SegFault in miDCSaveUnderCursor
Submitted by Lee Leahu
Assigned to Xorg Project Team
Description
X.org server 1.8.0 tag (as released by Gentoo).
X.org is configured for a 2×2 screen layout (each screen 1280×1024, a total resolution of 2560×2048, using Xinerama).
X.org is remotely controlled using x11vnc.
– The SegFault –
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000005e078f in miDCSaveUnderCursor (pDev=0x18d6790, pScreen=0x1290440, x=323, y=265, w=26, h=32) at midispcur.c:536
536         pSave = pBuffer->pSave;
– The Backtrace –
(gdb) bt
#0  0x00000000005e078f in miDCSaveUnderCursor (pDev=0x18d6790, pScreen=0x1290440, x=323, y=265, w=26, h=32) at midispcur.c:536
#1  0x00000000005f55a8 in miSpriteSaveUnderCursor (pDev=0x18d6790, pScreen=0x1290440) at misprite.c:1039
#2  0x00000000005f4f92 in miSpriteSetCursor (pDev=0x18d6790, pScreen=0x1290440, pCursor=0x259be50, x=332, y=274) at misprite.c:902
#3  0x00000000005d760f in xf86CursorSetCursor (pDev=0x18d6790, pScreen=0x1290440, pCurs=0x259be50, x=332, y=274) at xf86Cursor.c:377
#4  0x0000000000469664 in miPointerUpdateSprite (pDev=0x18d6790) at mipointer.c:402
#5  0x00000000004fb939 in ProcXTestFakeInput (client=0x1a284d0) at xtest.c:454
#6  0x00000000004fba42 in ProcXTestDispatch (client=0x1a284d0) at xtest.c:487
#7  0x000000000042ded8 in Dispatch () at dispatch.c:439
#8  0x0000000000424bf3 in main (argc=8, argv=0x7fff36312dd8, envp=0x7fff36312e20) at main.c:286
– The source code in question –
File: dix/events.c / Lines: 299-303

299 Bool
300 DevHasCursor(DeviceIntPtr pDev)
301 {
302     return pDev->spriteInfo->spriteOwner;
303 }

File: mi/midispcur.c / Lines: 62-64

62 /* per device private data */
63 static int miDCSpriteKeyIndex;
64 static DevPrivateKey miDCSpriteKey = &miDCSpriteKeyIndex;

File: mi/midispcur.c / Lines: 78-81 (the line-continuation backslashes were lost in the original report and are restored here)

78 #define MIDCBUFFER(dev) \
79  ((DevHasCursor(dev)) ? \
80    (miDCBufferPtr)dixLookupPrivate(&dev->devPrivates, miDCSpriteKey) : \
81    (miDCBufferPtr)dixLookupPrivate(&dev->u.master->devPrivates, miDCSpriteKey))

File: mi/midispcur.c / Lines: 522-537

522 static Bool
523 miDCSaveUnderCursor (DeviceIntPtr pDev, ScreenPtr pScreen,
524                      int x, int y, int w, int h)
525 {
526     miDCScreenPtr   pScreenPriv;
527     miDCBufferPtr   pBuffer;
528     PixmapPtr       pSave;
529     WindowPtr       pWin;
530     GCPtr           pGC;
531
532     pScreenPriv = (miDCScreenPtr)dixLookupPrivate(&pScreen->devPrivates,
533                                                   miDCScreenKey);
534     pBuffer = MIDCBUFFER(pDev);
535
536     pSave = pBuffer->pSave;
537     pWin = WindowTable[pScreen->myNum];
– Analysis: What does pBuffer contain? –
(gdb) print pBuffer
$1 = (miDCBufferPtr) 0x0
– Analysis: What does pDev contain? –
(gdb) print pDev
$2 = (DeviceIntPtr) 0x18d6790
(gdb) print *pDev
$3 = {public = {devicePrivate = 0x0, processInputProc = 0x56bd73 <ProcessKeyboardEvent>, realInputProc = 0x56bd73 <ProcessKeyboardEvent>,
    enqueueInputProc = 0x44ac4c <EnqueueEvent>, on = 0}, next = 0x19e1e70, startup = 1, deviceProc = 0x45cfab <CoreKeyboardProc>, inited = 1, enabled = 1,
  coreEvents = 1, deviceGrab = {grabTime = {months = 0, milliseconds = 132503957}, fromPassiveGrab = 0, implicitGrab = 0, activeGrab = {next = 0x0, resource = 0,
      device = 0x0, window = 0x0, ownerEvents = 0, keyboardMode = 0, pointerMode = 0, grabtype = GRABTYPE_CORE, type = 0 '\000', modifiersDetail = {exact = 0,
        pMask = 0x0}, modifierDevice = 0x0, detail = {exact = 0, pMask = 0x0}, confineTo = 0x0, cursor = 0x0, eventMask = 0, deviceMask = 0, xi2mask = {
        "\000\000" <repeats 42 times>}}, grab = 0x0, activatingKey = 0 '\000', ActivateGrab = 0x44bc90 <ActivateKeyboardGrab>,
    DeactivateGrab = 0x44be4f <DeactivateKeyboardGrab>, sync = {frozen = 0, state = 0, other = 0x0, event = 0x0}}, type = 3, xinput_type = 0,
  name = 0x18d6bb0 "Virtual core XTEST keyboard", id = 5, key = 0x18d6c00, valuator = 0x0, button = 0x0, focus = 0x18dd4d0, proximity = 0x0, absolute = 0x0,
  kbdfeed = 0x18d6c80, ptrfeed = 0x0, intfeed = 0x0, stringfeed = 0x0, bell = 0x0, leds = 0x0, xkb_interest = 0x0, config_info = 0x0, devPrivates = 0x18d7400,
  nPrivates = 0, unwrapProc = 0x53f984 <xkbUnwrapProc>, spriteInfo = 0x18d6b08, u = {master = 0x15d5750, lastSlave = 0x15d5750}, last = {valuators = {
      0 <repeats 36 times>}, remainder = {0 <repeats 36 times>}, numValuators = 0, slave = 0x0}, properties = {properties = 0x18d6550, handlers = 0x18d65a0}}
– Analysis – MIDCBUFFER: What does DevHasCursor(dev) return? –
(gdb) print *pDev->spriteInfo
$4 = {sprite = 0x18d5220, spriteOwner = 0, paired = 0x15d5750}
(gdb) print pDev->spriteInfo->spriteOwner
$5 = 0
– Analysis – MIDCBUFFER: What does dev->u.master->devPrivates contain? –
(gdb) print pDev->u.master
$6 = (DeviceIntPtr) 0x15d5750
(gdb) print pDev->u.master->devPrivates
$7 = (PrivateRec *) 0x15d5bb0
– Analysis – MIDCBUFFER: Are the private key and index defined? –
(gdb) print miDCSpriteKey
$8 = (DevPrivateKey) 0x87e3dc
(gdb) print miDCSpriteKeyIndex
$9 = 47
– Analysis – MIDCBUFFER: What does dixLookupPrivate return? –
(gdb) print pDev->u.master->devPrivates[*miDCSpriteKey]
$11 = {state = 1, value = 0x0}
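To make the failure mode concrete, here is an added C example that models the lookup chain the gdb session above walks through. It is not X.org code: the structures, the names (Device, SpriteInfo, midc_buffer, save_under_cursor) and the device topology are simplified, constructed stand-ins. It rebuilds the state the dump captures (a slave device with spriteOwner = 0 falling back to a master whose private slot holds value = 0x0, as in $4 and $11) and shows how a NULL check at the point of the line-536 dereference turns the fault into a clean failure return, while the same lookup still succeeds once a buffer is present in the master's slot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical stand-ins for the X server structures in the report.
 * Added example; none of this is X.org code. */

#define MAX_PRIVATES 64

typedef struct {            /* shape of the PrivateRec entry printed as $11 */
    int   state;
    void *value;
} PrivateRec;

typedef struct { void *pSave; } miDCBuffer;   /* stand-in for miDCBufferRec */
typedef struct { int spriteOwner; } SpriteInfo; /* stand-in for SpriteInfoRec */

typedef struct Device {
    const char    *name;
    SpriteInfo    *spriteInfo;
    PrivateRec     devPrivates[MAX_PRIVATES];
    struct Device *master;   /* stands in for dev->u.master */
} Device;

static const int miDCSpriteKeyIndex = 47;   /* index observed in the report ($9) */

static void *lookup_private(PrivateRec *privs, int key)
{
    return privs[key].value;
}

/* Mirrors DevHasCursor(): true only when the device owns its own sprite. */
static bool dev_has_cursor(const Device *dev)
{
    return dev->spriteInfo != NULL && dev->spriteInfo->spriteOwner != 0;
}

/* Mirrors the MIDCBUFFER() macro: the device's own privates when it owns a
 * sprite, otherwise its master's. A missing master yields NULL here rather
 * than being dereferenced. */
static miDCBuffer *midc_buffer(Device *dev)
{
    if (dev_has_cursor(dev))
        return lookup_private(dev->devPrivates, miDCSpriteKeyIndex);
    if (dev->master == NULL)
        return NULL;
    return lookup_private(dev->master->devPrivates, miDCSpriteKeyIndex);
}

/* Hardened counterpart of the line-536 dereference: bail out when the
 * per-device buffer was never allocated instead of faulting on NULL. */
static bool save_under_cursor(Device *dev, void **out_save)
{
    miDCBuffer *pBuffer = midc_buffer(dev);
    if (pBuffer == NULL)
        return false;                    /* the state gdb shows: pBuffer == 0x0 */
    *out_save = pBuffer->pSave;
    return true;
}

/* Constructed topology matching the dump: an XTEST keyboard with spriteOwner = 0,
 * paired with a master whose slot 47 is {state = 1, value = NULL}. Returns true
 * when the hardened path rejects it without touching the output. */
static bool report_state_is_rejected_cleanly(void)
{
    static SpriteInfo kbd_sprite = { 0 }, master_sprite = { 1 };
    static Device master, xtest_kbd;
    void *save = (void *)0x1;            /* sentinel: must stay untouched on failure */

    master.name = "constructed master device";
    master.spriteInfo = &master_sprite;
    master.master = NULL;
    master.devPrivates[miDCSpriteKeyIndex].state = 1;
    master.devPrivates[miDCSpriteKeyIndex].value = NULL;

    xtest_kbd.name = "Virtual core XTEST keyboard";
    xtest_kbd.spriteInfo = &kbd_sprite;
    xtest_kbd.master = &master;

    bool ok = save_under_cursor(&xtest_kbd, &save);
    return !ok && save == (void *)0x1;
}

/* Same topology once the master's buffer exists: the slave's lookup now resolves
 * through the master, which is the path the macro intends for a device without
 * its own sprite. */
static bool lookup_succeeds_when_buffer_allocated(void)
{
    static SpriteInfo kbd_sprite = { 0 }, master_sprite = { 1 };
    static Device master, xtest_kbd;
    static miDCBuffer buffer;
    static int marker;
    void *save = NULL;

    buffer.pSave = &marker;
    master.spriteInfo = &master_sprite;
    master.master = NULL;
    master.devPrivates[miDCSpriteKeyIndex].state = 1;
    master.devPrivates[miDCSpriteKeyIndex].value = &buffer;
    xtest_kbd.spriteInfo = &kbd_sprite;
    xtest_kbd.master = &master;

    return save_under_cursor(&xtest_kbd, &save) && save == &marker;
}

int main(void)
{
    printf("report state rejected without a fault: %s\n",
           report_state_is_rejected_cleanly() ? "yes" : "no");
    printf("lookup through master with buffer allocated: %s\n",
           lookup_succeeds_when_buffer_allocated() ? "ok" : "failed");
    return 0;
}
```

The point of the two scenarios is that the lookup itself is behaving as the macro intends (a slave device without a sprite is routed to its master); what is missing is a buffer in the master's slot, so the defensive check belongs where the result is consumed, not in the macro.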
– Final Thoughts –
There’s another bug (#24181) that appears to be the same (or very very close) to this.
Git Tag 1.8.0.901 contains a patch (and its revert) about not thrashing resources when displaying the software cursor across screens. It's not clear if that patch is intended to resolve this problem, but it needs to be tested whether Git Tag 1.8.0.901 resolves this problem. If that doesn't, then it needs to be tested whether Git Master resolves this problem. Any help would be appreciated.
Version: git