Bug 104579

Summary: crash in intel_miptree_create_for_dri_image due to invalid bo
Product: Mesa
Reporter: ubitux <freedesktop>
Component: Drivers/DRI/i965
Assignee: Intel 3D Bugs Mailing List <intel-3d-bugs>
Status: RESOLVED DUPLICATE
QA Contact: Intel 3D Bugs Mailing List <intel-3d-bugs>
Severity: normal
Priority: medium
CC: evangelos
Version: 17.3
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:

Description ubitux 2018-01-11 07:22:21 UTC
Running openra (20171014, mono5+SDL+OpenGL) under i3-wm and switching workspaces 3-4 times quickly leads to a crash in the i965 code:

Thread 1 (Thread 0x7fb469096780 (LWP 25267)):
#0  0x00007fb468557697 in waitpid () from /usr/lib/libpthread.so.0
#1  0x000055bd82cc9ff0 in mono_handle_native_crash (signal=<optimized out>, signal@entry=0x55bd82ec6333 "SIGSEGV", ctx=ctx@entry=0x7ffc61d9bd40, info=info@entry=0x7ffc61d9be70) at mini-exceptions.c:2567
#2  0x000055bd82c3fee5 in mono_sigsegv_signal_handler (_dummy=11, _info=0x7ffc61d9be70, context=0x7ffc61d9bd40) at mini-runtime.c:2868
#3  <signal handler called>
#4  brw_bo_get_tiling (bo=bo@entry=0x51, tiling_mode=tiling_mode@entry=0x7ffc61d9c2f8, swizzle_mode=swizzle_mode@entry=0x7ffc61d9c2fc) at brw_bufmgr.c:1104
#5  0x00007fb45b2198fa in intel_miptree_create_for_bo (brw=brw@entry=0x55bd84d997e0, bo=0x51, format=format@entry=MESA_FORMAT_B8G8R8X8_UNORM, offset=0, width=80, height=0, depth=1, pitch=-1979489440, flags=MIPTREE_CREATE_DEFAULT) at intel_mipmap_tree.c:850
#6  0x00007fb45b219b5a in intel_miptree_create_for_dri_image (brw=brw@entry=0x55bd84d997e0, image=image@entry=0x55bd89c890d0, target=target@entry=3553, format=MESA_FORMAT_B8G8R8X8_UNORM, is_winsys_image=is_winsys_image@entry=true) at intel_mipmap_tree.c:1039
#7  0x00007fb45b1ee5c5 in intel_update_image_buffer (intel=intel@entry=0x55bd84d997e0, rb=rb@entry=0x55bd84f4e2c0, buffer=0x55bd89c890d0, buffer_type=buffer_type@entry=__DRI_IMAGE_BUFFER_BACK, drawable=<optimized out>) at brw_context.c:1632
#8  0x00007fb45b1f1242 in intel_update_image_buffers (drawable=0x55bd84f3fea0, brw=0x55bd84d997e0) at brw_context.c:1703
#9  intel_update_renderbuffers (context=context@entry=0x55bd84dc6870, drawable=drawable@entry=0x55bd84f3fea0) at brw_context.c:1361
#10 0x00007fb45b1f1531 in intel_prepare_render (brw=brw@entry=0x55bd84d997e0) at brw_context.c:1382
#11 0x00007fb45b1ecdee in brw_clear (ctx=0x55bd84d997e0, mask=18) at brw_clear.c:278

Commenting out the GL.Clear() call in OpenRA leads to a similar crash somewhere else (typically from GL draw primitives).

In the backtrace, the pointer to bo looks pretty much invalid (0x51), leading to a crash in brw_bo_get_tiling when dereferencing it.
Comment 1 ubitux 2018-01-11 22:06:12 UTC
Since the trace was randomly changing, I added some debug in intel_update_image_buffer(), and it looks like there is memory corruption happening in the __DRIimageRec struct (the Intel one):

buffer=0x55fdda4e3f00
buffer->screen=0x55fdda4c2130
buffer->bo=0x1
buffer->pitch=0xda196040
buffer->internal_format=0x55fd
buffer->dri_format=0x00000004

bo is definitely a broken pointer; 0xda196040 is way too huge to be a valid pitch (even interpreted as negative); 0x55fd doesn't look like a valid GL internal format (previous calls are 0x1907 / GL_RGB); and dri_format also got changed from 0x1002. I didn't check any further in the struct to see where the corruption starts; maybe I should?
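As an added illustration (not code from the bug report or from Mesa), here is the field-plausibility check the reporter did by hand in comment 1, written as a C function so the first implausible field is reported automatically. struct img_desc is a hypothetical stand-in for Mesa's __DRIimageRec using only the field names from the dump; the width field, the pointer and pitch thresholds, and the accepted format sets beyond the two values on the page (0x1907 and 0x1002) are assumptions made for the example.

```c
/* Added example, not from the bug report or Mesa: plausibility checks that
 * mirror the reporter's manual inspection of the corrupted image struct.
 * struct img_desc is a hypothetical stand-in for __DRIimageRec. */
#include <stdint.h>
#include <stdio.h>

struct img_desc {
    void     *screen;
    void     *bo;               /* buffer object pointer */
    int       pitch;            /* row stride in bytes */
    int       width;            /* assumed field; gives the pitch lower bound */
    unsigned  internal_format;  /* GL internal format, e.g. GL_RGB = 0x1907 */
    unsigned  dri_format;       /* __DRI_IMAGE_FORMAT_*, e.g. 0x1002 on the page */
};

enum corrupt_field {
    CORRUPT_NONE = 0,
    CORRUPT_BO,
    CORRUPT_PITCH,
    CORRUPT_INTERNAL_FORMAT,
    CORRUPT_DRI_FORMAT
};

/* Heap pointers never land in the first page and are pointer-aligned;
 * the 0x1 and 0x51 values from the report fail both tests. */
static int plausible_ptr(const void *p)
{
    uintptr_t v = (uintptr_t)p;
    return v >= 4096 && (v % sizeof(void *)) == 0;
}

/* Illustrative accepted sets. 0x1907 (GL_RGB) and 0x1002 come from the
 * page; 0x1908 (GL_RGBA) and the 0x1001..0x1008 range are assumptions
 * about neighbouring enum values, not checked against Mesa's headers. */
static int known_gl_internal_format(unsigned f)
{
    return f == 0x1907 || f == 0x1908;
}

static int known_dri_format(unsigned f)
{
    return f >= 0x1001 && f <= 0x1008;
}

/* Return the first field that fails a check, or CORRUPT_NONE. Checking in
 * struct order gives a rough idea of where an overrun started. */
enum corrupt_field first_corrupt_field(const struct img_desc *d)
{
    if (!plausible_ptr(d->bo))
        return CORRUPT_BO;
    /* A row must hold width 32-bit pixels, and 1 MiB per row is already
     * absurd, so a negative or huge pitch like 0xda196040 is rejected. */
    if (d->pitch < d->width * 4 || d->pitch > (1 << 20))
        return CORRUPT_PITCH;
    if (!known_gl_internal_format(d->internal_format))
        return CORRUPT_INTERNAL_FORMAT;
    if (!known_dri_format(d->dri_format))
        return CORRUPT_DRI_FORMAT;
    return CORRUPT_NONE;
}

/* Aligned storage standing in for a real bo in the constructed inputs. */
static void *fake_bo_storage[4];

/* Constructed from the reporter's dump; width 80 taken from the backtrace. */
enum corrupt_field check_dump_from_comment_1(void)
{
    struct img_desc d = {
        .screen = fake_bo_storage, .bo = (void *)0x1,
        .pitch = (int)0xda196040, .width = 80,
        .internal_format = 0x55fd, .dri_format = 0x00000004,
    };
    return first_corrupt_field(&d);
}

/* Same dump with a valid bo pointer: the pitch becomes the first bad field. */
enum corrupt_field check_dump_with_good_bo(void)
{
    struct img_desc d = {
        .screen = fake_bo_storage, .bo = fake_bo_storage,
        .pitch = (int)0xda196040, .width = 80,
        .internal_format = 0x55fd, .dri_format = 0x00000004,
    };
    return first_corrupt_field(&d);
}

/* A constructed sane descriptor for an 80-pixel-wide XRGB8888 image. */
enum corrupt_field check_sane_descriptor(void)
{
    struct img_desc d = {
        .screen = fake_bo_storage, .bo = fake_bo_storage,
        .pitch = 320, .width = 80,
        .internal_format = 0x1907, .dri_format = 0x1002,
    };
    return first_corrupt_field(&d);
}

int main(void)
{
    printf("comment 1 dump:    first corrupt field = %d\n", check_dump_from_comment_1());
    printf("dump with good bo: first corrupt field = %d\n", check_dump_with_good_bo());
    printf("sane descriptor:   first corrupt field = %d\n", check_sane_descriptor());
    return 0;
}
```

Such a check only catches values that are obviously wrong; a corrupted pointer that happens to look aligned and in range will pass, which is why the reporter's next step (finding where in the struct the corruption starts) and ultimately the fix referenced in bug 104214 are still needed.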
Comment 2 Evangelos Foutras 2018-01-12 06:48:24 UTC
Most likely the same issue as in bug 104214. Try the patch from comment 29 on that bug.
Comment 3 ubitux 2018-01-12 08:51:23 UTC
I can confirm the patch in bug 104214 fixes this issue as well. Thank you.

*** This bug has been marked as a duplicate of bug 104214 ***