gdb) thread apply all bt

Thread 5 (thread 1452.0x814):
#0  0x77f82870 in ntdll!ZwWaitForSingleObject () from /ecos-c/WINNT/system32/NTDLL.DLL
#1  0x74fd1275 in DCISetSrcDestClip () from /ecos-c/WINNT/system32/msafd.dll
#2  0x000001c8 in ?? ()
#3  0x00000001 in ?? ()
#4  0x020beb3c in ?? ()
#5  0x020bef08 in ?? ()
#6  0x020bebc4 in ?? ()
#7  0x020bebb4 in ?? ()
#8  0x000000d0 in ?? ()
#9  0x000201c8 in ?? ()
#10 0xffb3b4c0 in ?? ()
#11 0xffffffff in ?? ()
#12 0x00295a00 in ?? ()
#13 0x00000000 in ?? () from 

Thread 4 (thread 1452.0x724):
#0  0x77f82870 in ntdll!ZwWaitForSingleObject () from /ecos-c/WINNT/system32/NTDLL.DLL
#1  0x74fd1275 in DCISetSrcDestClip () from /ecos-c/WINNT/system32/msafd.dll
#2  0x00000174 in ?? ()
#3  0x00000001 in ?? ()
#4  0x01cbe17c in ?? ()
#5  0x01cbe328 in ?? ()
#6  0x01cbe204 in ?? ()
#7  0x01cbe1f4 in ?? ()
#8  0x34b8b930 in ?? ()
#9  0x01c5940f in ?? ()
#10 0xffb3b4c0 in ?? ()
#11 0xffffffff in ?? ()
#12 0x0026dfc8 in ?? ()
#13 0x00000000 in ?? () from 

Thread 3 (thread 1452.0x720):
#0  0x77f8287e in ntdll!ZwWaitForMultipleObjects () from /ecos-c/WINNT/system32/NTDLL.DLL
#1  0x7c59a1af in WaitForMultipleObjectsEx () from /ecos-c/WINNT/system32/KERNEL32.DLL
#2  0x7c59a0c2 in WaitForMultipleObjects () from /ecos-c/WINNT/system32/KERNEL32.DLL
#3  0x01abfd80 in ?? ()
#4  0x00000001 in ?? ()
#5  0x00000000 in ?? () from 

Thread 2 (thread 1452.0x738):
#0  0x77f8287e in ntdll!ZwWaitForMultipleObjects () from /ecos-c/WINNT/system32/NTDLL.DLL
#1  0x7c59a1af in WaitForMultipleObjectsEx () from /ecos-c/WINNT/system32/KERNEL32.DLL
#2  0x7c59a0c2 in WaitForMultipleObjects () from /ecos-c/WINNT/system32/KERNEL32.DLL
#3  0x012afd48 in ?? ()
#4  0x00000001 in ?? ()
#5  0x00000000 in ?? () from 

Thread 1 (thread 1452.0x5a4):
#0  0x0049143e in fbRasterizeEdges8 (buf=0x24261c8, width=280, stride=70, l=0x22fd80, r=0x22fd50, t=2184, b=849782) at fbedgeimp.h:111
#1  0x00491d74 in fbRasterizeEdges (buf=0x24261c8, bpp=8, width=280, stride=70, l=0x22fd80, r=0x22fd50, t=2184, b=849782) at fbedge.c:130
#2  0x00477838 in fbRasterizeTrapezoid (pPicture=0x2380050, trap=0x23bf248, x_off=-1, y_off=0) at fbtrap.c:143
#3  0x005aae69 in miTrapezoids (op=3 '\003', pSrc=0x24bc0f8, pDst=0x24bb598, maskFormat=0x17c17c8, xSrc=0, ySrc=0, ntrap=1, traps=0x23bf248) at mitrap.c:171
#4  0x0059dcf6 in CompositeTrapezoids (op=3 '\003', pSrc=0x24bc0f8, pDst=0x24bb598, maskFormat=0x17c17c8, xSrc=0, ySrc=0, ntrap=1, traps=0x23bf248) at picture.c:1729
#5  0x005a2c9a in ProcRenderTrapezoids (client=0x184c2a8) at render.c:817
#6  0x005a5a02 in ProcRenderDispatch (client=0x184c2a8) at render.c:1995
#7  0x00409d88 in Dispatch () at dispatch.c:453
#8  0x00401873 in main (argc=4, argv=0x3f23d0, envp=0x3f2c18) at main.c:450


