Hey,
On 20-05-14 06:32, Peter Hutterer wrote:
Once a device is disabled, it doesn't have a sprite pointer anymore. If an
event is still in the queue and processed after DisableDevice finished, a
dereference causes a crash. Example backtrace (crash forced by injecting an
event at the right time):
(EE) 0: /opt/xorg/bin/Xorg (OsSigHandler+0x3c) [0x48d334]
(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x37fcc0f74f]
(EE) 2: /opt/xorg/bin/Xorg (mieqMoveToNewScreen+0x38) [0x609240]
(EE) 3: /opt/xorg/bin/Xorg (mieqProcessDeviceEvent+0xd4) [0x609389]
(EE) 4: /opt/xorg/bin/Xorg (mieqProcessInputEvents+0x206) [0x609720]
(EE) 5: /opt/xorg/bin/Xorg (ProcessInputEvents+0xd) [0x4aeb58]
(EE) 6: /opt/xorg/bin/Xorg (xf86VTSwitch+0x1a6) [0x4af457]
(EE) 7: /opt/xorg/bin/Xorg (xf86Wakeup+0x2bf) [0x4af0a7]
(EE) 8: /opt/xorg/bin/Xorg (WakeupHandler+0x83) [0x4445cb]
(EE) 9: /opt/xorg/bin/Xorg (WaitForSomething+0x3fe) [0x491bf6]
(EE) 10: /opt/xorg/bin/Xorg (Dispatch+0x97) [0x435748]
(EE) 11: /opt/xorg/bin/Xorg (dix_main+0x61d) [0x4438a9]
(EE) 12: /opt/xorg/bin/Xorg (main+0x28) [0x49ba28]
(EE) 13: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x37fc821d65]
(EE) 14: /opt/xorg/bin/Xorg (_start+0x29) [0x425e69]
(EE) 15: ? (?+0x29) [0x29]
xf86VTSwitch() calls ProcessInputEvents() before disabling a device, and
DisableDevice() calls mieqProcessInputEvents() again when flushing touches and
button events. Between that and disabling the device (which causes new events
to be refused) there is a window where events may be triggered and enqueued.
On the next call to PIE that event is processed on a now defunct device,
causing the crash.
The simplest fix to this is to discard events from disabled devices. We flush
the queue often enough before disabling that when we get here, we really don't
care about the events from this device.
X.Org Bug 77884 <http://bugs.freedesktop.org/show_bug.cgi?id=77884>
This breaks tests/input on xorg-server 1.15.1.
(gdb) run
Starting program: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Testing double to FP1616/FP3232 conversions
(EE) BUG: triggered 'if (dev == ((void *)0))'
(EE) BUG: ../../dix/devices.c:1344 in InitValuatorClassDeviceStruct()
(EE)
(EE) Backtrace:
(EE) 0: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (InitValuatorClassDeviceStruct+0x1f4) [0x555555585a74]
(EE) 1: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (dix_init_valuators+0x40) [0x555555581c40]
(EE) 2: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (main+0x98f) [0x55555557ddcf]
(EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf5) [0x7ffff5920ec5]
(EE) 4: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (_start+0x29) [0x55555557f234]
(EE) 5: ? (?+0x29) [0x29]
(EE)
(EE) BUG: triggered 'if (axnum >= dev->valuator->numAxes)'
(EE) BUG: ../../Xi/exevents.c:2115 in SetScrollValuator()
(EE)
(EE) Backtrace:
(EE) 0: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (SetScrollValuator+0x76) [0x555555641ae6]
(EE) 1: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (dix_init_valuators+0x166) [0x555555581d66]
(EE) 2: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (main+0x98f) [0x55555557ddcf]
(EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf5) [0x7ffff5920ec5]
(EE) 4: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (_start+0x29) [0x55555557f234]
(EE) 5: ? (?+0x29) [0x29]
(EE)
[dix] EventToCore: Not implemented yet
[dix] EventToCore: Not implemented yet
[dix] EventToCore: Not implemented yet
(EE) BUG: triggered 'if (dev == ((void *)0))'
(EE) BUG: ../../dix/devices.c:1344 in InitValuatorClassDeviceStruct()
(EE)
(EE) Backtrace:
(EE) 0: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (InitValuatorClassDeviceStruct+0x1f4) [0x555555585a74]
(EE) 1: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (dix_valuator_mode+0x42) [0x5555555838e2]
(EE) 2: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (main+0xc05) [0x55555557e045]
(EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf5) [0x7ffff5920ec5]
(EE) 4: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (_start+0x29) [0x55555557f234]
(EE) 5: ? (?+0x29) [0x29]
(EE)
Testing bits_to_bytes()
Testing bytes_to_int32()
Testing pad_to_int32()
Testing padding_for_int32()
Unlinking from front.
Testing input_option list interface
Program received signal SIGSEGV, Segmentation fault.
mieqProcessDeviceEvent (dev=dev@entry=0x0, event=event@entry=0x555555983840 <event>, screen=screen@entry=0x0) at ../../mi/mieq.c:519
519 if (!dev->enabled)
(gdb) print dev
~Maarten
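
Added example, not part of the original message or of the X server source: a simplified model of the window described in the commit message, where an event is queued just before its device is disabled, with a processing check that also tolerates the NULL device seen in the test run. All type and function names here are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical simplified model; these are not the X server's own types. */
struct sprite { int screen; };
struct device { bool enabled; struct sprite *sprite; };
struct event  { struct device *dev; };
static struct event queue[8];
static size_t queue_count;

/* New events are refused once the device is disabled. */
static bool enqueue(struct device *dev) {
    if (dev == NULL || !dev->enabled || queue_count == 8)
        return false;
    queue[queue_count++].dev = dev;
    return true;
}

/* Disabling drops the sprite; already-queued events still point at dev. */
static void disable_device(struct device *dev) {
    dev->enabled = false;
    dev->sprite = NULL;
}

/* Returns true if delivered, false if discarded. The NULL check comes
 * before the enabled check, and both come before touching dev->sprite. */
static bool process_event(const struct event *ev, int *last_screen) {
    if (ev->dev == NULL || !ev->dev->enabled || ev->dev->sprite == NULL)
        return false;
    *last_screen = ev->dev->sprite->screen;
    return true;
}

/* Drain the queue; returns how many events were delivered. */
static size_t process_queue(int *last_screen) {
    size_t delivered = 0;
    for (size_t i = 0; i < queue_count; i++)
        delivered += process_event(&queue[i], last_screen);
    queue_count = 0;
    return delivered;
}

int main(void) {
    struct sprite sp = { 3 };
    struct device d = { true, &sp };
    int screen = -1;
    enqueue(&d);            /* lands in the window before the disable */
    disable_device(&d);
    return process_queue(&screen) == 0 ? 0 : 1;  /* stale event discarded */
}
```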