Ubuntu
xorg-server package

Xorg crashed with SIGSEGV in _start()

Bug #720445 reported by Manoj Iyer
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
xorg-server (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

created USB installer from Feb 16 live image, before I could select to boot from USB stick or install ubiquity crashed, and it booted into live image, shortly after that I was prompted to file a bug related to this Xorg crash. Installing on HP Mini 210 1084NR

...
[ 192.278] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 192.279] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 192.279] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 192.279] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 192.280] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 192.281] (WW) intel(0): intel_uxa_prepare_access: bo map failed: Cannot allocate memory
[ 192.282]
Backtrace:
[ 192.282] 0: X (xorg_backtrace+0x3b) [0x80e94cb]
[ 192.282] 1: X (0x8048000+0x5dcd8) [0x80a5cd8]
[ 192.282] 2: (vdso) (__kernel_rt_sigreturn+0x0) [0xfae40c]
[ 192.283] 3: X (0x8048000+0x22a80) [0x806aa80]
[ 192.283] 4: X (0x8048000+0x278d7) [0x806f8d7]
[ 192.283] 5: X (0x8048000+0x1a84c) [0x806284c]
[ 192.283] 6: /lib/libc.so.6 (__libc_start_main+0xe6) [0x15ece6]
[ 192.283] 7: X (0x8048000+0x1a441) [0x8062441]
[ 192.283] Segmentation fault at address 0x10
[ 192.283]
Caught signal 11 (Segmentation fault). Server aborting
[ 192.283]

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: xserver-xorg-core 2:1.9.99.901+git20110131.be3be758-0ubuntu4
ProcVersionSignature: Ubuntu 2.6.38-3.30-generic 2.6.38-rc4
Uname: Linux 2.6.38-3-generic i686
Architecture: i386
DRM.card0.LVDS.1:
 status: connected
 enabled: enabled
 dpms: On
 modes: 1024x600
 edid-base64: AP///////wAGr9IxAAAAAAESAQOAFg14CrmllllXkSgfUFQAAAABAQEBAQEBAQEBAQEBAQEBLBUAnkFYHCAYiDEA330AAAAYAAAADwAAAAAAAAAAAAAAAAAgAAAA/gBBVU8KICAgICAgICAgAAAA/gBCMTAxQVcwMyBWMSAKAA8=
DRM.card0.VGA.1:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
Date: Wed Feb 16 23:15:34 2011
DistUpgraded: Fresh install
DistroCodename: natty
DistroVariant: ubuntu
ExecutablePath: /usr/bin/Xorg
GdmLog1: Not present
GdmLog2: Not present
GraphicsCard:
 Subsystem: Hewlett-Packard Company Device [103c:3660]
   Subsystem: Hewlett-Packard Company Device [103c:3660]
LiveMediaBuild: Ubuntu 11.04 "Natty Narwhal" - Alpha i386 (20110216)
MachineType: Hewlett-Packard HP Mini 210-1000
ProcCmdline: X -br -ac -noreset -nolisten tcp -nr vt7 :0
ProcEnviron:
 LANGUAGE=
 PATH=(custom, no user)
 LANG=en_US.UTF-8
ProcKernelCmdLine: noprompt cdrom-detect/try-usb=true persistent file=/cdrom/preseed/hostname.seed boot=casper initrd=/casper/initrd.lz quiet splash -- maybe-ubiquity
ProcKernelCmdLine_: noprompt cdrom-detect/try-usb=true persistent file=/cdrom/preseed/hostname.seed boot=casper initrd=/casper/initrd.lz quiet splash -- maybe-ubiquity
SegvAnalysis:
 Segfault happened at: 0x8138a8e: movb $0x23,(%eax)
 PC (0x08138a8e) ok
 source "$0x23" ok
 destination "(%eax)" (0x00000000) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: xorg-server
StacktraceTop:
 ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
 ?? ()
 ?? ()
 _start ()
Title: Xorg crashed with SIGSEGV in _start()
UserGroups:

