Bug 467370 - sr#1841218/ Xvfb segfaults on fbBlt/memcpy
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xorg-x11-server
Version: 5.4
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Adam Jackson
QA Contact: desktop-bugs@redhat.com
Keywords: OtherQA
Blocks: 508923
Reported: 2008-10-17 03:35 EDT by ritz
Modified: 2010-10-28 10:02 EDT
Doc Type: Bug Fix
Clones: 508923
Last Closed: 2009-09-02 07:42:35 EDT
Attachments: None

Description ritz 2008-10-17 03:35:57 EDT
Description of problem:
Xvfb segfaults when run with IDV (http://www.unidata.ucar.edu/software/idv/).

Version-Release number of selected component (if applicable):
xorg-x11-server-Xvfb-1.1.1-48.41.el5_2.1

How reproducible:
always on x86_64

Steps to Reproduce:
1) Download ftp://ftp.unidata.ucar.edu/pub/idv/2_5/idv_2_5_linux-i386_installer.sh and run the installer choosing the defaults
2) Start an Xvfb display:

   # /usr/bin/Xvfb :3 -screen 3 1280x1024x24 -fbdir /var/tmp

3) Download ~/kpit.isl and ~/bundles/kpit.xidv
4) Run the application in the Xvfb display:

   # export DISPLAY=:3.3
   # mkdir ~/images
   # cp /usr/share/pixmaps/gnome-cromagnon.png ~/images/kpit_thumb.png
   # cp /usr/share/backgrounds/tiles/only_k.jpg ~/logo.jpg
   # ~/IDV_2.5/runIDV ~/kpit.isl

  
Actual results:
segv

Expected results:
no segv

Additional info:

looks very similar to - https://bugs.freedesktop.org/show_bug.cgi?id=16758


(gdb) bt
#0  0x0000003b77477aa0 in memcpy () from /lib64/libc.so.6
#1  0x000000000045d296 in fbBlt (srcLine=<value optimized out>, srcStride=<value optimized out>, srcX=<value optimized out>, dstLine=<value optimized out>, dstStride=1, dstX=dwarf2_read_address: Corrupted DWARF expression.
)
   at /usr/include/bits/string3.h:51
#2  0x000000000045d780 in fbBltStip (src=0x7fff3f732cd0, srcStride=-1422343604, srcX=4, dst=0x4, dstStride=4, dstX=0, width=32, height=1, alu=3, pm=4294967295, bpp=32)
   at fbblt.c:950
#3  0x000000000046b4d4 in fbGetImage (pDrawable=<value optimized out>, x=107, y=1025, w=32, h=1, format=2, planeMask=18446744073709551615, d=0x7fff3f732cd0 "") at fbimage.c:331
#4  0x000000000048598e in miBSGetImage (pDrawable=0x17b1c030, sx=29, sy=891, w=1, h=1, format=2, planemask=18446744073709551615, pdstLine=0x7fff3f732cd0 "") at mibstore.c:617
#5  0x00000000006aa149 in cwGetImage (pSrc=<value optimized out>, x=29, y=891, w=1, h=1, format=2, planemask=18446744073709551615, pdstLine=0x7fff3f732cd0 "") at cw.c:357
#6  0x000000000049374c in miSpriteGetImage (pDrawable=0x17b1c030, sx=29, sy=891, w=1, h=1, format=2, planemask=18446744073709551615, pdstLine=0x7fff3f732cd0 "")
   at misprite.c:301
#7  0x000000000064c408 in read_pixel (dpy=0x7fff3f732cd0, d=0x7fff3f732cd0, x=-1422343604, y=4) at xm_span.c:117
#8  0x000000000064d676 in get_values_rgba (ctx=<value optimized out>, rb=0x17b0f950, n=1, x=0x1748c290, y=0x17490290, values=0x0) at xm_span.c:4341
#9  0x00000000005c1579 in _swrast_blend_span (ctx=0x17442440, rb=0x2aaaab38c24c, span=0x7fff3f73afb0, rgba=0x17480290) at s_blend.c:861
#10 0x00000000005bb026 in _swrast_write_rgba_span (ctx=0x17442440, span=0x7fff3f73afb0) at s_span.c:1365
#11 0x00000000005d727e in general_rgba_line (ctx=0x17442440, vert0=<value optimized out>, vert1=0x4) at s_linetemp.h:430
#12 0x00000000005fce1a in clip_render_line_strip_verts (ctx=0x17442440, start=785, count=848, flags=<value optimized out>) at t_vb_rendertmp.h:107
#13 0x0000000000600cda in run_render (ctx=0x17442440, stage=<value optimized out>) at t_vb_render.c:320
#14 0x000000000060556b in _tnl_run_pipeline (ctx=0x17442440) at t_pipeline.c:159
#15 0x0000000000687ed4 in _tnl_playback_vertex_list (ctx=0x17442440, data=<value optimized out>) at t_save_playback.c:209
#16 0x0000000000525687 in execute_list (ctx=0x17442440, list=<value optimized out>) at dlist.c:5783
#17 0x0000000000528097 in _mesa_CallList (list=1) at dlist.c:6875
#18 0x00000000004d0727 in __glXRender (cl=<value optimized out>, pc=<value optimized out>) at glxcmds.c:1739
#19 0x00000000004ce938 in __glXDispatch (client=<value optimized out>) at glxext.c:522
#20 0x000000000042ecda in Dispatch () at dispatch.c:459
#21 0x000000000043f87e in main (argc=7, argv=0x7fff3f73c0e8, envp=<value optimized out>) at main.c:447
#22 0x0000003b7741d8a4 in __libc_start_main (main=0x43f430 <main>, argc=7, ubp_av=0x7fff3f73c0e8, init=<value optimized out>, fini=<value optimized out>,
   rtld_fini=<value optimized out>, stack_end=0x7fff3f73c0d8) at libc-start.c:231
#23 0x000000000041e679 in _start ()

------------------------------------------------------------------------------

(gdb) bt full
#0  0x0000003b77477aa0 in memcpy () from /lib64/libc.so.6
mallstream = (FILE *) 0x0
tr_old_memalign_hook = (void *(*)(size_t, size_t, const void *)) 0
tr_old_malloc_hook = (void *(*)(size_t, const void *)) 0
tr_old_realloc_hook = (void *(*)(void *, size_t, const void *)) 0
lock = 0
mallenv = "MALLOC_TRACE"
malloc_trace_buffer = 0x0
tr_old_free_hook = (void (*)(void *, const void *)) 0
mallwatch = (void *) 0x0
#1  0x000000000045d296 in fbBlt (srcLine=<value optimized out>, srcStride=<value optimized out>, srcX=<value optimized out>, dstLine=<value optimized out>, dstStride=1, dstX=dwarf2_read_address: Corrupted DWARF expression.
)
   at /usr/include/bits/string3.h:51
i = 1
src = (CARD8 *) 0x2aaaab38c24c <Address 0x2aaaab38c24c out of bounds>
dst = (CARD8 *) 0x7fff3f732cd0 ""
src = <value optimized out>
dst = <value optimized out>
leftShift = <value optimized out>
rightShift = <value optimized out>
startmask = <value optimized out>
endmask = <value optimized out>
bits = <value optimized out>
bits1 = <value optimized out>
nmiddle = <value optimized out>
destInvarient = <value optimized out>
startbyte = <value optimized out>
endbyte = <value optimized out>
_ca1 = <value optimized out>
_cx1 = <value optimized out>
_ca2 = <value optimized out>
_cx2 = <value optimized out>
#2  0x000000000045d780 in fbBltStip (src=0x7fff3f732cd0, srcStride=-1422343604, srcX=4, dst=0x4, dstStride=4, dstX=0, width=32, height=1, alu=3, pm=4294967295, bpp=32)
   at fbblt.c:950
No locals.
#3  0x000000000046b4d4 in fbGetImage (pDrawable=<value optimized out>, x=107, y=1025, w=32, h=1, format=2, planeMask=18446744073709551615, d=0x7fff3f732cd0 "") at fbimage.c:331
pm = 4294967295
src = (FbBits *) 0x2aaaaae8aca0
srcStride = 1280
srcBpp = 32
srcXoff = 0
srcYoff = 0
dst = (FbStip *) 0x4
dstStride = 4
#4  0x000000000048598e in miBSGetImage (pDrawable=0x17b1c030, sx=29, sy=891, w=1, h=1, format=2, planemask=18446744073709551615, pdstLine=0x7fff3f732cd0 "") at mibstore.c:617
subWindowMode = 0
x = <value optimized out>
y = <value optimized out>
pPixmap = (PixmapPtr) 0x0
Border = {extents = {x1 = 19018, y1 = -182, x2 = 31611, y2 = -133}, data = 0xff000000ff000000}
pBox = <value optimized out>
pSrcWin = <value optimized out>
xoff = 2
n = <value optimized out>
pGC = (GCPtr) 0x0
pWin = <value optimized out>
yoff = 1
Remaining = {extents = {x1 = 107, y1 = 1025, x2 = 108, y2 = 1026}, data = 0x0}
Inside = {extents = {x1 = 18761, y1 = -183, x2 = 19275, y2 = -181}, data = 0xff464646ff4a4a4a}
pScreen = (ScreenPtr) 0x172e03c0
bounds = {x1 = 29, y1 = 891, x2 = 30, y2 = 892}
depth = 24 '\030'
#5  0x00000000006aa149 in cwGetImage (pSrc=<value optimized out>, x=29, y=891, w=1, h=1, format=2, planemask=18446744073709551615, pdstLine=0x7fff3f732cd0 "") at cw.c:357
pScreen = (ScreenPtr) 0x172e03c0
pBackingDrawable = (DrawablePtr) 0x7fff3f732cd0
src_off_x = 0
src_off_y = 0
#6  0x000000000049374c in miSpriteGetImage (pDrawable=0x17b1c030, sx=29, sy=891, w=1, h=1, format=2, planemask=18446744073709551615, pdstLine=0x7fff3f732cd0 "")
   at misprite.c:301
pScreen = (ScreenPtr) 0x172e03c0
#7  0x000000000064c408 in read_pixel (dpy=0x7fff3f732cd0, d=0x7fff3f732cd0, x=-1422343604, y=4) at xm_span.c:117
p = 0
#8  0x000000000064d676 in get_values_rgba (ctx=<value optimized out>, rb=0x17b0f950, n=1, x=0x1748c290, y=0x17490290, values=0x0) at xm_span.c:4341
p = <value optimized out>
rgba = (GLubyte (*)[4]) 0x7fff3f732df0
dpy = (XMesaDisplay *) 0x172e03c0
source = <value optimized out>
Comment 2 Matěj Cepl 2008-11-11 11:32:39 EST
Thanks for the bug report.  We have reviewed the information you have provided above, and there is some additional information we require that will be helpful in our diagnosis of this issue.

Please attach your X server config file (/etc/X11/xorg.conf) and X server log file (/var/log/Xorg.*.log) to the bug report as individual uncompressed file attachments using the bugzilla file attachment link below.

We will review this issue again once you've had a chance to attach this information.

Thanks in advance.
Comment 7 RHEL Product and Program Management 2009-03-11 14:38:46 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Comment 8 Issue Tracker 2009-03-23 13:58:39 EDT
I was digging this up further, seems to be weird

as seen


#7  0x0000000000672568 in read_pixel (dpy=0x3, d=0x7fff4b0c0220,
x=1613476428, y=4) at xm_span.c:117
#8  0x00000000006737d6 in get_values_rgba (ctx=<value optimized out>,
rb=0x168fdb90, n=1, x=0x167663d0, y=0x1676a3d0, values=0x0) at
xm_span.c:4341

--------------------------

from inspecting var values, we know

from frame #8 ( get_values_rgba )

(gdb) p n
$15 = 1

(gdb) p x[0] // 0x167663d0
$16 = 29

(gdb) p x[1] //0x167663d4
$17 = 23

--------------------------

as seen from code

static void
get_values_rgba(GLcontext *ctx, struct gl_renderbuffer *rb,
                GLuint n, const GLint x[], const GLint y[], void *values)
{
...
         case PF_8R8G8B:
            for (i=0;i<n;i++) {
               unsigned long p = read_pixel( dpy, buffer,
                                             x[i], YFLIP(xrb, y[i]) );
               rgba[i][RCOMP] = (GLubyte) ((p >> 16) & 0xff);
               rgba[i][GCOMP] = (GLubyte) ((p >> 8)  & 0xff);
               rgba[i][BCOMP] = (GLubyte) ( p        & 0xff);
               rgba[i][ACOMP] = 255;
            }


/*
 * Read a pixel from an X drawable.
 */
static unsigned long read_pixel( XMesaDisplay *dpy,
                                 XMesaDrawable d, int x, int y )


The values being passed to read_pixel are apparently being twisted? GLint is defined as int.



This event sent from IssueTracker by rkhadgar 
 issue 192402
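The "twisted" values in the comment above can be checked mechanically: -1422343604 is 0xab38c24c in two's complement, which is exactly the low 32 bits of the renderbuffer pointer rb=0x2aaaab38c24c printed in frame #9 of the first backtrace, and the same value shows up again as srcStride in frame #2. The script below is an added example, not code from the bug report or from Mesa/Xorg: it parses gdb frame lines (the sample is copied from this report) and flags int-sized arguments that equal the low half of a 64-bit pointer printed in another frame, a pattern consistent with gdb displaying a register the optimizer has already reused rather than the argument that was actually passed. Function names and the sample constant are the example's own.

```python
import re

# Constructed sample: four frame lines copied from the gdb backtrace in this report
# (the wrapped "at file:line" part of frame #2 has been rejoined to its frame line).
SAMPLE_BT = """\
#1  0x000000000045d296 in fbBlt (srcLine=<value optimized out>, srcStride=<value optimized out>, dstStride=1)
#2  0x000000000045d780 in fbBltStip (src=0x7fff3f732cd0, srcStride=-1422343604, srcX=4, dst=0x4, dstStride=4, dstX=0, width=32, height=1, alu=3, pm=4294967295, bpp=32) at fbblt.c:950
#7  0x000000000064c408 in read_pixel (dpy=0x7fff3f732cd0, d=0x7fff3f732cd0, x=-1422343604, y=4) at xm_span.c:117
#9  0x00000000005c1579 in _swrast_blend_span (ctx=0x17442440, rb=0x2aaaab38c24c, span=0x7fff3f73afb0, rgba=0x17480290) at s_blend.c:861
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (\w+) \((.*)\)(?: at \S+)?$")
ARG_RE = re.compile(r"^(\w+)=(-?\d+|0x[0-9a-fA-F]+)$")


def parse_frames(text):
    """Return [(frame_no, func, [(arg, value, is_hex), ...])] for every '#N ... in func (...)' line.
    Arguments gdb could not evaluate (e.g. <value optimized out>) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = []
        for item in m.group(3).split(", "):
            am = ARG_RE.match(item.strip())
            if am:
                is_hex = am.group(2).startswith("0x")
                args.append((am.group(1), int(am.group(2), 16 if is_hex else 10), is_hex))
        frames.append((int(m.group(1)), m.group(2), args))
    return frames


def find_truncated_pointers(text):
    """Flag 32-bit integer arguments whose bit pattern equals the low 32 bits of a
    64-bit pointer printed in some other frame.
    Each hit is (frame, func, arg, value, ptr_frame, ptr_func, ptr_arg, ptr)."""
    frames = parse_frames(text)
    pointers = [(fno, func, name, val) for fno, func, args in frames
                for name, val, is_hex in args if is_hex and val >= 1 << 32]
    hits = []
    for fno, func, args in frames:
        for name, val, is_hex in args:
            if is_hex or not -(1 << 31) <= val < 1 << 32:
                continue  # only plain int-sized arguments are candidates
            low = val & 0xFFFFFFFF  # two's-complement view of a negative int
            for pf, pfunc, pname, ptr in pointers:
                if ptr & 0xFFFFFFFF == low:
                    hits.append((fno, func, name, val, pf, pfunc, pname, ptr))
    return hits


if __name__ == "__main__":
    for fno, func, name, val, pf, pfunc, pname, ptr in find_truncated_pointers(SAMPLE_BT):
        print(f"#{fno} {func}: {name}={val} is the low 32 bits of #{pf} {pfunc} {pname}=0x{ptr:x}")
```

Run against the sample it reports srcStride in fbBltStip and x in read_pixel, both as the low half of rb in _swrast_blend_span; no other argument in these frames matches, so the real arguments to read_pixel are the ones visible in the caller's arrays (x[0]=29), not the printed -1422343604.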
Comment 17 Adam Jackson 2009-05-20 17:29:06 EDT
1808166 build (dist-5E-qu-candidate, RHEL-5:xorg-x11-server-1_1_1-48_61_el5): open (spark.z900.redhat.com) -> closed

MODIFIED
Comment 20 Issue Tracker 2009-05-21 13:20:04 EDT


This event sent from IssueTracker by jruemker 
 issue 192402
it_file 222576
Comment 21 Chris Ward 2009-06-14 19:15:56 EDT
~~ Attention Partners RHEL 5.4 Partner Alpha Released! ~~

RHEL 5.4 Partner Alpha has been released on partners.redhat.com. There should be a fix present that addresses this particular request. Please test and report back your results here, at your earliest convenience. Our Public Beta release is just around the corner!

If you encounter any issues, please set the bug back to the ASSIGNED state and describe the issues you encountered. If you have verified the request functions as expected, please set your Partner ID in the Partner field above to indicate successful test results. Do not flip the bug status to VERIFIED. Further questions can be directed to your Red Hat Partner Manager. Thanks!
Comment 23 Adam Jackson 2009-06-17 14:50:17 EDT
Move back to ASSIGNED so this actually shows up as a work item.
Comment 27 Adam Jackson 2009-06-30 10:52:33 EDT
This bug is for a crash in PutImage.  The crash described in comment #19 is in the software GL rendering code, and is tracked in bug #508923.

MODIFIED
Comment 30 Chris Ward 2009-07-03 14:11:03 EDT
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.
Comment 31 Chris Ward 2009-07-10 15:05:46 EDT
~~ Attention Partners - RHEL 5.4 Snapshot 1 Released! ~~

RHEL 5.4 Snapshot 1 has been released on partners.redhat.com. If you have already reported your test results, you can safely ignore this request. Otherwise, please notice that there should be a fix available now that addresses this particular request. Please test and report back your results here, at your earliest convenience. The RHEL 5.4 exception freeze is quickly approaching.

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Do not flip the bug status to VERIFIED. Instead, please set your Partner ID in the Verified field above if you have successfully verified the resolution of this issue. 

Further questions can be directed to your Red Hat Partner Manager or other appropriate customer representative.
Comment 32 Chris Ward 2009-08-03 11:44:19 EDT
~~ Attention Partners - RHEL 5.4 Snapshot 5 Released! ~~

RHEL 5.4 Snapshot 5 is the FINAL snapshot to be release before RC. It has been released on partners.redhat.com. If you have already reported your test results, you can safely ignore this request. Otherwise, please notice that there should be a fix available now that addresses this particular issue. Please test and report back your results here, at your earliest convenience.

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity. If it is urgent, escalate the issue to your partner manager as soon as possible. There is /very/ little time left to get additional code into 5.4 before GA.

Partners, after you have verified, do not flip the bug status to VERIFIED. Instead, please set your Partner ID in the Verified field above if you have successfully verified the resolution of this issue.

Further questions can be directed to your Red Hat Partner Manager or other appropriate customer representative.
Comment 34 errata-xmlrpc 2009-09-02 07:42:35 EDT
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1373.html
