glamor-egl crashes when running autopilot tests

Bug #1244324 reported by Maarten Lankhorst
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
glamor | Fix Released | Medium | |
glamor-egl (Ubuntu) | Fix Released | High | Maarten Lankhorst |
Saucy | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]
 * When compositing is toggled, xorg-server can crash when dereferencing freed memory, killing the xserver.
 * Bug is fixed by updating the window pixmap when that pixmap is changed in SetWindowPixmap.

[Test Case]
 * See first comment for full testcase.
 * Start recordmydesktop, then start window-mocker.
 * Kill window-mocker, xserver shouldn't crash.
 * Run X in valgrind with --free-fill to be certain.

 * Automated version: "autopilot run -v autopilot.tests.functional"

[Regression Potential]
 * Fix uploaded to trusty. Will watch ubuntu-x bugs for any new bugs regarding glamor-egl.

[Other Info]
Crash in Xorg dereferencing freed memory when running "autopilot run -v autopilot.tests.functional"

no longer affects: mesa (Ubuntu)
Changed in glamor-egl (Ubuntu):
assignee: nobody → Maarten Lankhorst (mlankhorst)
importance: Undecided → High
status: New → Triaged
Maarten Lankhorst (mlankhorst) wrote :

Minimal testcase:

Have window-mocker, recordmydesktop and compiz installed.

Create a file mock with this content:
{"Menu": [{"Menu": ["Open", "Save", "Save As", "Quit"], "Title": "File"}, {"Menu": ["Help 1", "Help 2", "Help 3", "Help 4"], "Title": "Help"}], "Contents": "TextEdit"}

start recordmydesktop with compiz enabled:

/usr/bin/recordmydesktop --no-sound --no-frame -o /dev/null

start window-mocker:

/usr/bin/python /usr/bin/window-mocker -testability mock

Kill window mocker, the xserver will crash.

Changed in glamor-egl (Ubuntu):
status: Triaged → In Progress
Oibaf (oibaf) wrote :
Maarten Lankhorst (mlankhorst) wrote :

Ok testing glamor-egl.git works, but it seems LIBGL_ALWAYS_INDIRECT=1 glxinfo crashes on the git branch.

Maarten Lankhorst (mlankhorst) wrote :

Valgrind:

==1242== Invalid read of size 4
==1242== at 0xAD31FA4: __glXDRIdrawableWaitGL (glxdri2.c:171)
==1242== by 0xB67A014: ??? (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0xB679595: dri_make_current (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0xB60D855: ??? (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0x863F9A7: ??? (in /usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1.0.0)
==1242== by 0x8636728: eglMakeCurrent (in /usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1.0.0)
==1242== by 0x842B6C2: glamor_egl_make_current (glamor_egl.c:131)
==1242== by 0x8C8194F: glamor_make_current (glamor_utils.h:1796)
==1242== by 0x8C8199B: glamor_get_dispatch (glamor_utils.h:1809)
==1242== by 0x8C81F6B: glamor_block_handler (glamor.c:223)
==1242== by 0x161AA3: _CallCallbacks (dixutils.c:719)
==1242== by 0x2AEBEA: FlushAllOutput (callback.h:83)
==1242== Address 0x1e1564c0 is 96 bytes inside a block of size 232 free'd
==1242== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1242== by 0xAD28A1E: DrawableGone (glxext.c:148)
==1242== by 0x17EE91: doFreeResource (resource.c:873)
==1242== by 0x17F920: FreeResource (resource.c:903)
==1242== by 0x157F96: ProcDestroyWindow (dispatch.c:718)
==1242== by 0x15D0CD: Dispatch (dispatch.c:432)
==1242== by 0x14C5E9: main (main.c:298)
==1242==
==1242== Invalid read of size 4
==1242== at 0xAD31FA7: __glXDRIdrawableWaitGL (glxdri2.c:172)
==1242== by 0xB67A014: ??? (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0xB679595: dri_make_current (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0xB60D855: ??? (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0x863F9A7: ??? (in /usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1.0.0)
==1242== by 0x8636728: eglMakeCurrent (in /usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1.0.0)
==1242== by 0x842B6C2: glamor_egl_make_current (glamor_egl.c:131)
==1242== by 0x8C8194F: glamor_make_current (glamor_utils.h:1796)
==1242== by 0x8C8199B: glamor_get_dispatch (glamor_utils.h:1809)
==1242== by 0x8C81F6B: glamor_block_handler (glamor.c:223)
==1242== by 0x161AA3: _CallCallbacks (dixutils.c:719)
==1242== by 0x2AEBEA: FlushAllOutput (callback.h:83)
==1242== Address 0x1e1564c4 is 100 bytes inside a block of size 232 free'd
==1242== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1242== by 0xAD28A1E: DrawableGone (glxext.c:148)
==1242== by 0x17EE91: doFreeResource (resource.c:873)
==1242== by 0x17F920: FreeResource (resource.c:903)
==1242== by 0x157F96: ProcDestroyWindow (dispatch.c:718)
==1242== by 0x15D0CD: Dispatch (dispatch.c:432)
==1242== by 0x14C5E9: main (main.c:298)
==1242==
==1242== Invalid read of size 8
==1242== at 0xAD31FAA: __glXDRIdrawableWaitGL (glxdri2.c:175)
==1242== by 0xB67A014: ??? (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0xB679595: dri_make_current (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0xB60D855: ??? (in /usr/lib/x86_64-linux-gnu/dri/r600_dri.so)
==1242== by 0x863F9A7: ??? (in /usr/lib/x86_64-lin...

Maarten Lankhorst (mlankhorst) wrote :

And recordmydesktop is still reading in freed memory.

==2216== Invalid read of size 4
==2216== at 0x8CAA086: glamor_get_tex_format_type_from_pixmap (glamor_utils.h:1251)
==2216== by 0x8CAD173: glamor_download_sub_pixmap_to_cpu (glamor_pixmap.c:1074)
==2216== by 0x8CA8B93: _glamor_get_image (glamor_getimage.c:66)
==2216== by 0x8CA8D0B: glamor_get_image (glamor_getimage.c:92)
==2216== by 0x29C6D2: miSpriteGetImage (misprite.c:413)
==2216== by 0x1E8404: compGetImage (compinit.c:148)
==2216== by 0x1F6FBB: ProcShmGetImage (shm.c:688)
==2216== by 0x1F79CF: ProcShmDispatch (shm.c:1125)
==2216== by 0x15D0CD: Dispatch (dispatch.c:432)
==2216== by 0x14C5E9: main (main.c:298)
==2216== Address 0x21417010 is 16 bytes inside a block of size 120 free'd
==2216== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2216== by 0x229B31: FreePicture (picture.c:1479)
==2216== by 0x229CB3: PictureDestroyWindow (picture.c:73)
==2216== by 0x235DA9: damageDestroyWindow (damage.c:1646)
==2216== by 0x1EA320: compDestroyWindow (compwindow.c:590)
==2216== by 0x2110E5: DbeDestroyWindow (dbe.c:1389)
==2216== by 0x186019: FreeWindowResources (window.c:909)
==2216== by 0x188CB7: DeleteWindow (window.c:979)
==2216== by 0x17EE91: doFreeResource (resource.c:873)
==2216== by 0x17FEBB: FreeClientResources (resource.c:1139)
==2216== by 0x15C59E: CloseDownClient (dispatch.c:3402)
==2216== by 0x15D105: Dispatch (dispatch.c:444)
==2216==
(II) fail to get matched format for dfdfdfdf

In , Bugs-i (bugs-i) wrote :

glamor-egl 0.5.1 crashes, git no longer crashes, but valgrind shows it still reads freed memory. git also breaks glxinfo with LIBGL_ALWAYS_INDIRECT=1

Changed in glamor:
importance: Unknown → Medium
status: Unknown → Confirmed
In , Bugs-i (bugs-i) wrote :

Some more poking, it seems someone is changing drawable around..

create picture 0x1cd457e0, with drawable 0x1327d1f0
(some log spam removed, involving correct picture and drawable)
destroy picture 0x1cd457e0, with drawable 0x1cd65820 and private 0x1cd658e0 0 (nil)

Then finally, at the end when valgrind blows up, I get this:

Obtaining format for pixmap 0x1327d1f0 and picture 0x1cd457e0
==7989== Invalid read of size 4
==7989== at 0x8CAA0CA: glamor_get_tex_format_type_from_pixmap (glamor_utils.h:1252)
==7989== by 0x8CAD1B7: glamor_download_sub_pixmap_to_cpu (glamor_pixmap.c:1074)
==7989== by 0x8CA8BB7: _glamor_get_image (glamor_getimage.c:66)
==7989== by 0x8CA8D2F: glamor_get_image (glamor_getimage.c:92)
==7989== by 0x29AEF2: miSpriteGetImage (misprite.c:413)
==7989== by 0x1E7674: compGetImage (compinit.c:148)
==7989== by 0x1F5E5B: ProcShmGetImage (shm.c:684)
==7989== by 0x1F686F: ProcShmDispatch (shm.c:1121)
==7989== by 0x15D00D: Dispatch (dispatch.c:432)
==7989== by 0x14C569: main (main.c:298)
==7989== Address 0x1cd457f0 is 16 bytes inside a block of size 120 free'd
==7989== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7989== by 0x228897: FreePicture (picture.c:1477)
==7989== by 0x228B23: PictureDestroyWindow (picture.c:73)
==7989== by 0x234C19: damageDestroyWindow (damage.c:1646)
==7989== by 0x1E92C0: compDestroyWindow (compwindow.c:590)
==7989== by 0x20FF85: DbeDestroyWindow (dbe.c:1389)
==7989== by 0x185D46: FreeWindowResources (window.c:907)
==7989== by 0x1889A7: DeleteWindow (window.c:975)
==7989== by 0x17EBF1: doFreeResource (resource.c:873)
==7989== by 0x17FC1B: FreeClientResources (resource.c:1139)
==7989== by 0x15C4DE: CloseDownClient (dispatch.c:3402)
==7989== by 0x2AB843: CheckConnections (connection.c:1008)
==7989==
(II) fail to get matched format for dfdfdfdf

I guess the method of obtaining pixmap from a window drawable may result in not always returning the same pixmap, causing this bug...

In , Bugs-i (bugs-i) wrote :

Created attachment 88619
fixup picture in SetWindowPixmap

I found a fix, if I update the pixmap in SetWindowPixmap the testcase doesn't crash.
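
A simplified model of the stale pointer that the log in the comments above suggests, and of the effect of updating it in SetWindowPixmap. This is an added example, not the glamor patch or X server code: all types, function names and the 0x20028888 value are hypothetical, it assumes the old pixmap keeps a pointer to the window's picture, and freeing is modelled as a 0xdf fill so the stale read shows up as dfdfdfdf.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; every name here is hypothetical. The picture lives in a
 * static slot and "free" is a 0xdf fill (like valgrind --free-fill=0xdf), so
 * the stale read is well-defined and visible instead of undefined. */
typedef struct Pixmap Pixmap;
typedef struct { unsigned format; Pixmap *drawable; } Picture;
struct Pixmap { Picture *picture; };          /* driver-private back-pointer */
typedef struct { Pixmap *pixmap; Picture *picture; } Window;

static Picture pic_slot;
static Pixmap pix_a, pix_b;

/* Compositing toggled: the window is given a different backing pixmap. */
static void set_window_pixmap(Window *w, Pixmap *new_pix, int with_hook) {
    Pixmap *old = w->pixmap;
    w->pixmap = new_pix;
    w->picture->drawable = new_pix;           /* picture follows the window */
    if (with_hook && old->picture == w->picture) {
        new_pix->picture = old->picture;      /* move the back-pointer too */
        old->picture = NULL;
    }
}

static void destroy_window_picture(Window *w) {
    Picture *p = w->picture;
    if (p->drawable->picture == p)            /* unlinks the current pixmap only */
        p->drawable->picture = NULL;
    memset(p, 0xdf, sizeof *p);               /* stand-in for free() */
    w->picture = NULL;
}

/* Format that a later GetImage-style readback of the old pixmap A would use
 * (0 = no picture attached, caller falls back to a default). */
unsigned run_scenario(int with_hook) {
    Window w = { &pix_a, &pic_slot };
    pix_a.picture = &pic_slot;  pix_b.picture = NULL;
    pic_slot.format = 0x20028888u;            /* constructed sample value */
    pic_slot.drawable = &pix_a;
    set_window_pixmap(&w, &pix_b, with_hook);
    destroy_window_picture(&w);
    return pix_a.picture ? pix_a.picture->format : 0;
}

int main(void) {
    printf("without hook: %08x\n", run_scenario(0));
    printf("with hook:    %08x\n", run_scenario(1));
    return 0;
}
```

Without the hook the old pixmap still points at the released picture and the readback sees the fill pattern; with the hook the old pixmap has no picture attached and nothing stale is read.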

In , Zhigang-gong (zhigang-gong) wrote :

(In reply to comment #3)
> Created attachment 88619 [details] [review]
> fixup picture in SetWindowPixmap
>
> I found a fix, if I update the pixmap in SetWindowPixmap the testcase
> doesn't crash.

Good catch! Could you rebase your patch with git master and send it to the glamor mail list: <email address hidden>. Please use git format-patch to generate the patch. Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glamor-egl - 0.5.1-0ubuntu6

---------------
glamor-egl (0.5.1-0ubuntu6) trusty; urgency=low

  * Add a hook to SetWindowPixmap to fix recordmydesktop crashing. (LP: #1244324)
 -- Maarten Lankhorst <email address hidden> Wed, 06 Nov 2013 10:36:44 +0100

Changed in glamor-egl (Ubuntu):
status: In Progress → Fix Released
In , Zhigang-gong (zhigang-gong) wrote :

(In reply to comment #3)
> Created attachment 88619 [details] [review]
> fixup picture in SetWindowPixmap
>
> I found a fix, if I update the pixmap in SetWindowPixmap the testcase
> doesn't crash.

I just pushed your patch. Could you have a try with the git master version?
And if everything is ok, please close this bug. Thanks.

Changed in glamor:
status: Confirmed → Fix Released
description: updated
Stéphane Graber (stgraber) wrote : Please test proposed package

Hello Maarten, or anyone else affected,

Accepted glamor-egl into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/glamor-egl/0.5.1-0ubuntu4.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in glamor-egl (Ubuntu Saucy):
status: New → Fix Committed
tags: added: verification-needed
Maarten Lankhorst (mlankhorst) wrote :

Works. :)

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glamor-egl - 0.5.1-0ubuntu4.2

---------------
glamor-egl (0.5.1-0ubuntu4.2) saucy-proposed; urgency=low

  * Add a hook to SetWindowPixmap to fix recordmydesktop crashing. (LP: #1244324)
 -- Maarten Lankhorst <email address hidden> Mon, 11 Nov 2013 11:14:48 +0000

Changed in glamor-egl (Ubuntu Saucy):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for glamor-egl has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
