Created attachment 24378
gdb session with full backtrace
Forwarded from Ubuntu https://bugs.launchpad.net/bugs/348428
When running two X servers (fast user switching) the second session will crash when switching to another VT:
*** glibc detected *** /usr/bin/X: double free or corruption (out): 0x0d73de98 ***
Snippet from gdb (note the render_state value):
#10 0xb792d336 in drm_intel_bo_unreference () from /usr/lib/libdrm_intel.so.1
No symbol table info available.
#11 0xb799e1dc in gen4_render_state_cleanup (pScrn=0x98f8760)
render_state = (struct gen4_render_state *) 0xc
i = 0
#12 0xb797165d in I830LeaveVT (scrnIndex=0, flags=0)
pScrn = (ScrnInfoPtr) 0x98f8760
pI830 = (I830Ptr) 0x98f8dd8
This happens with -intel from master, mesa 7.4 and xserver 1.6.
From another commenter:
The crash doesn't happen when using noaccel, and for some reason the libdrm-intel-dbg package doesn't work correctly.
Stacktrace after doing a local debug rebuild:
"0xb80b7430 in __kernel_vsyscall ()
#0 0xb80b7430 in __kernel_vsyscall ()
#1 0xb7c936d0 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7c95098 in abort () from /lib/tls/i686/cmov/libc.so.6
#3 0xb7cd124d in ?? () from /lib/tls/i686/cmov/libc.so.6
#4 0xb7cd7604 in ?? () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7cd95b6 in free () from /lib/tls/i686/cmov/libc.so.6
#6 0xb7914e25 in free_block (bufmgr_fake=0x9c6f0f0, block=0xd513498)
#7 0xb7915dd7 in drm_intel_fake_bo_unreference_locked (bo=0x9c78ac0)
#8 0xb7915e0a in drm_intel_fake_bo_unreference_locked (bo=0x9c78d80)
#9 0xb7915e98 in drm_intel_fake_bo_unreference (bo=0x9c78d80)
#10 0xb7914417 in drm_intel_bo_unreference (bo=0x9c78d80)
#11 0xb798a1dc in gen4_render_state_cleanup (pScrn=0x9c22d80)
#12 0xb795d65d in I830LeaveVT (scrnIndex=0, flags=0)
#13 0x080de1da in xf86XVLeaveVT (index=0, flags=0)
#14 0x080c8277 in xf86Wakeup (blockData=0x0, err=-1, pReadmask=0x81f72c0)
---Type <return> to continue, or q <return> to quit---
#15 0x08091322 in WakeupHandler (result=-1, pReadmask=0x81f72c0)
#16 0x081329eb in WaitForSomething (pClientsReady=0xd47e530)
#17 0x0808d2be in Dispatch () at ../../dix/dispatch.c:367
#18 0x080722ed in main (argc=10, argv=0xbffd3d64, envp=Cannot access memory at address 0x51dd
The server which crashes is the guest session one, and it corrupts the screen.
I am the person who submitted this bug to Ubuntu's Launchpad.
Tormod sent me a link to this bug, which is an upstream version of the original Ubuntu bug report that I submitted.
I would like to state here that I am willing to be a guinea pig for any possible testing that is needed to fix this bug.
I am a computer programmer and also write scripts, so I will be able to provide a reasonable level of help.
Created attachment 24408
backtrace from debug build without optimisation
You're using the fake bufmgr, which means no GEM. I'll have to build a new kernel w/o GEM to test this... Given the backtrace it should be pretty easy to track down once I have that.
Meanwhile, testers narrowed the regression to these two patches:
Fix Xv crash with overlay video :
Fix XV with non-GEM kernels by allocating a larger fake bufmgr. :
These were cherrypicked for fixing the following bug, which I've reopened for Ubuntu:
[i855] xserver-xorg-video-intel-2.6.3 : Only green window when playing movies with XV extension
https://bugs.freedesktop.org/show_bug.cgi?id=21025 is most likely connected and has a complete backtrace.
Hm, seems to work ok with a 2.6.29ish kernel... I'll try to get your package combo...
Ok reproduced it with 2.6.28... now to fix it...
Created attachment 24654
NULL fake bo block when freeing in evict_all
Can you give this patch a try? If the gen4 bo ends up on the LRU, we'll free it at evict_all time, but a later unref of the object will try to free it again unless we NULL the block pointer.
Author: Jesse Barnes <email@example.com>
Date: Tue Apr 21 17:13:16 2009 -0700
intel: NULL fake bo block when freeing in evict_all
Fixes assertion failures on later use of the object.
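The lifetime bug described in the patch comment above, as an added example that is not part of the original thread and is not libdrm code: a simplified C model in which eviction releases a buffer object's block and a later unreference releases it again unless the block pointer is set to NULL. The struct layouts, the function bodies and the run_cycle helper are assumptions made for illustration.

```c
#include <stddef.h>

/* Simplified model, not libdrm code: struct layouts and function bodies are
 * assumptions. A block is a flagged object rather than heap memory, so a
 * second release is counted instead of corrupting the heap. */
struct block { int in_use; };
struct bo { int refcount; struct block *block; };
static int double_frees;

static void free_block(struct block *blk)
{
    if (blk == NULL)
        return;                 /* no block attached: safe no-op */
    if (!blk->in_use) {
        double_frees++;         /* with real malloc/free, glibc aborts here */
        return;
    }
    blk->in_use = 0;
}

/* Eviction releases the block while the bo is still referenced elsewhere. */
static void evict_all(struct bo *bo, int null_block)
{
    free_block(bo->block);
    if (null_block)
        bo->block = NULL;       /* the fix: drop the stale pointer */
}

static void bo_unreference(struct bo *bo)
{
    if (--bo->refcount == 0)
        free_block(bo->block);
}

/* One evict-then-unreference cycle; returns the double frees observed. */
int run_cycle(int null_block)
{
    struct block blk = { 1 };
    struct bo bo = { 1, &blk };
    double_frees = 0;
    evict_all(&bo, null_block);
    bo_unreference(&bo);
    return double_frees;
}

int main(void)
{
    return !(run_cycle(0) == 1 && run_cycle(1) == 0);
}
```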