Bug 22752

Summary: Flash in moblin-web-browser can crash the X server
Product: xorg
Reporter: bob <bob>
Component: Driver/intel
Assignee: Jesse Barnes <jbarnes>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: high
CC: kui.zheng
Version: unspecified
Keywords: NEEDINFO
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:

Description bob@o-hand.com 2009-07-13 13:06:00 UTC
With the latest moblin images, it is possible to reliably crash the X server by opening this url in the moblin-web-browser: http://flickr.com/photos/upload (you need to be logged in)

I shall try to add more information if I find anything more out, but I'm hoping the X server backtrace with symbols will give someone with more insight a clue about what's broken.

versions:
xf86-video-intel-2.7.99.901
xorg-server-1.6.1.902 - with all moblin 2 patches
OpenGL renderer string: Mesa DRI Intel(R) 945GME GEM 20090114 x86/MMX/SSE2
OpenGL version string: 1.4 Mesa 7.5-rc4

hardware:
Acer aspire one

note: no compositor was running.

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/i386/i586/memcpy.S:90
90              movl    (%esi), %eax
Current language:  auto; currently asm
(gdb) bt
#0  memcpy () at ../sysdeps/i386/i586/memcpy.S:90
#1  0xb7879b55 in fbBlt (srcLine=0xb6cbc000, srcStride=512, srcX=0, dstLine=0x8b8a6b8, dstStride=1260, dstX=0, width=1260, 
    height=32, alu=3, pm=4294967295, bpp=32, reverse=0, upsidedown=0) at fbblt.c:93
#2  0xb787b12d in fbBltStip (src=0xb6cbc000, srcStride=128, srcX=0, dst=0x8b8a6b8, dstStride=315, dstX=0, width=10080, 
    height=32, alu=3, pm=4294967295, bpp=32) at fbblt.c:944
#3  0xb7881c75 in fbGetImage (pDrawable=0x8b9b028, x=130, y=292, w=315, h=32, format=2, planeMask=4294967295, 
    d=0x8b8a6b8 "���") at fbimage.c:332
#4  0xb791826c in uxa_get_image (pDrawable=0x8b9b028, x=0, y=0, w=315, h=32, format=2, planeMask=4294967295, 
    d=0x8b8a6b8 "���") at uxa-accel.c:1034
#5  0x081465c8 in miSpriteGetImage (pDrawable=0x8b9b028, sx=0, sy=0, w=315, h=32, format=2, planemask=4294967295, 
    pdstLine=0x8b8a6b8 "���") at misprite.c:354
#6  0x0808d457 in DoGetImage (client=0x8b51070, format=2, drawable=50331676, x=0, y=0, width=315, height=32, 
    planemask=4294967295, im_return=0x0) at dispatch.c:2041
#7  0x0808d6ff in ProcGetImage (client=0x8b51070) at dispatch.c:2128
#8  0x08088d2b in Dispatch () at dispatch.c:437
#9  0x0806f768 in main (argc=8, argv=0xbf9421e4, envp=0xbf942208) at main.c:397


At this point I have no idea what's special about the GetImage in question; I can just see from gdb'ing clutter-mozheadless that it comes from flash (though I don't expect that to really be helpful in itself)

Breakpoint 2, 0xb5f8b062 in XGetImage () from /usr/lib/libX11.so.6
#0  0xb5f8b062 in XGetImage () from /usr/lib/libX11.so.6
#1  0xb5f8b29b in XGetSubImage () from /usr/lib/libX11.so.6
#2  0xb5f17fb7 in _gdk_x11_copy_to_image (drawable=0x837f750, image=0x883f018, src_x=0, src_y=0, dest_x=0, dest_y=0, 
    width=315, height=32) at gdkimage-x11.c:619
#3  0xb5eed86c in IA__gdk_drawable_copy_to_image (drawable=0x837f750, image=0x883f018, src_x=0, src_y=0, dest_x=0, 
    dest_y=0, width=315, height=32) at gdkdraw.c:1070
#4  0xb5eed86c in IA__gdk_drawable_copy_to_image (drawable=0x80897c8, image=0x883f018, src_x=0, src_y=0, dest_x=0, 
    dest_y=0, width=315, height=32) at gdkdraw.c:1070
#5  0xb1ebdc23 in ?? () from /usr/lib/flash-plugin/libflashplayer.so
#6  0xb1eb19c5 in ?? () from /usr/lib/flash-plugin/libflashplayer.so
#7  0xb1ea8030 in ?? () from /usr/lib/flash-plugin/libflashplayer.so
#8  0xb1eacae4 in ?? () from /usr/lib/flash-plugin/libflashplayer.so
#9  0x089871fc in ?? ()
#10 0xbfffe888 in ?? ()
#11 0xb7f8ee60 in ?? () from /usr/lib/xulrunner-1.9.2a1pre-headless/libxul.so
#12 0xb7f8ee60 in ?? () from /usr/lib/xulrunner-1.9.2a1pre-headless/libxul.so
#13 0xb7fa0ff4 in sqlite3_bind_null () from /usr/lib/xulrunner-1.9.2a1pre-headless/libxul.so
#14 0xb7fa0ff4 in sqlite3_bind_null () from /usr/lib/xulrunner-1.9.2a1pre-headless/libxul.so
#15 0xbfffe858 in ?? ()
#16 0xb7605bfd in ?? () from /usr/lib/xulrunner-1.9.2a1pre-headless/libxul.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
clutter-mozheadless: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.0.

