[dix] crash in CreateDefaultTile()
Submitted by Mihai Dontu
Assigned to Xorg Project Team
Description
I'm not sure this bug is really in Xorg (the server) itself, but it has manifested there ever since x11-drivers/xf86-video-intel >= 2.20.7:
$ gdb --batch --command=cmd.txt
[New LWP 30401]
warning: Could not load shared library symbols for linux-vdso.so.1. Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/bin/X.bin -core -br -novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run'.
Program terminated with signal 6, Aborted.
#0 0x0000003debc35ab5 in raise () from /lib64/libc.so.6
#0 0x0000003debc35ab5 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x0000003debc36f36 in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x0000000000593b8e in OsAbort () at utils.c:1266
No locals.
#3 0x000000000047d30c in ddxGiveUp (error=<optimized out>) at xf86Init.c:1060
i = <optimized out>
#4 0x00000000005989e2 in AbortServer () at log.c:652
No locals.
#5 0x00000000005991fd in FatalError (f=f@entry=0x5c1308 "Caught signal %d (%s). Server aborting\n") at log.c:793
args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7ffff8096f60, reg_save_area = 0x7ffff8096ea0}}
args2 = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7ffff8096f60, reg_save_area = 0x7ffff8096ea0}}
beenhere = 1
#6 0x00000000005919ce in OsSigHandler (sip=<optimized out>, signo=11, unused=<optimized out>) at osinit.c:146
No locals.
#7 OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at osinit.c:107
No locals.
#8 <signal handler called>
No symbol table info available.
#9 0x000000000045040e in CreateDefaultTile (pGC=pGC@entry=0x17d6620) at gc.c:584
tmpval = {{val = 0, ptr = 0x7fff00000000}, {val = 0, ptr = 0x0}, {val = 13, ptr = 0xd}}
pTile = <optimized out>
pgcScratch = <optimized out>
rect = {x = -824, y = 382, width = 0, height = 0}
w = 1
h = 1
#10 0x0000000000451078 in ChangeGC (client=client@entry=0x1350c40, pGC=pGC@entry=0x17d6620, mask=0, mask@entry=65536, pUnion=0x7ffff80975e8, pUnion@entry=0x7ffff80975e0) at gc.c:405
index2 = <optimized out>
error = 0
pPixmap = <optimized out>
maskQ = 65536
__PRETTY_FUNCTION__ = "ChangeGC"
#11 0x000000000045128b in ChangeGCXIDs (client=client@entry=0x1350c40, pGC=0x17d6620, mask=65536, pC32=pC32@entry=0x17efcf8) at gc.c:458
vals = {{val = 0, ptr = 0x0}, {val = 17563424, ptr = 0x10bff20}, {val = 24995840, ptr = 0x1017d6800}, {val = 17563424, ptr = 0x10bff20}, {val = 17581616, ptr = 0x10c4630}, {val = 17789712, ptr = 0x10f7310}, {val = 0, ptr = 0x0}, {val = 24995616, ptr = 0x17d6720}, {val = 0, ptr = 0x0}, {val = 8438048, ptr = 0x80c120 <clientTable+448>}, {val = 0, ptr = 0x0}, {val = 373, ptr = 0x175}, {val = 22827584, ptr = 0x15c5240}, {val = 20253760, ptr = 0x1350c40}, {val = 29360937, ptr = 0x1c00329}, {val = 3, ptr = 0x3}, {val = 24995360, ptr = 0x17d6620}, {val = 0, ptr = 0x0}, {val = 24992032, ptr = 0x17d5920}, {val = 4591587, ptr = 0x460fe3 <dixLookupResourceByType+307>}, {val = 0, ptr = 0x0}, {val = 32, ptr = 0x3d00000020}, {val = 22827584, ptr = 0x15c5240}}
i = <optimized out>
#12 0x0000000000439032 in ProcChangeGC (client=0x1350c40) at dispatch.c:1474
pGC = 0x17d6620
result = <optimized out>
len = 1
stuff = 0x17efcec
#13 0x000000000043d4c1 in Dispatch () at dispatch.c:428
clientReady = 0x124df30
result = <optimized out>
client = 0x1350c40
nready = 0
icheck = 0x813f10 <checkForInput>
start_tick = 0
#14 0x000000000042c0fa in main (argc=11, argv=0x7ffff80978c8, envp=<optimized out>) at main.c:295
i = <optimized out>
alwaysCheckForInput = {0, 1}
#9 0x000000000045040e in CreateDefaultTile (pGC=pGC@entry=0x17d6620) at gc.c:584
584 (*pGC->pScreen->QueryBestSize) (TileShape, &w, &h, pGC->pScreen);
$1 = {pScreen = 0xbb837d7abb86c183, depth = 128 '\200', alu = 126 '~', lineWidth = 48003, dashOffset = 32122, numInDashList = 48004, dash = 0xbb837d7abba5949e <Address 0xbb837d7abba5949e out of bounds>, lineStyle = 3, capStyle = 2, joinStyle = 3, fillStyle = 1, fillRule = 1, arcMode = 1, subWindowMode = 0, graphicsExposures = 0, clientClipType = 3, miTranslate = 0, tileIsPixel = 1, fExpose = 1, freeCompClip = 1, scratch_inuse = 0, unused = 6000, planemask = 18430913026116272574, fgPixel = 2405720158, bgPixel = 1, tile = {pixmap = 0x0, pixel = 0}, stipple = 0x10f7310, patOrg = {x = 0, y = 0}, font = 0x10f8780, clipOrg = {x = 0, y = 0}, clientClip = 0x0, stateChanges = 8388607, serialNumber = 2147483648, funcs = 0x80a060 <damageGCFuncs>, ops = 0x7f771aab5880 <sna_gc_ops>, devPrivates = 0x17d66c0, pRotatedPixmap = 0x0, pCompositeClip = 0x0}
cmd.txt:4: Error in sourced command file:
Cannot access memory at address 0xbb837d7abb86c183
I'm running Gentoo Linux, x86_64, kernel 3.5.4, gcc 4.7.1, with no special CFLAGS/LDFLAGS.
Steps to reproduce: log in to KDE (via kdm) and try to start chromium (other apps don't trigger the crash).