
ubuntu-x-swat team mailing list archive

[Bug 553647] Re: xserver crash (repeatable, triggered by drawing circle/ellipse e.g. in xfig)

 

** Description changed:

- Binary package hint: xorg
+ [Impact]
+ xfig is no longer as widely used an application as it once was, but regular application usage should not crash X.  It may be an indication of a problem that other legacy apps have beyond xfig.
  
+ [Development]
+ The fix has been committed to the main ubuntu-x git branch, which will be used once Maverick Meerkat is open for development, thus this fix will automatically copy over into it.  The patch is also included in Debian and upstream so we will get it automatically next time we merge this package from Debian.
+ 
+ [Patch]
+ Patch is taken directly from Debian.  This is an upstream patch.
+ http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=94ccaae1ff45c11453141469f5659b6d2a16c4bf
+ 
+ [Test Case]
+ 1. Update Lucid to the latest version.  Reboot and log into Gnome
+ 2. Open xfig
+ 3. Left click in drawing area once (to dismiss the xfig banner)
+ 4. Press the 'c' key
+ 5. Left click in the drawing area
+ 6. Xserver instantly crashes (and is restarted by display manager).  It should not crash at this point.
+ 
+ 
+ [Regression Potential]
+ This is a pretty substantial patch at 887 lines, which addresses an issue in a lesser-used application, and so for those reasons I opted to wait on including it in the Lucid release itself, in the interest in seeing it get further testing time under its belt.  Because Debian and X.org are including the patch, I am assuming it is safe and thus valid for consideration as a regular SRU.
+ 
+ Specific things I am concerned about:  This patch drops several exa
+ functions; are those functions in use by anything (like proprietary
+ drivers, games, or other apps?)  This patch changes fallback behavior
+ which I gather does not get exercised except in certain cases; is it
+ certain that sufficient testing has been done for those cases?
+ 
+ I notice that part of the patch involves adding a number of null-ptr
+ checks.  If testing does reveal this patch causes a regression
+ somewhere, a suggested Plan B would be to extract these checks and see
+ if those alone are sufficient to solve this issue.
+ 
+ [Original Report]
  Here is how to reliably and repeatably crash the X server.
  
  1. Update Lucid to the latest version, as of 2009-04-01.  Reboot and log
  into Gnome
  
  2. Open xfig
  
  3. Left click in drawing area once (to dismiss the xfig banner)
  
  4. Press the 'c' key
  
  5. Left click in the drawing area
  
  6. Xserver instantly crashes (and is restarted by display manager).
  
  This process is reliably repeatable, and I have done so several times to
  gather the ltrace and straces attached.
  
  Some more details:
   * 'c' starts the Circle tool. You can click the circle tool button instead, and have the same result.
   * The ellipse tool has the same effect. However all other tools within xfig work just fine.
   * xfig itself doesn't appear to be dying: it is managing to save a "SAVE.fig" file.
   * How the %(&£"%$ is an application failure able to nuke the Xserver?
  
  Backtrace:
  0: /usr/bin/X (xorg_backtrace+0x3b) [0x80e937b]
  1: /usr/bin/X (0x8048000+0x61c7d) [0x80a9c7d]
  2: (vdso) (__kernel_rt_sigreturn+0x0) [0x57e410]
  3: /usr/lib/xorg/modules/libfb.so (fbPushFill+0xf9) [0x20b459]
  4: /usr/lib/xorg/modules/libfb.so (fbPushImage+0xf2) [0x20b622]
  5: /usr/lib/xorg/modules/libfb.so (fbPushPixels+0x78) [0x20b6b8]
  6: /usr/bin/X (miPolyArc+0x159a) [0x8199aca]
  7: /usr/lib/xorg/modules/libfb.so (fbPolyArc+0x8a) [0x1f90aa]
  8: /usr/lib/xorg/modules/libexa.so (0x384000+0xf2dd) [0x3932dd]
  9: /usr/bin/X (0x8048000+0xd9655) [0x8121655]
  10: /usr/bin/X (0x8048000+0x282f9) [0x80702f9]
  11: /usr/bin/X (0x8048000+0x2a477) [0x8072477]
  12: /usr/bin/X (0x8048000+0x1ed7a) [0x8066d7a]
  13: /lib/tls/i686/cmov/libc.so.6 (__libc_start_main+0xe6) [0x240bd6]
  14: /usr/bin/X (0x8048000+0x1e961) [0x8066961]
  Segmentation fault at address (nil)
  
- 
  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: xserver-xorg 1:7.5+3ubuntu1
  ProcVersionSignature: Ubuntu 2.6.32-16.25-generic
  Uname: Linux 2.6.32-16-generic i686
  Architecture: i386
  Date: Thu Apr  1 23:14:41 2010
  DkmsStatus: Error: [Errno 2] No such file or directory
  InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
  MachineType: LENOVO 200793G
  PccardctlIdent:
   Socket 0:
     no product info available
  PccardctlStatus:
   Socket 0:
     3.3V 32-bit PC Card
  ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.32-16-generic root=UUID=5dee2242-a2c7-4f67-9ad6-4265f1d22e12 ro quiet splash
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_GB.utf8
   SHELL=/bin/bash
  SourcePackage: xorg
  dmi.bios.date: 08/27/2009
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 79ETE5WW (2.25 )
  dmi.board.name: 200793G
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvr79ETE5WW(2.25):bd08/27/2009:svnLENOVO:pn200793G:pvrThinkPadT60p:rvnLENOVO:rn200793G:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 200793G
  dmi.product.version: ThinkPad T60p
  dmi.sys.vendor: LENOVO
  system:
   distro:             Ubuntu
   codename:           lucid
   architecture:       i686
   kernel:             2.6.32-16-generic

-- 
xserver crash (repeatable, triggered by drawing circle/ellipse e.g. in xfig)
https://bugs.launchpad.net/bugs/553647
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to xorg-server in ubuntu.


