Bug 448586
| Field | Value |
|---|---|
| Summary | Firefox 3 crashes Xorg at picture.c:1600 |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Richard Ryder <rryder> |
| Component | xorg-x11-server |
| Assignee | Adam Jackson <ajax> |
| Status | CLOSED ERRATA |
| QA Contact | desktop-bugs <desktop-bugs> |
| Severity | high |
| Priority | urgent |
| Version | 5.2 |
| CC | bugs+fedora, cmeadors, john, mgordon, peak, shillman, xgl-maint |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2009-09-02 11:42:21 UTC |
Description
Richard Ryder
2008-05-27 18:16:36 UTC
Created attachment 306809 [details]
Xorg core generated by gdb gcore command
Created attachment 308531 [details]
dmesg from sosreport
Created attachment 308532 [details]
xorg.conf from sosreport
Created attachment 308533 [details]
Xorg.0.log from sosreport
Please, could you confirm if this URL causes the same crash? http://en.wikipedia.org/wiki/Special:Allmessages

I'm having similar crashes in Fedora 8 with the above URL, with intel (open-source) and nvidia (closed-source) drivers, but with a different backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x0044817f in fbRasterizeEdges (buf=0x8695098, bpp=8, width=436, stride=109, l=0xbffaff54, r=0xbffaff2c, t=-2147481464, b=28571510) at fbedge.c:171
171         ap[lxi] = clip255 (ap[lxi] + N_X_FRAC(8) - lxs);
(gdb) backtrace
#0  0x0044817f in fbRasterizeEdges (buf=0x8695098, bpp=8, width=436, stride=109, l=0xbffaff54, r=0xbffaff2c, t=-2147481464, b=28571510) at fbedge.c:171
#1  0x00440a0f in fbRasterizeTrapezoid (pPicture=0x85fe368, trap=0x864e978, x_off=<value optimized out>, y_off=0) at fbtrap.c:143
#2  0x0035534a in _nv000753X () from /usr/lib/xorg/modules/drivers//nvidia_drv.so
```

Also bug 453607 seems related.

This seems to be a duplicate of bug 455209 (which is in Fedora 8).

*** Bug 453607 has been marked as a duplicate of this bug. ***

We are experiencing this particular error at our site as well. The wikipedia link above causes the same crash for us. Backtrace information varies slightly based on whether the Composite X extension is enabled. With Composite enabled, the backtrace looks as such:

```
Program received signal SIGSEGV, Segmentation fault.
0x08147898 in PictureMatchFormat ()
(gdb) where
#0  0x08147898 in PictureMatchFormat ()
#1  0x081478e1 in ValidatePicture ()
#2  0x081479a1 in CompositePicture ()
#3  0x08146dc8 in miTrapezoids ()
#4  0x00a61837 in _nv002361X () from /usr/lib/xorg/modules/drivers/nvidia_drv.so
#5  0x0000000c in ?? ()
#6  0x088b67a8 in ?? ()
#7  0x08904908 in ?? ()
#8  0x08824798 in ?? ()
#9  0x00000000 in ?? ()
(gdb)
```

Disabling Composite changes the backtrace slightly:

```
Program received signal SIGSEGV, Segmentation fault.
0x08147978 in CompositePicture ()
(gdb) where
#0  0x08147978 in CompositePicture ()
#1  0x08146dc8 in miTrapezoids ()
#2  0x00f82837 in _nv002361X () from /usr/lib/xorg/modules/drivers/nvidia_drv.so
#3  0x0000000c in ?? ()
#4  0x09f2aca8 in ?? ()
#5  0x09efdbd0 in ?? ()
#6  0x09e8f2f0 in ?? ()
#7  0x00000000 in ?? ()
(gdb)
```

I tried using an X11R7.3 X-server, with Composite extensions enabled... this bug did not occur when running with the X11R7.3 X-server. All our tests were done using the "nvidia" proprietary video device driver.

The problem lies in the negative (and very large) value of parameter "t" when fbRasterizeEdges() is called. The function draws outside the allocated buffer ("buf") and causes a lot of collateral damage.

The source of negative values of "t" is RenderSampleCeilY() called from fbRasterizeTrapezoid(). Something overflows and yields a negative result when it is called with a large positive value of its first parameter "y" (afaik >= 2147481463), and this happens when the client asks the server to draw a strange trapezoid very close to the edge of the coordinate space:

```
(gdb) bt 1
#0  fbRasterizeTrapezoid (pPicture=0x94d5dc8, trap=0x9509b1c, x_off=0, y_off=0) at fbtrap.c:137
(gdb) p *trap
$36 = {top = 2147483647, bottom = 2147483647, left = {p1 = {x = 0, y = 0}, p2 = {x = 0, y = 2147483647}}, right = {p1 = {x = 65536, y = 2147483647}, p2 = {x = 0, y = 2147483647}}}
(gdb) p t
$37 = -2147481464
(gdb) print RenderSampleCeilY(2147483647, 8)
$38 = -2147481464
```

(And no, this is not a duplicate of bug 455209.)

Created attachment 330662 [details]
test case

```
$ gcc trapezoid_of_death.c -lX11 -lXext -lXrender
$ DISPLAY=[the display you want to kill] ./a.out
```

(It is necessary to send two trapezoids, one with saner top/bottom, to get past a check in miTrapezoids().)
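The overflow analysed in the comment above, as an added example that is neither part of the bug report nor the X server's source: a model of the 16.16 fixed-point ceiling that RenderSampleCeilY performs for 8-bit alpha, with the carry into the integer part wrapping as the gdb session shows, beside a checked variant that refuses a coordinate whose ceiling is not representable. The macro names follow the server's N_Y_FRAC / STEP_Y_SMALL / Y_FRAC_FIRST / Y_FRAC_LAST family (N_X_FRAC appears in the first backtrace); the function names sample_ceil_y_unchecked, sample_ceil_y_checked and top_edge_in_range are this example's own. Fed the trapezoid top from the report (2147483647) the unchecked model returns -2147481464, the value gdb printed for both t and RenderSampleCeilY(2147483647, 8); the checked model rejects it, which is the check a request handler wants before the rasteriser is ever handed a negative top edge.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 16.16 fixed-point coordinates, as the X Render extension's xFixed. */
typedef int32_t xFixed;
#define xFixed1        ((xFixed) 0x10000)
#define xFixedFrac(f)  ((f) & 0xffff)
#define xFixedFloor(f) ((f) & ~0xffff)

/* Vertical sample-grid constants for n bits of alpha (n == 8 in the report).
 * Named after the N_Y_FRAC / STEP_Y_SMALL / Y_FRAC_FIRST / Y_FRAC_LAST family
 * of the fb trapezoid rasteriser; this file is an added model, not server code. */
#define N_Y_FRAC(n)      ((n) == 1 ? 1 : (1 << ((n) / 2)) - 1)           /* 15 for n == 8 */
#define STEP_Y_SMALL(n)  (xFixed1 / N_Y_FRAC(n))                         /* 4369 */
#define Y_FRAC_FIRST(n)  (STEP_Y_SMALL(n) / 2)                           /* 2184 */
#define Y_FRAC_LAST(n)   (Y_FRAC_FIRST(n) + (N_Y_FRAC(n) - 1) * STEP_Y_SMALL(n)) /* 63350 */

/* Ceiling of y to the next sample row, without a range check.  When the
 * fractional part rounds past the last sample row, a whole unit is carried
 * into the integer part.  For y near INT32_MAX that carry overflows; it is
 * written with an explicit unsigned wrap so the two's-complement result the
 * report shows (-2147481464) is produced deterministically, not via UB. */
xFixed sample_ceil_y_unchecked(xFixed y, int n)
{
    xFixed f = xFixedFrac(y);
    xFixed i = xFixedFloor(y);

    f = ((f + Y_FRAC_FIRST(n)) / STEP_Y_SMALL(n)) * STEP_Y_SMALL(n) + Y_FRAC_FIRST(n);
    if (f > Y_FRAC_LAST(n)) {
        f = Y_FRAC_FIRST(n);
        i = (xFixed) ((uint32_t) i + (uint32_t) xFixed1);  /* 0x7fff0000 -> 0x80000000 */
    }
    return i | f;
}

/* Checked variant: the carry is done in 64 bits and rejected when the
 * result does not fit the 32-bit fixed-point range, so the caller can drop
 * the request instead of handing a negative top edge to the rasteriser. */
bool sample_ceil_y_checked(xFixed y, int n, xFixed *out)
{
    xFixed  f = xFixedFrac(y);
    int64_t i = xFixedFloor(y);

    f = ((f + Y_FRAC_FIRST(n)) / STEP_Y_SMALL(n)) * STEP_Y_SMALL(n) + Y_FRAC_FIRST(n);
    if (f > Y_FRAC_LAST(n)) {
        f = Y_FRAC_FIRST(n);
        i += xFixed1;
    }
    if (i > INT32_MAX)
        return false;
    *out = (xFixed) i | f;
    return true;
}

/* Validation predicate a request handler could apply to each client-supplied
 * edge y before rasterising: true only if the ceiling is representable. */
bool top_edge_in_range(xFixed y, int n)
{
    xFixed unused;
    return sample_ceil_y_checked(y, n, &unused);
}

int main(void)
{
    /* The trapezoid top from the report's gdb session: top = 2147483647. */
    const xFixed top = 2147483647;

    printf("unchecked ceil(%d) = %d\n", (int) top, (int) sample_ceil_y_unchecked(top, 8));
    printf("top edge in range: %s\n", top_edge_in_range(top, 8) ? "yes" : "no");
    printf("unchecked ceil(1.0) = %d\n", (int) sample_ceil_y_unchecked(xFixed1, 8));
    return 0;
}
```

The defensive point is in the last step of each function: the unchecked ceiling silently turns the largest legal coordinate into the most negative one, and fbRasterizeEdges then starts writing stride-many bytes per row before the start of buf. Checking the carry once, at the boundary where client coordinates enter the rasteriser, is cheaper than trying to bound every write inside it.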
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Fixing component.

Built as xorg-x11-server-1.1.1-48.53.el5

MODIFIED

Fix verified using the 20090608.2 tree.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1373.html