Bug 44003

Summary: easystroke crashes xserver when grabbing mouse
Product: xorg
Component: Server/Input/Core
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: RESOLVED FIXED
Severity: critical
Priority: medium
Keywords: regression
Whiteboard: 2011BRB_Reviewed
Reporter: Harald Judt <h.judt>
Assignee: Peter Hutterer <peter.hutterer>
QA Contact: Xorg Project Team <xorg-team>
CC: mistryous
Bug Blocks: 40982

Description Harald Judt 2011-12-21 02:28:57 UTC
Since commit http://cgit.freedesktop.org/xorg/xserver/commit/?id=51437995a5041a8c53c33b508b1607c78a5fa463, xserver crashes when easystroke tries to grab the mouse.

Steps to reproduce:
0) Easystroke can be found here: http://sourceforge.net/apps/trac/easystroke/wiki
1) Configure easystroke to use mouse button 3 (the right mouse button) to draw a gesture.
2) Try to draw the gesture.

Expected results:
Whatever, but not a crash.

Actual results:
xserver crashes.

Bisect log:
git bisect start
# bad: [629a575261c08ca67324fea4c975636a1a95dc75] Input: Convert positionSprite and GetPointerEvents to double
git bisect bad 629a575261c08ca67324fea4c975636a1a95dc75
# bad: [51437995a5041a8c53c33b508b1607c78a5fa463] Input: Don't call positionSprite for non-pointer devices
git bisect bad 51437995a5041a8c53c33b508b1607c78a5fa463
# good: [afb1fe695d197187a301c19863a128a65389b15c] Merge remote-tracking branch 'whot/next'
git bisect good afb1fe695d197187a301c19863a128a65389b15c
# good: [3463078f9697fad0ee11837d80e88889fc6a28a4] Input: Convert clipAxis, moveAbsolute and moveRelative to double
git bisect good 3463078f9697fad0ee11837d80e88889fc6a28a4
# good: [2b8f1d07bd42c9d3db3dbacfe6a1335e47236a6c] Input: Widen pointer acceleration types to double
git bisect good 2b8f1d07bd42c9d3db3dbacfe6a1335e47236a6c
# good: [5680fa41ea3373651f7017898a307e97cf29b0d3] Input: Remove x and y from moveAbsolute/moveRelative
git bisect good 5680fa41ea3373651f7017898a307e97cf29b0d3
# good: [4c364a312daf2b743a0a60b9907f671804a1b1b6] Input: Convert rescaleValuatorAxis to double
git bisect good 4c364a312daf2b743a0a60b9907f671804a1b1b6


