Comment 9 for bug 328035

Matt Zimmerman (mdz) wrote : Re: *** glibc detected *** free(): invalid next size (fast) for xf86Wakeup() call

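After a couple of days of normal use (including suspend/resume), I caught it in gdb. Again, the actual corruption may be happening elsewhere: glibc's free() aborts when it notices the damaged heap metadata, which can be long after the write that damaged it, so the frame that aborts is not necessarily the one at fault. But at least we can see exactly where the server is dying.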

Program received signal SIGABRT, Aborted.
0x00007f7ccea1cfb5 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00007f7ccea1cfb5 in raise () from /lib/libc.so.6
#1 0x00007f7ccea1ebc3 in abort () from /lib/libc.so.6
#2 0x00007f7ccea5c228 in __libc_message () from /lib/libc.so.6
#3 0x00007f7ccea61cb8 in malloc_printerr () from /lib/libc.so.6
#4 0x00007f7ccea64276 in free () from /lib/libc.so.6
#5 0x00000000004faae4 in LogVMessageVerb (type=X_INFO, verb=3,
    format=0xa7e7f00 "intel(0): xf86BindGARTMemory: bind key %d at 0x%08lx (pgoffset %d)\n", args=0x7fffd8eed3f0) at ../../os/log.c:392
#6 0x000000000048e99b in xf86VDrvMsgVerb (scrnIndex=0, type=X_INFO, verb=3,
    format=0x57fe18 "xf86BindGARTMemory: bind key %d at 0x%08lx (pgoffset %d)\n", args=0x7fffd8eed3f0) at ../../../../hw/xfree86/common/xf86Helper.c:1260
#7 0x0000000000490340 in xf86DrvMsgVerb (scrnIndex=3739, type=3739, verb=6,
    format=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>)
    at ../../../../hw/xfree86/common/xf86Helper.c:1275
#8 0x00000000004749b4 in xf86BindGARTMemory (screenNum=<value optimized out>,
    key=0, offset=190644224)
    at ../../../../../hw/xfree86/os-support/linux/lnx_agp.c:304
#9 0x00007f7ccd4344dd in i830_bind_memory (pScrn=0x258df10, mem=0x25c6f20)
    at ../../src/i830_memory.c:210
#10 0x00007f7ccd434f5d in i830_bind_all_memory (pScrn=0x258df10)
    at ../../src/i830_memory.c:2024
#11 0x00007f7ccd42f190 in I830EnterVT (scrnIndex=0,
    flags=<value optimized out>) at ../../src/i830_driver.c:3587
#12 0x000000000048c392 in CMapEnterVT (index=0, flags=0)
    at ../../../../hw/xfree86/common/xf86cmap.c:455
#13 0x000000000049d679 in xf86XVEnterVT (index=0, flags=0)
    at ../../../../hw/xfree86/common/xf86xv.c:1228
#14 0x00007f7ccdf08c7f in glxDRIEnterVT (index=0, flags=0)
    at ../../glx/glxdri.c:858
#15 0x0000000000485c7c in xf86Wakeup (blockData=<value optimized out>,
    err=<value optimized out>, pReadmask=<value optimized out>)
    at ../../../../hw/xfree86/common/xf86Events.c:634
#16 0x0000000000451d2b in WakeupHandler (result=-1, pReadmask=0x7ddf20)
    at ../../dix/dixutils.c:418
#17 0x00000000004ee59f in WaitForSomething (pClientsReady=0x27cd6e0)
    at ../../os/WaitFor.c:231
#18 0x000000000044def0 in Dispatch () at ../../dix/dispatch.c:367
#19 0x0000000000433c5d in main (argc=10, argv=0x7fffd8eedb18,
    envp=<value optimized out>) at ../../dix/main.c:397
(gdb) bt full
#0 0x00007f7ccea1cfb5 in raise () from /lib/libc.so.6
No symbol table info available.
#1 0x00007f7ccea1ebc3 in abort () from /lib/libc.so.6
No symbol table info available.
#2 0x00007f7ccea5c228 in __libc_message () from /lib/libc.so.6
No symbol table info available.
#3 0x00007f7ccea61cb8 in malloc_printerr () from /lib/libc.so.6
No symbol table info available.
#4 0x00007f7ccea64276 in free () from /lib/libc.so.6
No symbol table info available.
#5 0x00000000004faae4 in LogVMessageVerb (type=X_INFO, verb=3,
    format=0xa7e7f00 "intel(0): xf86BindGARTMemory: bind key %d at 0x%08lx (pgoffset %d)\n", args=0x7fffd8eed3f0) at ../../os/log.c:392
        s = 0x5980a5 "(II)"
        time = {tv_sec = 1235089915, tv_usec = 155019}
        tv_sec = <value optimized out>
        tv_usec = <value optimized out>
        diff_sec = 140401
        diff_usec = 57081
        first = 0
        start_tv_sec = 1234949514
        start_usec = 97938
#6 0x000000000048e99b in xf86VDrvMsgVerb (scrnIndex=0, type=X_INFO, verb=3,
    format=0x57fe18 "xf86BindGARTMemory: bind key %d at 0x%08lx (pgoffset %d)\n", args=0x7fffd8eed3f0) at ../../../../hw/xfree86/common/xf86Helper.c:1260
No locals.
#7 0x0000000000490340 in xf86DrvMsgVerb (scrnIndex=3739, type=3739, verb=6,
    format=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>)
    at ../../../../hw/xfree86/common/xf86Helper.c:1275
        ap = {{gp_offset = 48, fp_offset = 48,
    overflow_arg_area = 0x7fffd8eed4d8, reg_save_area = 0x7fffd8eed410}}
#8 0x00000000004749b4 in xf86BindGARTMemory (screenNum=<value optimized out>,
    key=0, offset=190644224)
    at ../../../../../hw/xfree86/os-support/linux/lnx_agp.c:304
        bind = {key = 8203720, pg_start = 5221568}
        pageOffset = 46544
#9 0x00007f7ccd4344dd in i830_bind_memory (pScrn=0x258df10, mem=0x25c6f20)
    at ../../src/i830_memory.c:210
No locals.
#10 0x00007f7ccd434f5d in i830_bind_all_memory (pScrn=0x258df10)
    at ../../src/i830_memory.c:2024
        mem = (i830_memory *) 0x25c6f20
        pI830 = (I830Ptr) 0x25905e0
#11 0x00007f7ccd42f190 in I830EnterVT (scrnIndex=0,
    flags=<value optimized out>) at ../../src/i830_driver.c:3587
        pScrn = (ScrnInfoPtr) 0x258df10
        pI830 = (I830Ptr) 0x25905e0
#12 0x000000000048c392 in CMapEnterVT (index=0, flags=0)
    at ../../../../hw/xfree86/common/xf86cmap.c:455
No locals.
#13 0x000000000049d679 in xf86XVEnterVT (index=0, flags=0)
    at ../../../../hw/xfree86/common/xf86xv.c:1228
        pScreen = (ScreenPtr) 0x25c3250
        ret = <value optimized out>
#14 0x00007f7ccdf08c7f in glxDRIEnterVT (index=0, flags=0)
    at ../../glx/glxdri.c:858
No locals.
#15 0x0000000000485c7c in xf86Wakeup (blockData=<value optimized out>,
    err=<value optimized out>, pReadmask=<value optimized out>)
    at ../../../../hw/xfree86/common/xf86Events.c:634
        LastSelectMask = <value optimized out>
        devicesWithInput = {fds_bits = {2, 41738560, 4294967295,
    140174035943158, 2, 41740288, 4294967295, 140174003247372, 39598032,
    39596624, 8248160, 140174003247661, 0, 0, 8248216, 140174003243846}}
        pInfo = <value optimized out>
#16 0x0000000000451d2b in WakeupHandler (result=-1, pReadmask=0x7ddf20)
    at ../../dix/dixutils.c:418
        i = 0
#17 0x00000000004ee59f in WaitForSomething (pClientsReady=0x27cd6e0)
    at ../../os/WaitFor.c:231
        i = -1
        waittime = {tv_sec = 8230824, tv_usec = 8249376}
        wt = (struct timeval *) 0x7d9a90
        timeout = <value optimized out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {6, 42401864, 8195616, 140174019684392,
    32, 32, 0, 32, 41817776, 5207180, 176377056, 5188519, 32, 140736832919760,
    0, 5190433}}
        curclient = <value optimized out>
        selecterr = 4
        nready = <value optimized out>
        devicesReadable = {fds_bits = {0 <repeats 16 times>}}
        now = <value optimized out>
        someReady = 0
#18 0x000000000044def0 in Dispatch () at ../../dix/dispatch.c:367
        result = 0
        client = (ClientPtr) 0x3068230
        nready = -1
        start_tick = <value optimized out>
#19 0x0000000000433c5d in main (argc=10, argv=0x7fffd8eedb18,
    envp=<value optimized out>) at ../../dix/main.c:397
        i = 1
        alwaysCheckForInput = {0, 1}