dmi.bios.date: 12/04/2009
dmi.bios.vendor: Hewlett-Packard
dmi.bios.version: F.02
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: 3660
dmi.board.vendor: Hewlett-Packard
dmi.board.version: 48.10
dmi.chassis.type: 10
dmi.chassis.vendor: Hewlett-Packard
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnHewlett-Packard:bvrF.02:bd12/04/2009:svnHewlett-Packard:pnHPMini210-1000:pvr04A1100000202300000300000:rvnHewlett-Packard:rn3660:rvr48.10:cvnHewlett-Packard:ct10:cvrN/A:
dmi.product.name: HP Mini 210-1000
dmi.product.version: 04A1100000202300000300000
dmi.sys.vendor: Hewlett-Packard
version.compiz: compiz 1:0.9.2.1+glibmainloop4-0ubuntu11
version.libdrm2: libdrm2 2.4.23-1ubuntu3
version.libgl1-mesa-glx: libgl1-mesa-glx 7.10-1ubuntu3
version.xserver-xorg: xserver-xorg 1:7.6~3ubuntu4
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.13.2+git20110124.fadee040-0ubuntu4
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.14.0-1ubuntu9
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20110107+b795ca6e-0ubuntu4

See original description

Related branches

lp:ubuntu/natty/xorg-server
Revision history for this message
Manoj Iyer (manjo) wrote :
visibility: private → public
Revision history for this message
Bryce Harrington (bryce) wrote :
Download full text (5.4 KiB)

#0 XISendDeviceHierarchyEvent (flags=0xbfa27e1c) at ../../Xi/xichangehierarchy.c:73
        ev = 0x0
        info = <value optimized out>
        dummyDev = {public = {devicePrivate = 0x0, processInputProc = 0, realInputProc = 0,
            enqueueInputProc = 0, on = 0}, next = 0x0, startup = 0, deviceProc = 0, inited = 0,
          enabled = 0, coreEvents = 0, deviceGrab = {grabTime = {months = 0, milliseconds = 0},
            fromPassiveGrab = 0, implicitGrab = 0, activeGrab = {next = 0x0, resource = 0,
              device = 0x0, window = 0x0, ownerEvents = 0, keyboardMode = 0, pointerMode = 0,
              grabtype = GRABTYPE_CORE, type = 0 '\000', modifiersDetail = {exact = 0, pMask = 0x0},
              modifierDevice = 0x0, detail = {exact = 0, pMask = 0x0}, confineTo = 0x0, cursor = 0x0,
              eventMask = 0, deviceMask = 0, xi2mask = {"\000\000" <repeats 42 times>}}, grab = 0x0,
            activatingKey = 0 '\000', ActivateGrab = 0, DeactivateGrab = 0, sync = {frozen = 0,
              state = 0, other = 0x0, event = 0x0}}, type = 0, xinput_type = 0, name = 0x0, id = 0,
          key = 0x0, valuator = 0x0, button = 0x0, focus = 0x0, proximity = 0x0, absolute = 0x0,
          kbdfeed = 0x0, ptrfeed = 0x0, intfeed = 0x0, stringfeed = 0x0, bell = 0x0, leds = 0x0,
          xkb_interest = 0x0, config_info = 0x0, unused_classes = 0x0, saved_master_id = 0,
          devPrivates = 0x0, unwrapProc = 0, spriteInfo = 0x0, u = {master = 0x0, lastSlave = 0x0},
          last = {valuators = {0 <repeats 36 times>}, remainder = {0 <repeats 36 times>},
            numValuators = 0, slave = 0x0}, properties = {properties = 0x0, handlers = 0x0},
          transform = {m = {{0, 0, 0}, {0, 0, 0}, {0, 6.239361907117234e-287,
                2.1792897639592041e-311}}}, xtest_master_id = 164071608}
        dev = <value optimized out>
        i = <value optimized out>
#1 0x08066f94 in DisableDevice (dev=0x9d371b0, sendevent=1 '\001') at ../../dix/devices.c:507
        prev = <value optimized out>
        other = <value optimized out>
        enabled = 0 '\000'
        flags = {0, 0, 0, 0, 128, 0 <repeats 35 times>}
---Type <return> to continue, or q <return> to quit--- q
Quit
(gdb) bt full
#0 XISendDeviceHierarchyEvent (flags=0xbfa27e1c) at ../../Xi/xichangehierarchy.c:73
        ev = 0x0
        info = <value optimized out>
        dummyDev = {public = {devicePrivate = 0x0, processInputProc = 0, realInputProc = 0,
            enqueueInputProc = 0, on = 0}, next = 0x0, startup = 0, deviceProc = 0, inited = 0,
          enabled = 0, coreEvents = 0, deviceGrab = {grabTime = {months = 0, milliseconds = 0},
            fromPassiveGrab = 0, implicitGrab = 0, activeGrab = {next = 0x0, resource = 0,
              device = 0x0, window = 0x0, ownerEvents = 0, keyboardMode = 0, pointerMode = 0,
              grabtype = GRABTYPE_CORE, type = 0 '\000', modifiersDetail = {exact = 0, pMask = 0x0},
              modifierDevice = 0x0, detail = {exact = 0, pMask = 0x0}, confineTo = 0x0, cursor = 0x0,
              eventMask = 0, deviceMask = 0, xi2mask = {"\000\000" <repeats 42 times>}}, grab = 0x0,
            activatingKey = 0 '\000'...

