Bug 530630 - Random NULL dereference in damageDestroyClip
Product: Fedora
Classification: Fedora
Component: xorg-x11-server
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
Keywords: EasyFix, Reopened, Triaged
Blocks: fedora-x-target
Reported: 2009-10-23 17:13 EDT by Jan Kratochvil
Modified: 2010-10-25 17:38 EDT
Doc Type: Bug Fix
Last Closed: 2010-10-25 17:38:26 EDT

Attachments
/var/log/Xorg.0.log.old (83.17 KB, text/plain)
2009-10-23 17:13 EDT, Jan Kratochvil

Description Jan Kratochvil 2009-10-23 17:13:35 EDT
Created attachment 365892

Description of problem:
Just randomly crashed.

Version-Release number of selected component (if applicable):

How reproducible:
Happened just once.

Steps to Reproduce:
1. Nothing specific.

Actual results:
#6  <signal handler called>
#7  0x00000000004d081a in damageDestroyClip (pGC=0x2e05c60) at damage.c:567
#8  0x000000000043f989 in FreeGC (value=0x2e05c60, gid=<value optimized out>) at gc.c:878
#9  0x00000000004493c0 in FreeResource (id=20971821, skipDeleteFuncType=0) at resource.c:562
#10 0x000000000042a15b in ProcFreeGC (client=0x1c6b380) at dispatch.c:1672
#11 0x000000000042c60c in Dispatch () at dispatch.c:445
#12 0x0000000000421c9a in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at main.c:285

Expected results:
No crash.

Additional info:
(gdb) info threads 
* 1 Thread 2306  0x0000003a3c633575 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
(gdb) l
563	static void
564	damageDestroyClip(GCPtr pGC)
565	{
567	    (* pGC->funcs->DestroyClip)(pGC);
569	}
571	#define TRIM_BOX(box, pGC) if (pGC->pCompositeClip) { \
(gdb) p pGC
$1 = (struct _GC *) 0x2e05c60
(gdb) p pGC->funcs
$2 = (GCFuncs *) 0x0
Comment 1 Matěj Cepl 2009-10-26 12:06:22 EDT
0: /usr/bin/Xorg-orig (xorg_backtrace+0x28) [0x49e758]
1: /usr/bin/Xorg-orig (0x400000+0x619a9) [0x4619a9]
2: /lib64/libpthread.so.0 (0x3a3d200000+0xf320) [0x3a3d20f320]
3: /usr/bin/Xorg-orig (0x400000+0xd081a) [0x4d081a]
4: /usr/bin/Xorg-orig (FreeGC+0x19) [0x43f989]
5: /usr/bin/Xorg-orig (FreeResource+0x140) [0x4493c0]
6: /usr/bin/Xorg-orig (0x400000+0x2a15b) [0x42a15b]
7: /usr/bin/Xorg-orig (0x400000+0x2c60c) [0x42c60c]
8: /usr/bin/Xorg-orig (0x400000+0x21c9a) [0x421c9a]
9: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3a3c61eb4d]
10: /usr/bin/Xorg-orig (0x400000+0x21849) [0x421849]
Segmentation fault at address 0x28

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting

Please consult the The X.Org Foundation support 
	 at http://bodhi.fedoraproject.org/
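The two pieces of evidence above fit together: gdb shows pGC->funcs == 0x0, and the log reports a fault at address 0x28, which on an LP64 build is the offset of DestroyClip, the sixth function pointer in the X server's GCFuncs table. The C below is an added example, not code from this report or from the X server; it uses a reduced model of GCFuncs (assumed to follow the member order of gcstruct.h, with simplified prototypes) to map a small fault address back to the slot that was read, and shows a guarded form of the damage.c:567 call that logs and skips rather than dispatching through a NULL table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Reduced model of the X server's GCFuncs table: same member order as
 * gcstruct.h (an assumption for this example), argument lists simplified. */
typedef struct _GC GC, *GCPtr;
typedef struct _GCFuncs {
    void (*ValidateGC)(GCPtr);
    void (*ChangeGC)(GCPtr);
    void (*CopyGC)(GCPtr);
    void (*DestroyGC)(GCPtr);
    void (*ChangeClip)(GCPtr);
    void (*DestroyClip)(GCPtr);
    void (*CopyClip)(GCPtr);
} GCFuncs;
struct _GC { GCFuncs *funcs; int clipDestroyed; };

/* Map a small fault address (NULL base + member offset) back to the GCFuncs
 * slot that was read; returns "" if it is not a member offset. */
#define SLOT(name) { offsetof(GCFuncs, name), #name }
const char *gcfuncs_member_at(uintptr_t fault_addr)
{
    static const struct { size_t off; const char *name; } slots[] = {
        SLOT(ValidateGC), SLOT(ChangeGC), SLOT(CopyGC), SLOT(DestroyGC),
        SLOT(ChangeClip), SLOT(DestroyClip), SLOT(CopyClip),
    };
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++)
        if (slots[i].off == fault_addr)
            return slots[i].name;
    return "";
}

/* damage.c:567 calls (*pGC->funcs->DestroyClip)(pGC) unconditionally; this
 * guarded variant logs and skips the call when the table or slot is NULL.
 * Returns 1 if the wrapped DestroyClip ran, 0 if it was skipped. */
int damage_destroy_clip_guarded(GCPtr pGC)
{
    if (pGC == NULL || pGC->funcs == NULL || pGC->funcs->DestroyClip == NULL) {
        fprintf(stderr, "damageDestroyClip: GC %p has no funcs table\n", (void *)pGC);
        return 0;
    }
    (*pGC->funcs->DestroyClip)(pGC);
    return 1;
}

/* Stand-in for the wrapped driver DestroyClip (constructed for this example). */
static void model_destroy_clip(GCPtr pGC) { pGC->clipDestroyed = 1; }
GCFuncs model_funcs = { 0, 0, 0, 0, 0, model_destroy_clip, 0 };
```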
Comment 2 Matěj Cepl 2009-11-05 12:18:56 EST
Since this bugzilla report was filed, there have been several major updates in various components of the Xorg system, which may have resolved this issue. Users who have experienced this problem are encouraged to upgrade their system to the latest version of their packages (at least F12Beta, but even better if the very latest versions).

Please, if you experience this problem on the up-to-date system, let us know in the comment for this bug, or whether the upgraded system works for you.

If you won't be able to reply in one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.

[This is a bulk message for all open Fedora Rawhide Xorg-related bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
Comment 3 Jan Kratochvil 2009-11-06 11:19:32 EST
It was never reproducible, I do not know.

Someone should verify the sources but ... hmm.
Comment 4 Matěj Cepl 2009-11-08 05:35:04 EST
(In reply to comment #3)
> It was never reproducible, I do not know.
> Someone should verify the sources but ... hmm.  

I think we should.
Comment 5 Bug Zapper 2009-11-16 09:08:09 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
Comment 6 Adam Jackson 2010-10-25 17:38:26 EDT
I don't see any way this can happen (in the F14 version of the X server).  Reopen if you hit it again I guess?  Not a satisfying answer but it's all I've got.
