Bug 838761

Summary: hovering the mouse over a link in pidgin crashes the X server in radeon_get_pixmap_bo()
Product: [openSUSE] openSUSE 12.3 Reporter: Benjamin Poirier <bpoirier>
Component: X.Org Assignee: E-mail List <xorg-maintainer-bugs>
Status: RESOLVED WONTFIX QA Contact: E-mail List <xorg-maintainer-bugs>
Severity: Major    
Priority: P3 - Medium CC: eich, sndirsch, tiwai
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE 12.3   
Whiteboard: GOLD
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: x error log

Description Benjamin Poirier 2013-09-05 20:07:22 UTC
Created attachment 556056
x error log

Hovering the mouse pointer over a (very long) http link received in a pidgin
conversation crashes the X server. It crashed when the link was in the
conversation window and it also crashes when I view it in the conversation
log. I can reproduce this 100% of the time.

The link is:
https://maps.google.ca/maps?saddr=1238+Richards+St,+Vancouver,+BC+V6B+5B6&amp;daddr=46.7750062,-121.5503434+to:45.7149409,-121.82936+to:42.4050433,-121.3488507+to:39.6260569,-119.9163901+to:36.1008917,-115.1357298+to:Mexicali,+Mexico+to:33.5830672,-117.8489924+to:36.205844,-121.7353826+to:36.5680587,-121.7755765+to:39.1975335,-123.7465772+to:41.5253432,-124.0357272+to:44.4614257,-124.0767441+to:45.0201762,-123.94261+to:46.2032331,-123.8557026+to:47.8277281,-124.2643915+to:48.4473339,-123.3719914+to:1238+Richards+St,+Vancouver,+BC+V6B+5B6&amp;hl=en&amp;ll=45.58329,-110.917969&amp;spn=27.029272,67.631836&amp;sll=46.777493,-118.674316&amp;sspn=6.61344,16.907959&amp;geocode=FS3i7wIdb0Op-CmHAo6x1nOGVDGGgizMY4pPJg%3BFd66yQId-UnB-CnjfVPz_jKXVDEeVeIPhEUw1Q%3BFfyNuQIdEAi9-ClHuFdKK96VVDGzKaV7GmKPtw%3BFbMMhwIdDl3E-CmDYGP5QeTIVDGp-OW5Jt8dhg%3BFUilXAIdmjja-CnhGiet806ZgDF15bTPu3lsng%3BFRvbJgIdDysj-SldIDIDBsXIgDFlyAZY9wHiOA%3BFZvP8QEdmlYe-SnT3XeoDHDXgDGa9c3loDMA1A%3BFdtvAAIdYMT5-CmFD0z0I-HcgDEggCuVznA94g%3BFRR1KAIdKne--ClroDck-YONgDHcSWy97_N0ow%3BFfr7LQIdKNq9-Cmzjzh4ZfCNgDGVYeeyZRlawg%3BFV0bVgId78af-ClpCIcCO6qBgDHJnb4hkGiXlQ%3BFV-geQIdcV2b-Cknxi0sJFTQVDGmtqSyBbWoxw%3BFXFtpgIdOL2a-CnpOykWPsPBVDENvA2BBzN6Cw%3BFRD0rgIdLsmc-CmZZSrFSZPqVDGLKGdLKkmqIg%3BFWEBwQIdqhye-Ckfrm2-0mSTVDGIXEuidWvUKg%3BFRDL2QIdOeCX-CkhGPxFUnCOVDEkk1MfK3vt_g%3BFWU_4wIdKX6l-Ck_B2gMnXOPVDEfIjwVo7eK8Q%3BFS3i7wIdb0Op-CmHAo6x1nOGVDGGgizMY4pPJg&amp;mra=dpe&amp;mrsp=2&amp;sz=7&amp;via=1,2,3,4,5,7,8,9,10,11,12,13,14,15,16&amp;t=m&amp;z=5

I've collected a core dump and the X.org log (attached). Some info from the
core dump follows:

ben@d2:~/crashdump$ gdb /usr/bin/Xorg core
GNU gdb (GDB) SUSE (7.5.1-2.1.1)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/Xorg...Reading symbols from /usr/lib/debug/usr/bin/Xorg.debug...done.
done.

warning: core file may not match specified executable file.
[New LWP 27886]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `X :0 -auth /home/ben/.serverauth.27867 -nolisten tcp -nolisten tcp'.
Program terminated with signal 6, Aborted.
#0  0x00007efffb4a13d5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) info stack
#0  0x00007efffb4a13d5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007efffb4a2858 in __GI_abort () at abort.c:90
#2  0x0000000000595a4e in OsAbort () at utils.c:1266
#3  0x000000000047d82c in ddxGiveUp (error=EXIT_ERR_ABORT) at xf86Init.c:1060
#4  0x000000000059a9c2 in AbortServer () at log.c:652
#5  0x000000000059b25d in FatalError (f=f@entry=0x5c25e8 "Caught signal %d (%s). Server aborting\n") at log.c:793
#6  0x00000000005937fe in OsSigHandler (sip=<optimized out>, signo=11, unused=<optimized out>) at osinit.c:146
#7  OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at osinit.c:107
#8  <signal handler called>
#9  radeon_get_pixmap_bo (pPix=0x26677f0) at radeon.h:628
#10 radeon_dri2_create_buffer2 (pScreen=0x1de2900, drawable=<optimized out>, attachment=0, format=32) at radeon_dri2.c:451
#11 0x000000000056088f in create_buffer (format=32, attachment=0, pDraw=0x26677f0) at dri2.c:446
#12 allocate_or_reuse_buffer (pDraw=pDraw@entry=0x26677f0, pPriv=pPriv@entry=0x297c570, attachment=attachment@entry=0,
    format=format@entry=32, dimensions_match=dimensions_match@entry=1, buffer=buffer@entry=0x296e250, ds=<optimized out>)
    at dri2.c:495
#13 0x00000000005612c6 in do_get_buffers (pDraw=0x26677f0, width=width@entry=0x7fffc4bc44e0,
    height=height@entry=0x7fffc4bc44e8, attachments=0x7efff4446024, attachments@entry=0x7efff444601c, count=1,
    out_count=out_count@entry=0x7fffc4bc44f0, has_format=has_format@entry=1) at dri2.c:573
#14 0x00000000005616e0 in DRI2GetBuffersWithFormat (pDraw=<optimized out>, width=width@entry=0x7fffc4bc44e0,
    height=height@entry=0x7fffc4bc44e8, attachments=attachments@entry=0x7efff444601c, count=<optimized out>,
    out_count=out_count@entry=0x7fffc4bc44f0) at dri2.c:690
#15 0x0000000000563160 in ProcDRI2GetBuffersWithFormat (client=0x217eb90) at dri2ext.c:306
#16 ProcDRI2Dispatch (client=0x217eb90) at dri2ext.c:608
#17 0x000000000043d541 in Dispatch () at dispatch.c:428
#18 0x000000000042c06a in main (argc=8, argv=0x7fffc4bc46f8, envp=<optimized out>) at main.c:295
(gdb) select 9
(gdb) l
51      in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) l radeon_get_pixmap_bo
file: "/usr/include/xorg/privates.h", line number: 137
file: "evergreen_exa.c", line number: 70
file: "r600_exa.c", line number: 149
file: "radeon.h", line number: 617
(gdb) l radeon.h:radeon_get_pixmap_bo
Function "radeon_get_pixmap_bo" not defined in "radeon.h".
(gdb) p $rip
$1 = (void (*)()) 0x7efff807b5f8 <radeon_dri2_create_buffer2+760>
(gdb) l *(0x7efff807b5f8)
0x7efff807b5f8 is in radeon_dri2_create_buffer2 (radeon.h:628).
623         } else
624     #endif
625         {
626             struct radeon_exa_pixmap_priv *driver_priv;
627             driver_priv = exaGetPixmapDriverPrivate(pPix);
628             return driver_priv->bo;
629         }
630
631         return NULL;
632     }
(gdb) info source
Current source file is radeon.h
Compilation directory is /usr/src/debug/xf86-video-ati-7.0.0/src
Located in /usr/src/debug/xf86-video-ati-7.0.0/src/radeon.h
Contains 811 lines.
Source language is c.
Compiled with (null) debugging format.
Does not include preprocessor macro info.
(gdb) l 614,632
614     static inline struct radeon_bo *radeon_get_pixmap_bo(PixmapPtr pPix)
615     {
616     #ifdef USE_GLAMOR
617         RADEONInfoPtr info = RADEONPTR(xf86ScreenToScrn(pPix->drawable.pScreen));
618
619         if (info->use_glamor) {
620             struct radeon_pixmap *priv;
621             priv = radeon_get_pixmap_private(pPix);
622             return priv ? priv->bo : NULL;
623         } else
624     #endif
625         {
626             struct radeon_exa_pixmap_priv *driver_priv;
627             driver_priv = exaGetPixmapDriverPrivate(pPix);
628             return driver_priv->bo;
629         }
630
631         return NULL;
632     }
(gdb) info locals
driver_priv = 0x0
info = <optimized out>
(gdb) info args
pPix = 0x26677f0
(gdb) p *pPix
$2 = {drawable = {type = 1 '\001', class = 0 '\000', depth = 32 ' ', bitsPerPixel = 32 ' ', id = 0, x = 0, y = 0,
    width = 10692, height = 22, pScreen = 0x1de2900, serialNumber = 30146}, devPrivates = 0x2667838, refcnt = 4,
  devKind = 42768, devPrivate = {ptr = 0x0, val = 0, uval = 0, fptr = 0x0}, screen_x = -8132, screen_y = 578, usage_hint = 2,
  master_pixmap = 0x0}
(gdb) q
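
The gdb session above shows `driver_priv = 0x0` being dereferenced at radeon.h:628, while the glamor branch of the same function already tests its pointer. The following is an added example, not code from xf86-video-ati or from this report: it models the EXA branch with the missing NULL test and a caller that fails the request instead of faulting. All type and function names are simplified, hypothetical stand-ins, and the sample pixmap is constructed from the dimensions in the core dump.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for the driver types; NOT the real xf86-video-ati definitions. */
struct radeon_bo { unsigned handle; };
struct radeon_exa_pixmap_priv { struct radeon_bo *bo; };
struct pixmap {
    int width, height;
    struct radeon_exa_pixmap_priv *driver_priv; /* modeled: may be NULL, as in the dump */
};
struct dri2_buffer { unsigned attachment, format; struct radeon_bo *bo; };

/* Hypothetical stand-in for exaGetPixmapDriverPrivate(); it can return NULL. */
static struct radeon_exa_pixmap_priv *get_driver_private(struct pixmap *pix)
{
    return pix->driver_priv;
}

/* Same shape as the EXA branch in the listing, plus the NULL test it lacks. */
static struct radeon_bo *get_pixmap_bo_checked(struct pixmap *pix)
{
    struct radeon_exa_pixmap_priv *driver_priv;

    if (!pix)
        return NULL;
    driver_priv = get_driver_private(pix);
    return driver_priv ? driver_priv->bo : NULL;
}

/* The caller refuses to build a buffer without a BO instead of faulting. */
static struct dri2_buffer *create_buffer_checked(struct pixmap *pix,
                                                 unsigned attachment, unsigned format)
{
    struct radeon_bo *bo = get_pixmap_bo_checked(pix);
    struct dri2_buffer *buf;

    if (!bo)
        return NULL;                 /* the request fails; the process keeps running */
    buf = calloc(1, sizeof(*buf));
    if (!buf)
        return NULL;
    buf->attachment = attachment;
    buf->format = format;
    buf->bo = bo;
    return buf;
}

int main(void)
{
    /* Constructed input: width/height from the core dump, driver_priv = 0x0. */
    struct pixmap wide = { 10692, 22, NULL };
    printf("%s\n", create_buffer_checked(&wide, 0, 32) ? "buffer created" : "no BO, request rejected");
    return 0;
}
```
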

Comment 2 Stefan Dirsch 2015-01-07 14:37:19 UTC
Product is no longer supported. In case the issue is still reproducible on a maintained product (at that moment: openSUSE 13.1 or later), feel free to reopen.