xwayland: Crash in glamor_upload_boxes()
This was initially reported downstream in https://bugzilla.redhat.com/2269500.
Upon resume, Xwayland 23.2.4 (but I very much doubt this is a new regression) would crash with the following backtrace:
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>,
signo=signo@entry=6, no_tid=no_tid@entry=0)
at pthread_kill.c:44
#1 0x00007f9129c1f8a3 in __pthread_kill_internal (signo=6,
threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007f9129bcd8ee in __GI_raise (sig=sig@entry=6)
at ../sysdeps/posix/raise.c:26
#3 0x00007f9129bb58ff in __GI_abort () at abort.c:79
#4 0x000055d6d39c0d1a in OsAbort () at ../os/utils.c:1363
#5 0x000055d6d39c0f9e in AbortServer () at ../os/log.c:879
#6 FatalError (f=<optimized out>) at ../os/log.c:1017
#7 0x000055d6d39b7984 in OsSigHandler (
unused=<optimized out>, sip=<optimized out>, signo=11)
at ../os/osinit.c:156
#8 OsSigHandler (signo=11, sip=<optimized out>,
unused=<optimized out>) at ../os/osinit.c:110
#9 <signal handler called>
#10 0x000055d6d38afd33 in glamor_upload_boxes (
drawable=<optimized out>, in_boxes=0x7ffd63bd3ce0,
in_nbox=1, dx_src=1122, dy_src=-17,
dx_dst=<optimized out>, dy_dst=-64,
bits=0x7f90b177b000 "", byte_stride=30720)
at ../glamor/glamor_transfer.c:89
#11 0x000055d6d389e27a in glamor_copy_cpu_fbo (closure=0x0,
bitplane=0, upsidedown=0, reverse=0, dy=-17, dx=1122,
nbox=1, box=0x7ffd63bd3ce0, gc=0x55d6d75af850,
dst=0x55d6d6e4d4a0, src=0x55d6d75af850)
at ../glamor/glamor_copy.c:269
#12 glamor_copy_gl (src=src@entry=0x55d6d75af850,
dst=dst@entry=0x55d6d6e4d4a0, gc=gc@entry=0x55d6d74c04b0,
box=box@entry=0x7ffd63bd3ce0, nbox=nbox@entry=1,
dx=dx@entry=1122, dy=-17, reverse=0, upsidedown=0,
bitplane=0, closure=0x0) at ../glamor/glamor_copy.c:714
#13 0x000055d6d389ea01 in glamor_copy (closure=0x0,
bitplane=0, upsidedown=0, reverse=0, dy=-17, dx=1122,
nbox=1, box=0x7ffd63bd3ce0, gc=0x55d6d74c04b0,
dst=0x55d6d6e4d4a0, src=0x55d6d75af850)
at ../glamor/glamor_copy.c:741
#14 glamor_copy (src=0x55d6d75af850, dst=0x55d6d6e4d4a0,
gc=0x55d6d74c04b0, box=0x7ffd63bd3ce0, nbox=1, dx=1122,
dy=-17, reverse=0, upsidedown=0, bitplane=0, closure=0x0)
at ../glamor/glamor_copy.c:726
#15 0x000055d6d39f7455 in miCopyRegion.constprop.0 (
pSrcDrawable=pSrcDrawable@entry=0x55d6d75af850,
pDstDrawable=pDstDrawable@entry=0x55d6d6e4d4a0,
pGC=pGC@entry=0x55d6d74c04b0,
pDstRegion=pDstRegion@entry=0x7ffd63bd3ce0,
dx=dx@entry=1122, dy=dy@entry=-17,
copyProc=0x55d6d389e990 <glamor_copy>, bitPlane=0,
closure=0x0) at ../mi/micopy.c:121
#16 0x000055d6d39f7ba8 in miDoCopy.constprop.0 (
pSrcDrawable=0x55d6d75af850, pDstDrawable=0x55d6d6e4d4a0,
pGC=0x55d6d74c04b0, xIn=2244, yIn=168, widthSrc=2368,
heightSrc=2008, xOut=1122, yOut=185,
copyProc=0x55d6d389e990 <glamor_copy>, bitPlane=0,
closure=0x0) at ../mi/micopy.c:294
#17 0x000055d6d3899c37 in glamor_copy_area (
src=<optimized out>, dst=<optimized out>,
gc=<optimized out>, srcx=<optimized out>,
srcy=<optimized out>, width=<optimized out>, height=2008,
dstx=0, dsty=0) at ../glamor/glamor_copy.c:750
#18 0x000055d6d393ca3b in damageCopyArea (pSrc=0x55d6d75af850,
pDst=0x55d6d6e4d4a0, pGC=0x55d6d74c04b0, srcx=2244,
srcy=<optimized out>, width=<optimized out>, height=2008,
dstx=0, dsty=0) at ../miext/damage/damage.c:775
#19 0x000055d6d395844a in doShmPutImage (data=<optimized out>,
dy=<optimized out>, dx=<optimized out>, sh=2008, sw=2368,
sy=<optimized out>, sx=2244, h=4182, w=<optimized out>,
format=<optimized out>, depth=<optimized out>,
pGC=<optimized out>, dst=0x55d6d6e4d4a0)
at ../Xext/shm.c:484
#20 ProcShmPutImage (client=0x55d6d6d10ba0)
at ../Xext/shm.c:594
#21 0x000055d6d38f2c67 in Dispatch () at ../dix/dispatch.c:545
#22 0x000055d6d3878838 in dix_main (envp=<optimized out>,
argv=<optimized out>, argc=<optimized out>)
at ../dix/main.c:271
#23 main (argc=<optimized out>, argv=<optimized out>,
envp=<optimized out>) at ../dix/stubmain.c:34
The issue occurs while trying to write to the destination in glamor_upload_boxes():
(gdb) f 10
#10 0x000055d6d38afd33 in glamor_upload_boxes (
drawable=<optimized out>, in_boxes=0x7ffd63bd3ce0,
in_nbox=1, dx_src=1122, dy_src=-17,
dx_dst=<optimized out>, dy_dst=-64,
bits=0x7f90b177b000 "", byte_stride=30720)
at ../glamor/glamor_transfer.c:89
89 tmp_line[x] = src_line[x] | 0xff000000;
(gdb) p x
$1 = 0
(gdb) p tmp_line[x]
Cannot access memory at address 0x7f90e3e52320
Edited by Olivier Fourdan