(gdb) info locals
__a = 17
xi = 280
__ap = (CARD8 *) 0x2427000 <Address 0x2427000 out of bounds>
lxs = 0
rxs = 0
lx = 0
rx = 18350080
lxi = 0
rxi = 280
y = 788616
line = (FbBits *) 0x2426ee8




-	0x491422	<fbRasterizeEdges8+338>:		movzwl 0xffffffd6(%ebp),%eax
-	0x491426	<fbRasterizeEdges8+342>:		shr    $0x8,%eax
-	0x491429	<fbRasterizeEdges8+345>:		neg    %al
-	0x49142b	<fbRasterizeEdges8+347>:		or     %dl,%al
-	0x49142d	<fbRasterizeEdges8+349>:		mov    %al,(%ecx)
-	0x49142f	<fbRasterizeEdges8+351>:		lea    0xffffffe0(%ebp),%eax
-	0x491432	<fbRasterizeEdges8+354>:		incl   (%eax)
-	0x491434	<fbRasterizeEdges8+356>:		lea    0xffffffd0(%ebp),%eax
-	0x491437	<fbRasterizeEdges8+359>:		incl   (%eax)
-	0x491439	<fbRasterizeEdges8+361>:		jmp    0x491405 <fbRasterizeEdges8+309>
-	0x49143b	<fbRasterizeEdges8+363>:		mov    0xffffffe0(%ebp),%eax

!!!!! culprit on line below

-	0x49143e	<fbRasterizeEdges8+366>:		movzbw (%eax),%dx
-	0x491442	<fbRasterizeEdges8+370>:		mov    0xffffffd8(%ebp),%eax
-	0x491445	<fbRasterizeEdges8+373>:		lea    (%edx,%eax,1),%eax
-	0x491448	<fbRasterizeEdges8+376>:		mov    %ax,0xffffffd6(%ebp)
-	0x49144c	<fbRasterizeEdges8+380>:		mov    0xffffffe0(%ebp),%ecx
-	0x49144f	<fbRasterizeEdges8+383>:		movzwl 0xffffffd6(%ebp),%edx
-	0x491453	<fbRasterizeEdges8+387>:		movzwl 0xffffffd6(%ebp),%eax
-	0x491457	<fbRasterizeEdges8+391>:		shr    $0x8,%eax
-	0x49145a	<fbRasterizeEdges8+394>:		neg    %al
-	0x49145c	<fbRasterizeEdges8+396>:		or     %dl,%al
-	0x49145e	<fbRasterizeEdges8+398>:		mov    %al,(%ecx)
-	0x491460	<fbRasterizeEdges8+400>:		mov    0xfffffff8(%ebp),%eax



(gdb) info registers
eax            0x2427000	37908480
ecx            0x2426fff	37908479
edx            0x11	17
ebx            0x4000	16384
esp            0x22fcc0	0x22fcc0
ebp            0x22fcf0	0x22fcf0
esi            0x6ce48	446024
edi            0x0	0
eip            0x49143e	0x49143e
eflags         0x210246	2163270
cs             0x1b	27
ss             0x23	35
ds             0x23	35
es             0x23	35
fs             0x38	56
gs             0x0	0



Evidence that the previous page(4096 bytes) is valid:


(gdb) print *((int *)$eax)
Error: Cannot access memory at address 0x2427000

(gdb) print *((int *)$eax-4)





$1 = 286331153


Fetch info about frames...



(gdb) info frame
Stack level 0, frame at 0x22fcf8:
 eip = 0x49143e in fbRasterizeEdges8 (fbedgeimp.h:111); saved eip 0x491d74
 called by frame at 0x22fd20
 source language c.
 Arglist at 0x22fcf0, args: buf=0x24261c8, width=280, stride=70, l=0x22fd80, r=0x22fd50, t=2184, b=849782
 Locals at 0x22fcf0, Previous frame's sp is 0x22fcf8
 Saved registers:
  ebx at 0x22fcec, ebp at 0x22fcf0, eip at 0x22fcf4


(gdb) info frame
Stack level 1, frame at 0x22fd20:
 eip = 0x491d74 in fbRasterizeEdges (fbedge.c:130); saved eip 0x477838
 called by frame at 0x22fdf0, caller of frame at 0x22fcf8
 source language c.
 Arglist at 0x22fd18, args: buf=0x24261c8, bpp=8, width=280, stride=70, l=0x22fd80, r=0x22fd50, t=2184, b=849782
 Locals at 0x22fd18, Previous frame's sp is 0x22fd20
 Saved registers:
  ebp at 0x22fd18, eip at 0x22fd1c

