
Bug#626646: libgl1-mesa-dri: [amd64,i965] crash in prepare_wm_surfaces



I ran X (compiled with DEB_BUILD_OPTIONS=noopt) under valgrind to get
a better grip on what is going on. I believe this use after free is
what causes the crash (sometimes it doesn't crash but causes other
problems like persistent screen corruption or screen going entirely
dark except for the hw mouse pointer).

Perhaps this is a bug in xserver-xorg-video-intel after all?

==14342== Invalid write of size 4
==14342==    at 0x8FDAF90: i830_dri2_frame_event_drawable_gone (intel_dri.c:596)
==14342==    by 0x45D38A: FreeResource (resource.c:596)
==14342==    by 0x42E38A: ProcDestroyWindow (dispatch.c:732)
==14342==    by 0x42D734: Dispatch (dispatch.c:431)
==14342==    by 0x425A3A: main (main.c:287)
==14342==  Address 0x9fb2af0 is 0 bytes inside a block of size 56 free'd
==14342==    at 0x4C268FE: free (vg_replace_malloc.c:366)
==14342==    by 0x8FDB7B2: I830DRI2FrameEventHandler (intel_dri.c:842)
==14342==    by 0x8FBB159: intel_vblank_handler (intel_display.c:1517)
==14342==    by 0x8BA1A1A: drmHandleEvent (in /usr/lib/libdrm.so.2.4.0)
==14342==    by 0x8FBB2A6: drm_wakeup_handler (intel_display.c:1564)
==14342==    by 0x43B47D: WakeupHandler (dixutils.c:419)
==14342==    by 0x479090: WaitForSomething (WaitFor.c:235)
==14342==    by 0x42D55F: Dispatch (dispatch.c:367)
==14342==    by 0x425A3A: main (main.c:287)

The offending write happens here in intel_dri.c:

  591 static int
  592 i830_dri2_frame_event_drawable_gone(void *data, XID id)
  593 {
  594         DRI2FrameEventPtr       frame_event = data;
  595 
! 596         frame_event->drawable_id = None;
  597         return Success;
  598 }

And the frame_event structure apparently has been previously freed
here in the same file:

  758 void I830DRI2FrameEventHandler(unsigned int frame, unsigned int tv_sec,
  759                                unsigned int tv_usec, DRI2FrameEventPtr swap_info)
  760 {
  761         DrawablePtr drawable;
  762         ScreenPtr screen;
  ...
  839         i830_dri2_del_frame_event(swap_info);
  840         I830DRI2DestroyBuffer(drawable, swap_info->front);
  841         I830DRI2DestroyBuffer(drawable, swap_info->back);
! 842         free(swap_info);
  843 }

	Sami
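
The lifetime problem the valgrind trace points at, as an added example that is not part of the original message or the driver source: a registry keeps a pointer to an event object and later runs a "drawable gone" callback on it, while a completion handler frees the object. The table, all names, and the unregister-before-free ordering are assumptions made for illustration; what i830_dri2_del_frame_event actually removes is not shown in the message.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not driver code: a small table standing in for the
 * X server's resource database. All names here are hypothetical. */
#define MAX_RES 8
typedef struct { unsigned drawable_id; } frame_event;
typedef struct { int used; unsigned id; frame_event *data; } resource;
static resource table[MAX_RES];

static void reset_table(void) { memset(table, 0, sizeof table); }

static int add_resource(unsigned id, frame_event *ev) {
    for (int i = 0; i < MAX_RES; i++)
        if (!table[i].used) {
            table[i] = (resource){ 1, id, ev };
            return 0;
        }
    return -1; /* table full */
}

/* Remove every entry that points at ev; returns how many were removed. */
static int drop_resources_for(const frame_event *ev) {
    int n = 0;
    for (int i = 0; i < MAX_RES; i++)
        if (table[i].used && table[i].data == ev) { table[i].used = 0; n++; }
    return n;
}

/* FreeResource analogue: run the "drawable gone" callback for id.
 * Safe only while every matching entry still points at live memory. */
static int free_resource(unsigned id) {
    int n = 0;
    for (int i = 0; i < MAX_RES; i++)
        if (table[i].used && table[i].id == id) {
            table[i].data->drawable_id = 0; /* same kind of write as line 596 */
            table[i].used = 0;
            n++;
        }
    return n;
}

/* Completion handler. Returns the number of table entries still pointing at
 * ev at the moment it is freed (counted before free, so no stale read). */
static int complete_event(frame_event *ev, int unregister_first) {
    if (unregister_first) drop_resources_for(ev);
    int dangling = 0;
    for (int i = 0; i < MAX_RES; i++)
        dangling += table[i].used && table[i].data == ev;
    free(ev);
    return dangling;
}
```

A non-zero return from complete_event means a later free_resource call for that id would write into freed memory, which is the pattern valgrind reports above.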
