Segfaults with genius tablet and xorg-server 1.8.1

Bug #586868 reported by Kővágó Zoltán (DirtY iCE)
This bug affects 1 person
Affects: Wizardpen
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm running amd64 gentoo, xorg-server-1.8.1-r1 and have "UC-LOGIC Tablet WP8060U" (lsusb says "ID 5543:0005 UC-Logic Technology Corp. Genius MousePen 8x6 Tablet"), and use revision 40 of wizardpen driver.

The driver works fine until I touch the tablet with the pen. When I do it, the whole X server crashes, and leaves me with a nonsense backtrace (only memory addresses).

Using gdb pointed out that the problem is that the wizardpen driver doesn't set read_input. IsUSBLine in wizardpen.c:375 for some reason returns false, and the block never executes, and read_input is set nowhere else. Also there is a suspicious "} else" on line 385, but there's no else block (other than the assignment in the next line).

Ali Lown (a-lown0) wrote :

The else on line 385 does appear to have no purpose.
Perhaps Gerrard can shed some light on its purpose, since he put it there in rev 32?

Which kernel are you using?
Did you compile support for the event interface? (Presumably you did)
What is your configuration method (hal/udev/xorg.conf.d inputclass)? Can you please attach the appropriate file.

Kővágó Zoltán (DirtY iCE) (dirty-ice) wrote :

I'm currently running linux 2.6.35-gentoo-r1. Event interface is compiled into kernel (CONFIG_INPUT_EVDEV), but see also the attached kernel config.

Since then I updated to X.Org X Server 1.8.2, but the error persists. I'm using xorg's InputClass for configuration.

Kővágó Zoltán (DirtY iCE) (dirty-ice) wrote :

Here is my xorg.conf (I couldn't attach more than one file to a post...)

Ali Lown (a-lown0) wrote :

Since I am using the same versions and the same architecture, would you mind trying the attached precompiled tarball (from my machine). Simply extract it to /

Also, if you increase the DebugLevel option (try something around 999), can you please attach the Xorg.0.log, or any appropriate output from it when it segfaults with your current driver (or if it does it with mine too).

Kővágó Zoltán (DirtY iCE) (dirty-ice) wrote :

Segfaults with your driver too. Attaching the log.

Ali Lown (a-lown0) wrote :

If read_input isn't being set in the IsUSBLine block, how did you get ABS, BTN and PEN messages in the X log, because they are only shown from the USBReadInput function (which is only set in that particular block).

The fact that the last event before the segfault occurs is an ABS_PRESSURE event (albeit a very low one) suggests that it might be the PostMotionEvent method that goes wrong.
Could you put a breakpoint on it and see if it segfaults before it gets to that or if that is at fault. What does report_z show at that point?

Kővágó Zoltán (DirtY iCE) (dirty-ice) wrote :

Well, if you mean xf86PostMotionEvent, I did it (actually I need to rebuild my X server with debugging enabled to get useful info from it). It breaks there a few times, then SIGSEGV somewhere (it says at 0x0000000000000000...)

The interesting fact is that if I run it in gdb it doesn't break in ABS_PRESSURE (or at least doesn't print it to the log):

[ 690.353] (**) ABS_Z x is 14966
[ 690.353] (**) ABS_RX y is 13092
[ 699.416] (**) ABS_Z x is 14936
[ 699.416] (**) ABS_RX y is 13510
[ 727.080]
Backtrace:
[ 727.081] 0: /usr/bin/X (xorg_backtrace+0x28) [0x4a1318]
[ 727.081] 1: /usr/bin/X (0x400000+0x63709) [0x463709]
[ 727.081] 2: /lib/libpthread.so.0 (0x7f53b4d7b000+0xf410) [0x7f53b4d8a410]
[ 727.081] Segmentation fault at address (nil)

If I don't run it in gdb, the last line is always an ABS_PRESSURE event.

Kővágó Zoltán (DirtY iCE) (dirty-ice) wrote :

Now retried with a -g3 xorg server. Now it crashes after several ABS_PRESSURE events.

[ 1786.630] (II) No input driver/identifier specified (ignoring)
[ 1793.335] (**) ABS_Z x is 16823
[ 1793.335] (**) ABS_RX y is 9316
[ 1799.996] (**) ABS_Z x is 16845
[ 1799.996] (**) ABS_RX y is 9398
[ 1803.486] (**) ABS_Z x is 16868
[ 1803.486] (**) ABS_RX y is 9701
[ 1806.360] (**) ignored BTN_SIDE event is 1
[ 1806.360] (**) ABS_Z x is 16864
[ 1806.360] (**) ABS_RX y is 9720
[ 1806.360] (**) setting PEN DOWN event
[ 1806.360] (**) ABS_PRESSURE z is 603 (was 0)
[ 1809.326] (**) ABS_Z x is 16849
[ 1809.326] (**) ABS_RX y is 9761
[ 1809.326] (**) ABS_PRESSURE z is 457 (was 603)
[ 1812.000] (**) ABS_Z x is 16815
[ 1812.000] (**) ABS_RX y is 9821
[ 1812.000] (**) ABS_PRESSURE z is 234 (was 457)
[ 1814.734] (**) ignored BTN_SIDE event is 0
[ 1814.734] (**) ABS_Z x is 16770
[ 1814.734] (**) ABS_RX y is 9862
[ 1814.734] (**) setting PEN UP event
[ 1814.734] (**) ABS_PRESSURE z is 0 (was 234)
[ 1822.913] (**) ABS_Z x is 16747
[ 1822.913] (**) ABS_RX y is 9859
[ 1826.124] (**) ABS_Z x is 16757
[ 1826.124] (**) ABS_RX y is 9791
[ 1830.251] (**) ABS_Z x is 16821
[ 1830.251] (**) ABS_RX y is 9671
[ 1833.613] (**) ABS_Z x is 16989
[ 1833.613] (**) ABS_RX y is 9417
[ 1845.948]
Backtrace:

Now I got proper backtraces from gdb. report_z is mostly 0, except the three ABS_PRESSURE, where it's the logged value minus one. But see the attached file. It looks like it segfaults somewhere in xf86SigioReadInput. Line 298 contains the following:
pInfo->read_input(pInfo);

(gdb) print * pInfo
$2 = {next = 0x2832f50, name = 0x282bc50 "UC-LOGIC Tablet WP8060U", flags = 78, device_control = 0x7fd62fa6ec80 <DeviceControl>, read_input = 0, control_proc = 0, close_proc = 0x7fd62fa6d7c0 <CloseProc>, switch_mode = 0,
  conversion_proc = 0, reverse_conversion_proc = 0, set_device_valuators = 0, fd = 34, atom = 240, dev = 0x2830850, private = 0x282ff50, private_flags = 0, first = 0, last = 0, old_x = 0, old_y = 0,
  type_name = 0x7fd62fa701e7 "WizardPen Tablet", always_core_feedback = 0x0, conf_idev = 0x282bc20, drv = 0x282c4e0, module = 0x282fee0, options = 0x2830020, history_size = 256}

read_input is for some reason 0. The interesting thing is how it survives so long without it...
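
An added example, not code from the wizardpen driver or the X server: a minimal C model of the failure pinned down above, where init leaves read_input NULL when the bus probe fails and the server then calls through it. The struct, function names and device names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the server's per-device record (not InputInfoRec). */
typedef struct input_dev {
    const char *name;
    int is_usb_line;                        /* result of the bus probe */
    void (*read_input)(struct input_dev *); /* event handler */
    int events_seen;
} input_dev;

static void usb_read_input(input_dev *d) { d->events_seen++; }

/* Pattern from the report: the handler is assigned only inside the
 * probe-succeeded branch, yet init still reports success. */
static int pre_init_unchecked(input_dev *d) {
    d->read_input = NULL;
    if (d->is_usb_line)
        d->read_input = usb_read_input;
    return 0;
}

/* Hardened init: refuse a device that ends up without a handler. */
static int pre_init_checked(input_dev *d) {
    pre_init_unchecked(d);
    if (d->read_input == NULL) {
        fprintf(stderr, "%s: no read_input handler, rejecting device\n", d->name);
        return -1;
    }
    return 0;
}

/* Guarded dispatch. The unguarded form is a bare d->read_input(d),
 * which jumps to address 0 when the pointer is NULL. */
static int dispatch_guarded(input_dev *d) {
    if (d->read_input == NULL)
        return -1;
    d->read_input(d);
    return 0;
}

int main(void) {
    input_dev ok  = { "constructed-probe-ok",     1, NULL, 0 };
    input_dev bad = { "constructed-probe-failed", 0, NULL, 0 };
    int r_ok = pre_init_unchecked(&ok), r_bad = pre_init_unchecked(&bad);
    printf("unchecked init: ok=%d bad=%d\n", r_ok, r_bad);
    printf("checked init:   bad=%d\n", pre_init_checked(&bad));
    printf("dispatch:       ok=%d bad=%d\n", dispatch_guarded(&ok), dispatch_guarded(&bad));
    return 0;
}
```

Rejecting the device at init keeps it out of the server's device list entirely, so the dispatch guard is a second line of defence, not the primary fix.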

Ali Lown (a-lown0) wrote :

Does it survive longer because whatever is causing it to crash is occurring asynchronously (another module overwriting that memory location? failed sys call?), and X is operating slower because of all the extra debugging code and output?

If you put a watch on read_input, are you able to see if it is being overwritten anywhere, because it really shouldn't be loading or receiving any events at all if it is not set when the driver starts up.

Kővágó Zoltán (DirtY iCE) (dirty-ice) wrote :

Hmm, actually nothing overwrites it. There are two tablet inputs:

(gdb) break wizardpen.c:555
No source file named wizardpen.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (wizardpen.c:555) pending.
(gdb) r
Starting program: /usr/bin/X
[Thread debugging using libthread_db enabled]
[... snip ...]

Breakpoint 1, WizardPenPreInit (drv=<value optimized out>, dev=<value optimized out>, flags=<value optimized out>) at wizardpen.c:555
555 local->fd = -1;
(gdb) print local
$1 = (LocalDevicePtr) 0x2c1eee0
(gdb) print *local
$2 = {next = 0x0, name = 0x2c1e120 "UC-LOGIC Tablet WP8060U", flags = 78, device_control = 0x7f9ad1f68c80 <DeviceControl>, read_input = 0x7f9ad1f67e60 <USBReadInput>, control_proc = 0,
  close_proc = 0x7f9ad1f677c0 <CloseProc>, switch_mode = 0, conversion_proc = 0, reverse_conversion_proc = 0, set_device_valuators = 0, fd = 33, atom = 0, dev = 0x0, private = 0x2c1efb0, private_flags = 0, first = 0,
  last = 0, old_x = 0, old_y = 0, type_name = 0x7f9ad1f6a1e7 "WizardPen Tablet", always_core_feedback = 0x0, conf_idev = 0x2c1e1c0, drv = 0x2c1e870, module = 0x2c1e8b0, options = 0x2c1e900, history_size = 256}
(gdb) c
Continuing.

Breakpoint 1, WizardPenPreInit (drv=<value optimized out>, dev=<value optimized out>, flags=<value optimized out>) at wizardpen.c:555
555 local->fd = -1;
(gdb) print local
$3 = (LocalDevicePtr) 0x2c221a0
(gdb) print *local
$4 = {next = 0x0, name = 0x2c034d0 "UC-LOGIC Tablet WP8060U", flags = 78, device_control = 0x7f9ad1f68c80 <DeviceControl>, read_input = 0, control_proc = 0, close_proc = 0x7f9ad1f677c0 <CloseProc>, switch_mode = 0,
  conversion_proc = 0, reverse_conversion_proc = 0, set_device_valuators = 0, fd = 34, atom = 0, dev = 0x0, private = 0x2c222e0, private_flags = 0, first = 0, last = 0, old_x = 0, old_y = 0,
  type_name = 0x7f9ad1f6a1e7 "WizardPen Tablet", always_core_feedback = 0x0, conf_idev = 0x2c034a0, drv = 0x2c1e870, module = 0x2c22270, options = 0x2c223b0, history_size = 256}

The first is filled out correctly, but the second is not, and it looks like the first handles motion, and the second the clicks.
It reports fd 33 and 34. According to lsof:
X 14370 root 33u CHR 13,67 0t0 2064 /dev/input/event3
fd 34 is not open at all.

Xorg.log:
[ 1896.094] (II) config/udev: Adding input device UC-LOGIC Tablet WP8060U (/dev/input/event3)
[ 1896.094] (**) UC-LOGIC Tablet WP8060U: Applying InputClass "evdev pointer catchall"
[ 1896.094] (**) UC-LOGIC Tablet WP8060U: Applying InputClass "evdev tablet catchall"
[ 1896.094] (**) UC-LOGIC Tablet WP8060U: Applying InputClass "wizardpen tablet"
[ 1896.094] (II) LoadModule: "wizardpen"
[ 1896.094] (II) Loading /usr/lib64/xorg/modules/input/wizardpen_drv.so
[ 1896.098] (II) Module wizardpen: vendor="X.Org Foundation"
[ 1896.098] compiled for 1.8.2, module version = 0.7.3
[ 1896.098] Module class: X.Org XInput Driver
[ 1896.098] ABI class: X.Org XInput driver, version 9.0
[ 1896.098] (**) Option "Device" "/dev/input/event3"
[ 1896.106] (--) UC-LOGIC Tablet WP8060U: MaxX:32767 MaxY:32767 MaxZ:1023
[ 1896.106] (--) UC-LOGIC Tablet WP8060U: aspect ratio:1.33:1...


Fabián Rodríguez (magicfab) wrote :

Please see this post by Martin about tablets support:
https://lists.launchpad.net/wizardpen-testers/msg00000.html

Also consider joining this team to help get further support for your devices:
https://edge.launchpad.net/~wizardpen-testers

Peter Gervai (grin) wrote : Re: [Bug 586868] Re: Segfaults with genius tablet and xorg-server 1.8.1

If you don't stop the mouse device using the tablet driver it'll
crash. If the log shows that the mouse doesn't try to use wizardpen
driver it'll be okay I guess.

My config goes on like this:

Section "InputClass"
   Identifier "wizardpen ignore mouse dev"
   MatchIsTablet "on"
   MatchDevicePath "/dev/input/by-id/usb-UC-LOGIC_Tablet_WP8060U-mouse"
   MatchVendor "UC-LOGIC|KYE Systems|Ace Cad"
   Driver ""
EndSection

Section "InputClass"
   Identifier "wizardpen-general-UC-LOGIC"
   MatchIsTablet "on"
   MatchDevicePath "/dev/input/event*"
   MatchVendor "UC-LOGIC"
   Driver "wizardpen"
EndSection

Or maybe you have a different problem.
--
 byte-byte,
    grin
