Bug 530630

Summary: Random NULL dereference in damageDestroyClip
Product: [Fedora] Fedora
Reporter: Jan Kratochvil <jan.kratochvil>
Component: xorg-x11-server
Assignee: Adam Jackson <ajax>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 12
CC: mcepl, xgl-maint
Target Milestone: ---
Keywords: EasyFix, Reopened, Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-25 21:38:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 432388
Attachments:
  /var/log/Xorg.0.log.old (flags: none)

Description Jan Kratochvil 2009-10-23 21:13:35 UTC
Created attachment 365892 [details]
/var/log/Xorg.0.log.old

Description of problem:
Just randomly crashed.

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg-1.7.0-1.fc12.x86_64

How reproducible:
Happened just once.

Steps to Reproduce:
1. Nothing specific.

Actual results:
#6  <signal handler called>
#7  0x00000000004d081a in damageDestroyClip (pGC=0x2e05c60) at damage.c:567
#8  0x000000000043f989 in FreeGC (value=0x2e05c60, gid=<value optimized out>) at gc.c:878
#9  0x00000000004493c0 in FreeResource (id=20971821, skipDeleteFuncType=0) at resource.c:562
#10 0x000000000042a15b in ProcFreeGC (client=0x1c6b380) at dispatch.c:1672
#11 0x000000000042c60c in Dispatch () at dispatch.c:445
#12 0x0000000000421c9a in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at main.c:285

Expected results:
No crash.

Additional info:
(gdb) info threads 
* 1 Thread 2306  0x0000003a3c633575 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
[...]
(gdb) l
562	
563	static void
564	damageDestroyClip(GCPtr pGC)
565	{
566	    DAMAGE_GC_FUNC_PROLOGUE (pGC);
567	    (* pGC->funcs->DestroyClip)(pGC);
568	    DAMAGE_GC_FUNC_EPILOGUE (pGC);
569	}
570	
571	#define TRIM_BOX(box, pGC) if (pGC->pCompositeClip) { \
(gdb) p pGC
$1 = (struct _GC *) 0x2e05c60
(gdb) p pGC->funcs
$2 = (GCFuncs *) 0x0

Comment 1 Matěj Cepl 2009-10-26 16:06:22 UTC
Backtrace:
0: /usr/bin/Xorg-orig (xorg_backtrace+0x28) [0x49e758]
1: /usr/bin/Xorg-orig (0x400000+0x619a9) [0x4619a9]
2: /lib64/libpthread.so.0 (0x3a3d200000+0xf320) [0x3a3d20f320]
3: /usr/bin/Xorg-orig (0x400000+0xd081a) [0x4d081a]
4: /usr/bin/Xorg-orig (FreeGC+0x19) [0x43f989]
5: /usr/bin/Xorg-orig (FreeResource+0x140) [0x4493c0]
6: /usr/bin/Xorg-orig (0x400000+0x2a15b) [0x42a15b]
7: /usr/bin/Xorg-orig (0x400000+0x2c60c) [0x42c60c]
8: /usr/bin/Xorg-orig (0x400000+0x21c9a) [0x421c9a]
9: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3a3c61eb4d]
10: /usr/bin/Xorg-orig (0x400000+0x21849) [0x421849]
Segmentation fault at address 0x28

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting


Please consult the The X.Org Foundation support 
	 at http://bodhi.fedoraproject.org/
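Added example, not code from the bug report or from xorg-server: a simplified model of the damage extension's GC funcs wrapping, so the two pieces of evidence above can be checked against each other. The gdb session in the description shows pGC->funcs == NULL at damage.c:567, and the backtrace in comment 1 reports a fault at address 0x28. If GCFuncs has the member order of xorg-server's gcstruct.h (ValidateGC, ChangeGC, CopyGC, DestroyGC, ChangeClip, DestroyClip, CopyClip), DestroyClip is the sixth pointer, so fetching it through a NULL table on x86_64 reads address 5 * 8 = 0x28, which is exactly the fault address logged. The struct layout, the DamageGCPrivRec stand-in, wrap_funcs/unwrap_funcs and the scenario functions are assumptions made for the model; the checked variant of damageDestroyClip shows what a defensive check at that line would do instead of crashing. Nothing here identifies how the GC reached that state; the report does not say, and comment 6 says the maintainer found no path to it.

```c
#include <stddef.h>
#include <stdio.h>

struct _GC;
typedef struct _GC *GCPtr;

/* Member order assumed to mirror xorg-server's gcstruct.h GCFuncs. */
typedef struct {
    void (*ValidateGC)(GCPtr);
    void (*ChangeGC)(GCPtr);
    void (*CopyGC)(GCPtr);
    void (*DestroyGC)(GCPtr);
    void (*ChangeClip)(GCPtr);
    void (*DestroyClip)(GCPtr);
    void (*CopyClip)(GCPtr);
} GCFuncs;

/* Hypothetical stand-in for the damage extension's per-GC private record. */
typedef struct {
    const GCFuncs *funcs;
} DamageGCPrivRec;

struct _GC {
    const GCFuncs *funcs;
    DamageGCPrivRec *damagePriv;   /* stand-in for the devPrivates lookup */
    int destroyClipCalls;
};

/* Address a NULL funcs table faults at when DestroyClip is fetched. */
size_t null_funcs_destroyclip_fault_address(void)
{
    return offsetof(GCFuncs, DestroyClip);   /* 5 pointers in: 0x28 on LP64 */
}

static void damageDestroyClipModel(GCPtr pGC);
static void noop(GCPtr pGC) { (void)pGC; }
static void realDestroyClip(GCPtr pGC) { pGC->destroyClipCalls++; }

static const GCFuncs realFuncs   = { noop, noop, noop, noop, noop, realDestroyClip, noop };
static const GCFuncs damageFuncs = { noop, noop, noop, noop, noop, damageDestroyClipModel, noop };

/* wrap()/unwrap() in the style of damage.c: wrap saves the current table in
 * the private and installs the extension's; unwrap copies the saved one back. */
static void wrap_funcs(GCPtr pGC)
{
    pGC->damagePriv->funcs = pGC->funcs;
    pGC->funcs = &damageFuncs;
}

static void unwrap_funcs(GCPtr pGC)
{
    pGC->funcs = pGC->damagePriv->funcs;
}

/* damageDestroyClip with the check the reported crash lacked: after the
 * prologue's unwrap, refuse to call through a NULL table.
 * Returns 0 on success, -1 when the saved table was NULL. */
int damageDestroyClipChecked(GCPtr pGC)
{
    unwrap_funcs(pGC);                       /* DAMAGE_GC_FUNC_PROLOGUE */
    if (pGC->funcs == NULL) {
        fprintf(stderr, "damageDestroyClip: GC %p: funcs is NULL after unwrap, "
                "DestroyClip would fault at %#zx\n",
                (void *)pGC, null_funcs_destroyclip_fault_address());
        return -1;
    }
    (*pGC->funcs->DestroyClip)(pGC);         /* damage.c:567 in the report */
    wrap_funcs(pGC);                         /* DAMAGE_GC_FUNC_EPILOGUE */
    return 0;
}

static void damageDestroyClipModel(GCPtr pGC) { (void)damageDestroyClipChecked(pGC); }

/* A GC wrapped once by the extension: the call reaches the real table and
 * the wrapper is reinstalled afterwards. Returns 0 if both hold. */
int scenario_wrapped_gc(void)
{
    DamageGCPrivRec priv = { NULL };
    struct _GC gc = { &realFuncs, &priv, 0 };
    wrap_funcs(&gc);                          /* what the CreateGC wrapper does */
    gc.funcs->DestroyClip(&gc);               /* what FreeGC does */
    return (gc.destroyClipCalls == 1 && gc.funcs == &damageFuncs) ? 0 : 1;
}

/* Constructed state matching the report's gdb output (funcs becomes NULL
 * inside damageDestroyClip); the report does not say how it arises. */
int scenario_null_saved_table(void)
{
    DamageGCPrivRec priv = { NULL };          /* nothing was ever saved */
    struct _GC gc = { &damageFuncs, &priv, 0 };
    return damageDestroyClipChecked(&gc);     /* -1 instead of SIGSEGV */
}

int main(void)
{
    printf("NULL funcs -> DestroyClip faults at %#zx\n",
           null_funcs_destroyclip_fault_address());
    printf("wrapped GC: %d, NULL saved table: %d\n",
           scenario_wrapped_gc(), scenario_null_saved_table());
    return 0;
}
```

The useful takeaway for triage is the cross-check: a "Segmentation fault at address" value that equals the offset of the member being dereferenced (here offsetof(GCFuncs, DestroyClip)) is the signature of a NULL base pointer, not of a wild or freed one, which agrees with the gdb output rather than suggesting a use-after-free of the GC itself.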

Comment 2 Matěj Cepl 2009-11-05 17:18:56 UTC
Since this bugzilla report was filed, there have been several major updates in various components of the Xorg system, which may have resolved this issue. Users who have experienced this problem are encouraged to upgrade their system to the latest version of their packages (at least F12 Beta, but ideally the very latest versions).

Please, if you experience this problem on an up-to-date system, let us know in a comment on this bug, or tell us whether the upgraded system works for you.

If you are unable to reply within one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.

[This is a bulk message for all open Fedora Rawhide Xorg-related bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]

Comment 3 Jan Kratochvil 2009-11-06 16:19:32 UTC
It was never reproducible, I do not know.

Someone should verify the sources but ... hmm.

Comment 4 Matěj Cepl 2009-11-08 10:35:04 UTC
(In reply to comment #3)
> It was never reproducible, I do not know.
> 
> Someone should verify the sources but ... hmm.  

I think we should.

Comment 5 Bug Zapper 2009-11-16 14:08:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Adam Jackson 2010-10-25 21:38:26 UTC
I don't see any way this can happen (in the F14 version of the X server).  Reopen if you hit it again I guess?  Not a satisfying answer but it's all I've got.