NetBSD Problem Report #54246
From www@netbsd.org Wed May 29 01:33:15 2019
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 01C4C7A188
for <gnats-bugs@gnats.NetBSD.org>; Wed, 29 May 2019 01:33:15 +0000 (UTC)
Message-Id: <20190529013244.227597A1FE@mollari.NetBSD.org>
Date: Wed, 29 May 2019 01:32:44 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: closing retroarch crashes xorg
X-Send-Pr-Version: www-1.0
>Number: 54246
>Category: xsrc
>Synopsis: closing retroarch crashes xorg
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: xsrc-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 29 01:35:00 +0000 2019
>Closed-Date: Fri May 31 21:51:27 +0000 2019
>Last-Modified: Fri May 31 21:51:27 +0000 2019
>Originator: coypu
>Release: NetBSD 8.99.41
>Organization:
>Environment:
NetBSD plu 8.99.41 NetBSD 8.99.41 (GENERIC) #0: Thu May 23 18:48:19 IDT 2019 fly@plu:/home/fly/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
It's quite hard to get information about Xorg-related crashes, so asking for help.
>How-To-Repeat:
Build retroarch from pkgsrc-current with this change (working around this issue)
Run retroarch
Close retroarch
-> Xorg dies
Index: options.mk
===================================================================
RCS file: /cvsroot/pkgsrc/emulators/retroarch/options.mk,v
retrieving revision 1.11
diff -u -r1.11 options.mk
--- options.mk 19 May 2019 23:13:03 -0000 1.11
+++ options.mk 29 May 2019 01:30:57 -0000
@@ -16,10 +16,8 @@
PKG_SUGGESTED_OPTIONS.Linux+= alsa libdrm pulseaudio mbedtls udev
PKG_SUGGESTED_OPTIONS.NetBSD+= mbedtls
-.if ${OPSYS} != "NetBSD" || ${X11_TYPE} == "modular"
# XXX figure out why the builtin x server crashes on exit
PKG_SUGGESTED_OPTIONS+= x11
-.endif
PKG_OPTIONS_OPTIONAL_GROUPS+= gl
PKG_OPTIONS_GROUP.gl+= opengl
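Review bot: the `# XXX figure out why the builtin x server crashes on exit` comment is kept while the `.if`/`.endif` guard it explained is removed, so it now sits above an unconditional `PKG_SUGGESTED_OPTIONS+= x11` and describes nothing. If this change is meant for more than local reproduction, drop the comment together with the guard or replace it with a pointer to PR xsrc/54246.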
>Fix:
>Release-Note:
>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@netbsd.org, mrg@netbsd.org
Cc:
Subject: Re: xsrc/54246: closing retroarch crashes xorg
Date: Fri, 31 May 2019 17:37:19 +0000
This is a double free.
Backtrace:
[New process 2]
Core was generated by `X'.
Program terminated with signal SIGABRT, Aborted.
#0 0x0000757ce3799a5a in _lwp_kill () from /usr/lib/libc.so.12
[Current thread is 1 (process 1)]
(gdb) bt
#0 0x0000757ce3799a5a in _lwp_kill () from /usr/lib/libc.so.12
#1 0x0000757ce3799709 in abort () from /usr/lib/libc.so.12
#2 0x0000000094bafff5 in OsAbort () at /cvs/xsrc/external/mit/xorg-server/dist/os/utils.c:1355
#3 0x0000000094bab3bf in AbortServer () at /cvs/xsrc/external/mit/xorg-server/dist/os/log.c:879
#4 0x0000000094bac0ba in FatalError (f=f@entry=0x94c27000 "Caught signal %d (%s). Server aborting\n") at /cvs/xsrc/external/mit/xorg-server/dist/os/log.c:1017
#5 0x0000000094bb0ba3 in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at /cvs/xsrc/external/mit/xorg-server/dist/os/osinit.c:156
#6 <signal handler called>
#7 0x0000000094bc2a8b in DrawableGone (glxPriv=0x757ce774ea40, xid=<optimized out>) at /cvs/xsrc/external/mit/xorg-server/dist/glx/glxext.c:133
#8 0x0000000094a6abca in doFreeResource (res=0x757ce6bccfc0, skip=0) at /cvs/xsrc/external/mit/xorg-server/dist/dix/resource.c:880
#9 0x0000000094a6b685 in FreeResource (id=6291458, skipDeleteFuncType=skipDeleteFuncType@entry=0) at /cvs/xsrc/external/mit/xorg-server/dist/dix/resource.c:910
#10 0x0000000094a81480 in ProcDestroyWindow (client=0x757ce7f49c80) at /cvs/xsrc/external/mit/xorg-server/dist/dix/dispatch.c:765
#11 0x0000000094a86213 in Dispatch () at /cvs/xsrc/external/mit/xorg-server/dist/dix/dispatch.c:478
#12 0x0000000094a5a7af in dix_main (argc=5, argv=0x7f7fff8f6fc8, envp=<optimized out>) at /cvs/xsrc/external/mit/xorg-server/dist/dix/main.c:276
#13 0x0000000094a5a34d in ___start ()
#14 0x00007f7e55c0e978 in ?? () from /usr/libexec/ld.elf_so
#15 0x0000000000000005 in ?? ()
Inspecting in frame 7:
glxPriv->destroy is 0x5a5a5a... which is what jemalloc debug uses to
garbage-fill free'd memory.
Undoing local diffs fixes it (although retroarch crashes on exit, at
least X keeps running.)
Index: dist/glx/glxcmds.c
===================================================================
RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/glxcmds.c,v
retrieving revision 1.11
diff -u -r1.11 glxcmds.c
--- dist/glx/glxcmds.c 31 Dec 2018 09:49:59 -0000 1.11
+++ dist/glx/glxcmds.c 31 May 2019 17:36:09 -0000
@@ -1137,7 +1137,6 @@
drawable->pDraw = pDraw;
drawable->type = type;
drawable->drawId = drawId;
- drawable->otherId = 0;
drawable->config = config;
drawable->eventMask = 0;
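Review bot: removing `drawable->otherId = 0;` only makes sense if the `otherId` member itself goes away, and this diff carries no glxdrawable.h hunk. Remove the field from the struct in the same change so nothing can read it uninitialised; the compiler will then flag any leftover user.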
@@ -1172,10 +1171,8 @@
* Windows aren't refcounted, so track both the X and the GLX window
* so we get called regardless of destruction order.
*/
- // XXXMRG xorg-server 1.10
- if (drawableId != glxDrawableId && (type == GLX_DRAWABLE_WINDOW /*|| type == GLX_DRAWABLE_PIXMAP*/) &&
+ if (drawableId != glxDrawableId && type == GLX_DRAWABLE_WINDOW &&
!AddResource(pDraw->id, __glXDrawableRes, pGlxDraw))
- /*pGlxDraw->destroy (pGlxDraw);*/
return BadAlloc;
return Success;
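Review bot: the `return BadAlloc;` path after a failed `AddResource(pDraw->id, ...)` does not say who owns `pGlxDraw` at that point, and the deleted `/*pGlxDraw->destroy (pGlxDraw);*/` line suggests this was already uncertain. Add a one-line comment stating whether the object has already been released when AddResource fails, since a second release on this path would be the same class of bug this PR reports.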
Index: dist/glx/glxext.c
===================================================================
RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/glxext.c,v
retrieving revision 1.7
diff -u -r1.7 glxext.c
--- dist/glx/glxext.c 31 Dec 2018 09:49:59 -0000 1.7
+++ dist/glx/glxext.c 31 May 2019 17:36:09 -0000
@@ -97,15 +97,13 @@
{
__GLXcontext *c, *next;
- if (glxPriv->type == GLX_DRAWABLE_WINDOW || glxPriv->type == GLX_DRAWABLE_PIXMAP) {
+ if (glxPriv->type == GLX_DRAWABLE_WINDOW) {
/* If this was created by glXCreateWindow, free the matching resource */
- if (glxPriv->otherId) {
- XID other = glxPriv->otherId;
- glxPriv->otherId = 0;
- if (xid == other)
- FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE);
+ if (glxPriv->drawId != glxPriv->pDraw->id) {
+ if (xid == glxPriv->drawId)
+ FreeResourceByType(glxPriv->pDraw->id, __glXDrawableRes, TRUE);
else
- FreeResourceByType(other, __glXDrawableRes, TRUE);
+ FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE);
}
/* otherwise this window was implicitly created by MakeCurrent */
}
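Review bot: `glxPriv->pDraw->id` is read twice in this destructor with nothing in the hunk showing that `pDraw` is still valid in both destruction orders (X window first, GLX window first). State that invariant in the comment above the branch, and note there that the `TRUE` passed to `FreeResourceByType` is what keeps the sibling entry from calling back into DrawableGone on the same `glxPriv`.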
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54246 CVS commit: xsrc/external/mit/xorg-server/dist/glx
Date: Fri, 31 May 2019 18:01:11 +0000
Module Name: xsrc
Committed By: maya
Date: Fri May 31 18:01:11 UTC 2019
Modified Files:
xsrc/external/mit/xorg-server/dist/glx: glxcmds.c glxdrawable.h
glxext.c
Log Message:
Undo local diff.
It was introduced as one of the patches fixing
https://bugs.freedesktop.org/show_bug.cgi?id=28181
This is marked fixed upstream, and was spotted on non-NetBSD, so it's
very likely to be unnecessary.
This diff was causing a double-free, causing Xorg to crash when closing
pkgsrc/emulators/{retroarch,nestopia}.
This is most likely a problem that became more evident from jemalloc
debug which is filling free'd memory with 0x5a5a5a...
Fixes PR xsrc/54246.
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 xsrc/external/mit/xorg-server/dist/glx/glxcmds.c
cvs rdiff -u -r1.6 -r1.7 xsrc/external/mit/xorg-server/dist/glx/glxdrawable.h
cvs rdiff -u -r1.7 -r1.8 xsrc/external/mit/xorg-server/dist/glx/glxext.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Fri, 31 May 2019 21:51:27 +0000
State-Changed-Why:
Gave up on testing if -8 needs the same (can't run -8 xsrc with too new hardware)
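Added example, not part of the original report and not xorg-server code: a toy resource table in which one object is registered under two IDs, as the "track both the X and the GLX window" comment in the patch describes. It shows that the object is destroyed exactly once only when the sibling entry is unlinked without re-running the delete callback; the table, the function names and the ID values are constructed for illustration.

```c
#include <stdio.h>

/* Toy model: one drawable reachable through two resource IDs. */
struct drawable { unsigned draw_id, window_id; int destroyed; };
struct entry { unsigned id; struct drawable *obj; };
static struct entry table[8];

static void drawable_gone(struct drawable *d, unsigned xid, int skip);

static void add_resource(unsigned id, struct drawable *d) {
    for (int i = 0; i < 8; i++)
        if (!table[i].obj) { table[i].id = id; table[i].obj = d; return; }
}

/* Unlink the entry first, then run the delete callback unless told to skip. */
static void free_resource(unsigned id, int skip_delete, int skip) {
    for (int i = 0; i < 8; i++)
        if (table[i].obj && table[i].id == id) {
            struct drawable *d = table[i].obj;
            table[i].obj = NULL;
            if (!skip_delete) drawable_gone(d, id, skip);
            return;
        }
}

/* Delete callback: drop the sibling registration, then destroy the object. */
static void drawable_gone(struct drawable *d, unsigned xid, int skip) {
    if (d->draw_id != d->window_id) {
        unsigned other = (xid == d->draw_id) ? d->window_id : d->draw_id;
        free_resource(other, skip, skip);  /* skip=0 re-enters this callback */
    }
    d->destroyed++;  /* stands in for free(); a count above 1 is a double free */
}

/* Destroy via first_id, then via the other ID; return the destroy count. */
int teardown(unsigned first_id, int skip) {
    struct drawable d = { 0x600002, 0x600001, 0 };  /* constructed IDs */
    add_resource(d.draw_id, &d);
    add_resource(d.window_id, &d);
    free_resource(first_id, 0, skip);
    free_resource(first_id == d.draw_id ? d.window_id : d.draw_id, 0, skip);
    return d.destroyed;
}

int main(void) {
    printf("skip sibling callback: %d, re-run it: %d\n",
           teardown(0x600001, 1), teardown(0x600001, 0));
    return 0;
}
```

The second case is a generic failure mode of the two-ID pattern, shown to make the invariant concrete; it is not a diagnosis of the removed local diff.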
>Unformatted:
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.