
Please assist debugging X server crash



Hello

(the above happens with the package from debian/experimental, with an ATI 
Technologies Inc Rage 128 RF video card)

One of the users here experienced a nearly-reproducible X server crash 
("nearly-reproducible" means that he does a complex sequence of actions, 
and at some moment it leads to the crash; he could reproduce that for me 
with XFree86-debug started from gdb, but the exact user action that causes 
the crash is unclear).

So I see that X server receives SIGSEGV.
I have a core file.

(gdb) where
#0  0x08498622 in CopyGC (pgcSrc=0x94ec930, pgcDst=0x90ba598, mask=8387584)
    at gc.c:771
#1  0x0848611f in ProcCopyGC (client=0x8f0e9c0) at dispatch.c:1607
#2  0x084837c4 in Dispatch () at dispatch.c:450
#3  0x0849acc4 in main (argc=5, argv=0xbffffd64, envp=0xbffffd7c) at 
main.c:469

The line gc.c:771 is completely safe (it only reads a local variable).

But: 'print $eip' shows that $eip is not at instruction boundary!
And decoding instructions starting from $eip gives an instruction with an 
invalid memory access, causing SIGSEGV.

I've analysed the assembly code for CopyGC(). It looks OK; at least there 
are no invalid control-transfer instructions.

I've analysed the stack; it also looks OK, nothing seems broken.

The only idea I have is that in some function called from CopyGC (there are 
several, including indirect driver calls) some sort of out-of-bounds 
memory write happens that corrupts the return address on the stack, so when 
the function returns to CopyGC(), control arrives at an invalid point, 
causing SIGSEGV.

So I'm interested in what to do next to locate the bug. I can provide any 
technical information, including the core file (45 megabytes), or do some 
analysis myself if someone assists me with that.
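The key observation in the post, that $eip is not on an instruction boundary, can be checked mechanically rather than by eye: take the disassembly of the function from the start (where the decoder is known to be in sync), collect the start address of every instruction, and see whether the crash address, or the value found in a saved return-address slot on the stack, is one of them. The following Python is an added example, not code from the original post or from XFree86. It parses `objdump -d` text (the same line shape gdb's `disassemble /r` prints, with an optional `0x` prefix and `<+N>` offset, is also accepted), merges the continuation lines objdump emits for long instructions, and reports where an address lands. The listing embedded below is constructed for illustration; the function name `frob` and all its addresses are hypothetical and are not the real disassembly of CopyGC().

```python
"""Check whether a faulting $eip (or a saved return address) falls on an
instruction boundary, using the text of an `objdump -d` listing.

Added example for the crash analysis above; not code from the original post
or from XFree86.  The embedded listing is constructed and hypothetical.
"""
import re
from dataclasses import dataclass

# One instruction line of objdump -d output, e.g.
#   " 8048401:\t89 e5                \tmov    %esp,%ebp"
# Continuation lines of long instructions carry bytes but no mnemonic:
#   " 8048413:\t00 00 00"
# gdb `disassemble /r` lines ("=> 0x08048401 <+1>:\t89 e5\tmov ...") are
# accepted by the optional "=>", "0x" and "<+N>" parts.
INSN_LINE = re.compile(
    r"^\s*(?:=>\s*)?(?:0x)?([0-9a-fA-F]+)(?:\s+<[^>]*>)?:\s+"
    r"((?:[0-9a-fA-F]{2}(?:\s|$))+)\s*(.*?)\s*$"
)


@dataclass(frozen=True)
class Insn:
    addr: int      # address of the first byte
    length: int    # encoded length in bytes
    text: str      # mnemonic and operands as printed by objdump

    @property
    def end(self) -> int:
        return self.addr + self.length


def parse_disassembly(listing: str) -> list:
    """Build the instruction list from an objdump -d listing.

    Non-instruction lines (function headers, blanks) are skipped.  A line
    with bytes but no mnemonic whose address equals the end of the previous
    instruction is a wrapped continuation and is merged into it.
    """
    insns = []
    for line in listing.splitlines():
        m = INSN_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        nbytes = len(m.group(2).split())
        text = m.group(3)
        if not text and insns and insns[-1].end == addr:
            prev = insns[-1]
            insns[-1] = Insn(prev.addr, prev.length + nbytes, prev.text)
            continue
        insns.append(Insn(addr, nbytes, text))
    insns.sort(key=lambda i: i.addr)
    return insns


def locate(insns, addr: int):
    """Return (enclosing_insn, offset_into_it), or (None, None) when addr is
    outside the listing.  offset == 0 means addr is an instruction boundary.
    """
    for insn in insns:
        if insn.addr <= addr < insn.end:
            return insn, addr - insn.addr
    return None, None


def describe(insns, addr: int) -> str:
    """Human-readable verdict for one address, e.g. the $eip from a core."""
    insn, off = locate(insns, addr)
    if insn is None:
        return f"{addr:#x}: not inside the disassembled function"
    if off == 0:
        return f"{addr:#x}: on boundary: {insn.text}"
    return (f"{addr:#x}: NOT on a boundary, {off} byte(s) into "
            f"{insn.addr:#x} ({insn.length} bytes: {insn.text}); decoding "
            f"started mid-instruction, so suspect a corrupted return "
            f"address or indirect call target")


# Constructed i386 listing in objdump -d format (spaces stand in for the
# tabs objdump prints).  Hypothetical function `frob`, not CopyGC.
SAMPLE_LISTING = """\
08048400 <frob>:
 8048400:  55                      push   %ebp
 8048401:  89 e5                   mov    %esp,%ebp
 8048403:  83 ec 18                sub    $0x18,%esp
 8048406:  8b 45 0c                mov    0xc(%ebp),%eax
 8048409:  ff 50 18                call   *0x18(%eax)
 804840c:  c7 85 e8 fe ff ff 00    movl   $0x0,-0x118(%ebp)
 8048413:  00 00 00
 8048416:  8b 45 f4                mov    -0xc(%ebp),%eax
 8048419:  c9                      leave
 804841a:  c3                      ret
"""

if __name__ == "__main__":
    insns = parse_disassembly(SAMPLE_LISTING)
    # 0x804840c is where `call *0x18(%eax)` legitimately returns to;
    # 0x8048410 is the kind of value a clobbered return-address slot holds.
    for eip in (0x804840c, 0x8048410, 0x8048500):
        print(describe(insns, eip))
```

To apply this to a real core, dump the function containing the crash with `objdump -d --start-address=... --stop-address=...` on the same XFree86-debug binary the core was produced from, and run `describe()` on the $eip value and on the word gdb shows in the saved return-address slot of each frame; a frame whose slot is not on any boundary points at the callee that overwrote it.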


