
Opened 9 years ago

Closed 9 years ago

#223 closed defect (fixed)

fb crashes if mouse moves during start up

Reported by: Jakub Jermář
Owned by:
Priority: major
Milestone: 0.4.3
Component: helenos/srv/fb
Version: mainline
Keywords:
Cc:
Blocker for:
Depends on:
See also:

Description

On the current head (r398), default ia32 build, the fb server crashes when the mouse is being moved when the system starts up (just move it continuously from the grub menu and while the kernel console is active).

See the attached screenshot for the stack trace and the attached fb.disasm for the disassembler output.

Attachments (2)

fbcrash.png (22.2 KB) - added by Jakub Jermář 9 years ago.
Screenshot with the stack trace.
fb.disasm.bz2 (139.2 KB) - added by Jakub Jermář 9 years ago.
fb disassembler output.


Change History (5)

Changed 9 years ago by Jakub Jermář

Attachment: fbcrash.png added

Screenshot with the stack trace.

Changed 9 years ago by Jakub Jermář

Attachment: fb.disasm.bz2 added

fb disassembler output.

comment:1 Changed 9 years ago by Jakub Jermář

Summary: changed from "fb crashes if mous moves during start up" to "fb crashes if mouse moves during start up"

comment:2 Changed 9 years ago by Jakub Jermář

I think this problem exists, because console starts to process mouse events even before gcons_init() is finished. The scenario which I observed looks something like this:

  • in console, both xres and yres are 0 (i.e. before they are initialized to something non-zero)
  • gcons_mouse_move() is called to process a mouse event
  • no matter what the dx and dy parameters to gcons_mouse_move() were, calling limit() (twice) will result in passing mouse_x == mouse_y == -1 to fb in the FB_POINTER_MOVE request
  • fb receives the FB_POINTER_MOVE call and calls mouse_move()
  • mouse_move() sets pointer_x and pointer_y to -1, which it read from the IPC request
  • processing any consequent request from fb_client_connection() will result in calling mouse_show()
  • mouse_show() sets the pointer vport's x and y coordinates to -1 and calls copy_vp_to_pixmap()
  • copy_vp_to_pixmap() then calculates a source address for memcpy() using vport->y, which is -1, which results in adding a negative number to the fb start address
  • memcpy() crashes because fb accesses memory around one scanline below the beginning of the framebuffer memory

comment:3 Changed 9 years ago by Jakub Jermář

Resolution: fixed
Status: new → closed
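
The failure chain from comment:2, modelled as an added C example that is not HelenOS code. `limit_model()` is a hypothetical clamp consistent with the behaviour the comment describes, the 640x480 geometry with 4 bytes per pixel is constructed, and `pointer_pos_valid()` is one possible server-side check, not necessarily the change that closed this ticket.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the client-side clamp: keeps a in [left, right).
 * With right == 0 (resolution not yet initialized) it always returns -1. */
static int limit_model(int a, int left, int right)
{
	if (a < left)
		a = left;
	if (a >= right)
		a = right - 1;
	return a;
}

/* Signed byte offset of pixel (x, y) from the start of the framebuffer. */
static ptrdiff_t pixel_offset(int x, int y, size_t scanline, size_t pixelbytes)
{
	return (ptrdiff_t) y * (ptrdiff_t) scanline +
	    (ptrdiff_t) x * (ptrdiff_t) pixelbytes;
}

/* Server-side validation of coordinates received over IPC: reject them
 * unless the screen is initialized and the point lies inside it. */
static bool pointer_pos_valid(int x, int y, int xres, int yres)
{
	if (xres <= 0 || yres <= 0)
		return false;
	return x >= 0 && x < xres && y >= 0 && y < yres;
}

int main(void)
{
	/* Constructed scenario: client still has xres == yres == 0. */
	int mx = limit_model(0 + 5, 0, 0);
	int my = limit_model(0 - 3, 0, 0);
	printf("client sends x=%d y=%d\n", mx, my);

	/* Constructed server geometry: 640x480, 4 bytes per pixel. */
	size_t scanline = 640 * 4;
	printf("unchecked offset: %td bytes\n",
	    pixel_offset(mx, my, scanline, 4));
	printf("accepted by check: %s\n",
	    pointer_pos_valid(mx, my, 640, 480) ? "yes" : "no");
	return 0;
}
```

The unchecked offset lands just over one scanline before the framebuffer start, matching the crash location described in the comment; the check refuses the request before any address is computed.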