<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - crash in R600UploadToScreenCS"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=73920">73920</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>xorg-driver-ati@lists.x.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>crash in R600UploadToScreenCS
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>xorg-team@lists.x.org
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>FreeBSD
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>avg@icyb.net.ua
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>7.7 (2011)
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Driver/Radeon
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>xorg
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The following happens after the fix for <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - Big Image in Firefox crashes X server in"
   href="show_bug.cgi?id=44099">bug 44099</a> has been applied.

X server stack trace:
Core was generated by `Xorg'.
Program terminated with signal 11, Segmentation fault.
#0  memcpy () at /usr/src/lib/libc/amd64/string/bcopy.S:65
65              rep
(gdb) bt
#0  memcpy () at /usr/src/lib/libc/amd64/string/bcopy.S:65
#1  0x0000000804edd421 in R600UploadToScreenCS () from
/usr/local/lib/xorg/modules/drivers/radeon_drv.so
#2  0x0000000805b4866d in exaDoPutImage (depth=24, src_stride=<optimized out>,
bits=0x817400000 <Address 0x817400000 out of bounds>, format=2, h=7811, w=8098,
y=0, x=0, pGC=0x8097d6300, pDrawable=0x8101b6840) at exa_accel.c:212
#3  exaPutImage (pDrawable=0x8101b6840, pGC=0x8097d6300, depth=24, x=0, y=0,
w=8098, h=7811, leftPad=0, format=2, bits=0x817400000 <Address 0x817400000 out
of bounds>) at exa_accel.c:233
#4  0x00000000004f166a in damagePutImage (pDrawable=0x8101b6840,
pGC=0x8097d6300, depth=24, x=<optimized out>, y=<optimized out>, w=<optimized
out>, h=7811, leftPad=0, format=2, 
    pImage=0x817400000 <Address 0x817400000 out of bounds>) at damage.c:795
#5  0x00000000004c6e19 in ProcShmPutImage (client=0x80978a6c0) at shm.c:583
#6  0x00000000004c7cc5 in ProcShmDispatch (client=0x80978a6c0) at shm.c:1108
#7  0x0000000000433091 in Dispatch () at dispatch.c:428
#8  0x00000000004224da in main (argc=8, argv=0x7fffffffdcd8, envp=<optimized
out>) at main.c:288

Unfortunately, radeon_drv.so was compiled without debug symbols.

There are also the following messages in the system log right from the crash
time:
kernel: [TTM] Unable to allocate page     
kernel: error: [drm:pid42432:radeon_gem_object_create] *ERROR* Failed to
allocate GEM object (254115840, 2, 4096, -12)
kernel: vm_fault: pager read error, pid 42432 (Xorg)
kernel: pid 42432 (Xorg), uid 0: exited on signal 11 (core dumped)</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>