn't quite yield any result. But I think the problem has already been pinned down by the other backtraces, no?

Revision history for this message
In , Brice Goglin (brice-goglin) wrote :

Matthias Berndt reported the same problem in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453069
using Xserver 1.4.

To reproduce, he does:
1. enable compositing for kwin (to do this, run "kcmshell kwinoptions" and
enable Transparency and drop shadows there).
2. start yakuake (a quake-style terminal emulator for KDE).
3. in a yakuake terminal, start mplayer with some audio file.
4. Open a new tab in yakuake (Ctrl-Alt-N).
5. hide yakuake (by pressing F12).
Xorg now crashes.

He also provided a full debug gdb backtrace at http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=22;filename=stack.txt;att=1;bug=453069

Revision history for this message
In , Matthias (matthias-berndt) wrote :

So, how is this coming along?

Revision history for this message
In , Abhinay Mukunthan (lexxonnet) wrote :

Hello there,

There exists a similar bug report on Launchpad for Ubuntu Distros. I'm adding a link to that bug report here, and a link to this one there.

https://bugs.launchpad.net/ubuntu/+source/linux-restricted-modules-2.6.24/+bug/165093

Revision history for this message
In , Uber-cow (uber-cow) wrote :

(In reply to comment #18)
> Matthias Berndt reported the same problem in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453069
> using Xserver 1.4.
>
> To reproduce, he does:
> 1. enable compositing for kwin (to do this, run "kcmshell kwinoptions" and
> enable Transparency and drop shadows there).
> 2. start yakuake (a quake-style terminal emulator for KDE).
> 3. in a yakuake terminal, start mplayer with some audio file.
> 4. Open a new tab in yakuake (Ctrl-Alt-N).
> 5. hide yakuake (by pressing F12).
> Xorg now crashes.
>
> He also provided a full debug gdb backtrace at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=22;filename=stack.txt;att=1;bug=453069
>

Reproducible here too, x86_64 gentoo with xorg 7.3 and intel drivers. I have a very similar backtrace to the one above. This also seems to happen with some other actions, but (I think) only when something is running in a yakuake terminal.

Revision history for this message
Riccardo Pellegrini (cionci) wrote : AMD64 xorg unrecoverable crash when closing a Firefox tab with Flash inside

Binary package hint: xserver-xorg

Ubuntu version is Hardy AMD64.
This is a very strange bug, but very annoying. In an intensive use of Firefox 3 on Flash sites (when Flash is only for ads too) and many opened tabs, X server crashes when closing a Firefox tab by middle mouse button.
Crash is unrecoverable: display goes in text mode and shows latest started daemons and an unmovable graphical mouse cursor (!!!), gdm doesn't restart. The only way to interact with the system is to open a text console with ALT+CTRL+Fx or restart the system by CTRL+ALT+DEL. Mouse cursor is shown in usplash shutdown procedure too.
This is the ending part of Xorg.0.log:

Backtrace:
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48402a]
1: /lib/libc.so.6 [0x7f2960675100]
2: /usr/lib/xorg/modules//libxaa.so [0x7f295dbe4c9c]
3: /usr/lib/xorg/modules//libxaa.so [0x7f295dbe4e96]
4: /usr/bin/X [0x527ea2]
5: /usr/bin/X [0x515c3f]
6: /usr/bin/X(Dispatch+0x2ef) [0x44eaaf]
7: /usr/bin/X(main+0x47d) [0x436b9d]
8: /lib/libc.so.6(__libc_start_main+0xf4) [0x7f29606611c4]
9: /usr/bin/X(FontFileCompleteXLFD+0x279) [0x435ed9]

Fatal server error:
Caught signal 11. Server aborting

(II) AIGLX: Suspending AIGLX clients for VT switch

I've been able to reproduce the bug a couple of times, but only with Compiz enabled.
To try to reproduce the bug open Firefox and go to www.hwupgrade.it (this site has three or so Flash ads). Click many times (about twenty or so) on upper left Home link with middle button (you must open the same home page many times). Let it load for about thirty seconds, if you have a fast connection.
Now click quickly on the left tab with middle button, closing all opened tabs.
In a normal use, bug appears only after an intensive use of Flash enabled sites, particularly if you need to open many tabs with some Flash ads in each page (eg image gallery hostings).

I'm using ATI driver shipping in Hardy (8.47.3).
I think it could be related to nspluginwrapper too.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :
Revision history for this message
Riccardo Pellegrini (cionci) wrote :

I'm trying "NoTrapSignals" now on.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :

Linux cionci-desktop 2.6.24-19-generic #1 SMP Wed Jun 4 15:10:52 UTC 2008 x86_64 GNU/Linux

description: updated
Revision history for this message
Riccardo Pellegrini (cionci) wrote :

Using NoTrapSignals in xorg.conf leads to a black screen instead of text screen.

Gdb backtrace log (attached also):

#0 0x00007fc7ce1d0c9c in cwGetBackingPicture ()
   from /usr/lib/xorg/modules//libxaa.so
No symbol table info available.
#1 0x00007fc7ce1d0e96 in cwComposite () from /usr/lib/xorg/modules//libxaa.so
No symbol table info available.
#2 0x0000000000527ea2 in ?? ()
No symbol table info available.
#3 0x0000000000515c3f in ?? ()
No symbol table info available.
#4 0x000000000044eaaf in ?? ()
No symbol table info available.
#5 0x0000000000436b9d in ?? ()
No symbol table info available.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :

This time Xorg.0.log doesn't report trace of error.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :
Revision history for this message
Riccardo Pellegrini (cionci) wrote :

I attach xsession-errors also, but there's no trace of error because log is full. I had to do many times the above procedure to reproduce the bug and so I had many npviewer messages in log. I'll look for it the next time.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :

This time xsession-errors is not full.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :

I've tried to remove all proposed repository upgrades, but the issue is still present.

Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks for reporting this bug to help make Ubuntu better, unfortunately there's not enough information to troubleshoot it. You mention that this bug results in an Xorg crash; could you please collect a full backtrace (see http://wiki.ubuntu.com/X/Backtracing for directions).

Changed in xorg:
status: New → Incomplete
Revision history for this message
Riccardo Pellegrini (cionci) wrote :

You mean an strace log ? I've attached a "backtrace full" gdb command log some posts above. The output of the command is only what I've posted.

Revision history for this message
Robie Basak (racb) wrote :

I am having the same problem. On Hardy on x86_64, using 2.6.22-14-generic (2.6.24 has problems with suspend on my machine). It only happens when flashplugin-nonfree is installed, but seems to happen randomly, not necessarily when I'm interacting with flash. X just restarts and I get a login page. My Xorg.0.log.old is attached. I didn't have this problem with Gutsy.

Backtrace:
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48402a]
1: /lib/libc.so.6 [0x2b7bda1f7100]
2: /usr/lib/xorg/modules//libxaa.so [0x2b7bdd265c9c]
3: /usr/lib/xorg/modules//libxaa.so [0x2b7bdd265e96]
4: /usr/bin/X [0x527ea2]
5: /usr/bin/X [0x515c3f]
6: /usr/bin/X(Dispatch+0x2ef) [0x44eaaf]
7: /usr/bin/X(main+0x47d) [0x436b9d]
8: /lib/libc.so.6(__libc_start_main+0xf4) [0x2b7bda1e31c4]
9: /usr/bin/X(FontFileCompleteXLFD+0x279) [0x435ed9]

Revision history for this message
Robie Basak (racb) wrote :

I have generated a full backtrace, which is attached.

Changed in xorg:
status: Incomplete → Confirmed
Revision history for this message
In , Robie Basak (racb) wrote :

I think I'm seeing the same bug, except that in my case it seems to be related to the Adobe (binary) flash plugin for Firefox - of course no user application (binary or not) should be able to cause the X server to crash.

This is with xserver-xorg on Ubuntu (Hardy) 1:7.3+10ubuntu10.2 on x86_64 on an "Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)" (Chipset: "945GM")

The Ubuntu bug for my problem is here:

https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/241145

Just so that it's all in one place, the other Ubuntu bug that I think this is the same as is here:

https://bugs.launchpad.net/ubuntu/+source/linux-restricted-modules-2.6.24/+bug/165093

Xorg.0.log(.old):
Backtrace:
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48402a]
1: /lib/libc.so.6 [0x2b7bda1f7100]
2: /usr/lib/xorg/modules//libxaa.so [0x2b7bdd265c9c]
3: /usr/lib/xorg/modules//libxaa.so [0x2b7bdd265e96]
4: /usr/bin/X [0x527ea2]
5: /usr/bin/X [0x515c3f]
6: /usr/bin/X(Dispatch+0x2ef) [0x44eaaf]
7: /usr/bin/X(main+0x47d) [0x436b9d]
8: /lib/libc.so.6(__libc_start_main+0xf4) [0x2b7bda1e31c4]
9: /usr/bin/X(FontFileCompleteXLFD+0x279) [0x435ed9]

Full backtrace:
#0 0x00002aae2ef15c9c in cwGetBackingPicture (pPicture=0x2601310,
    x_off=0x7fff803e24c4, y_off=0x7fff803e24c0)
    at ../../../miext/cw/cw_render.c:128
 pPixmap = (PixmapPtr) 0x0
#1 0x00002aae2ef15e96 in cwComposite (op=3 '\003',
    pSrcPicture=<value optimized out>, pMskPicture=0x2ec0090,
    pDstPicture=0x2601310, xSrc=0, ySrc=0, xMsk=0, yMsk=0, xDst=0, yDst=256,
    width=256, height=24) at ../../../miext/cw/cw_render.c:271
 ps = (PictureScreenPtr) 0x83e540
 pCwScreen = (cwScreenPtr) 0x854a90
 src_picture_x_off = 0
 src_picture_y_off = 0
 pBackingSrcPicture = (PicturePtr) 0x3906850
 msk_picture_x_off = 0
 msk_picture_y_off = 0
 pBackingMskPicture = (PicturePtr) 0x2ec0090
 dst_picture_x_off = 0
 dst_picture_y_off = 16
 pBackingDstPicture = <value optimized out>
#2 0x0000000000527ea2 in damageComposite (op=16 '\020', pSrc=0x3906850,
    pMask=0x2ec0090, pDst=0x2601310, xSrc=-11168, ySrc=-9664, xMask=-2,
    yMask=<value optimized out>, xDst=<value optimized out>,
    yDst=<value optimized out>, width=<value optimized out>,
    height=<value optimized out>) at ../../../miext/damage/damage.c:580
 ps = (PictureScreenPtr) 0x83e540
 pScrPriv = (DamageScrPrivPtr) 0x8540e0
#3 0x0000000000515c3f in ProcRenderComposite (client=0x905230)
    at ../../render/render.c:758
 pSrc = (PicturePtr) 0x7fff803e24c4
 pMask = (PicturePtr) 0x2
 pDst = (PicturePtr) 0x0
#4 0x000000000044eaaf in Dispatch () at ../../dix/dispatch.c:502
 clientReady = <value optimized out>
 result = <value optimized out>
 client = (ClientPtr) 0x2eb3200
 nready = 0
 start_tick = 15200
#5 0x0000000000436b9d in main (argc=10, argv=0x7fff803e2bd8,
    envp=<value optimized out>) at ../../dix/main.c:452
 i = 1
 error = 0
 xauthfile = <value optimized out>
 alwaysCheckForInput = {0, 1}

Revision history for this message
Robie Basak (racb) wrote :
Revision history for this message
In , Robie Basak (racb) wrote :

Setting severity blocker as this is a server crash (I'm following the instructions on XorgTriage).

The problem seems to be a null dereference on pPixmap in cwGetBackingPicture.

I don't understand what this function is meant to do, but I've looked at it. Should:
  DrawablePtr pDrawable = pPicture->pDrawable;
actually be:
  DrawablePtr pDrawable = pPicturePrivate->pDrawable;
? As I say...I don't know what this function does, but I don't see why pPicturePrivate is being tested for if pPicture is used immediately after. Some comments would have been nice!

Revision history for this message
Riccardo Pellegrini (cionci) wrote :

Last three comments of launchpad bug linked above are surely related to this bug, but all previous comments seem to describe another bug.
I'll try to install Flash 10 beta player.

Revision history for this message
JeffV (jeff-launchpad-tanasity) wrote :

Ditto this bug. Been happening for a while, intermittently. Finally driven to do something about it because I spent a most frustrating day continually having crashes.

Originally I thought it was the ati fglrx driver most likely at fault. Can confirm that upgrading to the 8.7 catalyst does nothing to stop this.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :

After upgrade to Flash player 10 Beta, I had no crash in normal use and no crash repeating many times the method I wrote in bug description. But I still cannot assure it's definitely gone.

I still think the bug is neither in nspluginwrapper nor in Flash player, I think it's in Xorg, but only combination of nspluginwrapper and Flash player 9 take Xorg to execute code that lead it to crash.

Revision history for this message
Riccardo Pellegrini (cionci) wrote :

I can confirm manually upgrading to Flash Player 10 Beta seems to solve the issue.

Revision history for this message
JeffV (jeff-launchpad-tanasity) wrote :

I concur: I've had 5 days without this crash when I was having at least one a day.

For those considering the change: the beta is not perfect - on my computer it frequently renders the deepest black as white, and the brightest white as black. An overflow error I presume. Nevertheless, slightly broken colour is a lot better than random crashes.

Bryce Harrington (bryce)
Changed in xorg:
importance: Undecided → High
status: Confirmed → Triaged
Changed in xorg-server:
status: Unknown → Confirmed
Revision history for this message
Riccardo Pellegrini (cionci) wrote :

I've had no crash at all.
I have the same broken colours problem with Flash 10 beta, particularly on YouTube.

Revision history for this message
In , Leon Weber (leonn) wrote :

Unfortunately, replacing
  DrawablePtr pDrawable = pPicture->pDrawable;
with
  DrawablePtr pDrawable = pPicturePrivate->pDrawable;

does not help, it doesn't even compile:

libtool: compile: i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../../include -I../../hw/xfree86/os-support -DHAVE_DIX_CONFIG_H -Wall -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -fno-strict-aliasing -D_BSD_SOURCE -DHAS_FCHOWN -DHAS_STICKY_DIR_BIT -DDBUS_API_SUBJECT_TO_CHANGE -I/usr/include/freetype2 -I/usr/include/pixman-1 -I/usr/include/hal -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I../../include -I../../include -I../../Xext -I../../composite -I../../damageext -I../../xfixes -I../../Xi -I../../mi -I../../miext/shadow -I../../miext/damage -I../../render -I../../randr -I../../fb -O2 -march=nocona -pipe -MT cw_render.lo -MD -MP -MF .deps/cw_render.Tpo -c cw_render.c -fPIC -DPIC -o .libs/cw_render.o
cw_render.c: In function ‘cwGetBackingPicture’:
cw_render.c:124: error: ‘struct <anonymous>’ has no member named ‘pDrawable’
make[2]: *** [cw_render.lo] Error 1

Bryce Harrington (bryce)
description: updated
Revision history for this message
bigal50 (bigal50) wrote :

?? This showed up as New on the 030509 Bug Hug Day list. It's marked as Triaged.

Revision history for this message
Chris Coulson (chrisccoulson) wrote :

It's because it has an open task against flashplugin-nonfree

Changed in flashplugin-nonfree:
status: New → Invalid
Changed in nspluginwrapper:
status: New → Invalid
Revision history for this message
Davor Cubranic (cubranic) wrote :

I get an almost identical stack dump in Xorg.log, but it only happens with wine (even winecfg will instantly trigger it).

Hardy AMD64
ATI Radeon (open-source) driver
Plain KWin, no compositing
Unmodified xorg.conf, except for a monitor section

Revision history for this message
Davor Cubranic (cubranic) wrote :

Here's also the output of 'lspci -vv'

Revision history for this message
Davor Cubranic (cubranic) wrote :

And the output of running 'WINEDEBUG=+synchronous,+relay winecfg > ~/wine.log'

Bryce Harrington (bryce)
tags: added: hardy
Revision history for this message
Bryce Harrington (bryce) wrote :

This is a dupe of bug #319402, which I fixed with patch 172_cwgetbackingpicture_nullptr_check.patch in 2:1.6.0-0ubuntu7. I see the last comment on this bug is from before I applied that patch so presumably there's been no trouble since.

Changed in xorg-server (Ubuntu):
status: Triaged → Fix Released
Changed in xorg-server:
importance: Unknown → Critical
Changed in xorg-server:
importance: Critical → Unknown
Changed in xorg-server:
importance: Unknown → Critical
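
Several commenters above compare unsymbolised Xorg.0.log backtraces by eye to decide whether they are hitting the same crash. The following is an added example, not part of the original thread or of any project's tooling: a small triage script that normalises those backtraces into comparable signatures. It assumes 4 KiB pages, so the low 12 bits of an address inside a shared object are unchanged by a different load address; the report labels and function names are made up for this example.

```python
import os
import re
from collections import defaultdict

# Backtrace blocks copied (first six frames) from the Xorg.0.log excerpts
# quoted in this thread. The dictionary keys are labels chosen for this example.
REPORTS = {
    "hardy-cionci": """\
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48402a]
1: /lib/libc.so.6 [0x7f2960675100]
2: /usr/lib/xorg/modules//libxaa.so [0x7f295dbe4c9c]
3: /usr/lib/xorg/modules//libxaa.so [0x7f295dbe4e96]
4: /usr/bin/X [0x527ea2]
5: /usr/bin/X [0x515c3f]
""",
    "hardy-racb": """\
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48402a]
1: /lib/libc.so.6 [0x2b7bda1f7100]
2: /usr/lib/xorg/modules//libxaa.so [0x2b7bdd265c9c]
3: /usr/lib/xorg/modules//libxaa.so [0x2b7bdd265e96]
4: /usr/bin/X [0x527ea2]
5: /usr/bin/X [0x515c3f]
""",
    "gentoo-empee584": """\
0: /usr/bin/X(xf86SigHandler+0x6a) [0x48167a]
1: /lib/libc.so.6 [0x2b0de52881f0]
2: /usr/lib64/xorg/modules//libxaa.so [0x2b0de82cf99c]
3: /usr/lib64/xorg/modules//libxaa.so [0x2b0de82cfd03]
4: /usr/bin/X [0x523d35]
5: /usr/lib64/xorg/modules/drivers//nvidia_drv.so(_nv000961X+0x93) [0x2b0de7828df3]
""",
}

# "N: /path/to/module(symbol+0xoff) [0xaddr]"; the "(symbol+0xoff)" part is optional.
FRAME_RE = re.compile(
    r"^\s*\d+:\s+(?P<path>\S+?)"
    r"(?:\((?P<sym>\w+)\+0x(?P<off>[0-9a-fA-F]+)\))?"
    r"\s+\[0x(?P<addr>[0-9a-fA-F]+)\]\s*$"
)
PAGE_MASK = 0xFFF  # assumption: 4 KiB pages


def parse_frames(text):
    """Return (module, symbol, offset, address) for every backtrace line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # other log lines are ignored
        off = int(m["off"], 16) if m["off"] else None
        frames.append((os.path.basename(m["path"]), m["sym"], off, int(m["addr"], 16)))
    return frames


def normalise(frame):
    """Make a frame comparable across runs with different load addresses."""
    module, sym, off, addr = frame
    if sym is not None:
        return f"{module}!{sym}+0x{off:x}"
    return f"{module}+page:0x{addr & PAGE_MASK:03x}"


def is_handler_plumbing(frame):
    """Frames added by signal delivery, not by the faulting code path."""
    module, sym, _, _ = frame
    return sym == "xf86SigHandler" or module.startswith("libc.so")


def signature(text, depth=3):
    """Return (exact, modules) for the first `depth` frames below the handler."""
    frames = parse_frames(text)
    i = 0
    while i < len(frames) and is_handler_plumbing(frames[i]):
        i += 1
    faulting = frames[i:i + depth]
    return tuple(normalise(f) for f in faulting), tuple(f[0] for f in faulting)


def cluster(reports, depth=3):
    """Group report labels by exact signature and by module path."""
    by_exact, by_modules = defaultdict(list), defaultdict(list)
    for name, text in reports.items():
        exact, modules = signature(text, depth)
        by_exact[exact].append(name)
        by_modules[modules].append(name)
    return dict(by_exact), dict(by_modules)


if __name__ == "__main__":
    exact, modules = cluster(REPORTS)
    for sig, names in exact.items():
        print("exact  ", names, sig)
    for sig, names in modules.items():
        print("modules", names, sig)
```

An exact match ties two reports to the same instructions in the same build; a module-only match, as with the Gentoo log here, only says the crash took the same path through the same modules. Either way a symbolised gdb backtrace is still what names the faulting function.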