Bug 530630 - Random NULL dereference in damageDestroyClip
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11-server
Version: 12
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: fedora-x-target
Reported: 2009-10-23 21:13 UTC by Jan Kratochvil
Modified: 2018-04-11 18:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-25 21:38:26 UTC
Type: ---
Embargoed:


Attachments
/var/log/Xorg.0.log.old (deleted)
2009-10-23 21:13 UTC, Jan Kratochvil

Description Jan Kratochvil 2009-10-23 21:13:35 UTC
Created attachment 365892
/var/log/Xorg.0.log.old

Description of problem:
Just randomly crashed.

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg-1.7.0-1.fc12.x86_64

How reproducible:
Happened just once.

Steps to Reproduce:
1. Nothing specific.

Actual results:
#6  <signal handler called>
#7  0x00000000004d081a in damageDestroyClip (pGC=0x2e05c60) at damage.c:567
#8  0x000000000043f989 in FreeGC (value=0x2e05c60, gid=<value optimized out>) at gc.c:878
#9  0x00000000004493c0 in FreeResource (id=20971821, skipDeleteFuncType=0) at resource.c:562
#10 0x000000000042a15b in ProcFreeGC (client=0x1c6b380) at dispatch.c:1672
#11 0x000000000042c60c in Dispatch () at dispatch.c:445
#12 0x0000000000421c9a in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at main.c:285

Expected results:
No crash.

Additional info:
(gdb) info threads 
* 1 Thread 2306  0x0000003a3c633575 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
[...]
(gdb) l
562	
563	static void
564	damageDestroyClip(GCPtr pGC)
565	{
566	    DAMAGE_GC_FUNC_PROLOGUE (pGC);
567	    (* pGC->funcs->DestroyClip)(pGC);
568	    DAMAGE_GC_FUNC_EPILOGUE (pGC);
569	}
570	
571	#define TRIM_BOX(box, pGC) if (pGC->pCompositeClip) { \
(gdb) p pGC
$1 = (struct _GC *) 0x2e05c60
(gdb) p pGC->funcs
$2 = (GCFuncs *) 0x0

Comment 1 Matěj Cepl 2009-10-26 16:06:22 UTC
Backtrace:
0: /usr/bin/Xorg-orig (xorg_backtrace+0x28) [0x49e758]
1: /usr/bin/Xorg-orig (0x400000+0x619a9) [0x4619a9]
2: /lib64/libpthread.so.0 (0x3a3d200000+0xf320) [0x3a3d20f320]
3: /usr/bin/Xorg-orig (0x400000+0xd081a) [0x4d081a]
4: /usr/bin/Xorg-orig (FreeGC+0x19) [0x43f989]
5: /usr/bin/Xorg-orig (FreeResource+0x140) [0x4493c0]
6: /usr/bin/Xorg-orig (0x400000+0x2a15b) [0x42a15b]
7: /usr/bin/Xorg-orig (0x400000+0x2c60c) [0x42c60c]
8: /usr/bin/Xorg-orig (0x400000+0x21c9a) [0x421c9a]
9: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3a3c61eb4d]
10: /usr/bin/Xorg-orig (0x400000+0x21849) [0x421849]
Segmentation fault at address 0x28

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting


Please consult the The X.Org Foundation support 
	 at http://bodhi.fedoraproject.org/
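
The two traces above can be cross-checked against each other; the following is an added triage example, not part of the original report or of the X server source. It tests whether the fault address 0x28 from comment 1 is what a load of the DestroyClip slot through the NULL pGC->funcs pointer would produce, and whether backtrace frame 3 is the same PC as gdb frame #7. The GCFuncs member order is an assumption reproduced from the X server's gcstruct.h, and slot_for_fault and same_frame are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opaque stand-ins: only the layout of the function-pointer table matters. */
typedef struct _GC *GCPtr;
typedef struct _Drawable *DrawablePtr;

/* ASSUMPTION: member order mirrors GCFuncs in the X server's gcstruct.h. */
typedef struct _GCFuncs {
    void (*ValidateGC)(GCPtr, unsigned long, DrawablePtr);
    void (*ChangeGC)(GCPtr, unsigned long);
    void (*CopyGC)(GCPtr, unsigned long, GCPtr);
    void (*DestroyGC)(GCPtr);
    void (*ChangeClip)(GCPtr, int, void *, int);
    void (*DestroyClip)(GCPtr);
    void (*CopyClip)(GCPtr, GCPtr);
} GCFuncs;

#define SLOT(m) { #m, offsetof(GCFuncs, m) }
static const struct { const char *name; size_t offset; } slots[] = {
    SLOT(ValidateGC), SLOT(ChangeGC), SLOT(CopyGC), SLOT(DestroyGC),
    SLOT(ChangeClip), SLOT(DestroyClip), SLOT(CopyClip),
};

/* Name of the GCFuncs slot whose load faults at fault_addr when the table
 * pointer has the value funcs; NULL if the address is not a slot start. */
const char *slot_for_fault(uintptr_t funcs, uintptr_t fault_addr)
{
    if (fault_addr < funcs)
        return NULL;
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++)
        if ((uintptr_t)slots[i].offset == fault_addr - funcs)
            return slots[i].name;
    return NULL;
}

/* Does "load base + offset" from the server's own backtrace equal gdb's PC? */
int same_frame(uintptr_t base, uintptr_t off, uintptr_t gdb_pc)
{
    return base + off == gdb_pc;
}

int main(void)
{
    /* Values copied from the report: pGC->funcs = 0x0, fault at 0x28. */
    const char *slot = slot_for_fault(0x0, 0x28);
    printf("fault 0x28, funcs=NULL -> %s\n", slot ? slot : "(no slot)");
    printf("frame 3 is gdb #7: %d\n", same_frame(0x400000, 0xd081a, 0x4d081a));
    /* Exit 0 only when the slot is DestroyClip (expected on x86_64). */
    return slot && strcmp(slot, "DestroyClip") == 0 ? 0 : 1;
}
```

The slot offsets depend on pointer size, so the 0x28 match holds for the 64-bit build named in the report.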

Comment 2 Matěj Cepl 2009-11-05 17:18:56 UTC
Since this bugzilla report was filed, there have been several major updates in various components of the Xorg system, which may have resolved this issue. Users who have experienced this problem are encouraged to upgrade their system to the latest version of their packages (at least F12Beta, but even better if the very latest versions).

Please, if you experience this problem on the up-to-date system, let us know in the comment for this bug, or whether the upgraded system works for you.

If you won't be able to reply in one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.

[This is a bulk message for all open Fedora Rawhide Xorg-related bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]

Comment 3 Jan Kratochvil 2009-11-06 16:19:32 UTC
It was never reproducible, I do not know.

Someone should verify the sources but ... hmm.

Comment 4 Matěj Cepl 2009-11-08 10:35:04 UTC
(In reply to comment #3)
> It was never reproducible, I do not know.
> 
> Someone should verify the sources but ... hmm.  

I think we should.

Comment 5 Bug Zapper 2009-11-16 14:08:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Adam Jackson 2010-10-25 21:38:26 UTC
I don't see any way this can happen (in the F14 version of the X server).  Reopen if you hit it again I guess?  Not a satisfying answer but it's all I've got.