(gdb) info frame
Stack level 2, frame at 0x22fdf0:
 eip = 0x477838 in fbRasterizeTrapezoid (fbtrap.c:143); saved eip 0x5aae69
 called by frame at 0x22fe50, caller of frame at 0x22fd20
 source language c.
 Arglist at 0x22fde8, args: pPicture=0x2380050, trap=0x23bf248, x_off=-1, y_off=0
 Locals at 0x22fde8, Previous frame's sp is 0x22fdf0
 Saved registers:
  ebx at 0x22fde4, ebp at 0x22fde8, eip at 0x22fdec

(gdb) 
(gdb) info frame
Stack level 3, frame at 0x22fe50:
 eip = 0x5aae69 in miTrapezoids (mitrap.c:171); saved eip 0x59dcf6
 called by frame at 0x22fe90, caller of frame at 0x22fdf0
 source language c.
 Arglist at 0x22fe48, args: op=3 '\003', pSrc=0x24bc0f8, pDst=0x24bb598, maskFormat=0x17c17c8, xSrc=0, ySrc=0, ntrap=1, traps=0x23bf248
 Locals at 0x22fe48, Previous frame's sp is 0x22fe50
 Saved registers:
  ebp at 0x22fe48, eip at 0x22fe4c

(gdb) info frame
Stack level 4, frame at 0x22fe90:
 eip = 0x59dcf6 in CompositeTrapezoids (picture.c:1729); saved eip 0x5a2c9a
 called by frame at 0x22fed0, caller of frame at 0x22fe50
 source language c.
 Arglist at 0x22fe88, args: op=3 '\003', pSrc=0x24bc0f8, pDst=0x24bb598, maskFormat=0x17c17c8, xSrc=0, ySrc=0, ntrap=1, traps=0x23bf248
 Locals at 0x22fe88, Previous frame's sp is 0x22fe90
 Saved registers:
  ebp at 0x22fe88, eip at 0x22fe8c

(gdb) info frame
Stack level 5, frame at 0x22fed0:
 eip = 0x5a2c9a in ProcRenderTrapezoids (render.c:817); saved eip 0x5a5a02
 called by frame at 0x22fef0, caller of frame at 0x22fe90
 source language c.
 Arglist at 0x22fec8, args: client=0x184c2a8
 Locals at 0x22fec8, Previous frame's sp is 0x22fed0
 Saved registers:
  ebp at 0x22fec8, eip at 0x22fecc

-- a bit about the arguments that were used to invoke the fatal fn


(gdb) print *l
$3 = {x = 0, e = -851968, stepx = 0, signdx = 1, dy = 851968, dx = 0, stepx_small = 0, stepx_big = 0, dx_small = 0, dx_big = 0}

(gdb) print *r
$4 = {x = 18350080, e = -851968, stepx = 0, signdx = 1, dy = 851968, dx = 0, stepx_small = 0, stepx_big = 0, dx_small = 0, dx_big = 0}

(gdb) info frame
Stack level 1, frame at 0x22fd20:
 eip = 0x491d74 in fbRasterizeEdges (fbedge.c:130); saved eip 0x477838
 called by frame at 0x22fdf0, caller of frame at 0x22fcf8
 source language c.
 Arglist at 0x22fd18, args: buf=0x24261c8, bpp=8, width=280, stride=70, l=0x22fd80, r=0x22fd50, t=2184, b=849782
 Locals at 0x22fd18, Previous frame's sp is 0x22fd20
 Saved registers:
  ebp at 0x22fd18, eip at 0x22fd1c

--- more info about the stack frame in the function that caused a segfault


(gdb) info frame
Stack level 0, frame at 0x22fcf8:
 eip = 0x49143e in fbRasterizeEdges8 (fbedgeimp.h:111); saved eip 0x491d74
 called by frame at 0x22fd20
 source language c.
 Arglist at 0x22fcf0, args: buf=0x24261c8, width=280, stride=70, l=0x22fd80, r=0x22fd50, t=2184, b=849782
 Locals at 0x22fcf0, Previous frame's sp is 0x22fcf8
 Saved registers:
  ebx at 0x22fcec, ebp at 0x22fcf0, eip at 0x22fcf4

(gdb) print *r
$5 = {x = 18350080, e = -851968, stepx = 0, signdx = 1, dy = 851968, dx = 0, stepx_small = 0, stepx_big = 0, dx_small = 0, dx_big = 0}

(gdb) print *l
$6 = {x = 0, e = -851968, stepx = 0, signdx = 1, dy = 851968, dx = 0, stepx_small = 0, stepx_big = 0, dx_small = 0, dx_big = 0}