[Bug 103499] NULL pointer dereferences in some corner cases
bugzilla-daemon at freedesktop.org
Sat Oct 28 19:24:40 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=103499
Bug ID: 103499
Summary: NULL pointer dereferences in some corner cases
Product: Mesa
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: Drivers/DRI/i965
Assignee: intel-3d-bugs at lists.freedesktop.org
Reporter: freedesktop at mva.name
QA Contact: intel-3d-bugs at lists.freedesktop.org
Hi there!
Unfortunately, I'm facing strange issues with segfaults because of null pointer
dereferences on my wife's laptop with Haswell.
Firstly, without "debug" symbols being built, gdb said that the segfault is
happening in the `intel_miptree_level_has_hiz` function (which made me think
this bug is related to the one at the end of the message).
When I recompiled mesa with debug symbols, I got the following backtrace:
```
Thread 1 (Thread 0x7ffff7e27800 (LWP 70027)):
#0 0x00007fffdf2be4f9 in intel_miptree_check_level_layer (mt=0x0, level=0,
layer=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:419
__PRETTY_FUNCTION__ = "intel_miptree_check_level_layer"
#1 0x00007fffdf2c1987 in intel_miptree_level_has_hiz (mt=0x0, level=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:1826
No locals.
#2 0x00007fffdf2bd78b in intel_renderbuffer_has_hiz (irb=0x950430) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_fbo.c:934
No locals.
#3 0x00007fffdf27bf50 in brw_fast_clear_depth (ctx=0xb21b40) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_clear.c:114
brw = 0xb21b40
fb = 0xa50630
depth_irb = 0x950430
mt = 0x0
depth_att = 0xa50808
clear_value = 2.37853907e-38
#4 0x00007fffdf27c37d in brw_clear (ctx=0xb21b40, mask=50) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_clear.c:228
brw = 0xb21b40
fb = 0xa50630
partial_clear = false
tri_mask = 32767
__PRETTY_FUNCTION__ = "brw_clear"
#5 0x00007fffdeda062d in clear (no_error=false, mask=17664, ctx=0xb21b40) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/main/clear.c:221
bufferMask = 50
#6 _mesa_Clear (mask=17664) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/main/clear.c:242
ctx = 0xb21b40
#7 0x00007ffff5efa38a in QSGBatchRenderer::Renderer::renderBatches() () from
/usr/lib64/libQt5Quick.so.5
<...>
```
After some discussion with Jason Ekstrand on IRC, I tried applying this
patch:
```
diff --git a/src/mesa/drivers/dri/i965/brw_clear.c
b/src/mesa/drivers/dri/i965/brw_clear.c
index fe8634b..b0a6602 100644
--- a/src/mesa/drivers/dri/i965/brw_clear.c
+++ b/src/mesa/drivers/dri/i965/brw_clear.c
@@ -112,6 +112,9 @@ brw_fast_clear_depth(struct gl_context *ctx)
if (devinfo->gen < 6)
return false;
+ if (depth_irb->mt == NULL)
+ return false;
+
if (!intel_renderbuffer_has_hiz(depth_irb))
return false;
```
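Review bot: the new `depth_irb->mt == NULL` guard only bails out of the fast-clear path, and the second backtrace shows the same NULL miptree reaching intel_miptree_render_aux_usage from brw_update_renderbuffer_surface on the draw path, so the check hides the first crash rather than explaining why the attached depth renderbuffer has no miptree. Frame #3 of the first backtrace also shows the function already copies `depth_irb->mt` into the local `mt` (`mt = 0x0`), so if the guard stays it should test `mt` rather than re-reading the field, and the root cause of the NULL miptree still needs to be tracked down separately.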
And now the backtrace looks like this:
```
Thread 1 (Thread 0x7ffff7e27800 (LWP 133740)):
#0 0x00007fffdf01bbb6 in intel_miptree_render_aux_usage (brw=0xb28d70, mt=0x0,
srgb_enabled=false, blend_enabled=false) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:2575
No locals.
#1 0x00007fffdeffa1c7 in brw_update_renderbuffer_surface (brw=0xb28d70,
rb=0xa4c8f0, flags=0, unit=0, surf_index=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:219
ctx = 0xb28d70
irb = 0xa4c8f0
mt = 0x0
aux_usage = ISL_AUX_USAGE_HIZ
rb_format = MESA_FORMAT_X8B8G8R8_UNORM
view = {usage = 0, format = 3691008000, base_level = 32767, levels =
4096, base_array_layer = 3, array_len = 9437200, swizzle = {r =
ISL_CHANNEL_SELECT_ZERO, g = ISL_CHANNEL_SELECT_ZERO, b =
ISL_CHANNEL_SELECT_ZERO, a = ISL_CHANNEL_SELECT_ZERO}}
offset = 32767
#2 0x00007fffdeffc097 in brw_update_renderbuffer_surfaces (brw=0xb28d70,
fb=0xa6d970, render_target_start=0, surf_offset=0xb4f584) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1055
surf_index = 0
flags = 0
i = 0
w = 0
h = 0
s = 0
#3 0x00007fffdeffc28f in update_renderbuffer_surfaces (brw=0xb28d70) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1080
ctx = 0xb28d70
wm_prog_data = 0xa3a838
fb = 0xa6d970
#4 0x00007fffdeff0c4c in check_and_emit_atom (brw=0xb28d70,
state=0x7fffffffb320, atom=0xb4feb8) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:457
No locals.
#5 0x00007fffdeff053a in brw_upload_pipeline_state (brw=0xb28d70,
pipeline=BRW_RENDER_PIPELINE) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:571
atom = 0xb4feb8
dirty_count = 0
ctx = 0xb28d70
i = 33
state = {mesa = 4294967295, brw = 18446744073709551615}
fb_samples = 1
atoms = 0xb4fba0
num_atoms = 69
#6 0x00007fffdeff0067 in brw_upload_render_state (brw=0xb28d70) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:593
No locals.
#7 0x00007fffdefd7338 in brw_try_draw_prims (ctx=0xb28d70, arrays=0x1c351f8,
prims=0x7fffffffb588, nr_prims=1, ib=0x7fffffffb5b0, index_bounds_valid=false,
min_index=0, max_index=4294967295, xfb_obj=0x0, stream=0, indirect=0x0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_draw.c:777
sampler_state_size = 16
new_basevertex = 0
estimated_max_prim_size = 5120
new_baseinstance = 0
vs_prog_data = 0x0
_warned = false
msg_id = 0
brw = 0xb28d70
i = 0
fail_next = false
#8 0x00007fffdefd6c02 in brw_draw_prims (ctx=0xb28d70, prims=0x7fffffffb588,
nr_prims=1, ib=0x7fffffffb5b0, index_bounds_valid=0 '\000', min_index=0,
max_index=4294967295, gl_xfb_obj=0x0, stream=0, indirect=0x0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_draw.c:869
msg_id = 0
msg_id = 0
brw = 0xb28d70
arrays = 0x1c351f8
xfb_obj = 0x0
#9 0x00007fffdeccb8fd in vbo_validated_drawrangeelements (ctx=0xb28d70,
mode=5, index_bounds_valid=0 '\000', start=0, end=4294967295, count=4,
type=5123, indices=0x2, basevertex=0, numInstances=1, baseInstance=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/vbo/vbo_exec_array.c:918
vbo = 0x1c31d30
ib = {count = 4, index_size = 2, obj = 0xa6b9d0, ptr = 0x2}
prim = {mode = 5, indexed = 1, begin = 1, end = 1, weak = 0,
no_current_update = 0, is_indirect = 0, pad = 0, start = 0, count = 4,
basevertex = 0, num_instances = 1, base_instance = 0, draw_id = 0,
indirect_offset = 2}
#10 0x00007fffdecc8745 in vbo_exec_DrawElements (mode=5, count=4, type=5123,
indices=0x2) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/vbo/vbo_exec_array.c:1068
ctx = 0xb28d70
#11 0x00007ffff5ef9b01 in
QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const*)
() from /usr/lib64/libQt5Quick.so.5
<...>
```
So it still falls into a null pointer dereference, as far as I understand the
situation.
I'd like to provide any additional info, if that was not enough to catch the
problem.
P.S. this bug may (or may not) be related to
https://bugs.freedesktop.org/show_bug.cgi?id=101539
P.P.S.: Unfortunately, bisecting would be too hard, since there was a huge
version gap between the "working" and "not working" states (13.0.2 -> 17.0.3)
and it was also a huge system upgrade (too many system packages were upgraded,
including glibc, gcc, llvm, clang, whatever). So proper bisecting could take
forever :'(