Bug#283127: Server crash probably on huge pixmap allocation

To: Branden Robinson <branden@debian.org>, 283127-quiet@bugs.debian.org
Subject: Bug#283127: Server crash probably on huge pixmap allocation
From: Sami Liedes <sliedes@cc.hut.fi>
Date: Sun, 19 Dec 2004 17:22:55 +0200
Message-id: <[🔎] 20041219152255.GA2383@sk2-4.tky.hut.fi>
Reply-to: Sami Liedes <sliedes@cc.hut.fi>, 283127-quiet@bugs.debian.org
In-reply-to: <[🔎] 20041219004424.GJ12021@redwald.deadbeast.net>
References: <20041126181432.GB16422@sk2-4.tky.hut.fi> <[🔎] 20041219004424.GJ12021@redwald.deadbeast.net>

On Sat, Dec 18, 2004 at 07:44:24PM -0500, Branden Robinson wrote:

> Can you reproduce the problem with xserver-xfree86-dbg?  Install the
> package and tell debconf you want to use that X server.  Then restart the X
> server and try to reproduce the bug (hopefully, this is easy).  If it
> doesn't crash, let us know.  If a bug is in the XFree86 X server's ELF
> module loader, you likely won't see it when you use the debugging server.
> We still want to know that information.  If it does crash, become root,
> enable core dumps ("ulimit -c unlimited" in bash), start the X server as
> root and reproduce the crash again:

I've tried to start the server in 3 different ways:

1. As a normal user using the command "X"
2. As a normal user using the command "startx $(which x-terminal-emulator)"
3. As root using the command "startx $(which x-terminal-emulator)"

Of these, #1 and #3 crash when I run the gv client, #2 doesn't (after
a few tries, anyway; #1 and #3 seem to crash always).

#3 indeed produces a core file in /etc/X11/, after which it goes into
some kind of an endless loop (after printing "When reporting a server
crash..."), eating all CPU it gets and unable to be killed even with
-KILL. #1 doesn't go into an endless loop, but doesn't produce a core
file either.

Unfortunately gdb doesn't seem able to give useful information:

------------------------------------------------------------
# gdb /usr/X11R6/bin/XFree86-debug /etc/X11/core
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Core was generated by `/usr/X11R6/bin/X :1'.
Program terminated with signal 6, Aborted.
Cannot access memory at address 0xb8000e28
#0  0xb7e17ed9 in ?? ()
(gdb) bt
#0  0xb7e17ed9 in ?? ()
Cannot access memory at address 0xbfffed10
(gdb)
------------------------------------------------------------

However I tried to attach to a running X process and was able to get
the following backtrace (running the crash-provoking client
immediately after issuing the first 'cont' command):

