https://bugs.freedesktop.org/show_bug.cgi?id=73566
--- Comment #9 from Bryce Harrington <[email protected]> --- The other two backtraces show a crash in drm_output_set_cursor() stride = wl_shm_buffer_get_stride(buffer->shm_buffer); s = wl_shm_buffer_get_data(buffer->shm_buffer); wl_shm_buffer_begin_access(buffer->shm_buffer); for (i = 0; i < ev->surface->height; i++) memcpy(buf + i * 64, s + i * stride, ev->surface->width * 4); But both s and stride appear to be invalid here: #1 0x00007f31e46dd58f in drm_output_set_cursor (output=0x13f20f0) at compositor-drm.c:1007 ev = 0x142e810 buffer = 0x7f31e5cb8a88 <main_arena+808> stride = -439645528 buf = {0 <repeats 4096 times>} x = 4223888 c = 0x1291940 handle = 0 bo = 0x12a8ea0 s = 0x7f31cb971560 <Address 0x7f31cb971560 out of bounds> i = 0 y = 32561 In the other stacktrace, s looks ok, but stride looks invalid still: #1 0x00007fc70e76a506 in drm_output_set_cursor (output=0x1685ef0) at compositor-drm.c:1004 ev = 0x182d7f0 buffer = 0x7fc70fd45a88 <main_arena+808> stride = 265575080 buf = {0 <repeats 4096 times>} x = 4223888 c = 0x166e940 handle = 0 bo = 0x17cec50 s = 0x1685ef0 "" i = 0 y = 32711 My guess would be that buffer->shm_buffer is uninitialized when this code gets hit, or has been partially destroyed. If this is relatively easily reproduced, perhaps instrumenting the wl_shm_buffer creation and destruction routines would reveal something. Maybe also check reference counts in shm_pool_unref(). -- You are receiving this mail because: You are the assignee for the bug.
_______________________________________________ Wayland-bugs mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/wayland-bugs