Read more...

description: updated
Revision history for this message
Apport retracing service (apport) wrote :

StacktraceTop:
 XISendDeviceHierarchyEvent (flags=0xbfa27e1c)
 DisableDevice (dev=0x9d371b0, sendevent=1 '\001')
 ?? ()

Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt
Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in xorg-server (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Revision history for this message
Bryce Harrington (bryce) wrote :

Sorry, that was a horrible paste.

The crash is an out-of-memory situation. In the first call, XISendDeviceHierarchyEvent() dereferences calloc'd memory without checking the pointer:

void XISendDeviceHierarchyEvent(int flags[MAXDEVICES])
{
...
    ev = calloc(1, sizeof(xXIHierarchyEvent) +
                 MAXDEVICES * sizeof(xXIHierarchyInfo));
    ev->type = GenericEvent;

But as per the backtrace, ev is null at this point:

#0 XISendDeviceHierarchyEvent (flags=0xbfa27e1c) at ../../Xi/xichangehierarchy.c:73
        ev = 0x0

We can patch in a check for this which will fix the X crash, but it doesn't answer the question as to why it is running out of memory to begin with.

Revision history for this message
Bryce Harrington (bryce) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.9.99.901+git20110131.be3be758-0ubuntu5

---------------
xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu5) natty; urgency=low

  * Add 213_xichangehierarchy-check-oom.patch: Another NULL pointer check
    for out-of-memory conditions, this time leading to a segfault in an
    unchecked calloc in XISendDeviceHierarchyEvent().
    (LP: #720445)
 -- Bryce Harrington <email address hidden> Wed, 16 Feb 2011 16:46:35 -0800

Changed in xorg-server (Ubuntu):
status: New → Fix Released
Revision history for this message
Bryce Harrington (bryce) wrote :

I'll leave this closed as fixed, but let me reiterate, this patch does not fix the underlying issue, just a side effect.

Basically, a train has gone off its rails and crashed through a town, and we're just bandaging up a bystander hit by flying debris.

The underlying out of memory issue still needs investigated, and will likely exhibit itself in a crash or freeze somewhere else in the system.

Changed in xorg-server (Ubuntu):
status: Fix Released → New
Bryce Harrington (bryce)
Changed in xorg-server (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.