------------------------------------------------------------
Script started on Sun Dec 19 17:07:08 2004
lh:~# ps |grep XFre
lh:~# ps uax |grep XFre
root      2130  0.7  0.8 147812 4512 ?       S    17:07   0:00 XFree86-debug
root      2145  0.0  0.1  3300  520 pts/1    R+   17:07   0:00 grep XFre
lh:~# gdb /usr/X11/bin/XFree86-debug 2130
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Attaching to program: /usr/X11R6/bin/XFree86-debug, process 2130
Reading symbols from /usr/lib/libfreetype.so.6...done.
Loaded symbols for /usr/lib/libfreetype.so.6
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/tls/libm.so.6...Reading symbols from /usr/lib/debug//lib/tls/libm-2.3.2.so...done.
done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /lib/tls/libc.so.6...Reading symbols from /usr/lib/debug//lib/tls/libc-2.3.2.so...done.
done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug//lib/ld-2.3.2.so...done.
done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/libnss_files.so.2...Reading symbols from /usr/lib/debug//lib/tls/libnss_files-2.3.2.so...done.
done.
Loaded symbols for /lib/tls/libnss_files.so.2
0xb7ec43b8 in ___newselect_nocancel () from /lib/tls/libc.so.6
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0853ba9a in fbBlt (srcLine=0x23f2762c, srcStride=21641, srcX=0, 
    dstLine=0xbffff4fc, dstStride=21641, dstX=0, width=692512, height=0, 
    alu=3, pm=16777215, bpp=32, reverse=0, upsidedown=0) at fbblt.c:180
180	fbblt.c: No such file or directory.
	in fbblt.c
(gdb) bt
#0  0x0853ba9a in fbBlt (srcLine=0x23f2762c, srcStride=21641, srcX=0, 
    dstLine=0xbffff4fc, dstStride=21641, dstX=0, width=692512, height=0, 
    alu=3, pm=16777215, bpp=32, reverse=0, upsidedown=0) at fbblt.c:180
#1  0x0853c9c7 in fbBltStip (src=0x23f12408, srcStride=21641, srcX=0, 
    dst=0xbffea2d8, dstStride=21641, dstX=0, width=692512, height=1, alu=3, 
    pm=16777215, bpp=32) at fbblt.c:919
#2  0x0854952f in fbGetImage (pDrawable=0x7cca8008, x=0, y=32396, w=21641, 
    h=1, format=2, planeMask=16777215, d=0xbffea2d8 "") at fbimage.c:330
#3  0x08377086 in XAAGetImage (pDraw=0x7cca8008, sx=0, sy=32396, w=21641, h=1, 
    format=2, planemask=16777215, pdstLine=0xbffea2d8 "") at xaaInit.c:281
#4  0x086250d5 in miBSGetImage (pDrawable=0x7cca8008, sx=0, sy=32396, w=21641, 
    h=1, format=2, planemask=16777215, pdstLine=0xbffea2d8 "")
    at mibstore.c:613
#5  0x0863ecf7 in miSpriteGetImage (pDrawable=0x7cca8008, sx=0, sy=32396, 
    w=21641, h=1, format=2, planemask=16777215, pdstLine=0xbffea2d8 "")
    at misprite.c:495
#6  0x084e86c6 in DoGetImage (client=0x8ce6e30, format=2, drawable=2097335, 
    x=0, y=32396, width=21641, height=1, planemask=16777215, im_return=0x0)
    at dispatch.c:2244
#7  0x084e8920 in ProcGetImage (client=0x8ce6e30) at dispatch.c:2338
#8  0x084e3688 in Dispatch () at dispatch.c:450
#9  0x084fabfc in main (argc=1, argv=0xbffffae4, envp=0xbffffaec) at main.c:469
(gdb) bt full
#0  0x0853ba9a in fbBlt (srcLine=0x23f2762c, srcStride=21641, srcX=0, 
    dstLine=0xbffff4fc, dstStride=21641, dstX=0, width=692512, height=0, 
    alu=3, pm=16777215, bpp=32, reverse=0, upsidedown=0) at fbblt.c:180
	src = (FbBits *) 0x23f1240c
	dst = (FbBits *) 0xbffea2d8
	leftShift = 0
	rightShift = 0
	startmask = 0
	endmask = 0
	bits = 0
	bits1 = 0
	n = 21640
	nmiddle = 21641
	destInvarient = 0
	startbyte = 0
	endbyte = 0
	_ca1 = 0
	_cx1 = 4278190080
	_ca2 = 16777215
	_cx2 = 0
#1  0x0853c9c7 in fbBltStip (src=0x23f12408, srcStride=21641, srcX=0, 
    dst=0xbffea2d8, dstStride=21641, dstX=0, width=692512, height=1, alu=3, 
    pm=16777215, bpp=32) at fbblt.c:919
No locals.
#2  0x0854952f in fbGetImage (pDrawable=0x7cca8008, x=0, y=32396, w=21641, 
    h=1, format=2, planeMask=16777215, d=0xbffea2d8 "") at fbimage.c:330
	pm = 16777215
	src = (FbBits *) 0x7cca8058
	srcStride = 21641
	srcBpp = 32
	srcXoff = 0
	srcYoff = 0
	dst = (FbStip *) 0xbffea2d8
	dstStride = 21641
#3  0x08377086 in XAAGetImage (pDraw=0x7cca8008, sx=0, sy=32396, w=21641, h=1, 
    format=2, planemask=16777215, pdstLine=0xbffea2d8 "") at xaaInit.c:281
	pScreen = 0x8b87c68
	infoRec = 0x8ba15e8
	pScrn = 0x8b72fd8
#4  0x086250d5 in miBSGetImage (pDrawable=0x7cca8008, sx=0, sy=32396, w=21641, 
    h=1, format=2, planemask=16777215, pdstLine=0xbffea2d8 "")
    at mibstore.c:613
	pScreen = 0x8b87c68
	bounds = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}
	depth = 0 '\0'
#5  0x0863ecf7 in miSpriteGetImage (pDrawable=0x7cca8008, sx=0, sy=32396, 
    w=21641, h=1, format=2, planemask=16777215, pdstLine=0xbffea2d8 "")
    at misprite.c:495
	pScreen = 0x8b87c68
	pScreenPriv = 0x8b85918
#6  0x084e86c6 in DoGetImage (client=0x8ce6e30, format=2, drawable=2097335, 
    x=0, y=32396, width=21641, height=1, planemask=16777215, im_return=0x0)
    at dispatch.c:2244
	pDraw = 0x7cca8008
	nlines = 1
	linesPerBuf = 1
	linesDone = 0
	widthBytesLine = 86564
	length = 86564
	plane = 0
	pBuf = 0xbffea2d8 ""
	xgi = {type = 1 '\001', depth = 24 '\030', sequenceNumber = 33, 
  length = 21641, visual = 0, pad3 = 0, pad4 = 0, pad5 = 0, pad6 = 3221222792, 
  pad7 = 139608336}
	pVisibleRegion = 0x0
#7  0x084e8920 in ProcGetImage (client=0x8ce6e30) at dispatch.c:2338
	stuff = (xGetImageReq *) 0x8ce7068
#8  0x084e3688 in Dispatch () at dispatch.c:450
	clientReady = (int *) 0xbffff5f4
	result = 20
	client = 0x8ce6e30
	nready = 0
	icheck = (HWEventQueuePtr *) 0x8b5d088
	start_tick = 200
#9  0x084fabfc in main (argc=1, argv=0xbffffae4, envp=0xbffffaec) at main.c:469
	i = 1
	j = 2
	k = 2
	error = -1208272102
	xauthfile = 0x0
	alwaysCheckForInput = {0, 1}
(gdb) cont
Continuing.

Program received signal SIGABRT, Aborted.
0xb7e17ed9 in raise () from /lib/tls/libc.so.6
(gdb) cont
Continuing.

Program terminated with signal SIGABRT, Aborted.
The program no longer exists.
(gdb) quit
lh:~# exit

Script done on Sun Dec 19 17:10:26 2004
------------------------------------------------------------

Hope this information helps. If there's still something I can do to
gather more information, I'll be happy to.

	Sami

Reply to:

References:
- Bug#283127: Server crash probably on huge pixmap allocation
  - From: Branden Robinson <branden@debian.org>

Prev by Date: Bug#277832: #277832 xterm: copy/paste of non-ISO-8859-1 characters between uxterm windows
Next by Date: Bug#282713: xlibs: Error loading keymap /usr/X11R6/lib/X11/xkb/compiled/server-0.xkm
Previous by thread: Processed: Re: Bug#283127: Server crash probably on huge pixmap allocation
Next by thread: Bug#286277: xlibs: please add support for Sweex SW-23 keyboard
Index(es):
- Date
- Thread