Bug 1273183

Summary: [abrt] gnome-shell: meta_monitor_config_assign_crtcs(): gnome-shell killed by SIGABRT
Product: [Fedora] Fedora
Reporter: Alex Chvatal <achvatal>
Component: gnome-shell
Assignee: Owen Taylor <otaylor>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: akadam, daniel, dragomir.dan, fmuellner, fschwarz, geezuslucifer, joe, joshua.rich, lray+redhatbugzilla, m, motoskov, otaylor, p30hacker, thomas.mey, thozza
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/81f020f620a21517d844d6ee35409aaae1802de9
Whiteboard: abrt_hash:59202f1a421851ee261ec2b15a7a50569d7dde67;VARIANT_ID=workstation;
Doc Type: Bug Fix
Last Closed: 2016-12-20 15:04:18 UTC
Attachments:
File: backtrace (Flags: none)
File: cgroup (Flags: none)
File: core_backtrace (Flags: none)
File: dso_list (Flags: none)
File: environ (Flags: none)
File: limits (Flags: none)
File: maps (Flags: none)
File: mountinfo (Flags: none)
File: open_fds (Flags: none)
File: proc_pid_status (Flags: none)
File: var_log_messages (Flags: none)
Fix driverPrivate nullification (Flags: none)

Description Alex Chvatal 2015-10-19 21:09:21 UTC
Description of problem:
Docked laptop with two attached monitors.

Screen was locked.
Unlocked screen but only one monitor started showing content.
Lifted laptop lid to get monitors to refresh.
Gnome crashed.

Version-Release number of selected component:
gnome-shell-3.18.1-1.fc23

Additional info:
reporter:       libreport-2.6.3
backtrace_rating: 4
cmdline:        /usr/bin/gnome-shell
crash_function: meta_monitor_config_assign_crtcs
executable:     /usr/bin/gnome-shell
global_pid:     3019
kernel:         4.2.3-300.fc23.x86_64
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #4 meta_monitor_config_assign_crtcs at backends/meta-monitor-config.c:2032
 #5 apply_configuration at backends/meta-monitor-config.c:895
 #6 meta_monitor_config_restore_previous at backends/meta-monitor-config.c:1557
 #12 g_object_notify_by_spec_internal at gobject.c:1154
 #13 g_object_notify at gobject.c:1202
 #19 g_object_notify_by_spec_internal at gobject.c:1154
 #20 g_object_notify at gobject.c:1202
 #21 up_client_glue_proxy_g_properties_changed at up-client-glue.c:1348
 #22 ffi_call_unix64 at ../src/x86/unix64.S:76
 #23 ffi_call at ../src/x86/ffi64.c:525

Potential duplicate: bug 1204700

Comment 1 Alex Chvatal 2015-10-19 21:09:25 UTC
Created attachment 1084528
File: backtrace

Comment 2 Alex Chvatal 2015-10-19 21:09:26 UTC
Created attachment 1084529
File: cgroup

Comment 3 Alex Chvatal 2015-10-19 21:09:27 UTC
Created attachment 1084530
File: core_backtrace

Comment 4 Alex Chvatal 2015-10-19 21:09:28 UTC
Created attachment 1084531
File: dso_list

Comment 5 Alex Chvatal 2015-10-19 21:09:29 UTC
Created attachment 1084532
File: environ

Comment 6 Alex Chvatal 2015-10-19 21:09:30 UTC
Created attachment 1084533
File: limits

Comment 7 Alex Chvatal 2015-10-19 21:09:32 UTC
Created attachment 1084534
File: maps

Comment 8 Alex Chvatal 2015-10-19 21:09:33 UTC
Created attachment 1084535
File: mountinfo

Comment 9 Alex Chvatal 2015-10-19 21:09:34 UTC
Created attachment 1084536
File: open_fds

Comment 10 Alex Chvatal 2015-10-19 21:09:35 UTC
Created attachment 1084537
File: proc_pid_status

Comment 11 Alex Chvatal 2015-10-19 21:09:36 UTC
Created attachment 1084538
File: var_log_messages

Comment 12 lray+redhatbugzilla 2015-11-25 19:38:20 UTC
Another user experienced a similar problem:

Locking Lenovo X200 laptop into docking station with 2 external monitors

reporter:       libreport-2.6.3
backtrace_rating: 4
cmdline:        /usr/bin/gnome-shell --wayland --display-server
crash_function: meta_monitor_config_assign_crtcs
executable:     /usr/bin/gnome-shell
global_pid:     1292
kernel:         4.2.6-300.fc23.x86_64
package:        gnome-shell-3.18.3-1.fc23
reason:         gnome-shell killed by SIGABRT
runlevel:       N 5
type:           CCpp
uid:            1000

Comment 13 Thomas Meyer 2016-01-07 20:41:33 UTC
This crash seems to happen every time I unplug my external monitor on my HDMI output.

Comment 14 Thomas Meyer 2016-01-07 21:08:06 UTC
2025│     {
2026│       g_hash_table_iter_steal (&iter);
2027│       g_ptr_array_add (crtcs, info);
2028│     }
2029│
2030│   all_outputs = meta_monitor_manager_get_outputs (manager,
2031│                                                   &n_outputs);
2032├>  g_assert (n_outputs == config->n_outputs);
2033│
2034│   for (i = 0; i < n_outputs; i++)
2035│     {
2036│       MetaOutputInfo *output_info = g_slice_new (MetaOutputInfo);
2037│       MetaOutputConfig *output_config = &config->outputs[i];
2038│
2039│       output_info->output = find_output_by_key (all_outputs, n_outputs,

(gdb) p	n_outputs
$12 = 2
(gdb) p	*config
$13 = {refcount = 2, keys = 0x55705f87eba0, outputs = 0x55705e337360, n_outputs = 1}
(gdb) p	*all_outputs
$14 = {crtc = 0x55705e416000, winsys_id = 70, name = 0x55705fa70aa0 "HDMI1", vendor = 0x55705fa70a80 "unknown", product = 0x55705fa70b70 "unknown", serial = 0x55705fa70b90 "unknown", width_mm = 0, height_mm = 0, subpixel_order = COGL_SUBPIXEL_ORDER_UNKNOWN, scale = 0, connector_type = META_CONNECTOR_TYPE_HDMIA, preferred_mode = 0x55705db5e960, modes = 0x55705f1b07f0, n_modes = 24, possible_crtcs = 0x55705fa70980, n_possible_crtcs = 2, possible_clones = 0x55705fa70bb0, n_possible_clones = 2, backlight = -1, backlight_min = 0, backlight_max = 0, is_dirty = 0, is_primary = 1, is_presentation = 0, is_underscanning = 0, supports_underscanning = 0, driver_private = 0x0, driver_notify = 0x0, hotplug_mode_update = 0, suggested_x = -1, suggested_y = -1, tile_info = {group_id = 0, flags = 0, max_h_tiles = 0, max_v_tiles = 0, loc_h_tile = 0, loc_v_tile = 0, tile_w = 0, tile_h = 0}}

Maybe related to https://retrace.fedoraproject.org/faf/reports/951153/ ?

Comment 15 Thomas Meyer 2016-01-07 21:27:53 UTC
Regarding retrace 951153:

bt is:
#0  ms_ent_priv (scrn=0x19dae80) at driver.c:187
#1  FreeRec (pScrn=0x19dae80) at driver.c:632
#2  FreeScreen (pScrn=0x19dae80) at driver.c:1281
#3  0x0000000000480d6a in xf86DeleteScreen (pScrn=0x19dae80) at xf86Helper.c:240
#4  0x0000000000498ea6 in xf86platformRemoveDevice (index=index@entry=1) at xf86platformBus.c:587
#5  0x000000000049eb86 in DeleteGPUDeviceRequest (attribs=0x1e3d4f0) at lnx_platform.c:225
#6  0x000000000049a5df in device_removed (device=device@entry=0x1b20960) at udev.c:318
#7  0x000000000049b226 in wakeup_handler (data=<optimized out>, err=5, read_mask=0x8398a0 <LastSelectMask>) at udev.c:361
#8  0x000000000043b4dd in WakeupHandler (result=result@entry=5, pReadmask=pReadmask@entry=0x8398a0 <LastSelectMask>) at dixutils.c:423
#9  0x000000000059398f in WaitForSomething (pClientsReady=pClientsReady@entry=0x18ef140) at WaitFor.c:230
#10 0x000000000043676e in Dispatch () at dispatch.c:359
#11 0x000000000043a953 in dix_main (argc=14, argv=0x7ffe02310118, envp=<optimized out>) at main.c:300
#12 0x00007fba3c25c580 in __libc_start_main () from /lib64/libc.so.6
#13 0x0000000000424ce9 in _start ()

the bug seems to be in:

 183│ modesettingEntPtr ms_ent_priv(ScrnInfoPtr scrn)
 184│ {
 185│     DevUnion     *pPriv;
 186│     modesettingPtr ms = modesettingPTR(scrn);
 187├>    pPriv = xf86GetEntityPrivate(ms->pEnt->index,
 188│                                  ms_entity_index);
 189│     return pPriv->ptr;
 190│ }
 191│
 192│ static int
 193│ open_hw(const char *dev)
 194│ {
/usr/src/debug/xorg-server-1.18.0/hw/xfree86/drivers/modesetting/driver.c  

(gdb) p	ms
$3 = (modesettingPtr) 0x0

(gdb) p *scrn
$5 = {driverVersion = 1, driverName = 0x7fba1d6b3c49 "modesetting", pScreen = 0x21260d0, scrnIndex = 256, configured = 1, origIndex = 256, imageByteOrder = 0, bitmapScanlineUnit = 32, bitmapScanlinePad = 32, bitmapBitOrder = 0, numFormats = 0, formats = {{depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000', scanlinePad = 0 '\000'}}, fbFormat = {depth = 24 '\030', bitsPerPixel = 32 ' ', scanlinePad = 32 ' '}, bitsPerPixel = 32, pixmap24 = Pix24DontCare, depth = 24, depthFrom = X_DEFAULT, bitsPerPixelFrom = X_DEFAULT, weight = {red = 8, green = 8, blue = 8}, mask = {red = 16711680, green = 65280, blue = 255}, offset = {red = 16, green = 8, blue = 0}, rgbBits = 8, gamma = {red = 1, green = 1, blue = 1}, defaultVisual = 4, maxHValue = 0, maxVValue = 0, virtualX = 1024, virtualY = 768, xInc = 0, virtualFrom = X_PROBED, displayWidth = 1024, frameX0 = 0, frameY0 = 0, frameX1 = 0, frameY1 = 0, zoomLocked = 0, modePool = 0x0, modes = 0x20da0f0, currentMode = 0x20da0f0, confScreen = 0x149a7a0, monitor = 0x149b010, display = 0x14add30, entityList = 0x19d3d90, numEntities = 1, widthmm = 260, heightmm = 140, xDpi = 100, yDpi =	139, name = 0x7fba1d6b3c55 "modeset", driverPrivate = 0x0, privates = 0x19f1da0, drv = 0x19d3d30, module = 0x19dd9e0, colorKey = 0, overlayFlags = 0, chipset = 0x0, ramdac = 0x0, clockchip = 0x0, progClock = 1, numClocks = 0, clock = {0 <repeats 128 times>}, videoRam = 0, biosBase = 0, memPhysBase =	0, fbOffset = 0, memClk = 0, flipPixels = 0, options = 0x0, chipID = 0, chipRev = 0, vtSema = 
0, silkenMouse = 1, clockRanges = 0x0, adjustFlags = 0, preferClone = 0, reservedInt = {0 <repeats 16 times>}, entityInstanceList = 0x19f1de0, vgaDev = 0x0, reservedPtr = {0x0	<repeats 14 times>}, Probe = 0x0, PreInit = 0x7fba1d6add30 <PreInit>, ScreenInit = 0x7fba1d6ad3e0 <ScreenInit>, SwitchMode = 0x7fba1d6ac990 <SwitchMode>, AdjustFrame = 0x7fba1d6ac970 <AdjustFrame>, EnterVT = 0x7fba1d6ad390 <EnterVT>, LeaveVT = 0x7fba1d6ac910 <LeaveVT>, FreeScreen = 0x7fba1d6ac8c0 <FreeScreen>, ValidMode = 0x7fba1d6ac7d0 <ValidMode>, EnableDisableFBAccess = 0x0, SetDGAMode = 0x0, ChangeGamma = 0x4b7d20 <xf86RandR12ChangeGamma>, PointerMoved = 0x4b8b90 <xf86RandR12PointerMoved>, PMEvent =	0x0, DPMSSet = 0x4ae8e0 <xf86DPMSSet>,	LoadPalette = 0x0, SetOverscan = 0x0, DriverFunc = 0x7fba1d6ac7b0 <ms_driver_func>, ModeSet = 0x0, reservedFuncs = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, is_gpu = 1, capabilities = 3}

Comment 16 Thomas Meyer 2016-01-07 21:38:13 UTC
This seems to be a bug in the xf86-modesetting driver:

(gdb) p (modesettingPtr)((scrn)->driverPrivate)
$6 = (struct _modesettingRec *) 0x0

driverPrivate is NULL. It is set to NULL in FreeRec function:

 625│         return;
 626│->   pScrn->driverPrivate = NULL;
 627│
 628│     if (ms->fd > 0) {
 629│         modesettingEntPtr ms_ent;
 630│         int ret;
 631│
 632├>        ms_ent = ms_ent_priv(pScrn);
 633│         ms_ent->fd_ref--;
 634│         if (!ms_ent->fd_ref) {
 635│             if (ms->pEnt->location.type == BUS_PCI)
 636│                 ret = drmClose(ms->fd);
 637│             else
 638│ #ifdef XF86_PDEV_SERVER_FD
 639│                 if (!(ms->pEnt->location.type == BUS_PLATFORM &&
/usr/src/debug/xorg-server-1.18.0/hw/xfree86/drivers/modesetting/driver.c   

Line 626 clears the pointer, and in line 632 it's used again later on by ms_ent_priv().
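
The ordering problem described in comment 16, as an added example that is not part of the original comments or the X.Org source: a simplified C model showing the clear-then-use sequence beside a use-then-clear one. The types `Screen`, `DriverRec`, `Entity` and the functions `ent_priv`, `free_rec_buggy`, `free_rec_fixed` are hypothetical stand-ins, the lookup returns NULL instead of dereferencing so the faulty path can be observed without crashing, and the reordering shown is one possible fix, not the attached patch (which is not reproduced on this page).

```c
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the driver's types. */
typedef struct { int fd_ref; } Entity;              /* shared fd refcount */
typedef struct { int fd; Entity *ent; } DriverRec;  /* per-screen private */
typedef struct { void *driver_private; } Screen;

/* Like ms_ent_priv(): reaches the entity via driver_private. The real code
 * dereferences unconditionally; this model returns NULL so it cannot crash. */
static Entity *ent_priv(Screen *scrn)
{
    DriverRec *ms = scrn->driver_private;
    return ms ? ms->ent : NULL;
}

/* Ordering from the listing: pointer cleared first, looked up afterwards. */
int free_rec_buggy(Screen *scrn)
{
    DriverRec *ms = scrn->driver_private;
    if (!ms)
        return 0;
    scrn->driver_private = NULL;            /* listing line 626 */
    if (ms->fd > 0) {
        Entity *e = ent_priv(scrn);         /* listing line 632: gets NULL */
        if (!e)
            return -1;                      /* the real driver crashes here */
        e->fd_ref--;
    }
    return 0;
}

/* Corrected ordering: clear the pointer only after its last use. */
int free_rec_fixed(Screen *scrn)
{
    DriverRec *ms = scrn->driver_private;
    if (!ms)
        return 0;
    if (ms->fd > 0)
        ent_priv(scrn)->fd_ref--;           /* driver_private still valid */
    scrn->driver_private = NULL;
    return 0;
}

int main(void)
{
    Entity a = { 1 }, b = { 1 };            /* constructed sample state */
    DriverRec d1 = { 3, &a }, d2 = { 3, &b };
    Screen s1 = { &d1 }, s2 = { &d2 };
    int bad = free_rec_buggy(&s1), good = free_rec_fixed(&s2);
    printf("buggy: rc=%d fd_ref=%d; fixed: rc=%d fd_ref=%d\n", bad, a.fd_ref, good, b.fd_ref);
    return 0;
}
```

In the buggy path the shared reference count is never dropped, which is the point at which the real driver dereferences a NULL `modesettingPtr`.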

Comment 17 Thomas Meyer 2016-01-07 21:48:34 UTC
Offending commit in modesetting driver:

commit 19e1dc8f6ea6d7ff5ba4a5caa0e2f40a47879408
Author: Dave Airlie <airlied>
Date:   Wed Jul 22 03:56:13 2015 +0100

    modesetting: add zaphod support (v3)
    
    This adds zaphod and ZaphodHeads support
    to the the in-server modesetting driver.
    
    this is based on a request from Mario,
    and on the current radeon driver, along
    with some patches from Mario to bring things
    up to the state of the art in Zaphod.
    
    v2: fixup vblank fd registring.
    v3: squash Mario's fixes.
      modesetting: Allow/Fix use of multiple ZaphodHead outputs per x-screen.
      modesetting: Take shift in crtc positions for ZaphodHeads configs into account.
      modesetting: Add ZaphodHeads description to man page.
    small cleanups (airlied).
    
    Reviewed-and-tested-by: Mario Kleiner <mario.kleiner.de>
    Reviewed-by: Alex Deucher <alexander.deucher>
    Signed-off-by: Dave Airlie <airlied>

diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c

Comment 18 Thomas Meyer 2016-01-07 21:54:57 UTC
Created attachment 1112620
Fix driverPrivate nullification

Comment 19 Felix Schwarz 2016-02-05 20:06:27 UTC
(In reply to Thomas Meyer from comment #18)
> Created attachment 1112620
> Fix driverPrivate nullification

Did you try to contact Dave directly? Does your patch fix the issue for you? If so this seems to be a generic upstream patch. I'm not familiar with X.org's contribution policy but I assume the best way to get this fixed is to post your patch (using git send-email, add your DCO/Signed-Off) to xorg-devel (http://lists.x.org/mailman/listinfo/xorg-devel) and CC Dave, Mario and Alex explicitly.
(Please disregard this comment if you did so already. If you don't know how to do this or you think this is too time-consuming for you, please let me know so others can drive this patch.)

Besides that your patch seems sensible. "driverPrivate" is needed by the "modesettingPTR" macro so it is set to NULL too early.

Anyway: Assuming your patch fixes the problem this bug is not about gnome-shell but should be filed against xorg-x11 or so.

Comment 20 Daniel Lehrner 2016-03-02 09:04:45 UTC
This bug only occurs on my laptop (Lenovo U31-70) since the update to kernel 4.4.2-301. The older kernel versions work fine.

Comment 21 Fedora End Of Life 2016-11-24 12:50:52 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 23 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 22 Fedora End Of Life 2016-12-20 15:04:18 UTC
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.