FS#43937 - [xorg-server] Server crashes when drawing filled arcs that open up or down with xlib
Attached to Project:
Arch Linux
Opened by Austin (austn3) - Tuesday, 24 February 2015, 22:01 GMT
Last edited by Laurent Carlier (lordheavy) - Tuesday, 14 April 2015, 12:28 GMT
Details
Description: I'm taking an online AI class where the first project was to modify a python pacman game. The game would crash the xserver whenever it tried to draw pacman facing up or down. Multiple Arch users reported this bug as well across multiple desktop environments and at least xf86-video-intel (HD4000) and xf86-video-nouveau (GeForce 6100). Python was using the Tk interface. This Tk script will cause the crash. (Run with "wish <file name>". It will work as expected with -start 10 or -start 190 but will crash with -start 100 or -start 280.) I was able to run an XCB program that drew arcs that open up and down as expected, but I don't know if that means anything.

#!/usr/bin/wish
canvas .myCanvas -background red -width 100 -height 100
pack .myCanvas
.myCanvas create arc 10 10 80 80 -fill yellow -start 100 -extent 340

----- Xorg crash log -----
(EE) [mi] EQ overflow continuing. 1000 events have been dropped.
(EE) [mi] No further overflow reports will be reported until the clog is cleared.
(EE)
(EE) Backtrace:
(EE) 0: /usr/lib/xorg-server/Xorg (QueuePointerEvents+0x52) [0x450382]
(EE) 1: /usr/lib/xorg/modules/input/evdev_drv.so (_init+0x2ef7) [0x7f9b2be02977]
(EE) 2: /usr/lib/xorg/modules/input/evdev_drv.so (_init+0x363d) [0x7f9b2be03c3d]
(EE) 3: /usr/lib/xorg-server/Xorg (DPMSSupported+0xe8) [0x476c98]
(EE) 4: /usr/lib/xorg-server/Xorg (xf86SerialModemClearBits+0x277) [0x4a05a7]
(EE) 5: /usr/lib/libc.so.6 (__restore_rt+0x0) [0x7f9b33b6453f]
(EE) 6: /usr/lib/libpthread.so.0 (__pthread_once_slow+0xc2) [0x7f9b33921e82]
(EE) 7: /usr/lib/libc.so.6 (backtrace+0x9c) [0x7f9b33c2636c]
(EE) 8: /usr/lib/libc.so.6 (backtrace_and_maps+0x2e) [0x7f9b33b50b25]
(EE) 9: /usr/lib/libc.so.6 (__libc_message+0x2ce) [0x7f9b33ba298e]
(EE) 10: /usr/lib/libc.so.6 (malloc_printerr+0x9e) [0x7f9b33ba7dee]
(EE) 11: /usr/lib/libc.so.6 (_int_malloc+0x3af) [0x7f9b33ba964f]
(EE) 12: /usr/lib/libc.so.6 (__libc_malloc+0x6e) [0x7f9b33bab81e]
(EE) 13: /lib64/ld-linux-x86-64.so.2 (_dl_scope_free+0x8c) [0x7f9b35a4185c]
(EE) 14: /lib64/ld-linux-x86-64.so.2 (_dl_map_object_deps+0xc8f) [0x7f9b35a3c7ef]
(EE) 15: /lib64/ld-linux-x86-64.so.2 (dl_open_worker+0xff) [0x7f9b35a424cf]
(EE) 16: /lib64/ld-linux-x86-64.so.2 (_dl_catch_error+0x74) [0x7f9b35a3e0a4]
(EE) 17: /lib64/ld-linux-x86-64.so.2 (_dl_open+0xc3) [0x7f9b35a41e53]
(EE) 18: /usr/lib/libc.so.6 (do_dlopen+0x3d) [0x7f9b33c4e1fd]
(EE) 19: /lib64/ld-linux-x86-64.so.2 (_dl_catch_error+0x74) [0x7f9b35a3e0a4]
(EE) 20: /usr/lib/libc.so.6 (dlerror_run+0x2f) [0x7f9b33c4e28f]
(EE) 21: /usr/lib/libc.so.6 (__libc_dlopen_mode+0x31) [0x7f9b33c4e301]
(EE) 22: /usr/lib/libc.so.6 (init+0x15) [0x7f9b33c26255]
(EE) 23: /usr/lib/libpthread.so.0 (__pthread_once_slow+0x7b) [0x7f9b33921e3b]
(EE) 24: /usr/lib/libc.so.6 (backtrace+0x9c) [0x7f9b33c2636c]
(EE) 25: /usr/lib/libc.so.6 (backtrace_and_maps+0x2e) [0x7f9b33b50b25]
(EE) 26: /usr/lib/libc.so.6 (__libc_message+0x2ce) [0x7f9b33ba298e]
(EE) 27: /usr/lib/libc.so.6 (malloc_printerr+0x9e) [0x7f9b33ba7dee]
(EE) 28: /usr/lib/libc.so.6 (_int_free+0x12b) [0x7f9b33ba85cb]
(EE) 29: /usr/lib/xorg-server/Xorg (miPolyFillArc+0x320) [0x574dc0]
(EE) 30: /usr/lib/xorg/modules/drivers/intel_drv.so (_init+0x3a2f4) [0x7f9b2e77a374]
(EE) 31: /usr/lib/xorg-server/Xorg (DamageRegionAppend+0x1597) [0x51ba57]
(EE) 32: /usr/lib/xorg-server/Xorg (SendGraphicsExpose+0xd64) [0x436114]
(EE) 33: /usr/lib/xorg-server/Xorg (SendErrorToClient+0x2f7) [0x438a97]
(EE) 34: /usr/lib/xorg-server/Xorg (remove_fs_handlers+0x41b) [0x43cbcb]
(EE) 35: /usr/lib/libc.so.6 (__libc_start_main+0xf0) [0x7f9b33b51800]
(EE) 36: /usr/lib/xorg-server/Xorg (_start+0x29) [0x427039]
(EE) 37: ? (?+0x29) [0x29]
(EE)
Closed by Laurent Carlier (lordheavy)
Tuesday, 14 April 2015, 12:28 GMT
Reason for closing: Fixed
Additional comments about closing: xorg-server-1.17.1-5
XFillArc(dpy, w, gc, 10, 10, 180, 180, 100 << 6, 340 << 6);
Changing 100 to 10 in that program will work as expected.
g++ prog-2.cc -lX11 -o prog2
This bug seems to be driver-independent; it can be reproduced with both the Mesa AMD and the proprietary Nvidia driver.
It locked up my computer, so I tried with xvnc and I found out that /usr/bin/Xvnc(miPolyFillArc+0x320) crashes.
Breakpoint 1, miPolyFillArc (pDraw=<optimized out>, pGC=<optimized out>, narcs_all=<optimized out>, parcs=<optimized out>)
at mifillarc.c:694
694 free (points);
4: narcs_all = <optimized out>
3: points = <optimized out>
2: pts = <optimized out>
1: nspans = <optimized out>
(gdb) continue
Continuing.
Program received signal SIGABRT, Aborted.
0x00007fc0e338f4b7 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007fc0e338f4b7 in raise () from /usr/lib/libc.so.6
#1 0x00007fc0e339088a in abort () from /usr/lib/libc.so.6
#2 0x00007fc0e33cd993 in __libc_message () from /usr/lib/libc.so.6
#3 0x00007fc0e33d2dee in malloc_printerr () from /usr/lib/libc.so.6
#4 0x00007fc0e33d35cb in _int_free () from /usr/lib/libc.so.6
#5 0x000000000059c070 in miPolyFillArc (pDraw=<optimized out>, pGC=<optimized out>, narcs_all=<optimized out>,
parcs=<optimized out>) at mifillarc.c:694
#6 0x00000000004c33e7 in damagePolyFillArc (pDrawable=0x2c73730, pGC=0x2924d10, nArcs=1, pArcs=0x2b2f6c0) at damage.c:1229
#7 0x000000000055d1a4 in ProcPolyFillArc (client=0x2833640) at dispatch.c:1906
#8 0x00000000005606b7 in Dispatch () at dispatch.c:432
#9 0x00000000005647ff in dix_main (argc=17, argv=0x7ffface76938, envp=<optimized out>) at main.c:298
#10 0x00007fc0e337c800 in __libc_start_main () from /usr/lib/libc.so.6
#11 0x0000000000446f59 in _start ()
690 nspans = pts - points;
2: points = (DDXPointPtr) 0x31a8150
1: nspans = 39
(gdb)
Continuing.
Program received signal SIGABRT, Aborted.
0x00007ff2b62274b7 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007ff2b62274b7 in raise () from /usr/lib/libc.so.6
#1 0x00007ff2b622888a in abort () from /usr/lib/libc.so.6
#2 0x00007ff2b6265993 in __libc_message () from /usr/lib/libc.so.6
#3 0x00007ff2b626adee in malloc_printerr () from /usr/lib/libc.so.6
#4 0x00007ff2b626b5cb in _int_free () from /usr/lib/libc.so.6
#5 0x00000000006114f7 in miPolyFillArc (pDraw=0x30df900, pGC=0x2dc2200, narcs_all=1, parcs=0x2fcf5c0) at mifillarc.c:694
#6 0x00000000004f71f2 in damagePolyFillArc (pDrawable=0x30df900, pGC=0x2dc2200, nArcs=1, pArcs=0x2fcf5c0) at damage.c:1229
#7 0x00000000005b8313 in ProcPolyFillArc (client=0x2d998e0) at dispatch.c:1906
#8 0x00000000005b4276 in Dispatch () at dispatch.c:432
#9 0x00000000005c2241 in dix_main (argc=17, argv=0x7ffd693bdc68, envp=0x7ffd693bdcf8) at main.c:298
#10 0x0000000000560091 in main (argc=17, argv=0x7ffd693bdc68, envp=0x7ffd693bdcf8) at stubmain.c:34
(gdb) frame 5
#5 0x00000000006114f7 in miPolyFillArc (pDraw=0x30df900, pGC=0x2dc2200, narcs_all=1, parcs=0x2fcf5c0) at mifillarc.c:694
694 free (points);
(gdb) display points
3: points = (DDXPointPtr) 0x31a8150
(gdb)
This is a bit earlier in the execution (points differ):
Breakpoint 1, miPolyFillArc (pDraw=0x30df900, pGC=0x2dc2200, narcs_all=1, parcs=0x2fcf580) at mifillarc.c:690
690 nspans = pts - points;
(gdb) bt
#0 miPolyFillArc (pDraw=0x30df900, pGC=0x2dc2200, narcs_all=1, parcs=0x2fcf580) at mifillarc.c:690
#1 0x00000000004f71f2 in damagePolyFillArc (pDrawable=0x30df900, pGC=0x2dc2200, nArcs=1, pArcs=0x2fcf580) at damage.c:1229
#2 0x00000000005b8313 in ProcPolyFillArc (client=0x2d998e0) at dispatch.c:1906
#3 0x00000000005b4276 in Dispatch () at dispatch.c:432
#4 0x00000000005c2241 in dix_main (argc=17, argv=0x7ffd693bdc68, envp=0x7ffd693bdcf8) at main.c:298
#5 0x0000000000560091 in main (argc=17, argv=0x7ffd693bdc68, envp=0x7ffd693bdcf8) at stubmain.c:34
(gdb) display nspans
1: nspans = 41
(gdb) display points
2: points = (DDXPointPtr) 0x31a8010
(gdb) next
691 if (nspans)
2: points = (DDXPointPtr) 0x31a8010
1: nspans = 40
(gdb)
692 (*pGC->ops->FillSpans) (pDraw, pGC, nspans, points,
2: points = (DDXPointPtr) 0x31a8010
1: nspans = 40
(gdb)
694 free (points);
2: points = (DDXPointPtr) 0x31a8010
1: nspans = 40
(gdb)
696 parcs += narcs;
2: points = (DDXPointPtr) 0x31a8010
1: nspans = 40
(gdb)
697 narcs_all -= narcs;
2: points = (DDXPointPtr) 0x31a8010
1: nspans = 40
(gdb)
650 while (narcs_all > 0) {
(gdb)
699 }
(gdb)
damagePolyFillArc (pDrawable=0x30df900, pGC=0x2dc2200, nArcs=1, pArcs=0x2fcf580) at damage.c:1230
1230 damageRegionProcessPending(pDrawable);
(gdb)
1231 DAMAGE_GC_OP_EPILOGUE(pGC, pDrawable);
(gdb)
1232 }
(gdb) cont
Continuing.
This patch solved it for me
http://marc.info/?l=freedesktop-xorg-devel&m=142850468414906&w=3
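An added illustration of the failure mode the backtraces show (example code written for this page; it is not the X server's mifillarc.c, not the linked patch, and not a diagnosis of the actual defect): a span buffer sized by an optimistic estimate is overrun while scan-converting a pie slice whose gap faces up, and glibc only notices the damage when free(points) runs. The Span type, the "one span per scanline" estimate and the radius 20 are hypothetical; fill_arc_spans checks capacity before each write, so the shortfall is reported instead.

```cpp
#include <cmath>
#include <cstdio>
#include <vector>
// A horizontal run of pixels, standing in for the point/width pairs that
// miPolyFillArc hands to FillSpans (hypothetical type for this example).
struct Span { int x, y, width; };

// X convention: degrees counter-clockwise from 3 o'clock, dy measured upward.
// True if pixel (dx, dy) lies in the sector [start, start + extent].
static bool in_slice(int dx, int dy, int start, int extent) {
    double a = std::atan2(double(dy), double(dx)) * 180.0 / 3.14159265358979323846;
    if (a < 0) a += 360.0;
    double rel = a - start;
    if (rel < 0) rel += 360.0;
    return rel <= extent;
}

// Scan-convert a filled pie slice of radius r (centre 0,0) into out[0..cap).
// Returns the span count, or -1 when the next span would not fit: the check
// precedes the write, so an undersized buffer is reported, not silently corrupted.
static int fill_arc_spans(int r, int start, int extent, Span *out, int cap) {
    int nspans = 0;
    for (int dy = r; dy >= -r; --dy) {
        int run = 0, run_x = 0;
        for (int dx = -r; dx <= r + 1; ++dx) {      // r + 1 flushes the last run
            bool inside = dx <= r && dx * dx + dy * dy <= r * r &&
                          in_slice(dx, dy, start, extent);
            if (inside) { if (run == 0) run_x = dx; ++run; continue; }
            if (run == 0) continue;
            if (nspans == cap) return -1;            // would overrun the buffer
            out[nspans++] = Span{run_x, -dy, run};   // screen y grows downward
            run = 0;
        }
    }
    return nspans;
}

// Fill through a buffer of `cap` entries. 2 * (2r + 1) always suffices, since a
// wedge is angularly contiguous and a scanline thus holds at most two runs; the
// optimistic 2r + 1 is enough for a sideways gap (-start 10), not an upward one.
static int fill_with_cap(int r, int start, int extent, int cap) {
    std::vector<Span> points(cap);
    return fill_arc_spans(r, start, extent, points.data(), cap);
}

int main() {
    for (int start : {10, 100})
        std::printf("-start %d: needs %d spans, one-per-scanline buffer -> %d\n", start,
                    fill_with_cap(20, start, 340, 2 * 41), fill_with_cap(20, start, 340, 41));
}
```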