| Summary: | random X11 crash (SIGSEGV) when rendering firefox in pixman/intel |
|---|---|
| Product: | xorg |
| Component: | Driver/intel |
| Status: | RESOLVED MOVED |
| Severity: | normal |
| Priority: | medium |
| Version: | 7.5 (2009.10) |
| Hardware: | Other |
| OS: | All |
| Reporter: | Michael Stapelberg <michael+freedesktop> |
| Assignee: | Chris Wilson <chris> |
| QA Contact: | Intel GFX Bugs mailing list <intel-gfx-bugs> |
| CC: | chris |

Occasionally I have seen something similar, mostly when I've just introduced a bug into the driver, but nevertheless. It's basically an integer overflow (resulting in an invalid access) when trying to draw an out-of-bounds rectangle. I've fixed up a couple of that caused hangs, so a slightly different code path.

Created attachment 36139: Trim fills to drawable bounds.

Michael, if you know of a way to reproduce the crash and could test this patch, that would be excellent.

Hi Chris, seems like this problem arose when setting very large window coordinates (due to a bug I was setting (2, 0, -8, -23) as window rect while the latter two are interpreted as unsigned values of course). After applying your patch, Xorg does not crash any longer. Thanks! Best regards, Michael

After applying the patch I sometimes run into a (nearly?) endless loop in Xorg, for example when opening xpdf. Can you see if your patch is causing this? Backtrace comes here:
#0 fbBltOne (src=0x0, srcStride=<value optimized out>, srcX=<value optimized out>, dst=0x9869dba14928,
dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=160, height=-32, fgand=0, fgxor=0,
bgand=4294967295, bgxor=0) at ../../fb/fbbltone.c:418
#1 0x00007fe5b29cdb80 in fbOddStipple (dst=<value optimized out>, dstStride=<value optimized out>,
dstX=<value optimized out>, dstBpp=32, width=<value optimized out>, height=<value optimized out>, stip=0x7fe5b1bdc000,
stipStride=16, stipWidth=5, stipHeight=14, fgand=0, fgxor=0, bgand=4294967295, bgxor=0, xRot=69, yRot=0)
at ../../fb/fbstipple.c:261
#2 0x00007fe5b29c57eb in fbFill (pDrawable=<value optimized out>, pGC=0x2e3e050, x=<value optimized out>,
y=<value optimized out>, width=5, height=-32) at ../../fb/fbfill.c:133
#3 0x00007fe5b29c5d0a in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>,
nrect=<value optimized out>, prect=<value optimized out>) at ../../fb/fbfillrect.c:77
#4 0x00007fe5b2e43011 in uxa_check_poly_fill_rect (pDrawable=0x28124b0, pGC=0x2e3e050, nrect=1, prect=0x27b2588)
at ../../uxa/uxa-unaccel.c:257
#5 0x00007fe5b2e3ccf0 in uxa_poly_fill_rect (pDrawable=0x28124b0, pGC=0x2e3e050, nrect=1, prect=0x27b2588)
at ../../uxa/uxa-accel.c:727
#6 0x00000000004c329b in damagePolyFillRect (pDrawable=0x28124b0, pGC=0x2e3e050, nRects=1, pRects=0x27b2588)
at ../../../miext/damage/damage.c:1404
#7 0x0000000000439e24 in ProcPolyFillRectangle (client=0x2b35cb0) at ../../dix/dispatch.c:1939
#8 0x000000000043c9a4 in Dispatch () at ../../dix/dispatch.c:439
#9 0x0000000000425b4a in main (argc=7, argv=0x7d7c88, envp=<value optimized out>) at ../../dix/main.c:285
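
The failure mode discussed above (size fields read as unsigned 16-bit values, then a fill computed past the drawable) and the idea of trimming a fill to the drawable bounds, shown as an added example; it is not attachment 36139 or any code from the driver. The names `rect16`, `box32`, `naive_width` and `trim_fill` and the 1280x800 drawable are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this example; they mirror the X11 rectangle layout
 * (signed 16-bit origin, unsigned 16-bit size), not the driver's own code. */
typedef struct { int16_t x, y; uint16_t width, height; } rect16;
typedef struct { int32_t x1, y1, x2, y2; } box32;

/* Naive extent: the sum is truncated back to 16 bits, so a huge unsigned
 * width wraps and the right edge lands left of the origin. */
static int naive_width(rect16 r)
{
    int16_t x2 = (int16_t)(r.x + r.width);   /* wraps modulo 2^16 (gcc/clang) */
    return x2 - r.x;
}

/* Trim a fill to the drawable: do the arithmetic in 32 bits, clamp every
 * edge to [0, dim], and report an empty box so the caller skips the fill. */
static int trim_fill(rect16 r, int32_t draw_w, int32_t draw_h, box32 *out)
{
    int32_t x1 = r.x, y1 = r.y;
    int32_t x2 = x1 + (int32_t)r.width;      /* at most 32767 + 65535 */
    int32_t y2 = y1 + (int32_t)r.height;

    if (x1 < 0) x1 = 0;
    if (y1 < 0) y1 = 0;
    if (x2 > draw_w) x2 = draw_w;
    if (y2 > draw_h) y2 = draw_h;
    if (x1 >= x2 || y1 >= y2)
        return 0;                            /* nothing inside the drawable */

    out->x1 = x1; out->y1 = y1; out->x2 = x2; out->y2 = y2;
    return 1;
}

int main(void)
{
    /* Constructed input: the (2, 0, -8, -23) rect from the thread, with the
     * size fields stored as unsigned 16-bit values. */
    rect16 r = { 2, 0, (uint16_t)-8, (uint16_t)-23 };
    box32 b;

    printf("naive width: %d\n", naive_width(r));
    if (trim_fill(r, 1280, 800, &b))
        printf("trimmed: %d,%d .. %d,%d\n", b.x1, b.y1, b.x2, b.y2);
    return 0;
}
```

The negative result of the 16-bit computation has the same shape as the negative `width` and `height` arguments visible in the `fbFill` and `fbBltOne` frames of the backtraces in this thread.
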
As far as I know that is a separate bug, caused by a page-fault-of-doom.

Found the bug reference I was looking for... bug 28478 for the endless loop.

Even though I am using your patch, I just got another crash when running xxdiff. Backtrace comes here:
(gdb) bt full
#0 0x00007fb06fff5175 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
pid = <value optimized out>
selftid = <value optimized out>
#1 0x00007fb06fff7f80 in *__GI_abort () at abort.c:92
act = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {0, 3, 0, 0, 0, 140395769797384, 140395802543288,
0, 4294967295, 1179670597, 1, 8102920, 0, 1073741823, 140395692755240, 0}}, sa_flags = 1909584850,
sa_restorer = 0x100041500000001}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x000000000047d783 in ddxGiveUp () at ../../../../hw/xfree86/common/xf86Init.c:1214
i = <value optimized out>
#3 0x000000000046368d in AbortServer () at ../../os/log.c:404
No locals.
#4 0x0000000000463d2e in FatalError (f=0x5734a0 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:529
args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fffb8ed2720, reg_save_area = 0x7fffb8ed2660}}
beenhere = 1
#5 0x0000000000467f3e in OsSigHandler (signo=11, sip=0x7fb06b650928, unused=<value optimized out>) at ../../os/osinit.c:156
No locals.
#6 <signal handler called>
No symbol table info available.
#7 fbBltOne (src=<value optimized out>, srcStride=<value optimized out>, srcX=<value optimized out>, dst=0x7fb06b650928,
dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=-832, height=-5, fgand=0, fgxor=4287072135, bgand=4294967295,
bgxor=0) at ../../fb/fbbltone.c:352
fbBits = 0x7fb06db78790
srcEnd = 0x7fb06d78a240
pixelsPerDst = <value optimized out>
leftShift = 2
rightShift = 30
startmask = 0
endmask = 0
bits = 1073741823
bitsLeft = 0
bitsRight = <value optimized out>
left = <value optimized out>
mask = <value optimized out>
nDst = -26
w = 0
n = -26
nmiddle = <value optimized out>
copy = 0
transparent = 1
srcinc = <value optimized out>
endNeedsLoad = 0
fbLane = 0x7fb06dd7baf0 ""
startbyte = <value optimized out>
endbyte = 0
#8 0x00007fb06db76b80 in fbOddStipple (dst=<value optimized out>, dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32,
width=<value optimized out>, height=<value optimized out>, stip=0x7fb06d78a000, stipStride=16, stipWidth=16, stipHeight=16, fgand=0,
fgxor=4287072135, bgand=4294967295, bgxor=0, xRot=584, yRot=-478) at ../../fb/fbstipple.c:261
stipX = 2
stipY = <value optimized out>
sx = 1840698024
widthTmp = 0
h = -5
w = -832
x = 17920
---Type <return> to continue, or q <return> to quit---
y = 0
#9 0x00007fb06db6e7eb in fbFill (pDrawable=<value optimized out>, pGC=0x15c8ec0, x=<value optimized out>, y=<value optimized out>, width=-26,
height=-5) at ../../fb/fbfill.c:133
fgand = 0
fgxor = 4287072135
bgand = <value optimized out>
bgxor = <value optimized out>
pStip = <value optimized out>
stipWidth = 16
stipHeight = 16
dst = 0x7fb06a638000
dstStride = 2560
dstBpp = 32
dstXoff = 0
dstYoff = <value optimized out>
pPriv = 0x15c9080
x1 = -26
x2 = <value optimized out>
y1 = <value optimized out>
y2 = <value optimized out>
#10 0x00007fb06db6ed0a in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>, nrect=<value optimized out>,
prect=<value optimized out>) at ../../fb/fbfillrect.c:77
pClip = 0x2a848b0
pbox = <value optimized out>
extentX1 = 586
extentX2 = 1142
extentY1 = 82
extentY2 = 631
fullX1 = 586
fullX2 = 1142
fullY1 = 558
fullY2 = 572
partX1 = <value optimized out>
partX2 = <value optimized out>
partY1 = <value optimized out>
partY2 = <value optimized out>
xorg = 584
yorg = 80
#11 0x00007fb06dfec011 in uxa_check_poly_fill_rect (pDrawable=0x35629a0, pGC=0x15c8ec0, nrect=1, prect=0x37ae988) at ../../uxa/uxa-unaccel.c:257
__FUNCTION__ = "uxa_check_poly_fill_rect"
#12 0x00007fb06dfe5cf0 in uxa_poly_fill_rect (pDrawable=0x35629a0, pGC=0x15c8ec0, nrect=1, prect=0x37ae988) at ../../uxa/uxa-accel.c:727
pClip = 0x2a848b0
pPixmap = 0x252d000
pbox = <value optimized out>
extentX1 = 0
extentX2 = 44589488
extentY1 = 32688
extentY2 = 1842878571
fullX1 = <value optimized out>
fullX2 = <value optimized out>
fullY1 = <value optimized out>
fullY2 = <value optimized out>
partX1 = <value optimized out>
partX2 = <value optimized out>
partY1 = <value optimized out>
---Type <return> to continue, or q <return> to quit---
partY2 = <value optimized out>
xoff = <value optimized out>
yoff = <value optimized out>
xorg = 0
yorg = 44589488
pReg = 0x3d36f10
#13 0x00000000004c329b in damagePolyFillRect (pDrawable=0x35629a0, pGC=0x15c8ec0, nRects=1, pRects=0x37ae988)
at ../../../miext/damage/damage.c:1404
pGCPriv = 0x275b2b0
oldFuncs = 0x7c3ae0
#14 0x0000000000439e24 in ProcPolyFillRectangle (client=0x18107d0) at ../../dix/dispatch.c:1939
things = 1840698024
pGC = 0x15c8ec0
pDraw = 0x35629a0
#15 0x000000000043c9a4 in Dispatch () at ../../dix/dispatch.c:439
result = <value optimized out>
client = 0x18107d0
nready = 0
start_tick = 167320
#16 0x0000000000425b4a in main (argc=7, argv=0x7d7c88, envp=<value optimized out>) at ../../dix/main.c:285
i = 1
alwaysCheckForInput = {0, 1}
In a sense, that is a good thing since the patch *should* have had no effect and appeared to be a band-aid for a deeper bug. This means that I need to keep digging. Thanks.

-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-intel/issues/5.

Created attachment 34440: Xorg logfile

When moving firefox to a different workspace in my window manager, sometimes my Xorg exits because of receiving a SIGSEGV. I am not entirely sure where the origin of this problem is, but I would suspect the intel driver, which is why I assigned it to Driver/intel. If I am wrong, feel free to re-assign. Backtrace comes here (Xorg logfile is attached):
#0 0x00007fb4cb103f45 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007fb4cb106d80 in *__GI_abort () at abort.c:88
#2 0x000000000047cff3 in ddxGiveUp () at ../../../../hw/xfree86/common/xf86Init.c:1214
#3 0x000000000046346d in AbortServer () at ../../os/log.c:404
#4 0x0000000000463b0e in FatalError (f=0x571720 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:529
#5 0x0000000000467d3e in OsSigHandler (signo=11, sip=0x7fb4c8090000, unused=<value optimized out>) at ../../os/osinit.c:156
#6 <signal handler called>
#7 _mm_store_si128 (bits=<value optimized out>, stride=131072, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, data=16777215) at /usr/lib/gcc/x86_64-linux-gnu/4.4.2/include/emmintrin.h:697
#8 save_128_aligned (bits=<value optimized out>, stride=131072, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, data=16777215) at ../../pixman/pixman-sse2.c:400
#9 pixman_fill_sse2 (bits=<value optimized out>, stride=131072, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, data=16777215) at ../../pixman/pixman-sse2.c:4017
#10 0x00007fb4cbf8a40e in sse2_fill (imp=<value optimized out>, bits=<value optimized out>, stride=<value optimized out>, bpp=32, x=0, y=0, width=32767, height=32767, xor=16777215) at ../../pixman/pixman-sse2.c:5763
#11 0x00007fb4cbf76dad in pixman_fill (bits=<value optimized out>, stride=<value optimized out>, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, xor=16777215) at ../../pixman/pixman.c:256
#12 0x00007fb4c8c83846 in fbFill (pDrawable=0xd97320, pGC=0x1747e20, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=<value optimized out>) at ../../fb/fbfill.c:48
#13 0x00007fb4c8c83ce2 in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>, nrect=<value optimized out>, prect=<value optimized out>) at ../../fb/fbfillrect.c:77
#14 0x00007fb4c90fbf31 in uxa_check_poly_fill_rect (pDrawable=0xd97320, pGC=0x1747e20, nrect=1, prect=0xfa83d8) at ../../uxa/uxa-unaccel.c:257
#15 0x00007fb4c90f62e8 in uxa_poly_fill_rect (pDrawable=0xd97320, pGC=0x1747e20, nrect=1, prect=0xfa83d8) at ../../uxa/uxa-accel.c:727
#16 0x00000000004c263b in damagePolyFillRect (pDrawable=0xd97320, pGC=0x1747e20, nRects=1, pRects=0xfa83d8) at ../../../miext/damage/damage.c:1404
#17 0x000000000055d5b7 in miColorRects (pDst=0xfd8970, pClipPict=0xfd8970, color=<value optimized out>, nRect=<value optimized out>, rects=0xfa83d8, xoff=0, yoff=0) at ../../render/mirect.c:84
#18 0x000000000055d693 in miCompositeRects (op=3 '\003', pDst=0xfd8970, color=0xfa83d0, nRect=<value optimized out>, rects=0xfa83d8) at ../../render/mirect.c:116
#19 0x00000000004b62c4 in ProcRenderFillRectangles (client=0x19506f0) at ../../render/render.c:1471
#20 0x000000000043c974 in Dispatch () at ../../dix/dispatch.c:439
#21 0x0000000000425b9a in main (argc=7, argv=0x7d5228, envp=<value optimized out>) at ../../dix/main.c:285