Bug 22946 - [GM965] X segfaults in intel_renderbuffer when closing googleearth
Summary: [GM965] X segfaults in intel_renderbuffer when closing googleearth
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/DRI/i965 (show other bugs)
Version: git
Hardware: x86-64 (AMD64) Linux (All)
Importance: high critical
Assignee: Ian Romanick
QA Contact:
URL:
Whiteboard:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2009-07-25 13:20 UTC by Albert Damen
Modified: 2009-09-17 08:41 UTC (History)

See Also:
i915 platform:
i915 features:


Attachments
Xorg.log (19.23 KB, text/plain)
2009-07-25 13:20 UTC, Albert Damen
xorg.conf (1.70 KB, text/plain)
2009-07-25 13:21 UTC, Albert Damen
Stacktrace (6.51 KB, text/plain)
2009-07-25 13:21 UTC, Albert Damen
Possible fix (1.14 KB, patch)
2009-08-31 10:08 UTC, Albert Damen

Description Albert Damen 2009-07-25 13:20:25 UTC
Created attachment 28000 [details]
Xorg.log

Bug description:
When closing googleearth, X crashes and is restarted.

Program received signal SIGSEGV, Segmentation fault.
0x00007f167e64d65c in intel_renderbuffer (rb=0x404) at ../intel/intel_fbo.h:89

System environment:
-- chipset: GM965 (8086:2a02)
-- system architecture: 64-bit
-- xf86-video-intel: bb3007384298cb57625ec0b3868dff9b23568f3e (2.7.99.902)
-- xserver: 48a9d65b88f56d1f8ab3bf824a4fe48c2f68725f (1.6.99.1)
-- mesa: 8c30292a6e48448318d84582df876f35c490f968 (7.6-devel)
-- libdrm: eea95ed8af24300e5a5d2489dfe0d73c24300651 (2.4.12)
-- kernel: 2.6.31-4-generic (based on 2.6.31-rc4)
-- Linux distribution: Ubuntu Karmic (development version)
-- Machine or mobo model: Compal IFL91 laptop (T7500 CPU, 4GB Ram)
-- Display connector: LVDS
-- googleearth: 5.0.11337.1968
-- KMS enabled

Reproducing steps:
Run googleearth, zoom in (lower altitude) and move around a bit. Then close googleearth and see X crash.
Comment 1 Albert Damen 2009-07-25 13:21:12 UTC
Created attachment 28001 [details]
xorg.conf
Comment 2 Albert Damen 2009-07-25 13:21:48 UTC
Created attachment 28002 [details]
Stacktrace
Comment 3 Gordon Jin 2009-07-28 02:28:25 UTC
7.5 is fine.
Comment 4 Adam Jackson 2009-08-24 12:32:55 UTC
Mass version move, cvs -> git
Comment 5 Albert Damen 2009-08-29 05:47:20 UTC
The same crash still happens with latest versions from git (29 Aug).

New versions are:
-- xf86-video-intel: 7c48c21b22bf5862c5a35bda1635753cc5a7197c (master)
-- xserver: 24716b9254fa7d609792596723a192bb044a7d3f (1.6.99.1)
-- mesa: da1248bee5471f8da2277118a23b53d308721fca (7.6-devel)
-- libdrm: 73b59c894380995a2889b98e79acadd2da0bb237 (2.4.13)
-- kernel: 2.6.31-8-generic (based on 2.6.31-rc7)
Comment 6 Albert Damen 2009-08-31 10:08:00 UTC
Created attachment 29046 [details] [review]
Possible fix

I have done some further debugging, by setting a watch on the intel_context's driDrawable->refcount in gdb:

- While googleearth is running, refcount is 2 and does not change
- When I close googleearth, the driContext unbinds from the drawable (driUnbindContext). Refcount is now 1.
- Then driDestroyDrawable reduces refcount to 0. The drawable will now be destroyed and driContext->driDrawablePriv is set to NULL. driDrawable of the intel_context is not changed.
- Finally the intel_context is destroyed (intelDestroyContext). As driDrawable still points to the drawable, this wants to destroy the drawable again, which fails (sigsegv).

Assuming the intel_context can only have a valid drawable if the driContext has a valid drawable, I added a NULL check on driContextPriv->driDrawablePriv. This solves the X crash for me. See attached patch.
Comment 7 Ian Romanick 2009-09-16 16:09:43 UTC
(In reply to comment #6)
> Created an attachment (id=29046) [details]
> Possible fix
> 
> I have done some further debugging, by setting a watch on the intel_context's
> driDrawable->refcount in gdb:
> 
> - While googleearth is running, refcount is 2 and does not change
> - When I close googleearth, the driContext unbinds from the drawable
> (driUnbindContext). Refcount is now 1.
> - Then driDestroyDrawable reduces refcount to 0. The drawable will now be
> destroyed and driContext->driDrawablePriv is set to NULL. driDrawable of the
> intel_context is not changed.
> - Finally the intel_context is destroyed (intelDestroyContext). As driDrawable
> still points to the drawable, this wants to destroy the drawable again, which
> fails (sigsegv).
> 
> Assuming the intel_context can only have a valid drawable if the driContext has
> a valid drawable, I added a NULL check on driContextPriv->driDrawablePriv. This
> solves the X crash for me. See attached patch.
> 

Based on this description, I think this is a duplicate of bug #23418.  I wish I had read this before working on that bug.  It would have gone much quicker. :)  Anyway, could you verify that the following commit fixes this problem in your environment:

commit 2921a2555d0a76fa649b23c31e3264bbc78b2ff5
Author: Ian Romanick <ian.d.romanick@intel.com>
Date:   Wed Sep 16 07:39:58 2009 -0700

    intel: Deassociated drawables from private context struct in intelUnbindContext

    The generic DRI infrastructure makes sure that __DRIcontextRec::driDrawablePriv
    and __DRIcontextRec::driReadablePriv are set to NULL after unbinding a
    context.  However, the intel_context structure keeps cached copies of
    these pointers.  If these cached pointers are not NULLed and the
    drawable is actually destroyed after unbinding the context (typically
    by way of glXDestroyWindow), freed memory will be dereferenced in
    intelDestroyContext.

    This should fix bug #23418.
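The sequence worked out in comment 6 (bind, unbind, destroy drawable, destroy context) and the cause named in the commit message above (a cached copy of the drawable pointer that survives the unbind) can be modelled in a few lines of C. The following is an added illustration, not Mesa's code: every name in it (drawable_t, dri_context_t, driver_context_t, teardown_sequence) is a hypothetical stand-in for the real DRI and intel_context structures, and instead of calling free() it marks the drawable as destroyed so that a stale access is counted rather than becoming a segfault.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the DRI drawable.  "destroyed" is set where the real
 * code would free() the object, so a later access can be detected. */
typedef struct {
    int refcount;
    int destroyed;
} drawable_t;

/* Generic DRI-level context state: the pointer driUnbindContext clears. */
typedef struct {
    drawable_t *draw_priv;
} dri_context_t;

/* Driver-level context that keeps its own cached copy of the pointer
 * (the role intel_context plays in the bug). */
typedef struct {
    dri_context_t *dri;
    drawable_t *cached_draw;   /* the copy left dangling by the buggy unbind */
} driver_context_t;

/* Drops one reference.  Returns 1 if the drawable was already destroyed,
 * i.e. this is the access that would fault in the real driver. */
static int drawable_unref(drawable_t *d)
{
    if (d->destroyed)
        return 1;
    if (--d->refcount == 0)
        d->destroyed = 1;          /* stands in for freeing the drawable */
    return 0;
}

static void bind_context(driver_context_t *ctx, drawable_t *d)
{
    d->refcount++;                 /* binding holds a reference */
    ctx->dri->draw_priv = d;
    ctx->cached_draw = d;          /* driver caches the pointer */
}

/* Generic unbind always clears the DRI-level pointer; whether the driver
 * also clears its cached copy is the difference between bug and fix. */
static int unbind_context(driver_context_t *ctx, int driver_clears_cache)
{
    int stale = 0;
    if (ctx->dri->draw_priv) {
        stale += drawable_unref(ctx->dri->draw_priv);
        ctx->dri->draw_priv = NULL;
    }
    if (driver_clears_cache)
        ctx->cached_draw = NULL;   /* the fix: forget the drawable on unbind */
    return stale;
}

static int destroy_drawable(drawable_t *d)
{
    return drawable_unref(d);
}

/* Driver context teardown releases whatever it still believes it holds. */
static int destroy_context(driver_context_t *ctx)
{
    int stale = 0;
    if (ctx->cached_draw) {
        stale += drawable_unref(ctx->cached_draw);
        ctx->cached_draw = NULL;
    }
    return stale;
}

/* Replays the order of events from comment 6 and returns how many times an
 * already-destroyed drawable was touched (0 means teardown was clean). */
int teardown_sequence(int driver_clears_cache)
{
    drawable_t d = { 1, 0 };               /* created with one reference */
    dri_context_t dri = { NULL };
    driver_context_t ctx = { &dri, NULL };
    int stale = 0;

    bind_context(&ctx, &d);                /* refcount 2 while the app runs */
    stale += unbind_context(&ctx, driver_clears_cache);   /* refcount 1 */
    stale += destroy_drawable(&d);         /* refcount 0: drawable gone */
    stale += destroy_context(&ctx);        /* buggy driver touches it again */
    return stale;
}

int main(void)
{
    printf("cached pointer left dangling: %d stale access(es)\n", teardown_sequence(0));
    printf("cached pointer cleared on unbind: %d stale access(es)\n", teardown_sequence(1));
    return 0;
}
```

The model follows the commit's approach of clearing the cached copy in the unbind hook; the NULL check on driContextPriv->driDrawablePriv proposed in comment 6 would instead guard the release in destroy_context and reaches the same end state for this sequence. A refcount watchpoint in gdb, as used in comment 6, is the practical way to find the extra release in the real driver.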
Comment 8 Albert Damen 2009-09-17 08:41:27 UTC
I updated to mesa 7.7-devel, commit f911d196cf, which includes your fix. This indeed solved the crash.
Thanks!

