Bug#653252: an application triggers a segfault in xserver when working with 3D
On Mon, Dec 26, 2011 at 12:35:51PM +0100, Julien Cristau wrote:
> On Mon, Dec 26, 2011 at 03:58:20 +0300, Stanislav Maslovski wrote:
>
> > Backtrace:
> > [ 338.144] 0: X (xorg_backtrace+0x26) [0x7f99b9cde9b6]
> > [ 338.144] 1: X (0x7f99b9b5a000+0x188619) [0x7f99b9ce2619]
> > [ 338.144] 2: /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f99b8e83000+0xf030) [0x7f99b8e92030]
> > [ 338.144] 3: /usr/lib/x86_64-linux-gnu/dri/i965_dri.so (0x7f99b4b70000+0x4b99c) [0x7f99b4bbb99c]
> > [ 338.144] 4: /usr/lib/xorg/modules/extensions/libglx.so (0x7f99b65fc000+0x41951) [0x7f99b663d951]
> > [ 338.144] 5: /usr/lib/xorg/modules/extensions/libglx.so (0x7f99b65fc000+0x34da8) [0x7f99b6630da8]
> > [ 338.144] 6: /usr/lib/xorg/modules/extensions/libglx.so (0x7f99b65fc000+0x37a09) [0x7f99b6633a09]
> > [ 338.144] 7: X (0x7f99b9b5a000+0x51fc9) [0x7f99b9babfc9]
> > [ 338.144] 8: X (0x7f99b9b5a000+0x4122a) [0x7f99b9b9b22a]
> > [ 338.144] 9: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xfd) [0x7f99b7baeead]
> > [ 338.144] 10: X (0x7f99b9b5a000+0x4151d) [0x7f99b9b9b51d]
> > [ 338.144] Segmentation fault at address 0x1665c
> > [ 338.144]
> > Fatal server error:
> > [ 338.144] Caught signal 11 (Segmentation fault). Server aborting
>
> Any chance you could get a backtrace from gdb? See
> http://pkg-xorg.alioth.debian.org/howto/use-gdb.html for some
> instructions. Make sure to install xserver-xorg-core-dbg,
> xserver-xorg-video-intel-dbg and libgl1-mesa-dri-dbg.
I was able to get a core dump. Here is the gdb log with a
backtrace. The segfault always happens at address 0x1665c.
(gdb) bt full
#0 0x00007f2bf20a2405 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1 0x00007f2bf20a5680 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2 0x00007f2bf41c573e in OsAbort () at ../../os/utils.c:1230
No locals.
#3 0x00007f2bf40c82ec in ddxGiveUp (error=EXIT_ERR_ABORT)
at ../../../../hw/xfree86/common/xf86Init.c:936
i = <optimized out>
#4 0x00007f2bf41ca5f2 in AbortServer () at ../../os/log.c:416
No locals.
#5 0x00007f2bf41ca7f5 in FatalError (f=0x7f2bf41f06b0 "Caught signal %d (%s). Server aborting\n")
at ../../os/log.c:547
args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fff23471160,
reg_save_area = 0x7fff234710a0}}
beenhere = 1
#6 0x00007f2bf41c366e in OsSigHandler (sip=<optimized out>, signo=11, unused=<optimized out>)
at ../../os/osinit.c:146
No locals.
#7 OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at ../../os/osinit.c:108
No locals.
#8 <signal handler called>
No symbol table info available.
#9 intelDRI2Flush (drawable=0x7f2bfaa64aa0) at intel_screen.c:111
ctx = <optimized out>
#10 0x00007f2bf0b1d951 in __glXDRIdrawableSwapBuffers (client=0x7f2bf531f580,
drawable=0x7f2bf767c500) at ../../glx/glxdri2.c:215
priv = 0x7f2bf767c500
screen = 0x7f2bf4f554c0
unused = 139826774013624
#11 0x00007f2bf0b10da8 in __glXDisp_SwapBuffers (cl=0x7f2bf531f6b8, pc=<optimized out>)
at ../../glx/glxcmds.c:1583
client = 0x7f2bf531f580
req = <optimized out>
tag = <optimized out>
drawId = 20973401
glxc = <optimized out>
pGlxDraw = <optimized out>
error = 32555
#12 0x00007f2bf0b13a09 in __glXDispatch (client=<optimized out>) at ../../glx/glxext.c:547
rendering = <optimized out>
stuff = 0x7f2bf70f2630
opcode = <optimized out>
proc = 0x7f2bf0b10cc0 <__glXDisp_SwapBuffers>
cl = 0x7f2bf531f6b8
retval = <optimized out>
#13 0x00007f2bf408cfc9 in Dispatch () at ../../dix/dispatch.c:432
clientReady = 0x7f2bf5288c50
result = <optimized out>
client = 0x7f2bf531f580
nready = 0
icheck = 0x7f2bf4441af0
start_tick = 60
#14 0x00007f2bf407c22a in main (argc=8, argv=<optimized out>, envp=<optimized out>)
at ../../dix/main.c:287
i = <optimized out>
alwaysCheckForInput = {0, 1}
(gdb) disas
Dump of assembler code for function raise:
0x00007f2bf20a23d0 <+0>: mov %fs:0x2d4,%eax
0x00007f2bf20a23d8 <+8>: mov %fs:0x2d0,%esi
0x00007f2bf20a23e0 <+16>: test %esi,%esi
0x00007f2bf20a23e2 <+18>: jne 0x7f2bf20a2410 <raise+64>
0x00007f2bf20a23e4 <+20>: mov $0xba,%eax
0x00007f2bf20a23e9 <+25>: syscall
0x00007f2bf20a23eb <+27>: mov %eax,%esi
0x00007f2bf20a23ed <+29>: mov %eax,%fs:0x2d0
0x00007f2bf20a23f5 <+37>: movslq %edi,%rdx
0x00007f2bf20a23f8 <+40>: movslq %esi,%rsi
0x00007f2bf20a23fb <+43>: movslq %eax,%rdi
0x00007f2bf20a23fe <+46>: mov $0xea,%eax
0x00007f2bf20a2403 <+51>: syscall
=> 0x00007f2bf20a2405 <+53>: cmp $0xfffffffffffff000,%rax
0x00007f2bf20a240b <+59>: ja 0x7f2bf20a2422 <raise+82>
0x00007f2bf20a240d <+61>: repz retq
0x00007f2bf20a240f <+63>: nop
0x00007f2bf20a2410 <+64>: test %eax,%eax
0x00007f2bf20a2412 <+66>: jg 0x7f2bf20a23f5 <raise+37>
0x00007f2bf20a2414 <+68>: test $0x7fffffff,%eax
0x00007f2bf20a2419 <+73>: jne 0x7f2bf20a2432 <raise+98>
0x00007f2bf20a241b <+75>: mov %esi,%eax
0x00007f2bf20a241d <+77>: nopl (%rax)
0x00007f2bf20a2420 <+80>: jmp 0x7f2bf20a23f5 <raise+37>
0x00007f2bf20a2422 <+82>: mov 0x34b9ef(%rip),%rdx # 0x7f2bf23ede18
0x00007f2bf20a2429 <+89>: neg %eax
0x00007f2bf20a242b <+91>: mov %eax,%fs:(%rdx)
0x00007f2bf20a242e <+94>: or $0xffffffff,%eax
0x00007f2bf20a2431 <+97>: retq
0x00007f2bf20a2432 <+98>: neg %eax
0x00007f2bf20a2434 <+100>: jmp 0x7f2bf20a23f5 <raise+37>
End of assembler dump.
(gdb) up 9
#9 intelDRI2Flush (drawable=0x7f2bfaa64aa0) at intel_screen.c:111
111 intel_screen.c: No such file or directory.
in intel_screen.c
Dump of assembler code for function intelDRI2Flush:
0x00007f2bef09b990 <+0>: mov 0x571509(%rip),%rax # 0x7f2bef60cea0
0x00007f2bef09b997 <+7>: push %rbx
0x00007f2bef09b998 <+8>: mov %fs:(%rax),%rbx
=> 0x00007f2bef09b99c <+12>: cmpl $0x3,0x1665c(%rbx)
0x00007f2bef09b9a3 <+19>: jg 0x7f2bef09b9b6 <intelDRI2Flush+38>
0x00007f2bef09b9a5 <+21>: mov 0x1e6c8(%rbx),%rax
0x00007f2bef09b9ac <+28>: test %rax,%rax
0x00007f2bef09b9af <+31>: je 0x7f2bef09b9b6 <intelDRI2Flush+38>
0x00007f2bef09b9b1 <+33>: mov %rbx,%rdi
0x00007f2bef09b9b4 <+36>: callq *%rax
0x00007f2bef09b9b6 <+38>: cmpw $0x0,0x1669c(%rbx)
0x00007f2bef09b9be <+46>: movb $0x1,0x1e6b0(%rbx)
0x00007f2bef09b9c5 <+53>: jne 0x7f2bef09b9d0 <intelDRI2Flush+64>
0x00007f2bef09b9c7 <+55>: pop %rbx
0x00007f2bef09b9c8 <+56>: retq
0x00007f2bef09b9c9 <+57>: nopl 0x0(%rax)
0x00007f2bef09b9d0 <+64>: mov %rbx,%rdi
0x00007f2bef09b9d3 <+67>: lea 0x23496b(%rip),%rsi # 0x7f2bef2d0345
0x00007f2bef09b9da <+74>: mov $0x75,%edx
0x00007f2bef09b9df <+79>: pop %rbx
0x00007f2bef09b9e0 <+80>: jmpq 0x7f2bef08e820 <_intel_batchbuffer_flush>
End of assembler dump.
(gdb) p /x $rbx
$1 = 0x0
(gdb) p /x *0x1665c
Cannot access memory at address 0x1665c
--
Stanislav
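The xorg_backtrace() output quoted at the top of this thread carries no symbols for most frames, only "(load_base+offset) [absolute]" pairs, and the gdb session then pins the fault down to `cmpl $0x3,0x1665c(%rbx)` with `$rbx == 0x0`. As an added example (not part of the bug report, of Xorg or of Debian): a short script that parses those frame lines into module + offset pairs for addr2line, checks that base + offset really equals the absolute address, and confirms that register + displacement reproduces the faulting address 0x1665c, i.e. a NULL context pointer dereferenced at field offset 0x1665c. The sample frame lines are copied from the report with the quote markers removed; the only assumption is that the reader resolves the printed module name (for example "X") to the real file path before running addr2line.

```python
"""Added example (not part of the bug report, Xorg or Debian): map the
symbol-less xorg_backtrace() frames above onto module + offset pairs that
addr2line can resolve, and check a SIGSEGV address against the base
register + displacement seen in gdb's disassembly."""
import re

# xorg_backtrace() prints one of two shapes per frame:
#   N: module (symbol+0xOFF) [0xABS]   when a symbol was found
#   N: module (0xBASE+0xOFF) [0xABS]   when it was not; BASE is the load address
FRAME_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+(?P<n>\d+):\s+(?P<module>\S+)\s+"
    r"\((?P<sym>[^+)]+)\+0x(?P<off>[0-9a-fA-F]+)\)\s+\[0x(?P<abs>[0-9a-fA-F]+)\]$"
)

# Frame lines copied from the report above (quote markers removed).
SAMPLE_FRAMES = [
    "[ 338.144] 0: X (xorg_backtrace+0x26) [0x7f99b9cde9b6]",
    "[ 338.144] 1: X (0x7f99b9b5a000+0x188619) [0x7f99b9ce2619]",
    "[ 338.144] 2: /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f99b8e83000+0xf030) [0x7f99b8e92030]",
    "[ 338.144] 3: /usr/lib/x86_64-linux-gnu/dri/i965_dri.so (0x7f99b4b70000+0x4b99c) [0x7f99b4bbb99c]",
    "[ 338.144] 4: /usr/lib/xorg/modules/extensions/libglx.so (0x7f99b65fc000+0x41951) [0x7f99b663d951]",
]


def parse_frame(line):
    """Return a dict for one frame line, or None if the line is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    sym, off, abs_addr = m.group("sym"), int(m.group("off"), 16), int(m.group("abs"), 16)
    frame = {"n": int(m.group("n")), "module": m.group("module"), "abs": abs_addr,
             "symbol": None, "base": None, "offset": off, "consistent": True}
    if sym.startswith("0x"):
        # No symbol: OFF is the offset into the module, which is what addr2line
        # wants for a shared object or PIE loaded at BASE (for a non-PIE
        # executable pass the absolute address instead).
        frame["base"] = int(sym, 16)
        frame["consistent"] = frame["base"] + off == abs_addr
    else:
        frame["symbol"] = sym
    return frame


def addr2line_commands(lines):
    """Commands to resolve the symbol-less frames.  The module name is used as
    printed, so substitute the real path (assumption: e.g. /usr/bin/Xorg for
    'X') and point at the build that matches the installed -dbg packages."""
    cmds = []
    for line in lines:
        f = parse_frame(line)
        if f and f["base"] is not None and f["consistent"]:
            cmds.append("addr2line -f -C -e %s 0x%x" % (f["module"], f["offset"]))
    return cmds


def explain_fault(fault_addr, base_reg, displacement):
    """Does base_reg + displacement reproduce the faulting address?  For the
    report: rbx == 0 and 'cmpl $0x3,0x1665c(%rbx)' faults at 0x1665c, i.e. a
    NULL struct pointer dereferenced at field offset 0x1665c."""
    target = (base_reg + displacement) & 0xFFFFFFFFFFFFFFFF
    return {"matches": target == fault_addr,
            "null_base": base_reg == 0,
            "field_offset": displacement}


if __name__ == "__main__":
    for cmd in addr2line_commands(SAMPLE_FRAMES):
        print(cmd)
    print(explain_fault(0x1665c, 0x0, 0x1665c))
```

The offsets the script prints are the same ones gdb later resolved with the -dbg packages installed (frame 3 at i965_dri.so+0x4b99c is intelDRI2Flush, frame 4 at libglx.so+0x41951 is __glXDRIdrawableSwapBuffers), so the addr2line route is a cheaper first pass when a core dump is not available. The `mov %fs:(%rax),%rbx` before the faulting instruction loads the thread-local current-context pointer, and the gdb session shows it is NULL here; since the call arrives through the server's request dispatch on a client's GLX SwapBuffers (frames 10 to 13), the abort takes the whole display down, which is why a missing NULL-context check in this path matters beyond the single client that triggered it.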