Comment 13 for bug 358009

In , Tom Jaeger (thjaeger) wrote :

I see, so the patch doesn't handle floating SDs correctly, but something similar is still needed to get correct behavior on attached SDs: Otherwise the SD's animated cursor keeps overwriting the correct cursor associated with the MD.

The crash looks like a dangling pointer to me:

This is where the animated cursor is freed:

Breakpoint 2, FreeCursor (value=0x9c0a548, cid=58720462) at ../../dix/cursor.c:125
125 for (nscr = 0; nscr < screenInfo.numScreens; nscr++)
(gdb) bt
#0 FreeCursor (value=0x9c0a548, cid=58720462) at ../../dix/cursor.c:125
#1 0x0807448c in FreeResource (id=58720462, skipDeleteFuncType=0) at ../../dix/resource.c:561
#2 0x08087d23 in ProcFreeCursor (client=0x9a75408) at ../../dix/dispatch.c:2956
#3 0x0808cd7f in Dispatch () at ../../dix/dispatch.c:437
#4 0x08071b3d in main (argc=10, argv=0xbfe273d4, envp=Cannot access memory at address 0x20000007
) at ../../dix/main.c:383

And here it is still accessed from the block handler:

Program received signal SIGSEGV, Segmentation fault.
0x3a313158 in ?? ()
(gdb) bt
#0 0x3a313158 in ?? ()
#1 0x0807242c in dixFreePrivates (privates=0x9bbea10) at ../../dix/privates.c:213
#2 0x080815ba in FreeCursor (value=0x9bb99a8, cid=0) at ../../dix/cursor.c:130
#3 0x080f01b7 in xf86_use_hw_cursor_argb (screen=0x8efaab0, cursor=0x9bbe0b8)
    at ../../../../hw/xfree86/modes/xf86Cursors.c:485
#4 0x080f787a in xf86CursorSetCursor (pDev=0x9128800, pScreen=0x8efaab0, pCurs=0x9bbe0b8, x=<value optimized out>,
    y=<value optimized out>) at ../../../../hw/xfree86/ramdac/xf86Cursor.c:332
#5 0x0811b8f8 in miPointerUpdateSprite (pDev=0x9128800) at ../../mi/mipointer.c:407
#6 0x0811bb3d in miPointerDisplayCursor (pDev=0x9128800, pScreen=0x8efaab0, pCursor=0x9bbe0b8)
    at ../../mi/mipointer.c:198
#7 0x08149156 in CursorDisplayCursor (pDev=0x9128800, pScreen=0x8efaab0, pCursor=0x9bbe0b8) at ../../xfixes/cursor.c:148
#8 0x0817a205 in AnimCurScreenBlockHandler (screenNum=0, blockData=0x0, pTimeout=0xbfe27288, pReadmask=0x81f51e0)
    at ../../render/animcur.c:203
#9 0x08143618 in compBlockHandler (i=0, blockData=0x0, pTimeout=0xbfe27288, pReadmask=0x81f51e0)
    at ../../composite/compinit.c:158
#10 0x080909b8 in BlockHandler (pTimeout=0xbfe27288, pReadmask=0x81f51e0) at ../../dix/dixutils.c:384
#11 0x08130024 in WaitForSomething (pClientsReady=0x9124ec0) at ../../os/WaitFor.c:215
#12 0x0808cabe in Dispatch () at ../../dix/dispatch.c:367
#13 0x08071b3d in main (argc=10, argv=0xbfe273d4, envp=0x0) at ../../dix/main.c:383
(gdb) up 8
#8 0x0817a205 in AnimCurScreenBlockHandler (screenNum=0, blockData=0x0, pTimeout=0xbfe27288, pReadmask=0x81f51e0)
    at ../../render/animcur.c:203
203 (void) (*pScreen->DisplayCursor) (dev,
(gdb) print animCurState[dev->id].pCursor
$5 = (CursorPtr) 0x9c0a548
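The two backtraces above show the classic shape of a dangling-pointer bug: the resource database frees the cursor through FreeCursor, but the animated-cursor code still holds a raw pointer in animCurState[dev->id].pCursor and hands it to DisplayCursor from the block handler. The following C model is an added illustration, not code from this comment or from the X.Org server; the type, array and function names mirror the backtrace only loosely and are assumptions, and the live-object registry is constructed so the program can report a stale pointer instead of dereferencing freed memory the way the real server did.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

#define MAX_DEVICES 4
#define MAX_LIVE 16

/* Toy cursor object; the real CursorRec is much larger (assumption: refcnt field). */
typedef struct Cursor {
    int refcnt;   /* number of owners holding this object */
    int frame;    /* constructed payload the block handler reads */
} Cursor;

/* Constructed registry of live allocations so callers can ask "is this
 * pointer still a valid object?" without touching freed memory. */
static Cursor *live[MAX_LIVE];

static void registry_add(Cursor *c) {
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = c; return; }
}
static void registry_remove(Cursor *c) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == c) live[i] = NULL;
}
bool CursorIsLive(const Cursor *c) {   /* pointer comparison only, no dereference */
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == c) return true;
    return false;
}
int LiveCursorCount(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) n++;
    return n;
}

Cursor *CursorCreate(int frame) {
    Cursor *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcnt = 1;            /* the resource-database reference */
    c->frame = frame;
    registry_add(c);
    return c;
}

/* Models FreeCursor(): drop one reference, free the object on the last one. */
void CursorUnref(Cursor *c) {
    if (--c->refcnt == 0) {
        registry_remove(c);
        free(c);
    }
}

/* Per-device cache kept by the animated-cursor code (models animCurState[dev->id].pCursor). */
static Cursor *animCurState[MAX_DEVICES];

/* Buggy pattern from the backtrace: the cache stores a raw pointer and takes no reference,
 * so a client's XFreeCursor can pull the object out from under it. */
void AnimCurSetUnsafe(int dev, Cursor *c) { animCurState[dev] = c; }

/* Fixed pattern: the cache owns a reference for exactly as long as it holds the pointer. */
void AnimCurSetSafe(int dev, Cursor *c) {
    if (c) c->refcnt++;
    if (animCurState[dev]) CursorUnref(animCurState[dev]);
    animCurState[dev] = c;
}

/* Models AnimCurScreenBlockHandler(): returns the frame it would display, -2 if no
 * cursor is cached, or -1 if the cached pointer is stale (where the real server
 * dereferenced it and crashed with the SIGSEGV shown above). */
int AnimCurBlockHandler(int dev) {
    Cursor *c = animCurState[dev];
    if (!c) return -2;
    if (!CursorIsLive(c)) return -1;
    return c->frame;
}

/* Client frees the cursor while the block handler still caches it: dangling pointer. */
int ScenarioUnsafe(void) {
    Cursor *c = CursorCreate(7);
    AnimCurSetUnsafe(0, c);
    CursorUnref(c);                    /* ProcFreeCursor -> FreeResource -> FreeCursor */
    int r = AnimCurBlockHandler(0);    /* -1: object is gone */
    animCurState[0] = NULL;            /* reset so the scenarios are independent */
    return r;
}

/* Same sequence with the cache holding its own reference: the object outlives the client. */
int ScenarioSafe(void) {
    Cursor *c = CursorCreate(7);
    AnimCurSetSafe(1, c);
    CursorUnref(c);                    /* client drops its handle; cache still owns one */
    int r = AnimCurBlockHandler(1);    /* 7: still valid */
    AnimCurSetSafe(1, NULL);           /* device changes cursor; last reference freed here */
    return r;
}

int main(void) {
    printf("unsafe: %d  safe: %d  live after: %d\n",
           ScenarioUnsafe(), ScenarioSafe(), LiveCursorCount());
    return 0;
}
```

The point the model makes is that any long-lived cache of a refcounted object must own a reference, so that freeing the client's resource ID only decrements the count; the block handler then never sees a pointer whose object has already gone through FreeCursor and dixFreePrivates.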