Bug 455359

Summary: Firefox crashes X-Server - blows out to login prompt
Product: Red Hat Enterprise Linux 5
Reporter: Charles Houp <moon>
Component: xorg-x11-server
Assignee: Dave Airlie <airlied>
Status: CLOSED ERRATA
QA Contact: desktop-bugs <desktop-bugs>
Severity: high
Priority: low
Version: 5.2
CC: airlied, amyagi, bforte, cmeadors, gecko-bugs-nobody, lihuang, pasteur, philip.r.schaffner, ralph, rodrigue, tao, tim.verhoeven.be, xgl-maint, yzhou
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Doc Text:
* when certain values for trapezoidal data were passed to the X server by Firefox, X would crash. Therefore, if the user visited a html document that contained such data, X would attempt to render it, crash, and leave the user at the login prompt. This update for X corrects this behavior, and is able to handle these values without crashing.
Clone Of:
: 492561
Last Closed: 2009-01-20 21:29:32 UTC
Bug Blocks: 492561
Attachments:
Description | Flags
dmesg | none
xorg.conf | none
Xorg.0.log | none
Xorg.0.log.old | none
Xorg.0.log with ATI driver. It doesn't start. | none

Description Charles Houp 2008-07-15 02:47:11 UTC
Description of problem:
Access to certain web pages by firefox causes system to blowout to login prompt,
this web link specifically causes problem every time:
http://ubuntuguide.org/wiki/Ubuntu:Gutsy

Version-Release number of selected component (if applicable):
firefox 3.

How reproducible:
go to this web link: http://ubuntuguide.org/wiki/Ubuntu:Gutsy


Steps to Reproduce:
1. Open firefox
2. Input http://ubuntuguide.org/wiki/Ubuntu:Gutsy into address
3. Press enter
  
Actual results:
blows out to login prompt

Expected results:
access the web link entered 

Additional info:

Comment 1 Akemi Yagi 2008-07-15 03:40:41 UTC
Just adding another example URL that causes the X session to crash.  Seems to
happen even with Firefox3 downloaded from the mozilla site.

http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Booklet


Comment 2 Tim Verhoeven 2008-07-15 09:07:28 UTC
In my testing I have only seen this happen on x86_64 systems; I have had no
crashes on i686. I've tested with both 32-bit and 64-bit firefox on x86_64 and
both have the issue.

Comment 3 Martin Stransky 2008-07-15 10:23:44 UTC
I can reproduce it reliably on RHEL-5.2 / x86_64.
But works fine in F9, seems to be RHEL-5 specific.

Comment 4 Martin Stransky 2008-07-15 10:30:10 UTC
Works fine inside RHEL-5.2 / x86_64 / VNC session....

Comment 5 Martin Stransky 2008-07-15 10:43:57 UTC
/var/log/messages:

Jul 15 12:42:47 dhcp-lab-122 kernel: Xorg[3446]: segfault at 000000ff67b4eb0f rip 0000003667871ce6 rsp 00007fffbc20fa70 error 6
Jul 15 12:42:47 dhcp-lab-122 gconfd (komat-3580): Received signal 15, shutting down cleanly
Jul 15 12:42:47 dhcp-lab-122 gconfd (komat-3580): Exiting
Jul 15 12:42:49 dhcp-lab-122 kernel: mtrr: type mismatch for c0000000,1000000 old: write-back new: write-combining


Comment 6 Martin Stransky 2008-07-15 10:47:23 UTC
From Xorg.0.log.old:

Backtrace:
0: /usr/bin/Xorg(xf86SigHandler+0x71) [0x4a1021]
1: /lib64/libc.so.6 [0x36678301b0]
2: /usr/bin/Xorg(CompositePicture+0x73) [0x4fd833]
3: /usr/bin/Xorg(miTrapezoids+0x239) [0x4fcd99]
4: /usr/bin/Xorg [0x513a80]
5: /usr/bin/Xorg [0x5041c4]
6: /usr/bin/Xorg(Dispatch+0x1ca) [0x449c9a]
7: /usr/bin/Xorg(main+0x44e) [0x4325ee]
8: /lib64/libc.so.6(__libc_start_main+0xf4) [0x366781d8b4]
9: /usr/bin/Xorg(FontFileCompleteXLFD+0x231) [0x4318c9]

Fatal server error:
Caught signal 11.  Server aborting
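
A triage sketch for the two artifacts in comments 5 and 6, added here as an example and not part of the original report or of the X.Org code: it decodes the page-fault error code from the kernel segfault line and extracts the symbolized frames between the signal handler and Dispatch. The regular expressions assume the RHEL 5 era x86_64 log formats quoted in those comments; the function names are hypothetical.

```python
import re

# Kernel line from comment 5 (re-joined) and backtrace from comment 6.
KERNEL_LINE = ("Jul 15 12:42:47 dhcp-lab-122 kernel: Xorg[3446]: segfault at "
               "000000ff67b4eb0f rip 0000003667871ce6 rsp 00007fffbc20fa70 error 6")
BACKTRACE = """\
0: /usr/bin/Xorg(xf86SigHandler+0x71) [0x4a1021]
1: /lib64/libc.so.6 [0x36678301b0]
2: /usr/bin/Xorg(CompositePicture+0x73) [0x4fd833]
3: /usr/bin/Xorg(miTrapezoids+0x239) [0x4fcd99]
4: /usr/bin/Xorg [0x513a80]
5: /usr/bin/Xorg [0x5041c4]
6: /usr/bin/Xorg(Dispatch+0x1ca) [0x449c9a]
"""

SEGV_RE = re.compile(r"kernel: (\S+)\[(\d+)\]: segfault at ([0-9a-f]+) "
                     r"rip ([0-9a-f]+) rsp ([0-9a-f]+) error ([0-9a-f]+)")
FRAME_RE = re.compile(r"^(\d+): (\S+?)(?:\((\w+)\+0x[0-9a-f]+\))? \[0x[0-9a-f]+\]$")
# x86 page-fault error-code bits: (mask, meaning if set, meaning if clear)
PF_BITS = [(0x1, "protection violation", "page not present"),
           (0x2, "write", "read"),
           (0x4, "user mode", "kernel mode")]


def decode_segfault(line):
    """Parse a kernel segfault line; None if the line is not one."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    err = int(m.group(6), 16)  # the kernel prints the error code in hex
    return {"comm": m.group(1), "pid": int(m.group(2)),
            "fault_addr": int(m.group(3), 16), "rip": int(m.group(4), 16),
            "access": [on if err & bit else off for bit, on, off in PF_BITS]}


def crash_path(backtrace):
    """Symbols between the signal handler and Dispatch: the request-handling
    code that was running on client-supplied data when the server faulted."""
    path = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m or not m.group(3):
            continue  # unsymbolized frame, no function name to report
        if m.group(3) == "Dispatch":
            break
        if m.group(3) != "xf86SigHandler":
            path.append(m.group(3))
    return path


if __name__ == "__main__":
    print(decode_segfault(KERNEL_LINE))
    print(crash_path(BACKTRACE))
```

Error 6 decodes to a user-mode write to a page that is not mapped, and the extracted path shows the fault was reached through the trapezoid rendering code that serves client requests.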


Comment 7 Martin Stransky 2008-07-15 10:48:12 UTC
Created attachment 311800
dmesg

Comment 8 Martin Stransky 2008-07-15 10:48:32 UTC
Created attachment 311801
xorg.conf

Comment 9 Martin Stransky 2008-07-15 10:48:51 UTC
Created attachment 311802
Xorg.0.log

Comment 10 Martin Stransky 2008-07-15 10:49:12 UTC
Created attachment 311803
Xorg.0.log.old

Comment 11 Martin Stransky 2008-07-15 11:01:11 UTC
[root@dhcp-lab-122 ~]# lspci
00:00.0 Host bridge: Intel Corporation 5000X Chipset Memory Controller Hub (rev 12)
00:02.0 PCI bridge: Intel Corporation 5000 Series Chipset PCI Express x4 Port 2 (rev 12)
00:03.0 PCI bridge: Intel Corporation 5000 Series Chipset PCI Express x4 Port 3 (rev 12)
00:04.0 PCI bridge: Intel Corporation 5000X Chipset PCI Express x16 Port 4-7 (rev 12)
00:05.0 PCI bridge: Intel Corporation 5000 Series Chipset PCI Express x4 Port 5 (rev 12)
00:06.0 PCI bridge: Intel Corporation 5000 Series Chipset PCI Express x4 Port 6 (rev 12)
00:07.0 PCI bridge: Intel Corporation 5000 Series Chipset PCI Express x4 Port 7 (rev 12)
00:10.0 Host bridge: Intel Corporation 5000 Series Chipset FSB Registers (rev 12)
00:10.1 Host bridge: Intel Corporation 5000 Series Chipset FSB Registers (rev 12)
00:10.2 Host bridge: Intel Corporation 5000 Series Chipset FSB Registers (rev 12)
00:11.0 Host bridge: Intel Corporation 5000 Series Chipset Reserved Registers (rev 12)
00:13.0 Host bridge: Intel Corporation 5000 Series Chipset Reserved Registers (rev 12)
00:15.0 Host bridge: Intel Corporation 5000 Series Chipset FBD Registers (rev 12)
00:16.0 Host bridge: Intel Corporation 5000 Series Chipset FBD Registers (rev 12)
00:1b.0 Audio device: Intel Corporation 631xESB/632xESB High Definition Audio Controller (rev 09)
00:1c.0 PCI bridge: Intel Corporation 631xESB/632xESB/3100 Chipset PCI Express Root Port 1 (rev 09)
00:1d.0 USB Controller: Intel Corporation 631xESB/632xESB/3100 Chipset UHCI USB Controller #1 (rev 09)
00:1d.1 USB Controller: Intel Corporation 631xESB/632xESB/3100 Chipset UHCI USB Controller #2 (rev 09)
00:1d.2 USB Controller: Intel Corporation 631xESB/632xESB/3100 Chipset UHCI USB Controller #3 (rev 09)
00:1d.3 USB Controller: Intel Corporation 631xESB/632xESB/3100 Chipset UHCI USB Controller #4 (rev 09)
00:1d.7 USB Controller: Intel Corporation 631xESB/632xESB/3100 Chipset EHCI USB2 Controller (rev 09)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev d9)
00:1f.0 ISA bridge: Intel Corporation 631xESB/632xESB/3100 Chipset LPC Interface Controller (rev 09)
00:1f.1 IDE interface: Intel Corporation 631xESB/632xESB IDE Controller (rev 09)
00:1f.2 SATA controller: Intel Corporation 631xESB/632xESB SATA AHCI Controller (rev 09)
00:1f.3 SMBus: Intel Corporation 631xESB/632xESB/3100 Chipset SMBus Controller (rev 09)
01:00.0 PCI bridge: Intel Corporation 6311ESB/6321ESB PCI Express Upstream Port (rev 01)
01:00.3 PCI bridge: Intel Corporation 6311ESB/6321ESB PCI Express to PCI-X Bridge (rev 01)
02:00.0 PCI bridge: Intel Corporation 6311ESB/6321ESB PCI Express Downstream Port E1 (rev 01)
02:01.0 PCI bridge: Intel Corporation 6311ESB/6321ESB PCI Express Downstream Port E2 (rev 01)
07:00.0 VGA compatible controller: ATI Technologies Inc RV516 [Radeon X1300/X1550 Series]
07:00.1 Display controller: ATI Technologies Inc RV516 [Radeon X1300 Pro] (Secondary)
0b:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)


Comment 12 Martin Stransky 2008-07-15 11:03:21 UTC
Created attachment 311805
Xorg.0.log with ATI driver. It doesn't start.

Comment 13 Brian Forte 2008-09-19 04:14:21 UTC
I've been able to reproduce this behaviour on three x86-based ThinkPads: models T43, T60 and T61, all running RHEL 5.2.

The behaviour presents in both RHEL 5.2 CSB (running Firefox 3.0b5) and generic RHEL 5.2 (running Firefox 3.0.1).

The behaviour does not present if Konqueror 3.5.4-18 is used to load the URL.

The behaviour does not present in Fedora 9, regardless of the browser used to load the URL.

Also, add the following URL to the list of 'crashes X' URLs: <http://fedoraguide.info/index.php?title=Main_Page>. At the risk of stating the obvious, all three URLs noted as causing the behaviour are running MediaWiki.

Comment 14 Cameron Meadors 2008-09-19 12:41:51 UTC
I have a T60 with RHEL 5.2 x86.  This crash is very reproducible.  Hard to qualify, but this may be a regression.  I am sure at least one person viewed one of these URLs before.  Maybe it never worked.

Comment 15 Cameron Meadors 2008-09-19 12:44:18 UTC
I just realized that this is filed against the vesa driver, but I am using the "intel" driver.

Comment 16 RHEL Program Management 2008-09-19 12:51:15 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 17 Phil Schaffner 2008-09-22 15:37:57 UTC
Experiencing this problem with the "nv" driver as well, so it seems to be more general than the component indicates.  Yet another MediaWiki site that triggers the problem is

http://wiki.osx86project.org/wiki/index.php/HCL_10.5.2

Comment 20 RHEL Program Management 2008-09-23 14:15:31 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 22 Dave Airlie 2008-09-23 20:47:46 UTC
MODIFIED

xorg-x11-server-1.1.1-48.49.el5

built in brew.

Comment 25 Matěj Cepl 2008-09-24 16:20:02 UTC
RHEL4 version of this bug is bug 463137

Comment 26 Yolkfull Chow 2008-12-11 07:01:38 UTC
For this bug on rhel5-x86_64 package *firefox-3.0.5-1.el5_2*, cannot login
(stopping at black screen) after system logout. On rhel5-i386, system will
logout as well, but can re-login.

Comment 27 Yolkfull Chow 2008-12-11 07:03:04 UTC
*** Bug 475937 has been marked as a duplicate of this bug. ***

Comment 29 Ruediger Landmann 2009-01-08 00:44:02 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
* when certain values for trapezoidal data were passed to the X server by Firefox, X would crash. Therefore, if the user visited a html document that contained such data, X would attempt to render it, crash, and leave the user at the login prompt. This update for X corrects this behavior, and is able to handle these values without crashing.

Comment 30 errata-xmlrpc 2009-01-20 21:29:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0162.html

Comment 32 lihuang 2009-03-27 10:39:49 UTC
On my RHEL 5.3 x86_64 OS, the given page still crashes the VNC connection:

bt log:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000068f98c in ValidateOnePicture (pPicture=0x2cccad0) at picture.c:1596
1596        if (pPicture->pDrawable && pPicture->serialNumber != pPicture->pDrawable->serialNumber)
(gdb) bt
#0  0x000000000068f98c in ValidateOnePicture (pPicture=0x2cccad0)
    at picture.c:1596
#1  0x000000000068f9d9 in ValidatePicture (pPicture=0x2cccad0)
    at picture.c:1609
#2  0x000000000068fa96 in CompositePicture (op=12 '\f', pSrc=0x2cccad0, 
    pMask=0x2d26fa0, pDst=0x2c26fd0, xSrc=0, ySrc=0, xMask=0, yMask=0, xDst=0, 
    yDst=0, width=1, height=1) at picture.c:1780
#3  0x000000000068efd9 in miTrapezoids (op=12 '\f', pSrc=0x2cccad0, 
    pDst=0x2c26fd0, maskFormat=<value optimized out>, xSrc=0, ySrc=0, ntrap=0, 
    traps=0x3003300) at mitrap.c:175
#4  0x00000000006963b4 in ProcRenderTrapezoids (client=0x2c43b20)
    at render.c:820
#5  0x0000000000431eda in Dispatch () at dispatch.c:459
#6  0x00000000004424c5 in main (argc=19, argv=0x7fff836cac98, 
    envp=<value optimized out>) at main.c:447
(gdb) q
The program is running.  Quit anyway (and detach it)? (y or n) y
LND: Sending signal 11 to process 4344
Detaching from program: /usr/bin/Xvnc, process 4344




[root@dhcp-65-4 ~]# uname -a
Linux dhcp-65-4.nay.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

[root@dhcp-65-4 ~]# rpm -qa | grep xorg-x11-server
xorg-x11-server-utils-7.1-4.fc6
xorg-x11-server-Xnest-1.1.1-48.52.el5
xorg-x11-server-debuginfo-1.1.1-48.52.el5
xorg-x11-server-Xvnc-source-1.1.1-48.52.el5
xorg-x11-server-sdk-1.1.1-48.52.el5
xorg-x11-server-Xvfb-1.1.1-48.52.el5
xorg-x11-server-randr-source-1.1.1-48.52.el5
xorg-x11-server-Xephyr-1.1.1-48.52.el5
xorg-x11-server-Xdmx-1.1.1-48.52.el5
xorg-x11-server-Xorg-1.1.1-48.52.el5

Comment 33 lihuang 2009-03-27 10:42:16 UTC
I have no permission to reopen this bug. could someone help me ?  Thanks

Comment 34 Matěj Cepl 2009-03-30 10:59:06 UTC
(In reply to comment #33)
> I have no permission to reopen this bug. could someone help me ?  Thanks  

Please file a new bug against component vnc (which is where the crash happens) and attach the information from comment 32.

Thank you

Comment 35 Matěj Cepl 2010-08-17 21:11:04 UTC
*** Bug 618976 has been marked as a duplicate of this bug. ***