| Field | Value |
|---|---|
| Summary | Xserver crash when running x11perf -shmputxy10 test case |
| Product | xorg |
| Component | Server/General |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | medium |
| Version | 7.4 (2008.09) |
| Hardware | x86 (IA32) |
| OS | All |
| Whiteboard | |
| i915 platform | |
| i915 features | |
| Reporter | Jay Cotton <jay.cotton> |
| Assignee | Xorg Project Team <xorg-team> |
| QA Contact | Xorg Project Team <xorg-team> |
| CC | ajax, alan.coopersmith, eich, mat, maxi, peter.hutterer, sndirsch |
| Bug Depends on | |
| Bug Blocks | 23613 |
| Attachments | |
I can reproduce on git master versions of xorg-server & libpixman from today. Building debuggable libpixman shows that pixman is striding out of the shared memory pixmap:

```text
t@1 (l@1) signal SEGV (no mapping at the fault address) in pixman_blt_mmx at line 3054 in file "pixman-mmx.c"
 3054
(dbx) where
current thread: t@1
=>[1] pixman_blt_mmx(src_bits = 0xfd2d3000, dst_bits = 0xf9200000, src_stride = 2400, dst_stride = 6400, src_bpp = 32, dst_bpp = 32, src_x = 574, src_y = 504, dst_x = 577, dst_y = 507, width = 10, height = 9), line 3054 in "pixman-mmx.c"
  [2] mmx_blt(imp = 0x83b2e50, src_bits = 0xfd2d3000, dst_bits = 0xf9200000, src_stride = 600, dst_stride = 1600, src_bpp = 32, dst_bpp = 32, src_x = 574, src_y = 504, dst_x = 577, dst_y = 507, width = 10, height = 10), line 3347 in "pixman-mmx.c"
  [3] _pixman_implementation_blt(imp = 0x83b2e50, src_bits = 0xfd2d3000, dst_bits = 0xf9200000, src_stride = 600, dst_stride = 1600, src_bpp = 32, dst_bpp = 32, src_x = 574, src_y = 504, dst_x = 577, dst_y = 507, width = 10, height = 10), line 250 in "pixman-implementation.c"
  [4] pixman_blt(src_bits = 0xfd2d3000, dst_bits = 0xf9200000, src_stride = 600, dst_stride = 1600, src_bpp = 32, dst_bpp = 32, src_x = 574, src_y = 504, dst_x = 577, dst_y = 507, width = 10, height = 10), line 236 in "pixman.c"
  [5] fbCopyNtoN(0x86eddd8, 0x86eb740, 0x86ed918, 0x8047230, 0x1, 0xfffffffd, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, 0x8275edd), at 0xfe57d6c9
  [6] miDoCopy(0x86eddd8, 0x86eb740, 0x86ed918, 0x23e, 0x1f8, 0xa, 0xa, 0x23e, 0x1f8, 0xfe57d33c, 0x0, 0x0, 0x0), at 0x82768dc
  [7] fbCopyArea(0x86eddd8, 0x86eb740, 0x86ed918, 0x23e, 0x1f8, 0xa, 0xa, 0x23e, 0x1f8, 0xfe558534, 0x80472f8, 0xfe4efa4e), at 0xfe57dfcc
  [8] XAACopyAreaFallback(0x86eddd8, 0x86eb740, 0x86ed918, 0x23e, 0x1f8, 0xa, 0xa, 0x23e, 0x1f8, 0xfe55853c, 0x8047358, 0xfe4f0e68), at 0xfe4efaaf
  [9] XAACopyArea(0x86eddd8, 0x86eb740, 0x86ed918, 0x23e, 0x1f8, 0xa, 0xa, 0x23e, 0x1f8, 0x80473c8, 0x80473cc, 0xfe5430ce), at 0xfe4f1164
  [10] cwCopyArea(0x86eddd8, 0x86eb740, 0x86ed918, 0x23e, 0x1f8, 0xa, 0xa, 0x23e, 0x1f8, 0x83303b4, 0x0, 0x81b3bbd), at 0xfe5431b0
  [11] damageCopyArea(0x86eddd8, 0x86eb740, 0x86ed918, 0x23e, 0x1f8, 0xa, 0xa, 0x23e, 0x1f8), at 0x81b4376
  [12] ProcShmPutImage(0x86e92d8, 0x0, 0x0, 0x818a8b1), at 0x8189f89
  [13] ProcShmDispatch(0x86e92d8, 0x8a, 0x80477c8, 0x809aad2), at 0x818ad5f
  [14] Dispatch(0x0, 0x83048a0, 0x0, 0x83331b0, 0x83331b4, 0x8332ad0), at 0x809ab83
  [15] main(0x4, 0x80478e4, 0x80478f8, 0x807f36f), at 0x80d8ddc
(dbx) print d
d = 0xf9518c04 "ÿÿÿ"
(dbx) print s
s = 0xfd3fadf8 "<bad address 0xfd3fadf8>"
(dbx) print * (char *) 0xfd2d3000
*((char *) 0xfd2d3000U) = '\0'
(dbx) pmap -xF 1911
1911:   /usr/X11R7/bin/Xorg :0 -config /etc/X11/xorg.conf-1.7
 Address  Kbytes     RSS    Anon  Locked Mode   Mapped File
[....]
FD2D3000    1072    1072       -       - r-xs-  [ shmid=0x8 ]
FD3E0000      16      16       -       - r-x--  kbd_drv.so
FD3F3000      12      12       4       - rwx--  kbd_drv.so
FD400000   16384   16384       -       - rw-s-
```

The input to pixman_blt() seems to be wrong:

```text
src_bits is 0xfd2d3000
src_y is 504
stride is 600 (given in number of uint32_t)
```

so the first source pixel is at

```text
>>> hex (0xfd2d3000 + 504 * 4 * 600)
'0xfd3fa500L'
```

which is outside the mapping. The blt routine works left-to-right, so it starts with the last pixel of the first line:

```text
>>> hex (0xfd2d3000 + 504 * 4 * 600 + 574 * 4)
'0xfd3fadf8L'
```

which is the faulting address.

Nothing jumps out at me from looking at the fbCopyNtoN() source though, so I'd guess the bug is somewhere in the shared memory extension.

This change to shm.c seems to fix the problem.

--- /export/home/XW_NV_MWS/open-src/xserver/xorg/build_32/xorg-server-1.6.3/Xext/shm.c Mon Aug 17 16:29:46 2009
+++ shm.c Tue Aug 18 14:35:39 2009
@@ -499,8 +499,8 @@ char *data) { PixmapPtr pPixmap; - - pPixmap = GetScratchPixmapHeader(dst->pScreen, w, h, depth, + + pPixmap = GetScratchPixmapHeader(dst->pScreen, sw, sh, depth, BitsPerPixel(depth), PixmapBytePad(w, depth), data);

---

If the fix is correct, the PixmapBytePad() call in there probably also needs to be changed to use sw instead of w - does that still work?

---

It would be interesting to see the parameters passed to doShmPutImage() when the problem occurs.

---

```text
#6  0x080d3850 in KdBacktrace (signum=11) at ../../../../hw/kdrive/src/kdrive.c:1313
#7  <signal handler called>
#8  pixman_blt_sse2 (src_bits=<value optimized out>, dst_bits=<value optimized out>, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman-sse2.c:5330
#9  0x0409d740 in sse2_blt (imp=0x48fc3d0, src_bits=0x541a000, dst_bits=0x4af1000, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman-sse2.c:5729
#10 0x04065223 in _pixman_implementation_blt (imp=0x48fc3d0, src_bits=0x541a000, dst_bits=0x4af1000, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman-implementation.c:250
#11 0x0408a4b8 in pixman_blt (src_bits=0x541a000, dst_bits=0x4af1000, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman.c:236
#12 0x080e1010 in fbCopyNtoN (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0, pbox=0xbeaa2368, nbox=0, dx=573, dy=573, reverse=0, upsidedown=0, bitplane=0, closure=0x0) at ../../fb/fbcopy.c:64
#13 0x080e1cb0 in fbCopyRegion (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0, pDstRegion=0xbeaa2368, dx=573, dy=573, copyProc=0x80e0de0 <fbCopyNtoN>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:396
#14 0x080e2159 in fbDoCopy (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0,
```
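Review bot: the hunk shrinks the scratch pixmap header to sw x sh but shows no matching change to where `data` points or to the coordinates of the copy that follows it, so unless that copy already starts at (0, 0), a source rectangle at (sx, sy) would now be clipped against a sw x sh pixmap and dropped instead of copied. If `data` is instead advanced to the byte of pixel (sx, sy), the stride argument must stay `PixmapBytePad(w, depth)`, since consecutive rows in the segment are still w pixels apart; switching it to sw, as the follow-up wonders, is only correct if the bytes are repacked first. Either way, `sx + sw <= w` and `sy + sh <= h` need to be verified before the header is built, because all four values come from the client request. Two smaller points: the whitespace-only `-`/`+` lines add noise to the hunk, and the header still describes the segment as ZPixmap bytes at `BitsPerPixel(depth)`, which the `format` parameter of doShmPutImage does not guarantee; a non-ZPixmap request should not reach this code path at all.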
```text
xIn=576, yIn=576, widthSrc=10, heightSrc=10, xOut=3, yOut=3, copyProc=0x80e0de0 <fbCopyNtoN>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:596
#15 0x080e22bf in fbCopyArea (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0, xIn=576, yIn=576, widthSrc=10, heightSrc=10, xOut=0, yOut=0) at ../../fb/fbcopy.c:634
#16 0x081c969d in damageCopyArea (pSrc=0x51cec30, pDst=0x50dd3a0, pGC=0x51c1ed0, srcx=576, srcy=576, width=10, height=10, dstx=0, dsty=0) at ../../../miext/damage/damage.c:949
#17 0x08134171 in doShmPutImage (dst=0x50dd3a0, pGC=0x51c1ed0, depth=24, format=1, w=600, h=600, sx=576, sy=576, sw=10, sh=10, dx=0, dy=0, data=0x541a000 "") at ../../Xext/shm.c:509
#18 0x0813599d in ProcShmPutImage (client=0x50dba18) at ../../Xext/shm.c:865
#19 0x08136960 in ProcShmDispatch (client=0x50dba18) at ../../Xext/shm.c:1119
#20 0x080b3779 in Dispatch () at ../../dix/dispatch.c:456
#21 0x0809ab46 in main (argc=8, argv=0xbeaa2734, envp=0xbeaa2758) at ../../dix/main.c:397

#7  <signal handler called>
No symbol table info available.
#8  pixman_blt_sse2 (src_bits=<value optimized out>, dst_bits=<value optimized out>, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman-sse2.c:5330
        w = 40
        s = (uint8_t *) 0x556c100 <Address 0x556c100 out of bounds>
        d = (uint8_t *) 0x4af400c ""
        src_bytes = (uint8_t *) 0x556c100 <Address 0x556c100 out of bounds>
        dst_bytes = (uint8_t *) 0x4af400c ""
        byte_width = 40
#9  0x0409d740 in sse2_blt (imp=0x48fc3d0, src_bits=0x541a000, dst_bits=0x4af1000, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman-sse2.c:5729
No locals.
#10 0x04065223 in _pixman_implementation_blt (imp=0x48fc3d0, src_bits=0x541a000, dst_bits=0x4af1000, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman-implementation.c:250
No locals.
#11 0x0408a4b8 in pixman_blt (src_bits=0x541a000, dst_bits=0x4af1000, src_stride=600, dst_stride=1024, src_bpp=32, dst_bpp=32, src_x=576, src_y=576, dst_x=3, dst_y=3, width=10, height=10) at pixman.c:236
No locals.
#12 0x080e1010 in fbCopyNtoN (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0, pbox=0xbeaa2368, nbox=0, dx=573, dy=573, reverse=0, upsidedown=0, bitplane=0, closure=0x0) at ../../fb/fbcopy.c:64
        alu = 3 '\003'
        pm = 4294967295
        src = (FbBits *) 0x541a000
        srcStride = 600
        srcBpp = 32
        srcXoff = 0
        srcYoff = 0
        dst = (FbBits *) 0x4af1000
        dstStride = 1024
        dstBpp = 32
        dstXoff = 0
        dstYoff = 0
#13 0x080e1cb0 in fbCopyRegion (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0, pDstRegion=0xbeaa2368, dx=573, dy=573, copyProc=0x80e0de0 <fbCopyNtoN>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:396
        careful = 0
        reverse = 0
        upsidedown = 0
        pbox = (BoxPtr) 0xbeaa2368
        nbox = 1
        pboxNew1 = (BoxPtr) 0x0
        pboxNew2 = (BoxPtr) 0x0
        pboxBase = (BoxPtr) 0x471c930
        pboxNext = (BoxPtr) 0x0
        pboxTmp = (BoxPtr) 0x49bc4c8
#14 0x080e2159 in fbDoCopy (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0, xIn=576, yIn=576, widthSrc=10, heightSrc=10, xOut=3, yOut=3, copyProc=0x80e0de0 <fbCopyNtoN>, bitPlane=0, closure=0x0) at ../../fb/fbcopy.c:596
        prgnSrcClip = (RegionPtr) 0x0
        freeSrcClip = 0
        prgnExposed = (RegionPtr) 0x0
        rgnDst = {extents = {x1 = 3, y1 = 3, x2 = 13, y2 = 13}, data = 0x0}
        dx = 573
        dy = 573
        numRects = 1
        box_x1 = 3
        box_y1 = 3
        box_x2 = 13
        box_y2 = 13
        fastSrc = 1
        fastDst = 1
        fastExpose = 1
#15 0x080e22bf in fbCopyArea (pSrcDrawable=0x51cec30, pDstDrawable=0x50dd3a0, pGC=0x51c1ed0, xIn=576, yIn=576, widthSrc=10, heightSrc=10, xOut=0, yOut=0) at ../../fb/fbcopy.c:634
        copy = (fbCopyProc) 0x80e0de0 <fbCopyNtoN>
#16 0x081c969d in damageCopyArea (pSrc=0x51cec30, pDst=0x50dd3a0, pGC=0x51c1ed0, srcx=576, srcy=576, width=10, height=10, dstx=0, dsty=0) at ../../../miext/damage/damage.c:949
        ret = (RegionPtr) 0x8291ff4
        pGCPriv = (DamageGCPrivPtr) 0x51c2008
        oldFuncs = (GCFuncs *) 0x8299360
#17 0x08134171 in doShmPutImage (dst=0x50dd3a0, pGC=0x51c1ed0, depth=24, format=1, w=600, h=600, sx=576, sy=576, sw=10, sh=10, dx=0, dy=0, data=0x541a000 "") at ../../Xext/shm.c:509
        pPixmap = (PixmapPtr) 0x51cec30
#18 0x0813599d in ProcShmPutImage (client=0x50dba18) at ../../Xext/shm.c:865
        pGC = (GCPtr) 0x51c1ed0
        pDraw = (DrawablePtr) 0x50dd3a0
        length = 1824
        shmdesc = (ShmDescPtr) 0x51cea60
        stuff = (xShmPutImageReq *) 0x50dbca0
#19 0x08136960 in ProcShmDispatch (client=0x50dba18) at ../../Xext/shm.c:1119
        stuff = (xReq *) 0x50dbca0
#20 0x080b3779 in Dispatch () at ../../dix/dispatch.c:456
        clientReady = (int *) 0x50af208
        result = 0
        client = (ClientPtr) 0x50dba18
        nready = 0
        icheck = (HWEventQueuePtr *) 0x82c2fcc
        start_tick = 5380
#21 0x0809ab46 in main (argc=8, argv=0xbeaa2734, envp=0xbeaa2758) at ../../dix/main.c:397
        i = 1
        alwaysCheckForInput = {0, 1}
gdb> f 18
#18 0x0813599d in ProcShmPutImage (client=0x50dba18) at ../../Xext/shm.c:865
gdb> p *stuff
$24 = {reqType = 130 '\202', shmReqType = 3 '\003', length = 10, drawable = 4194305, gc = 4194308, totalWidth = 600, totalHeight = 600, srcX = 576, srcY = 576, srcWidth = 10, srcHeight = 10, dstX = 0, dstY = 0, depth = 24 '\030', format = 1 '\001', sendEvent = 0 '\0', bpad = 0 '\0', shmseg = 4194312, offset = 0}
gdb> p *shmdesc
$25 = {next = 0x0, shmid = 427229334, refcnt = 1, addr = 0x541a000 "", writable = 0, size = 1094400}
gdb> p (double)shmdesc->size / 600 / 600
$26 = 3.04
gdb> p (double)shmdesc->size / 2400
$27 = 456
gdb> p (double)shmdesc->size / 1800
$28 = 608
gdb> f 17
#17 0x08134171 in doShmPutImage (dst=0x50dd3a0, pGC=0x51c1ed0, depth=24, format=1, w=600, h=600, sx=576, sy=576, sw=10, sh=10, dx=0, dy=0, data=0x541a000 "") at ../../Xext/shm.c:509
gdb> p *pPixmap
$29 = {drawable = {type = 1 '\001', class = 0 '\0', depth = 24 '\030', bitsPerPixel = 32 ' ', id = 0, x = 0, y = 0, width = 600, height = 600, pScreen = 0x4717ce8, serialNumber = 20}, devPrivates = 0x0, refcnt = 1, devKind = 2400, devPrivate = {ptr = 0x541a000, val = 88186880, uval = 88186880, fptr = 0x541a000}, screen_x = 0, screen_y = 0, usage_hint = 0}
```

As you can see, the size of the shm segment is about 600x600x24 bits, so we have 24-bit pixmap data in there. The bitsPerPixel of our scratch pixmap is 32, though. I assume this is the reason for the invalid memory reads.

With 16 bit color depth, the xserver does not crash but the x11perf output is distorted.

---

This bug was introduced by:

```text
commit ee7c684f21d220d5e046bab31ae617a7d64d60f6
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Aug 27 16:05:47 2008 -0400

    Reimplement ShmPutImage.
```

Reverting the changes to Xext/shm* (I didn't bother to resolve the merge conflicts in exa/*) lets -shmputxy10 finish in Xephyr without valgrind moaning and without graphical glitches.

---

Created attachment 29650 [details] [review]
My test patch that reverts the faulty changes

Just in case someone wants to test this. No idea whether EXA still works, though. :)

---

Removing from 7.5 tracker, the 1.7 tracker is enough.

---

Created attachment 29667 [details] [review]
Possible fix

Does this patch work? It just uses the old code for the non-ZPixmap case. There might be a better solution though.

---

(In reply to comment #8)
> Does this patch work? It just uses the old code for the non-ZPixmap case. There
> might be a better solution though.

server doesn't crash anymore with this patch applied. I think this is good enough as a workaround for now - please push if you think the patch is ready.

---

(In reply to comment #9)
> I think this is good enough as a workaround for now - please push if you think
> the patch is ready.

Thanks, but I'd like to know Adam's opinion first. Ajax - any comments on the patch?

---

(In reply to comment #8)
> Created an attachment (id=29667) [details]
> Possible fix
>
> Does this patch work? It just uses the old code for the non-ZPixmap case. There
> might be a better solution though.

Looks fine to me, ACK. Michel, please push this to master and I'll cherry-pick it for 1.7.

---

Fix pushed to master as 11817a881cb93a89788105d1e575a468f2a8d27c .
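The two debugging comments above do the same arithmetic by hand: the dbx comment adds row and pixel offsets to the segment base to land on the faulting address, and the gdb comment compares shmdesc->size with what the 32 bpp scratch pixmap implies. The block below is an added example written for this page, not code from the bug report, from xorg-server or from pixman; the function names and the 32-bit row padding are assumptions made for the example. It reproduces the dbx numbers (base 0xfd2d3000, 2400-byte rows, 4 bytes per pixel, source pixel (574, 504), against the 1072 KB mapping pmap reported) and then reads the gdb dump as an XYPixmap request (format=1, depth 24, 600x600): 24 planes of 1-bit rows padded to 32 bits come to 76 bytes per row and 1094400 bytes in total, which is exactly shmdesc->size, and 76 * 24 = 1824 matches the `length` local in ProcShmPutImage. The same 10x10 rectangle at (576, 576) is inside the segment under that layout but not when the bytes are walked as a 32 bpp ZPixmap with the scratch pixmap's 2400-byte devKind.

```c
/* Added example, not code from the bug report, xorg-server or pixman:
 * bounds checks for the source bytes a ShmPutImage copy would read,
 * worked through with the numbers in the comments above. The function
 * names and the 32-bit scanline padding are assumptions for this example. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes per scanline of one plane of an XY image (1 bit per pixel),
 * rows padded to 32 bits; 600 pixels give 76 bytes. */
static uint64_t xy_row_bytes(unsigned width)
{
    return ((uint64_t)width + 31) / 32 * 4;
}

/* Size of one plane of an XYPixmap image. */
static uint64_t xy_plane_bytes(unsigned width, unsigned height)
{
    return xy_row_bytes(width) * height;
}

/* Byte offset of pixel (x, y) in a packed (Z) image with the given row stride. */
static uint64_t z_byte_offset(uint64_t stride_bytes, unsigned bytes_per_pixel,
                              unsigned x, unsigned y)
{
    return (uint64_t)y * stride_bytes + (uint64_t)x * bytes_per_pixel;
}

/* 1 if a w x h copy at (x, y), read as packed pixels, stays inside a segment
 * of seg_size bytes (the request's offset field, 0 in this bug, would be
 * subtracted from seg_size first); 0 if the copy would read past the end. */
static int z_rect_in_segment(uint64_t seg_size, uint64_t stride_bytes,
                             unsigned bytes_per_pixel,
                             unsigned x, unsigned y, unsigned w, unsigned h)
{
    uint64_t end;
    if (w == 0 || h == 0)
        return 1;
    end = z_byte_offset(stride_bytes, bytes_per_pixel, x, y + h - 1)
          + (uint64_t)w * bytes_per_pixel;
    return end <= seg_size;
}

/* Same check for an XYPixmap of `depth` planes, each total_w x total_h:
 * the last byte read is in the last plane, last row, byte of pixel x+w-1. */
static int xy_rect_in_segment(uint64_t seg_size, unsigned total_w,
                              unsigned total_h, unsigned depth,
                              unsigned x, unsigned y, unsigned w, unsigned h)
{
    uint64_t end;
    if (w == 0 || h == 0 || depth == 0)
        return 1;
    end = (uint64_t)(depth - 1) * xy_plane_bytes(total_w, total_h)
          + (uint64_t)(y + h - 1) * xy_row_bytes(total_w)
          + (x + w - 1) / 8 + 1;
    return end <= seg_size;
}

int main(void)
{
    /* dbx report: shm mapping at 0xfd2d3000, 1072 KB according to pmap;
     * pixman_blt walked 2400-byte rows, 4 bytes per pixel, from (574, 504). */
    uint64_t base = 0xfd2d3000ULL, mapped = 1072ULL * 1024;
    uint64_t off = z_byte_offset(2400, 4, 574, 504);
    /* gdb report: format=1 (XYPixmap), depth 24, 600x600, shmdesc->size
     * 1094400, scratch pixmap devKind 2400 at 32 bpp. */
    uint64_t planes = 24 * xy_plane_bytes(600, 600);

    printf("first source pixel at 0x%llx, %s the %llu-byte mapping\n",
           (unsigned long long)(base + off),
           off < mapped ? "inside" : "beyond", (unsigned long long)mapped);
    printf("24 planes of 600x600 bits = %llu bytes (segment is 1094400)\n",
           (unsigned long long)planes);
    printf("10x10 at (576,576) as XYPixmap: %s\n",
           xy_rect_in_segment(1094400, 600, 600, 24, 576, 576, 10, 10)
               ? "in bounds" : "out of bounds");
    printf("same rectangle via the 32 bpp scratch pixmap: %s\n",
           z_rect_in_segment(1094400, 2400, 4, 576, 576, 10, 10)
               ? "in bounds" : "out of bounds");
    return 0;
}
```

The check a server wants before it builds a scratch pixmap header over client memory is the one these two functions perform: size the image from the request's own format, width, height and depth, require that whole extent to fit in the segment behind the request's offset, and only then hand the bytes to the copy path. Describing XYPixmap bytes as a 32 bpp ZPixmap, as the dumped header does, changes the row stride from 76 bytes per plane to 2400 and moves every pixel past (456, 456) outside the segment.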
Start the test and after a minute or so the server restarts or segvs. The log file is large but not remarkable (see attachment).

The backtrace is:

```text
mdb: stop on SIGSEGV
mdb: target stopped at:
libpixman-1.so.0`pixmanBltsse2+0x180:   movl   (%r8),%ecx
> $c
libpixman-1.so.0`pixmanBltsse2+0x180()
libfb.so`fbCopyNtoN+0x1bb()
libfb.so`fbCopyRegion+0x3ce()
libfb.so`fbDoCopy+0x39b()
libfb.so`fbCopyArea+0x33()
libxaa.so`XAACopyAreaFallback+0x10d()
libxaa.so`cwCopyArea+0xe6()
damageCopyArea+0x1a9()
ProcShmPutImage+0x3e4()
Dispatch+0x81a()
main+0x66f()
```

The bug is asserted in the DDX code, but it is seen in many DDXen.