XV race condition with xf86XVReputImage, Expose events and Unichrome driver

Barry Scott barry.scott at onelan.co.uk
Thu May 10 07:34:43 PDT 2007

I'm sending this report from Simon Farnsworth to the list.
I'll raise a bug report about this unless you don't want one raised.

I've been tracking down an X server crash in our system, which
appears to be triggered by bugs in xf86xv.c.

Our hardware is a VIA EPIA M10000 (CLE266 graphics), using the
driver from unichrome.sf.net, xorg-server 1.3.0, and Linux 2.6.
We have a single instance of Xine running, using the xv output driver.

When we tell xine to stop playing one movie and to start playing
another movie we see the following sequence of events:

xf86XVClipNotify is called, and the test at line 1135
succeeds as visible is set to 0. This causes pPriv->pDraw
to be set to NULL (line 1143). Trapping X here in the
debugger for a couple of minutes is sufficient to fix the bug.

If we don't stall X, the next call is to
xf86XVWindowExposures; this ends up calling
xf86XVReputImage (line 1082).

xf86XVReputImage assumes that pPriv->pDraw is not NULL,
resulting in a SIGSEGV when it dereferences it (line 871 in an optimised 

If we stall X in xf86XVClipNotify for long enough, the next call
we see is to xf86XVStopVideo, which closes down Xv, ensuring
that we don't see the crash.

For our system, the workaround is to remove ReputImage support
from the device driver, which prevents the call to xf86XVReputImage,
and thus avoids the crash.
Simon Farnsworth
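As an added illustration, not code from the report, the Unichrome driver or the Xorg server, this C model replays the sequence described above (ClipNotify clears the drawable, then an Expose reaches ReputImage) and shows the unguarded path beside a guarded one that treats a port without a drawable as nothing to redraw. All names, fields and values here are assumptions that only mirror the report's wording.

```c
#include <stddef.h>
/* Hypothetical, simplified model of the xf86xv.c port state described in
 * the report; not the Xorg server's code, names only mirror the report's. */
typedef struct { int width, height; } DrawableRec;
typedef struct {
    DrawableRec *pDraw;  /* cleared by ClipNotify once the window is invisible */
    int isOn;            /* video still running on this port */
} PortPriv;

/* Model of xf86XVClipNotify: an invisible port loses its drawable. */
void model_ClipNotify(PortPriv *p, int visible)
{
    if (!visible)
        p->pDraw = NULL;
}

/* Model of xf86XVStopVideo: shuts the port down so no reput follows. */
void model_StopVideo(PortPriv *p)
{
    p->isOn = 0;
    p->pDraw = NULL;
}

/* ReputImage as the report describes it: trusts pDraw, faults when NULL. */
int model_ReputImage_unguarded(PortPriv *p)
{
    return p->pDraw->width;  /* SIGSEGV after ClipNotify cleared pDraw */
}

/* Hardened ReputImage: no drawable means nothing to redraw, return -1. */
int model_ReputImage_guarded(PortPriv *p)
{
    if (!p->isOn || p->pDraw == NULL)
        return -1;
    return p->pDraw->width;
}

/* Replays the report's sequence with the guarded variant. visible: what
 * ClipNotify saw; stalled: StopVideo arrived before the Expose (the
 * debugger-stall case). Returns the reput result, or 0 if stopped first. */
int run_sequence(int visible, int stalled)
{
    DrawableRec win = { 640, 480 };
    PortPriv port = { &win, 1 };
    model_ClipNotify(&port, visible);
    if (stalled) {
        model_StopVideo(&port);
        return 0;
    }
    return model_ReputImage_guarded(&port);  /* via WindowExposures */
}
```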
