Chisato Yamauchi
cyama****@plamo*****
Tue Aug 12 17:22:57 JST 2003
A serious problem in XAA has been found.
It seems that XAA's invalid freed memory causes a server crash.

Here is the backtrace from xfree-gdb.

***************************************
Program received signal SIGSEGV, Segmentation fault.
0x08370e54 in RotateMasksY ()
(gdb) bt
#0  0x08370e54 in RotateMasksY ()
#1  0x08d41e90 in ?? ()
#2  0x08377b7d in XAAPaintWindow ()
#3  0x08377867 in XAAPaintWindow ()
#4  0x0816eec5 in miSpritePaintWindowBackground ()
#5  0x0815bb75 in miClearToBackground ()
#6  0x0816f17f in miSpriteClearToBackground ()
#7  0x080b4871 in ProcClearToBackground ()
#8  0x080b2966 in Dispatch ()
#9  0x080c2b4b in main ()
#10 0x4006113f in __libc_start_main (main=0x80c25e8 <main>, argc=3, ubp_av=0xbffff9b4, init=0x806d654 <_init>, fini=0x8181570 <_fini>, rtld_fini=0x4000c770 <_dl_fini>, stack_end=0xbffff9ac) at ../sysdeps/generic/libc-start.c:129
(gdb)
***************************************

In the XAACacheTile() function of xaaPCache.c, pCache sometimes becomes NULL, so a NULL dereference causes the server crash.

We attach a patch to prevent this crash. But this patch does not solve the true nature of the problem, and garbage is displayed when the problem occurs. We are continuing the investigation.

It seems that this problem reproduces with the combination of "nv_drv.o" and XAA. If you have any advice, please tell us.

The investigation of this problem is done by Koike Kazuhiko. This problem reproduces on his machine only. Please write his name FIRST in the ChangeLog when applying the attached patch.

Thanks.
====================================================== After X-TT Project -------------- next part -------------- *** xc/programs/Xserver/hw/xfree86/xaa/xaaPCache.c.orig 2000-09-26 08:56:14.000000000 +0900 --- xc/programs/Xserver/hw/xfree86/xaa/xaaPCache.c 2003-08-12 16:18:03.000000000 +0900 *************** *** 1472,1477 **** --- 1472,1482 ---- pCache = &cacheRoot[(*current)++]; if(*current >= max) *current = 0; + if ( pCache==NULL ){ + ErrorF("Something's wrong in XAACacheTile() [pCache==NULL]\n"); + return pCache; + } + pCache->serialNumber = pPix->drawable.serialNumber; pCache->trans_color = pCache->bg = pCache->fg = -1; pCache->orig_w = w; pCache->orig_h = h; *** xc/programs/Xserver/hw/xfree86/xaa/xaaPaintWin.c.orig 2003-02-18 01:08:29.000000000 +0900 --- xc/programs/Xserver/hw/xfree86/xaa/xaaPaintWin.c 2003-08-12 16:18:46.000000000 +0900 *************** *** 164,170 **** XAACacheInfoPtr pCache = (*infoRec->CacheTile)(infoRec->pScrn, pPix); ! (*infoRec->FillCacheBltRects)(infoRec->pScrn, GXcopy, ~0, nBox, pBox, xorg, yorg, pCache); return; } --- 164,170 ---- XAACacheInfoPtr pCache = (*infoRec->CacheTile)(infoRec->pScrn, pPix); ! if(pCache) (*infoRec->FillCacheBltRects)(infoRec->pScrn, GXcopy, ~0, nBox, pBox, xorg, yorg, pCache); return; }
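Review bot: In the xaaPCache.c hunk, the new pCache==NULL test runs after `pCache = &cacheRoot[(*current)++];`, and the address of an array element is NULL only when cacheRoot itself is NULL and the index is 0. For any other index a NULL cacheRoot yields a small non-NULL pointer that passes the test and is then dereferenced at `pCache->serialNumber`. Test cacheRoot before indexing, which also keeps *current from being advanced on the failure path, and write `return NULL;` so the failure return is explicit.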
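Review bot: In the xaaPaintWin.c hunk, the `if(pCache)` guard covers only the FillCacheBltRects call while the `return;` after it still runs unconditionally, so when CacheTile returns NULL the function returns with the nBox rectangles unpainted, which fits the garbage described in the message. If the code after this block's closing brace can paint without a cache entry, move the `return;` inside the guarded block so a NULL pCache continues there; otherwise at least report the skipped fill. Put the guarded call on its own braced line rather than on the `if` line.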