I am seeing a 100% reproducible crash in XWin from xorg-server-1.8.2-1.
I first saw it when I ran a full-screen DirectX game while the server
was running, but I'm also able to reproduce it with the dxdiag tool.
Here are the steps:

1) Start the X server. The exact method of starting it hasn't had any
effect on my testing. Starting either with the installed Start menu
shortcut or just running XWin.exe without arguments produces the same
results.

2) In Start -> Run..., enter dxdiag to run the DirectX Diagnostic tool.

3) In dxdiag, select the Display tab.

4) Click the button labeled "Test Direct3D" (the button labeled "Test
DirectDraw" also triggers the crash, but takes longer).

XWin crashes when the first full-screen test begins.

I rebuilt the X server with debugging enabled and got the following
backtrace:

$ gdb hw/xwin/XWin.exe
GNU gdb 6.8.0.20080328-cvs (cygwin-special)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-cygwin"...
(gdb) run
Starting program: /usr/src/xorg-server-1.8.2-1/build/xwin-ddx/hw/xwin/XWin.exe
[New thread 3084.0xc20]
[New thread 3084.0xda8]
warning: Lowest section in /cygdrive/c/WINDOWS/system32/wmi.dll is .text at 
76d31000
[New thread 3084.0xa68]
[New thread 3084.0xd38]

Program received signal SIGSEGV, Segmentation fault.
0x00415677 in winFreeFBShadowDDNL (pScreen=0x1008c1d0)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winshadddnl.c:560
560           IDirectDrawSurface4_SetClipper (pScreenPriv->pddsPrimary4,
(gdb) bt
#0  0x00415677 in winFreeFBShadowDDNL (pScreen=0x1008c1d0)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winshadddnl.c:560
#1  0x0042f917 in winDoRandRScreenSetSize (pScreen=0x1008c1d0, width=640, 
height=480,
    mmWidth=3435973836, mmHeight=1080233164)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winrandr.c:191
#2  0x0041a369 in winWindowProc (hwnd=0x1c023c, message=126, wParam=16, 
lParam=31457920)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winwndproc.c:344
#3  0x7e418734 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#4  0x001c023c in ?? ()
#5  0x0000007e in ?? ()
#6  0x00000010 in ?? ()
#7  0x01e00280 in ?? ()
#8  0x00419bcc in winReshapeRootless ()
#9  0x7e418816 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#10 0x00419bcc in winReshapeRootless ()
#11 0x7e428ea0 in USER32!DefWindowProcW () from 
/cygdrive/c/WINDOWS/system32/user32.dll
#12 0x00000000 in ?? ()
(gdb) p pScreenPriv->pddsPrimary4
$1 = (LPDIRECTDRAWSURFACE4) 0x0
(gdb)

Using the option -engine 2 also crashes, but produces a slightly
different backtrace:

(gdb) run -engine 2
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /usr/src/xorg-server-1.8.2-1/build/xwin-ddx/hw/xwin/XWin.exe 
-engine 2
[New thread 2208.0x904]
[New thread 2208.0x664]
warning: Lowest section in /cygdrive/c/WINDOWS/system32/wmi.dll is .text at 
76d31000
[New thread 2208.0x350]
[New thread 2208.0x39c]

Program received signal SIGSEGV, Segmentation fault.
0x00413586 in winFreeFBShadowDD (pScreen=0x1008c1d8)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winshaddd.c:528
528           IDirectDrawSurface2_SetClipper (pScreenPriv->pddsPrimary,
(gdb) bt
#0  0x00413586 in winFreeFBShadowDD (pScreen=0x1008c1d8)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winshaddd.c:528
#1  0x0042f917 in winDoRandRScreenSetSize (pScreen=0x1008c1d8, width=640, 
height=480,
    mmWidth=3435973836, mmHeight=1080233164)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winrandr.c:191
#2  0x0041a369 in winWindowProc (hwnd=0x6b00f2, message=126, wParam=16, 
lParam=31457920)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winwndproc.c:344
#3  0x7e418734 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#4  0x006b00f2 in ?? ()
#5  0x0000007e in ?? ()
#6  0x00000010 in ?? ()
#7  0x01e00280 in ?? ()
#8  0x00419bcc in winReshapeRootless ()
#9  0x7e418816 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#10 0x00419bcc in winReshapeRootless ()
#11 0x7e428ea0 in USER32!DefWindowProcW () from 
/cygdrive/c/WINDOWS/system32/user32.dll
#12 0x00000000 in ?? ()
(gdb) p pScreenPriv->pddsPrimary
$2 = (LPDIRECTDRAWSURFACE2) 0x0
(gdb)

It looks like these are both the result of some bad code copied and
pasted in winshaddd.c and winshadddnl.c. From winshadddnl.c, in
winFreeFBShadowDDNL:

  /* Detach the clipper from the primary surface and release the clipper. */
  if (pScreenPriv->pddcPrimary)
    {
      /* Detach the clipper */
      IDirectDrawSurface4_SetClipper (pScreenPriv->pddsPrimary4,
                                      NULL);

      /* Release the clipper object */
      IDirectDrawClipper_Release (pScreenPriv->pddcPrimary);
      pScreenPriv->pddcPrimary = NULL;
    }

  /* Release the primary surface, if there is one */
  if (pScreenPriv->pddsPrimary4)
    {
      IDirectDrawSurface4_Release (pScreenPriv->pddsPrimary4);
      ...

The call to IDirectDrawSurface4_SetClipper appears to be passed a
pointer that may be invalid (as suggested by the same variable being
explicitly checked before being used a few lines later). Printing the
value of the pointer confirms it is null at the time of the crash.

Unfortunately, this is only the first problem. I patched the code to
check the validity of the pointer before this call, and the crash simply
moved to another section of the code. Here's the next backtrace, after
patching (and adding a debug build of pixman):

$ gdb ./hw/xwin/XWin.exe
GNU gdb 6.8.0.20080328-cvs (cygwin-special)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-cygwin"...
(gdb) run
Starting program: /usr/src/xorg-server-1.8.2-1/build/xwin-ddx/hw/xwin/XWin.exe
[New thread 2200.0x430]
[New thread 2200.0x758]
warning: Lowest section in /cygdrive/c/WINDOWS/system32/wmi.dll is .text at 
76d31000
[New thread 2200.0xfb0]
[New thread 2200.0xbbc]

Program received signal SIGSEGV, Segmentation fault.
0x6fc4d664 in pixman_fill_sse2 (bits=0x7f8c0008, stride=6376, bpp=32, x=0, y=0, 
width=640,
    height=479, data=0) at 
/usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman-sse2.c:4025
4025                *(uint32_t *)d = data;
(gdb) bt
#0  0x6fc4d664 in pixman_fill_sse2 (bits=0x7f8c0008, stride=6376, bpp=32, x=0, 
y=0, width=640,
    height=479, data=0) at 
/usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman-sse2.c:4025
#1  0x6fc651c5 in sse2_fill (imp=0x10087730, bits=0x7f8c0008, stride=1594, 
bpp=32, x=0, y=0,
    width=640, height=480, xor=0)
    at /usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman-sse2.c:5888
#2  0x6fb57724 in _pixman_implementation_fill (imp=0x10087730, bits=0x7f8c0008, 
stride=1594,
    bpp=32, x=0, y=0, width=640, height=480, xor=0)
    at 
/usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman-implementation.c:225
#3  0x6fb7cab5 in pixman_fill (bits=0x7f8c0008, stride=1594, bpp=32, x=0, y=0, 
width=640,
    height=480, xor=0) at 
/usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman.c:864
#4  0x004492c7 in fbFill (pDrawable=0x10087b38, pGC=0x10086ac0, x=0, y=0, 
width=640, height=480)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/fb/fbfill.c:48
#5  0x004474eb in fbPolyFillRect (pDrawable=0x10087b38, pGC=0x10086ac0, 
nrect=0, prect=0x10291860)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/fb/fbfillrect.c:77
#6  0x0052730b in damagePolyFillRect (pDrawable=0x10087b38, pGC=0x10086ac0, 
nRects=1,
    pRects=0x10291858)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/miext/damage/damage.c:1404
#7  0x005b1f44 in miPaintWindow (pWin=0x10087b38, prgn=0x10291838, what=0)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/mi/miexpose.c:673
#8  0x005b1a5c in miWindowExposures (pWin=0x10087b38, prgn=0x10291838, 
other_exposed=0x0)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/mi/miexpose.c:504
#9  0x005b76fd in miHandleValidateExposures (pWin=0x10087b38)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/mi/miwindow.c:246
#10 0x0042f874 in xf86SetRootClip (pScreen=0x1008c1b8, enable=1)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winrandr.c:164
#11 0x0042f9a9 in winDoRandRScreenSetSize (pScreen=0x1008c1b8, width=640, 
height=480,
    mmWidth=3435973836, mmHeight=1080233164)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winrandr.c:212
#12 0x0041a375 in winWindowProc (hwnd=0x370184, message=126, wParam=16, 
lParam=31457920)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winwndproc.c:344
#13 0x7e418734 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#14 0x00370184 in ?? ()
#15 0x0000007e in ?? ()
#16 0x00000010 in ?? ()
#17 0x01e00280 in ?? ()
#18 0x00419bd8 in winReshapeRootless ()
#19 0x7e418816 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#20 0x00419bd8 in winReshapeRootless ()
#21 0x7e428ea0 in USER32!DefWindowProcW () from 
/cygdrive/c/WINDOWS/system32/user32.dll
#22 0x00000000 in ?? ()
(gdb) p d
$1 = (uint8_t *) 0x7f8c0008 <Address 0x7f8c0008 out of bounds>
(gdb)

The backtrace is similar for the patched version using -engine 2 (Shadow
DirectDraw locking). At this point, I should mention yet another case:
-engine 1 (Shadow GDI) has also been crashing all along with a backtrace
that is somewhat similar to the ones seen with the patched DirectDraw
engines. Here's that backtrace:

(gdb) run -engine 1
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /usr/src/xorg-server-1.8.2-1/build/xwin-ddx/hw/xwin/XWin.exe 
-engine 1
[New thread 2920.0xb04]
[New thread 2920.0xce4]
warning: Lowest section in /cygdrive/c/WINDOWS/system32/wmi.dll is .text at 
76d31000
[New thread 2920.0xf40]
[New thread 2920.0x654]

Program received signal SIGSEGV, Segmentation fault.
0x6fc4d707 in pixman_fill_sse2 (bits=0x2b90000, stride=1280, bpp=32, x=0, y=0, 
width=640,
    height=0, data=0) at 
/usr/lib/gcc/i686-pc-cygwin/4.3.4/include/emmintrin.h:699
699       *__P = __B;
(gdb) bt
#0  0x6fc4d707 in pixman_fill_sse2 (bits=0x2b90000, stride=1280, bpp=32, x=0, 
y=0, width=640,
    height=0, data=0) at 
/usr/lib/gcc/i686-pc-cygwin/4.3.4/include/emmintrin.h:699
#1  0x6fc651c5 in sse2_fill (imp=0x10087b78, bits=0x2b90000, stride=320, 
bpp=32, x=0, y=0,
    width=640, height=480, xor=0)
    at /usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman-sse2.c:5888
#2  0x6fb57724 in _pixman_implementation_fill (imp=0x10087b78, bits=0x2b90000, 
stride=320, bpp=32,
    x=0, y=0, width=640, height=480, xor=0)
    at 
/usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman-implementation.c:225
#3  0x6fb7cab5 in pixman_fill (bits=0x2b90000, stride=320, bpp=32, x=0, y=0, 
width=640,
    height=480, xor=0) at 
/usr/src/pixman-0.18.2-1/src/pixman-0.18.2/pixman/pixman.c:864
#4  0x004492c7 in fbFill (pDrawable=0x10087f80, pGC=0x10086f80, x=0, y=0, 
width=640, height=480)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/fb/fbfill.c:48
#5  0x004474eb in fbPolyFillRect (pDrawable=0x10087f80, pGC=0x10086f80, 
nrect=0, prect=0x1011a8f0)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/fb/fbfillrect.c:77
#6  0x0052730b in damagePolyFillRect (pDrawable=0x10087f80, pGC=0x10086f80, 
nRects=1,
    pRects=0x1011a8e8)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/miext/damage/damage.c:1404
#7  0x005b1f44 in miPaintWindow (pWin=0x10087f80, prgn=0x10291c30, what=0)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/mi/miexpose.c:673
#8  0x005b1a5c in miWindowExposures (pWin=0x10087f80, prgn=0x10291c30, 
other_exposed=0x0)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/mi/miexpose.c:504
#9  0x005b76fd in miHandleValidateExposures (pWin=0x10087f80)
    at /usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/mi/miwindow.c:246
#10 0x0042f874 in xf86SetRootClip (pScreen=0x1008c1c0, enable=1)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winrandr.c:164
#11 0x0042f9a9 in winDoRandRScreenSetSize (pScreen=0x1008c1c0, width=640, 
height=480,
    mmWidth=3435973836, mmHeight=1080233164)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winrandr.c:212
#12 0x0041a375 in winWindowProc (hwnd=0x1b02a0, message=126, wParam=16, 
lParam=31457920)
    at 
/usr/src/xorg-server-1.8.2-1/src/xserver-cygwin-1.8.2-1/hw/xwin/winwndproc.c:344
#13 0x7e418734 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#14 0x001b02a0 in ?? ()
#15 0x0000007e in ?? ()
#16 0x00000010 in ?? ()
#17 0x01e00280 in ?? ()
#18 0x00419bd8 in winReshapeRootless ()
#19 0x7e418816 in USER32!GetDC () from /cygdrive/c/WINDOWS/system32/user32.dll
#20 0x00419bd8 in winReshapeRootless ()
#21 0x7e428ea0 in USER32!DefWindowProcW () from 
/cygdrive/c/WINDOWS/system32/user32.dll
#22 0x00000000 in ?? ()
(gdb)

At this point I'm a bit stuck. It looks like fbFill might be passing an
invalid pointer to pixman_fill, but the code is hard to follow due to
macros and unfamiliar APIs so I don't know where the root problem is. I
may continue to investigate.

By the way, another backtrace similar to this one showed up in the
mailing list archives from last month:

http://cygwin.com/ml/cygwin-xfree/2010-08/msg00068.html

-Kevin
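
The first crash above (clipper still set, primary surface already NULL) and one way to guard the teardown, as an added example that is not part of the original post, not the patch the poster applied, and not xorg-server code. The mock_* types, surface_set_clipper and free_shadow_guarded are hypothetical stand-ins so the sketch builds without DirectDraw; only the two field names come from the quoted code.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the DirectDraw objects; not the real COM API. */
typedef struct { int refs; int has_clipper; } mock_surface;
typedef struct { int refs; } mock_clipper;

/* Only the two fields named in the quoted teardown code. */
typedef struct {
    mock_surface *pddsPrimary4;
    mock_clipper *pddcPrimary;
} mock_screen_priv;

/* Like the real SetClipper call, this dereferences the surface, so a NULL
 * surface faults here. */
static void surface_set_clipper(mock_surface *s, mock_clipper *c)
{
    s->has_clipper = (c != NULL);
}

enum { DETACHED = 1, CLIPPER_RELEASED = 2, SURFACE_RELEASED = 4 };

/* Guarded teardown: returns a bitmask of the steps actually performed. */
int free_shadow_guarded(mock_screen_priv *p)
{
    int done = 0;
    if (p->pddcPrimary) {
        if (p->pddsPrimary4) {          /* the check missing from the quoted code */
            surface_set_clipper(p->pddsPrimary4, NULL);
            done |= DETACHED;
        }
        p->pddcPrimary->refs--;         /* release the clipper either way */
        p->pddcPrimary = NULL;
        done |= CLIPPER_RELEASED;
    }
    if (p->pddsPrimary4) {
        p->pddsPrimary4->refs--;
        p->pddsPrimary4 = NULL;
        done |= SURFACE_RELEASED;
    }
    return done;
}

int main(void)
{
    mock_clipper clip = { 1 };
    mock_screen_priv priv = { NULL, &clip };   /* state seen in the backtrace */
    printf("steps=%d clipper refs=%d\n", free_shadow_guarded(&priv), clip.refs);
    return 0;
}
```

Clearing both pointers after release also makes a second call a no-op, which matters when the free routine is reached again from a later resize.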
