Please assist debugging X server crash
(the above happens with package from debian/experimental, with ATI
Technologies Inc Rage 128 RF video card)
One of the users here experienced a nearly-reproducible X server crash
("nearly-reproducible" means that he does a complex sequence of actions,
and at some moment it leads to the crash; he could reproduce that for me
with XFree86-debug started from gdb, but the exact user action that causes
the crash is unclear).
So I see that X server receives SIGSEGV.
I have a core file.
#0 0x08498622 in CopyGC (pgcSrc=0x94ec930, pgcDst=0x90ba598, mask=8387584)
#1 0x0848611f in ProcCopyGC (client=0x8f0e9c0) at dispatch.c:1607
#2 0x084837c4 in Dispatch () at dispatch.c:450
#3 0x0849acc4 in main (argc=5, argv=0xbffffd64, envp=0xbffffd7c) at
The gc.c:771 line is completely safe (it only reads a local variable).
But: 'print $eip' shows that $eip is not at an instruction boundary!
And an instruction decode started from $eip gives an instruction with an
invalid memory access, causing SIGSEGV.
I've analysed the assembly code for CopyGC(). It looks ok, at least there
are no invalid control-pass instructions.
I've analysed the stack - it also looks ok, nothing seems broken.
The only idea I have is that in some function called from CopyGC (there are
several, including indirect driver calls) some sort of out-of-bounds
memory write happens that breaks the return address on the stack, so when
the function returns back to CopyGC(), control arrives at an invalid point.
So I'm interested in what to do next to locate the bug. I can provide any
technical information, including the core file (45 megabytes), or do some
analysis myself if someone will assist me with that.
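The two checks described in the report (is $eip on an instruction boundary, and which stack words still look like saved return addresses) are mechanical enough to script against gdb output. The following is an added example, not code from the original post or from XFree86; the disassembly, stack dump, function names (demo_fn, caller_fn) and address ranges are constructed for illustration and are not taken from the reporter's core file. It parses `x/Ni` and `x/Nxw` output, reports which instruction a mid-instruction $eip falls inside, and flags stack slots that point into known code, so the frame whose return slot no longer holds a code pointer can be found.

```python
"""Sanity checks for a 'return address clobbered' hypothesis from gdb output.

Constructed example: the addresses, function names and dumps below are
hypothetical and do not come from the original report's core file.
"""
import re

# gdb `x/Ni` line:   0x08049109 <demo_fn+9>:\tmov    0x14(%eax),%ecx
DISAS_RE = re.compile(r"^(0x[0-9a-f]+)\s+<([A-Za-z_][\w.]*)\+?(\d*)>:\s*(.*)$")
# gdb `x/Nxw` line:  0xbffff5c0:\t0x00000000\t0x41414141 ...
STACK_RE = re.compile(r"^(0x[0-9a-f]+):\s*(.*)$")

# Constructed `x/9i demo_fn` output; byte lengths match the i386 encodings.
SAMPLE_DISAS = """\
0x08049100 <demo_fn+0>:\tpush   %ebp
0x08049101 <demo_fn+1>:\tmov    %esp,%ebp
0x08049103 <demo_fn+3>:\tsub    $0x10,%esp
0x08049106 <demo_fn+6>:\tmov    0x8(%ebp),%eax
0x08049109 <demo_fn+9>:\tmov    0x14(%eax),%ecx
0x0804910c <demo_fn+12>:\tcall   *0x30(%ecx)
0x0804910f <demo_fn+15>:\tadd    $0x10,%esp
0x08049112 <demo_fn+18>:\tleave
0x08049113 <demo_fn+19>:\tret
"""

# Constructed `x/8xw $esp` output: a frame whose first slots were overwritten
# with 0x41414141, followed by two words that still point into code.
SAMPLE_STACK = """\
0xbffff5c0:\t0x00000000\t0x41414141\t0x41414141\t0x0804910f
0xbffff5d0:\t0x09104430\t0x080491a4\t0x00000005\t0xbffff5e8
"""

# Hypothetical text ranges, as one would take from `info symbol` / `nm`.
TEXT_RANGES = {
    "demo_fn": (0x08049100, 0x08049120),
    "caller_fn": (0x08049180, 0x080491C0),
}


def parse_disassembly(text):
    """Return [(addr, normalized instruction text)] sorted by address."""
    insns = []
    for line in text.splitlines():
        m = DISAS_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), " ".join(m.group(4).split())))
    return sorted(insns)


def locate_eip(insns, eip):
    """Classify a faulting $eip against the instruction boundaries.

    Returns (on_boundary, start_of_containing_insn, insn_text). A $eip that
    lies strictly between two consecutive instruction starts is mid-instruction,
    which is the signature of control arriving via a corrupted return address
    or function pointer rather than through the decoded instruction stream.
    """
    starts = [a for a, _ in insns]
    if eip in starts:
        return True, eip, insns[starts.index(eip)][1]
    before = [(a, t) for a, t in insns if a < eip]
    if not before:
        return False, None, None
    a, t = before[-1]
    return False, a, t


def parse_stack_words(text):
    """Return [(stack_addr, word)] from `x/Nxw` output (4-byte words)."""
    words = []
    for line in text.splitlines():
        m = STACK_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words.append((base + 4 * i, int(w, 16)))
    return words


def find_code_pointers(words, text_ranges):
    """Flag stack words that fall inside a known text range.

    Words pointing into code are candidate saved return addresses; a frame
    whose return slot holds a non-code value (0x41414141 above) marks where
    the out-of-bounds write should be looked for.
    """
    hits = []
    for stack_addr, w in words:
        for name, (lo, hi) in text_ranges.items():
            if lo <= w < hi:
                hits.append((stack_addr, w, "%s+%d" % (name, w - lo)))
    return hits


if __name__ == "__main__":
    insns = parse_disassembly(SAMPLE_DISAS)
    on_boundary, start, text = locate_eip(insns, 0x0804910A)
    print("eip on boundary:", on_boundary, "inside", hex(start), text)
    for stack_addr, w, sym in find_code_pointers(parse_stack_words(SAMPLE_STACK), TEXT_RANGES):
        print("%#010x: %#010x -> %s" % (stack_addr, w, sym))
```

In practice the disassembly comes from `x/Ni <function>` around the suspect frame and the stack dump from `x/Nxw $esp` (or $ebp) in the core; walking the flagged code pointers upward until one is missing shows which callee's frame was smashed, which is the function to audit for the out-of-bounds write.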