I tried to do a backtrace, here are the results:
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000044787d in fill_pointer_events (events=0x7f967c5cfb00, pDev=0x28fbc20, type=<optimized out>, 
    buttons=0, ms=8160051, flags=<optimized out>, mask_in=0x7fff6932af60)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/getevents.c:1269
1269	/var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/getevents.c: No such file or directory.
	in /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/getevents.c
#0  0x000000000044787d in fill_pointer_events (events=0x7f967c5cfb00, pDev=0x28fbc20, type=<optimized out>, 
    buttons=0, ms=8160051, flags=<optimized out>, mask_in=0x7fff6932af60)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/getevents.c:1269
        master = 0x0
        num_events = 2
        event = <optimized out>
        raw = 0x7f967c5cf010
        screenx = 468.34844975875581
        screeny = 251.06989430009799
        devx = <optimized out>
        devy = <optimized out>
        mask = {last_bit = 1 '\001', mask = "\002\000\000\000", valuators = {0, 251.06989430009799, 
            0 <repeats 34 times>}}
        scr = 0x246c5d0
#1  0x0000000000448bae in GetPointerEvents (events=0x7f967c5cf010, pDev=0x28fbc20, type=<optimized out>, 
    buttons=0, flags=10, mask_in=0x2901a70)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/getevents.c:1493
        ms = 8160051
        num_events = 0
        nev_tmp = <optimized out>
        h_scroll_axis = <optimized out>
        v_scroll_axis = 4
        mask = {last_bit = 1 '\001', mask = "\002\000\000\000", valuators = {0, 6, 0 <repeats 34 times>}}
        scroll = {last_bit = 16 '\020', mask = "\000\000\000\000", valuators = {0, 4.9406564584124654e-324, 
            2.1965629963860771e-317, 4.9406564584124654e-324, 6.930964410386682e-310, 4.060144521969696e-317, 
            2.2178685892316892e-316, 7.9050503334599447e-323, 6.930964410386682e-310, 2.7203546946881373e-316, 
            2.2178685892316892e-316, 2.7203491611529039e-316, 0, 4.9406564584124654e-324, 
            6.930964410386682e-310, 2.1232095640136731e-316, 2.2178685892316892e-316, 2.7203491611529039e-316, 
            0, 4.9406564584124654e-324, 6.9309642528293452e-310, 4.060144521969696e-317, 
            2.1975363057083844e-317, 2.0661437961614591e-316, 6.9532308073918443e-310, 
            6.9532308073918443e-310, 2.0659501224282893e-316, 2.0659580274786228e-316, 
            2.1232095640136731e-316, 0, 2.1601538167470981e-317, 4.060144521969696e-317, 
            2.1232095640136731e-316, 2.1232095640136731e-316, 2.1903461683644567e-317, 4.060144521969696e-317}}
        i = <optimized out>
        realtype = 6
#2  0x000000000044903d in QueuePointerEvents (device=0x28fbc20, type=<optimized out>, buttons=<optimized out>, 
    flags=<optimized out>, mask=<optimized out>)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/getevents.c:1140
        nevents = <optimized out>
#3  0x00007f96767d6fd0 in EvdevProcessSyncEvent (pInfo=0x28fa4b0, ev=<optimized out>)
    at /var/tmp/portage/x11-drivers/xf86-input-evdev-9999/work/xf86-input-evdev-9999/src/evdev.c:839
        num_v = 0
        v = {0 <repeats 36 times>}
        pEvdev = 0x28fac40
        first_v = 0
#4  EvdevProcessEvent (ev=<optimized out>, pInfo=0x28fa4b0)
    at /var/tmp/portage/x11-drivers/xf86-input-evdev-9999/work/xf86-input-evdev-9999/src/evdev.c:873
No locals.
#5  EvdevReadInput (pInfo=0x28fa4b0)
    at /var/tmp/portage/x11-drivers/xf86-input-evdev-9999/work/xf86-input-evdev-9999/src/evdev.c:921
        ev = {{time = {tv_sec = 1324462369, tv_usec = 408178}, type = 2, code = 1, value = 6}, {time = {
              tv_sec = 1324462369, tv_usec = 408183}, type = 0, code = 0, value = 0}, {time = {tv_sec = 0, 
              tv_usec = 0}, type = 0, code = 0, value = 0} <repeats 14 times>}
        i = <optimized out>
        len = 48
#6  0x000000000046c9b7 in xf86SigioReadInput (fd=<optimized out>, closure=0x28fa4b0)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/hw/xfree86/common/xf86Events.c:298
        errno_save = 0
        pInfo = 0x28fa4b0
#7  0x0000000000491d0e in xf86SIGIO (sig=<optimized out>)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/hw/xfree86/os-support/linux/../shared/sigio.c:109
        i = <optimized out>
        ready = {fds_bits = {8192, 0 <repeats 15 times>}}
        to = {tv_sec = 0, tv_usec = 0}
        save_errno = 0
        r = 1
#8  <signal handler called>
No symbol table info available.
#9  0x00007f967a97ed03 in __select_nocancel () at ../sysdeps/unix/syscall-template.S:82
No locals.
#10 0x000000000055e9fb in WaitForSomething (pClientsReady=0x28e7bc0)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/os/WaitFor.c:232
        i = <optimized out>
        waittime = {tv_sec = 0, tv_usec = 413}
        wt = 0x7fff6932bd90
        timeout = <optimized out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {355, 55388368, 140284281425504, 287072, 55672480, 4433117, 3, 4427826, 
            38504576, 4508448, 42, 140284281425504, 55060592, 1, 0, 0}}
        selecterr = <optimized out>
        nready = 0
        devicesReadable = {fds_bits = {42974240, 140284281425504, 44014432, 1, 0, 32, 44597680, 5670796, 1, 
            5652693, 55060480, 140282221821984, 0, 0, 0, 44014368}}
        now = <optimized out>
        someReady = <optimized out>
#11 0x0000000000433812 in Dispatch ()
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/dispatch.c:366
        clientReady = 0x28e7bc0
        result = <optimized out>
        client = <optimized out>
        nready = <optimized out>
        icheck = 0x7d92a0
        start_tick = <optimized out>
#12 0x0000000000422f87 in main (argc=4, argv=<optimized out>, envp=<optimized out>)
    at /var/tmp/portage/x11-base/xorg-server-9999/work/xorg-server-9999/dix/main.c:287
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
Detaching from program: /usr/bin/Xorg, process 11639

Comment 1 Jeremy Huddleston Sequoia 2012-01-02 20:36:12 UTC
The regression is new to 1.12, as the offending commit was not cherry-picked into 1.11.

Comment 2 Peter Hutterer 2012-01-04 21:59:00 UTC
http://patchwork.freedesktop.org/patch/8615/

Comment 3 Harald Judt 2012-01-04 23:31:28 UTC
Thanks. I confirm the patch fixes the problem.

There is another, long-standing bug with regard to easystroke in xorg-server-1.12, though it is not a regression: Bug 39989 - SD grabs interact badly with animated cursors. Maybe we could get that patch into xorg-server-1.12 too?

Comment 4 Peter Hutterer 2012-01-10 21:58:24 UTC
commit 223ba8b46eacbc8e573bc5136a3d6677f3e39099
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Jan 5 15:55:04 2012 +1000

    dix: fix wrong condition checking for attached slave (#44003)

Comment 5 ybdjkfd 2012-04-13 17:57:19 UTC
As I opened a ticket in LaunchPad https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/981193 concerning this issue, will this fix the issue I experienced in Ubuntu 11.10 as quoted here:

"I have determined some interaction with easystroke, a gesture recognition program, is to blame here, not Firefox or ATI exactly. The program easystroke was used to map a side button on my mouse to Super+A, which activates the "Present Windows" effect in KDE/kwin.

Scrolling in Konqueror and hitting the gesture button on the mouse. Crash. It's not just Firefox nor Mozilla. (Thunderbird also crashed in this regard earlier).
Scrolling in the Desktop (cube effect) and hitting the gesture button on the mouse. Crash. It's not a Web page nor plugin.
Scrolling in the above scenarios and hitting Super+A on the keyboard itself. No crash. It's not "Present Windows" nor kwin in this regard.
Scrolling in the above scenarios and hitting the same button on the mouse without easystroke. No crash. It's not the mouse input in that regard.

So, what is the remapping of a mouse button to Super+A and scrolling at the same time in easystroke doing to Xorg or FGLRX?"
