[Bug 97909] X-Plane 10 crashes with SIGSEGV on radeonsi

Fri Dec 29 16:31:30 UTC 2017

https://bugs.freedesktop.org/show_bug.cgi?id=97909

Thomas Rohloff <v10lator at myway.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |v10lator at myway.de

--- Comment #9 from Thomas Rohloff <v10lator at myway.de> ---
(In reply to Nicolai Hähnle from comment #5)
> Okay, so I could reproduce this after all with the web demo.
> 
> There is a bug in X-Plane and also questionable behaviour of the driver. The
> bug in X-Plane is that it uses GL_AMD_pinned_memory with a size that is not
> a multiple of a page; as per the spec, the driver is allowed to reject that,
> and we do (apparently unlike the closed source driver...). X-Plane doesn't
> check this error condition, and continues rendering, hence the crash, which
> would also happen with a simple sequence of:
> 
>   glGenBuffers(1, &bo);
>   glBindBuffer(GL_ELEMENT_ARRAY_BUFFER, bo);
>   glDrawElements(...);
> 
> Somewhat surprisingly, the OpenGL spec never states that a draw call that
> goes outside the element/index buffer should flag a GL_INVALID_OPERATION.
> There is also no mention of this in the GL_ARB_robust_buffer_access_behavior
> extension, which is surprising.
> 
> The patch you provide may or may not go in the right direction - I'm not
> sure. If we want to check that, we should do it in api_validate.c, but I'm
> not convinced that we should. Meanwhile, that check wouldn't properly fix
> the issue in X-Plane. To work around the bug in X-Plane, you need to run
> with:
> 
> MESA_EXTENSION_OVERRIDE=-GL_AMD_pinned_memory ./X-Plane-x86_64 --force_run
> 
> which will work with an unmodified driver.

I opened a bug report at X-Plane and will inform you in case they reply.

BTW: Should I open a new bug report for the r600 bug (see below) ?

Here the message I wrote to the X-Plane devs:

Subject: Bug report: Wrog usage of GL_AMD_pinned_memory leads to undefined
result on Mesa drivers

From= v10lator at myway.de
IP= [SNIPPED]
Product= XPlane
Version= 11.11
OS= Linux
Summary= Wrog usage of GL_AMD_pinned_memory leads to undefined behavior on Mesa
drivers
Description= "The bug in X-Plane is that it uses GL_AMD_pinned_memory with a
size that is not a multiple of a page; as per the spec, the driver is allowed
to reject that, and we do (apparently unlike the closed source driver...).
X-Plane doesn't check this error condition, and continues rendering, hence the
crash" - Source: https://bugs.freedesktop.org/show_bug.cgi?id=97909#c5

Similar things as described in the linked bug report are happening on other
Mesa drivers, too. For example see this stacktrace from r600:

[ 1930.559125] general protection fault: 0000 [#1] PREEMPT SMP
[ 1930.559980] Modules linked in: snd_seq_midi snd_usb_audio snd_hwdep
snd_usbmidi_lib snd_rawmidi vboxpci(O) vboxnetadp(O) vboxnetflt(O) nfsd
vboxdrv(O)
[ 1930.560867] CPU: 2 PID: 646 Comm: kworker/2:2 Tainted: G           O   
4.13.0 #9
[ 1930.561771] Hardware name: To be filled by O.E.M. To be filled by
O.E.M./SABERTOOTH 990FX R2.0, BIOS 2901 05/04/2016
[ 1930.562657] Workqueue: events radeon_mn_destroy
[ 1930.563588] task: ffffa246244e5b00 task.stack: ffffa5f0409a0000
[ 1930.564509] RIP: 0010:__mutex_lock.isra.1+0x82/0x518
[ 1930.565425] RSP: 0018:ffffa5f0409a3d60 EFLAGS: 00010282
[ 1930.566312] RAX: 800000015e292268 RBX: ffffa2435d99c228 RCX:
800000015e29226f
[ 1930.567238] RDX: 800000015e29226f RSI: ffffa246244e5b00 RDI:
ffffffffb2a04c10
[ 1930.568174] RBP: ffffa5f0409a3df0 R08: ffffa2435d99c200 R09:
0000000100200007
[ 1930.569124] R10: ffffa5f0409a3e10 R11: ffffa2462c079ac0 R12:
ffffa2463ec9c400
[ 1930.570037] R13: ffffa2435d99f9e8 R14: ffffa2463ec98300 R15:
0000000000000002
[ 1930.570982] FS:  0000000000000000(0000) GS:ffffa2463ec80000(0000)
knlGS:0000000000000000
[ 1930.571938] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1930.572894] CR2: 0000000000ed7000 CR3: 00000003c8c51000 CR4:
00000000000406e0
[ 1930.573857] Call Trace:
[ 1930.574783]  ? __slab_free.isra.68+0x7a/0x210
[ 1930.575744]  ? __slab_free.isra.68+0x7a/0x210
[ 1930.576698]  ? radeon_mn_destroy+0x3a/0x188
[ 1930.577650]  ? radeon_mn_destroy+0x3a/0x188
[ 1930.578577]  ? process_one_work+0x151/0x2d0
[ 1930.579515]  ? worker_thread+0x1f0/0x380
[ 1930.580450]  ? kthread+0xf2/0x128
[ 1930.581381]  ? process_one_work+0x2d0/0x2d0
[ 1930.582309]  ? kthread_create_on_node+0x40/0x40
[ 1930.583195]  ? ret_from_fork+0x22/0x30
[ 1930.584100] Code: 85 c0 0f 84 31 02 00 00 65 48 8b 04 25 80 c2 00 00 48 8b
00 a8 08 75 23 e8 dc be 72 ff 49 8b 45 00 48 83 e0 f8 0f 84 3e 02 00 00 <8b> 58
60 e8 ee be 72 ff 85 db 0f 85 33 02 00 00 65 48 8b 04 25 
[ 1930.585083] RIP: __mutex_lock.isra.1+0x82/0x518 RSP: ffffa5f0409a3d60
[ 1930.592739] ---[ end trace 397a922d2c74a9bd ]---
[ 1932.388592] sched: RT throttling activated
[ 1935.978694] note: kworker/2:2[646] exited with preempt_count 1 
Steps= Run X-Plane 11 on Linux with Mesa drivers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20171229/b1e8ca4d/attachment.html>