[Bug 23742] New: memory corruption on ati/radeon driver or xorg core

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun Sep 6 06:52:15 PDT 2009 

http://bugs.freedesktop.org/show_bug.cgi?id=23742

           Summary: memory corruption on ati/radeon driver or xorg core
           Product: xorg
           Version: git
          Platform: x86-64 (AMD64)
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: Driver/Radeon
        AssignedTo: xorg-driver-ati at lists.x.org
        ReportedBy: matti.aarnio at zmailer.org
         QAContact: xorg-team at lists.x.org


Created an attachment (id=29267)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=29267)
sample copy of /var/log/Xorg.0.log

Running bleeding edge Fedora 12 Rawhide  xorg  server with modules
loaded from following packages:

  xorg-x11-server-Xorg-1.6.99-45.20090903.fc12.x86_64
  xorg-x11-drv-ati-6.13.0-0.2.20090821gitb1b77a4d6.fc12.x86_64
  xorg-x11-drv-evdev-2.2.99-6.20090814.fc12.x86_64

Crashes either back to text console, or wedges so badly, that graphics stays on
without other recovery, than reboot (on Linux done with SysReq keys,
thankfully)
Sometimes it just wedges without any hint of problems on the log files.

Some sample backtraces from my saved case logs, malloc()/realloc()/free()
does appear in them more often than not.

Backtrace:
0: /usr/bin/X (xorg_backtrace+0x28) [0x46b1c8]
1: /usr/bin/X (0x400000+0x65b79) [0x465b79]
2: /lib64/libpthread.so.0 (0x7f1ce9957000+0xf320) [0x7f1ce9966320]
3: /usr/bin/X (FreeResource+0xae) [0x430dde]
4: /usr/bin/X (0x400000+0x2bafb) [0x42bafb]
5: /usr/bin/X (0x400000+0x2dfac) [0x42dfac]
6: /usr/bin/X (0x400000+0x21d1a) [0x421d1a]
7: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x7f1ce8129b4d]
8: /usr/bin/X (0x400000+0x218c9) [0x4218c9]
Segmentation fault at address (nil)

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting


This is easy-ish to provoke with repeatedly poking left-control,
which is then drawing concentric rings around the cursor.  Usually
at that time the system crashes with following kind of reports,
but unfortunately not always.


[mi] EQ overflowing. The server is probably stuck in an infinite loop.

Backtrace:
0: /usr/bin/X (xorg_backtrace+0x28) [0x46b1c8]
1: /usr/bin/X (mieqEnqueue+0x1f4) [0x456cc4]
2: /usr/bin/X (xf86PostMotionEventP+0xde) [0x47894e]
3: /usr/lib64/xorg/modules/input/evdev_drv.so (0x7f584932f000+0x3dff)
[0x7f5849332dff]
4: /usr/bin/X (0x400000+0x6bb17) [0x46bb17]
5: /usr/bin/X (0x400000+0xfcd13) [0x4fcd13]
6: /lib64/libpthread.so.0 (0x7f58609d8000+0xf320) [0x7f58609e7320]
7: /lib64/libc.so.6 (0x7f585f18c000+0xeff8e) [0x7f585f27bf8e]
8: /lib64/libc.so.6 (0x7f585f18c000+0x7d3da) [0x7f585f2093da]
9: /lib64/libc.so.6 (__libc_malloc+0x67) [0x7f585f206f57]
10: /lib64/libc.so.6 (0x7f585f18c000+0x6fe65) [0x7f585f1fbe65]
11: /lib64/libc.so.6 (0x7f585f18c000+0x75876) [0x7f585f201876]
12: /lib64/libc.so.6 (0x7f585f18c000+0x7a803) [0x7f585f206803]
13: /lib64/libc.so.6 (0x7f585f18c000+0x7c5e2) [0x7f585f2085e2]
14: /lib64/libc.so.6 (realloc+0xe5) [0x7f585f208cb5]
15: /usr/bin/X (miRectAlloc+0x37) [0x458647]
16: /usr/lib64/xorg/modules/libfb.so (fbPixmapToRegion+0x46f) [0x7f585b9ae6cf]
17: /usr/bin/X (0x400000+0x9abc9) [0x49abc9]
18: /usr/bin/X (0x400000+0x9be65) [0x49be65]
19: /usr/bin/X (0x400000+0x2dfac) [0x42dfac]
20: /usr/bin/X (0x400000+0x21d1a) [0x421d1a]
21: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x7f585f1aab4d]
22: /usr/bin/X (0x400000+0x218c9) [0x4218c9]

[mi] EQ overflowing. The server is probably stuck in an infinite loop.

Backtrace:
0: /usr/bin/X (xorg_backtrace+0x28) [0x46b1c8]
1: /usr/bin/X (mieqEnqueue+0x1f4) [0x456cc4]
2: /usr/bin/X (xf86PostMotionEventP+0xde) [0x47894e]
3: /usr/lib64/xorg/modules/input/evdev_drv.so (0x7fad872dc000+0x3dff)
[0x7fad872dfdff]
4: /usr/bin/X (0x400000+0x6bb17) [0x46bb17]
5: /usr/bin/X (0x400000+0xfcd13) [0x4fcd13]
6: /lib64/libpthread.so.0 (0x7fad9e985000+0xf320) [0x7fad9e994320]
7: /lib64/libc.so.6 (0x7fad9d139000+0xeff8e) [0x7fad9d228f8e]
8: /lib64/libc.so.6 (0x7fad9d139000+0x7d3da) [0x7fad9d1b63da]
9: /lib64/libc.so.6 (__libc_malloc+0x67) [0x7fad9d1b3f57]
10: /lib64/libc.so.6 (0x7fad9d139000+0x6fe65) [0x7fad9d1a8e65]
11: /lib64/libc.so.6 (0x7fad9d139000+0x75876) [0x7fad9d1ae876]
12: /lib64/libc.so.6 (0x7fad9d139000+0x79e16) [0x7fad9d1b2e16]
13: /lib64/libc.so.6 (__libc_malloc+0x72) [0x7fad9d1b3f62]
14: /usr/bin/X (miRegionCreate+0x23) [0x458e93]
15: /usr/bin/X (miValidatePicture+0x1ab) [0x560d9b]
16: /usr/bin/X (0x400000+0xb643a) [0x4b643a]
17: /usr/bin/X (ValidatePicture+0x9) [0x4b6459]
18: /usr/bin/X (CompositePicture+0xad) [0x4b697d]
19: /usr/bin/X (miTrapezoids+0x21e) [0x55e9fe]
20: /usr/bin/X (0x400000+0xb2f47) [0x4b2f47]
21: /usr/bin/X (0x400000+0x2dfac) [0x42dfac]
22: /usr/bin/X (0x400000+0x21d1a) [0x421d1a]
23: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x7fad9d157b4d]
24: /usr/bin/X (0x400000+0x218c9) [0x4218c9]


-- 
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the xorg-driver-ati mailing list