Program received signal SIGSEGV, Segmentation fault.
__pthread_mutex_lock (mutex=0xb0e7d024) at pthread_mutex_lock.c:51
51                                  PTHREAD_MUTEX_TIMED_NP))

Note: to be able to gdb clutter-mozheadless, the moblin-web-browser can be run as follows:

$ CLUTTER_MOZEMBED_DEBUG=1 moblin-web-browser http://flickr.com/photos/upload

It will print something like:

** Message: Waiting for 'clutter-mozheadless /tmp/clutter-mozembed-21862-0 /tmp/clutter-mozheadless-21862-0 /mozheadless-21862-0' to be run

and clutter-mozheadless can be started like this:

$ gdb --args clutter-mozheadless /tmp/clutter-mozembed-21862-0 /tmp/clutter-mozheadless-21862-0 /mozheadless-21862-0
Comment 1 bob@o-hand.com 2009-07-14 01:35:35 UTC
For a bit more context, here is the downstream distro bug originally opened for this problem: http://bugzilla.moblin.org/show_bug.cgi?id=3871
Comment 2 Li Peng 2009-07-14 02:25:13 UTC
This is a duplicate of bug #22107, Fix is added to moblin.
Comment 3 Li Peng 2009-07-14 02:51:27 UTC
(In reply to comment #2)
> This is a duplicate of bug #22107, Fix is added to moblin.
> 

Sorry for my mistake, this issue still happens when I apply the fix of #22107; it doesn't fix this issue. Here is the corewatcher info:

Application failure message 1:
Program: /usr/bin/Xorg
Type: Aborted.
[New process 641]
#0  0x460cfbf6 in raise () from /lib/libc.so.6
#0  0x460cfbf6 in raise () from /lib/libc.so.6
#1  0x460d1908 in abort () from /lib/libc.so.6
#2  0x0809d7bb in ddxGiveUp ()
#3  0x0810f1ca in AbortServer ()
#4  0x0810f704 in FatalError ()
#5  0x080afe32 in xf86SigHandler ()
#6  <signal handler called>
#7  0xb7e62d4b in fbBlt () from /usr/lib/xorg/modules//libfb.so
#8  0xb7e637ee in fbBltStip () from /usr/lib/xorg/modules//libfb.so
#9  0xb7e67774 in fbGetImage () from /usr/lib/xorg/modules//libfb.so
#10 0xb7ece48c in uxa_get_image () from /usr/lib/xorg/modules/drivers//intel_drv.so
#11 0x080fa319 in ?? ()
#12 0x08083cac in ProcGetImage ()
#13 0x0808572f in Dispatch ()
#14 0x08070a06 in main ()

Application failure message 2:
Program: /usr/bin/clutter-mozheadless
Type: Segmentation fault.
[New process 1050]
[New process 1059]
[New process 1052]
[New process 1054]
[New process 1055]
[New process 1056]
[New process 1057]
[New process 1065]
[New process 1066]
[New process 1053]
#0  0x463478b0 in pthread_mutex_lock () from /lib/libpthread.so.0
#0  0x463478b0 in pthread_mutex_lock () from /lib/libpthread.so.0
#1  0xb2e27af2 in ?? () from /usr/lib/flash-plugin/libflashplayer.so
#2  0xb1cb4024 in ?? ()
#3  0x00000005 in ?? ()
#4  0xb2e27adb in ?? () from /usr/lib/flash-plugin/libflashplayer.so
#5  0xb362e6cc in ftell () from /usr/lib/flash-plugin/libflashplayer.so
#6  0xb364bde0 in ftell () from /usr/lib/flash-plugin/libflashplayer.so
#7  0x0000000b in ?? ()
#8  0xbfa9c2d8 in ?? ()
#9  0xb2e75b72 in ?? () from /usr/lib/flash-plugin/libflashplayer.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)


Comment 4 Jesse Barnes 2009-07-15 15:23:57 UTC
I wonder if this is a dupe of #22601...  If so, you'd need:

commit 40e7c9505265823786cf730214db84812a5e494e
Author: Eric Anholt <eric@anholt.net>
Date:   Mon Jul 6 11:54:50 2009 -0700

    Refuse to allocate giant BOs on 32-bit systems.

and

commit 9155cfca75a207bce0fad945f32f0cb33eab8c4e
Author: Eric Anholt <eric@anholt.net>
Date:   Thu Jul 9 14:16:07 2009 -0700

    Fix lols in trying to figure out whether this is a 64-bit build.
Comment 5 Li Peng 2009-07-15 20:24:03 UTC
(In reply to comment #4)
> I wonder if this is a dupe of #22601...  If so, you'd need:
> 
> commit 40e7c9505265823786cf730214db84812a5e494e
> Author: Eric Anholt <eric@anholt.net>
> Date:   Mon Jul 6 11:54:50 2009 -0700
> 
>     Refuse to allocate giant BOs on 32-bit systems.
> 
> and
> 
> commit 9155cfca75a207bce0fad945f32f0cb33eab8c4e
> Author: Eric Anholt <eric@anholt.net>
> Date:   Thu Jul 9 14:16:07 2009 -0700
> 
>     Fix lols in trying to figure out whether this is a 64-bit build.
> 

Yes, I applied the above two fixes and this issue is gone. Thanks very much Jesse. Will add them to moblin asap.
Comment 6 Jesse Barnes 2009-07-16 09:40:14 UTC
Thanks for confirming.