The following issue occurs on my Kubuntu 11.10 system (Lenovo T420s w/ Intel HD Graphics 3000). With KWin desktop effects enabled, Xorg crashes on each second login. $ uname -a Linux orion 3.1.0-0301rc10-generic #201110181253 SMP Tue Oct 18 12:57:33 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux $ lspci -vv 00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09) (prog-if 00 [VGA controller]) Subsystem: Lenovo Device 21d2 Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 0 Interrupt: pin A routed to IRQ 49 Region 0: Memory at f0000000 (64-bit, non-prefetchable) [size=4M] Region 2: Memory at e0000000 (64-bit, prefetchable) [size=256M] Region 4: I/O ports at 4000 [size=64] Expansion ROM at <unassigned> [disabled] Capabilities: <access denied> Kernel driver in use: i915 Kernel modules: i915 Full backtrace (based on commit 2608a367acba7247e50754c3daeed09ba2e97d05): -- 8< -- #0 0x00007fcbf4fa63a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = 0 pid = <optimized out> selftid = <optimized out> #1 0x00007fcbf4fa9b0b in __GI_abort () at abort.c:92 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4}, sa_mask = {__val = {5, 140735046524302, 10, 140513966347903, 3, 140735046516714, 6, 140513966347907, 2, 140735046516734, 2, 140513966338901, 1, 140513966347903, 3, 140735046516708}}, sa_flags = 12, sa_restorer = 0x7fcbf50cd683} sigs = {__val = {32, 0 <repeats 15 times>}} #2 0x00007fcbf4fde113 in __libc_message (do_abort=2, fmt=0x7fcbf50cf0d8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189 ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff6e748960, reg_save_area = 0x7fff6e748870}} ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff6e748960, reg_save_area = 0x7fff6e748870}} fd = 2 on_2 = <optimized out> list = <optimized out> nlist = <optimized out> cp = <optimized out> written = <optimized out> #3 0x00007fcbf4fe8a96 in malloc_printerr (action=3, str=0x7fcbf50cf278 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:6283 buf = "0000000002bf2230" cp = <optimized out> #4 0x00007fcbf4fecd7c in __GI___libc_free (mem=<optimized out>) at malloc.c:3738 ar_ptr = 0x7fcbf530a1c0 p = <optimized out> hook = <optimized out> #5 0x00007fcbf31ae5de in i830_dri2_frame_event_drawable_gone (data=0x2bf2230, id=29360131) at ../../src/intel_dri.c:678 resource = 0x2bf2230 #6 0x000000000044ea5c in FreeClientResources (client=0x2d01c10) at ../../dix/resource.c:854 rtype = <optimized out> resources = <optimized out> this = 0x2f4b0c0 j = <optimized out> #7 0x000000000042f05a in CloseDownClient (client=0x2d01c10) at ../../dix/dispatch.c:3461 really_close_down = <optimized out> #8 0x000000000042fb9e in Dispatch () at ../../dix/dispatch.c:441 clientReady = 0x29f4830 result = <optimized out> client = 0x2d01c10 nready = 0 icheck = 0x7f1470 start_tick = 680 #9 0x00000000004232fe in main (argc=8, argv=<optimized out>, envp=<optimized out>) at ../../dix/main.c:287 i = <optimized out> alwaysCheckForInput = {0, 1} -- 8< -- I bi-sected xserver-xorg-video-intel (as available at git://git.debian.org/git/pkg-xorg/driver/xserver-xorg-video-intel, which is what the Ubuntu packages are based on). The first bad commit is: commit 2608a367acba7247e50754c3daeed09ba2e97d05 Author: Chris Wilson <chris@chris-wilson.co.uk> Date: Mon Jul 11 16:28:15 2011 +0100 dri: Prevent abuse of the Resource database The Resource database is only designed to store a single value for a particular type associated with an XID. Due to the asynchronous nature of the vblank/flip requests, we would often associate multiple frame events with a particular drawable/client. Upon freeing the resource, we would not necessarily decouple the right value, leaving a stale pointer behind. Later when the client disappeared, we would write through that stale pointer upsetting valgrind and causing memory corruption. MDK. Instead, we need to implement an extra layer for tracking multiple frames within a single Resource. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=37700 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
The corresponding Ubuntu bug is abvailable at: https://bugs.launchpad.net/xserver-xorg-video-intel/+bug/876762
http://cgit.freedesktop.org/~ickle/xserver/commit/?id=65a272e7ae9392a5716a620d669ef5261241bc4b dri2: Register the DRI2DrawableType after server regeneration The Resource database is reset upon regeneration and so the dri2 module needs to re-register its RESTYPE for the drawable or else it will clobber the next unsuspecting user of the database. Fortunately, DRI2 is loaded late in the initialisation sequence and was last up until xf86-video-intel started using the Resource database to track outstanding swaps... Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Ping. Chris, why isn't this merged? Please send it to xorg-devel for review.
v1 or v2 is waiting for tlc, id:1314273033-1334-1-git-send-email-chris@chris-wilson.co.uk
Easier way to reproduce the bug on xf86-video-intel and xserver git master (using SandyBridge): # X -retro :0 # DISPLAY=:0 glxinfo # DISPLAY=:0 glxinfo After the second glxinfo, X will crash. Notice that you can't have other X clients, so you can trigger new server generations. My Tested-by was sent to Chris' patch on the list. (what does tlc mean? google didn't help me)
tlc - tender, love and care. ;-)
commit 7972e2dade58158bb98f5b7dc5f873b9fb3446de Author: Chris Wilson <chris@chris-wilson.co.uk> Date: Thu Aug 25 16:04:04 2011 +0100 dri2: Register the DRI2DrawableType after server regeneration The Resource database is reset upon regeneration and so the dri2 module needs to re-register its RESTYPE for the drawable or else it will clobber the next unsuspecting user of the database. Fortunately, DRI2 is loaded late in the initialisation sequence and was last up until xf86-video-intel started using the Resource database to track outstanding swaps... Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com> Tested-by: Paulo Zanoni <paulo.r.zanoni@intel.com> (cherry picked from commit 34b0e4eee911f8b09a3682a7f1b4c8598ef48b8d)
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.