termux/termux-x11

[Bug]: Xserver Random crash on mouse event trigger (trackpad touch mode)

Art-Chen opened this issue · 3 comments

Problem description

Cmdline: /system/bin/app_process / com.termux.x11.CmdEntryPoint :0
pid: 13175, tid: 13267, name: Thread-2  >>> /system/bin/app_process <<<
uid: 0
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000018
Cause: null pointer dereference
    x0  b400007a6ecb3520  x1  000000000043599c  x2  000000000043599c  x3  b400007a6ecd4a48
    x4  b400007a6ecd4b70  x5  0000000000000004  x6  0000007a5cf35408  x7  0000007a5cf36814
    x8  0000000000000000  x9  00000000fffffff9  x10 0000000000000018  x11 0000000000000001
    x12 0000000000000002  x13 0000000000000001  x14 0000000000000001  x15 0000000000000001
    x16 0000007a5b921c80  x17 0000007a5b84dc54  x18 0000007a5ac24000  x19 b400007a6ecb3520
    x20 000000000043599c  x21 0000000000000001  x22 0000000000000001  x23 b400007a6ecd5510
    x24 b400007a6ecd4900  x25 0000000000000270  x26 0000007a5cf35108  x27 000000000043599c
    x28 0000007a5cf37000  x29 0000007a5cf34dc0
    lr  0000007a5b84e204  sp  0000007a5cf34dc0  pc  0000007a5b84dce8  pst 0000000080001000

13 total frames
backtrace:
      #00 pc 0000000000237ce8  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (ProcessVelocityData2D+148) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #01 pc 0000000000238200  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #02 pc 000000000022e608  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #03 pc 000000000022e048  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (GetPointerEvents+596) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #04 pc 000000000022ddb8  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (QueuePointerEvents+48) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #05 pc 00000000000dad50  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #06 pc 00000000002ec1d8  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #07 pc 00000000002e4978  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (WaitForSomething+424) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #08 pc 0000000000210e3c  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #09 pc 000000000021b2c0  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #10 pc 00000000000da450  /data/app/~~jHU5KoMopkqKJNsiAj-OUQ==/com.termux.x11-LF3CpzGipoxjL8KKRz96wg==/base.apk!libXlorie.so (offset 0x570000) (BuildId: 70c24986c5313848477ca7ad55c7f0a61e182461)
      #11 pc 00000000000fd134  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+208) (BuildId: 1e3ca19bcae05c01b019c85f3f422e56)
      #12 pc 0000000000096ae4  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: 1e3ca19bcae05c01b019c85f3f422e56)

NPE in FeedTrackers:

```c
static inline void
FeedTrackers(DeviceVelocityPtr vel, double dx, double dy, int cur_t)
{
    int n;

    for (n = 0; n < vel->num_tracker; n++) {
        vel->tracker[n].dx += dx;
        vel->tracker[n].dy += dy;
    }
    n = (vel->cur_tracker + 1) % vel->num_tracker;
    vel->tracker[n].dx = 0.0;   /* <-- crashes here */
    vel->tracker[n].dy = 0.0;
    vel->tracker[n].time = cur_t;
    vel->tracker[n].dir = GetDirection(dx, dy);
    DebugAccelF("motion [dx: %f dy: %f dir:%d diff: %d]\n",
                dx, dy, vel->tracker[n].dir,
                cur_t - vel->tracker[vel->cur_tracker].time);
    vel->cur_tracker = n;
}
```

Looks like vel->tracker is NULL.

```asm
  237cbc: eb09015f     	cmp	x10, x9
  237cc0: 54fffe6b     	b.lt	0x237c8c <ProcessVelocityData2D+0x38>
  237cc4: b9400e68     	ldr	w8, [x19, #0xc]
  237cc8: 11000508     	add	w8, w8, #0x1
  237ccc: 1ac90d0a     	sdiv	w10, w8, w9
  237cd0: 1b09a155     	msub	w21, w10, w9, w8
  237cd4: 1e780029     	fcvtzs	w9, d1
  237cd8: 93407eb6     	sxtw	x22, w21
  237cdc: 8b35c6c8     	add	x8, x22, w21, sxtw #1
  237ce0: d37df10a     	lsl	x10, x8, #3
  237ce4: f9400268     	ldr	x8, [x19]
  237ce8: f82a691f     	str	xzr, [x8, x10]        // <-- faulting instruction (pc)
```

x8 is null, and x10 looks like it is n (which is 0x18).

BTW, it's my local build, synced with the latest source. It was working normally on the last sync (git head hash: 4e7763b4aa34e7516a35005cde4e17b63f131a47).

What steps will reproduce the bug?

Start a game via Wine and touch the screen to move the pointer; just using an external mouse can also trigger this bug.
It may be caused by the relative mouse issue? (Not certain, just a guess.)

What is the expected behavior?

Working normally without the Xserver crashing.
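As an added illustration (not code from termux-x11 or the X server), here is a stand-in for FeedTrackers that carries the precondition the crashing path lacks, plus the offset arithmetic the disassembly performs (add x8 = 3n, then lsl #3 gives 24n): with a NULL ring base, the store for ring index n lands at n * 0x18, which is consistent with the reported fault addr 0x18. The struct layouts, field names and get_direction() are assumptions modelled on the fields the quoted snippet touches.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-ins for the X server's MotionTracker and DeviceVelocityRec (assumed
 * layout; field offsets match the ldr [x19] / [x19,#0xc] in the disassembly). */
typedef struct {
    double dx, dy;   /* motion accumulated since this tracker was started */
    int    time;     /* start time of this tracker */
    int    dir;      /* direction bitmask from get_direction() */
} MotionTracker;     /* 24 bytes: entry n sits at byte offset n * 0x18 */

typedef struct {
    MotionTracker *tracker;      /* ring of trackers; NULL if never allocated */
    int            num_tracker;  /* ring length */
    int            cur_tracker;  /* index of the newest entry */
} DeviceVelocityRec, *DeviceVelocityPtr;

static int get_direction(double dx, double dy)   /* stand-in for GetDirection() */
{
    return (dx > 0 ? 1 : dx < 0 ? 2 : 0) | (dy > 0 ? 4 : dy < 0 ? 8 : 0);
}

/* Address the crashing store writes to, relative to vel->tracker: with a NULL
 * base this is the fault address itself, so 0x18 means the ring index n was 1. */
size_t tracker_store_offset(int n)
{
    return (size_t)n * sizeof(MotionTracker);
}

/* FeedTrackers with the missing precondition: never index a NULL or empty ring
 * (the modulo would also divide by zero for num_tracker == 0). Returns false
 * when the motion sample is dropped instead of faulting. */
bool feed_trackers_checked(DeviceVelocityPtr vel, double dx, double dy, int cur_t)
{
    if (vel == NULL || vel->tracker == NULL || vel->num_tracker <= 0)
        return false;
    for (int n = 0; n < vel->num_tracker; n++) {   /* age every open tracker */
        vel->tracker[n].dx += dx;
        vel->tracker[n].dy += dy;
    }
    int n = (vel->cur_tracker + 1) % vel->num_tracker;  /* next ring slot */
    vel->tracker[n].dx = 0.0;                           /* the store that faulted */
    vel->tracker[n].dy = 0.0;
    vel->tracker[n].time = cur_t;
    vel->tracker[n].dir = get_direction(dx, dy);
    vel->cur_tracker = n;
    return true;
}
```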

Wait, it works when built locally but does not work if downloaded from github? Sounds like nonsense, builds must be same in both cases.

Sorry, I mean the local build from git head 4e7763b4aa34e7516a35005cde4e17b63f131a47 doesn't have this issue, so the issue may be caused by a change after 4e7763b.

Looks like the changes after 4e7763b have no effect on this issue. Issue closed.