[Bug 105906] [DRI3] Compiz segfaults in intel_destroy_image()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Apr 5 15:50:57 UTC 2018


https://bugs.freedesktop.org/show_bug.cgi?id=105906

            Bug ID: 105906
           Summary: [DRI3] Compiz segfaults in intel_destroy_image()
           Product: Mesa
           Version: git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: major
          Priority: medium
         Component: Drivers/DRI/i965
          Assignee: intel-3d-bugs at lists.freedesktop.org
          Reporter: eero.t.tamminen at intel.com
        QA Contact: intel-3d-bugs at lists.freedesktop.org

Created attachment 138623
  --> https://bugs.freedesktop.org/attachment.cgi?id=138623&action=edit
Gdb backtrace of the crash

Somewhere between the following Mesa commits:
1e9d779331: 2018-03-08 18:14:02 UTC: meson: Fix building gallium media libs without egl
a2f08dd574: 2018-03-12 17:24:31 UTC: gallium: Use struct gl_array_attributes* as st_pipe_vertex_format argument.

Ubuntu 16.04 Unity Compiz started randomly crashing on NULL pointer access
during our test-runs. Normally the Unity desktop is able to successfully restart
Compiz, so it can crash again.

During ~3 hour test runs, it will segfault a few times, which can be seen from
dmesg:
[ 8002.554441] compiz[5936]: segfault at 8 ip 00007fe34f8bcc34 sp 00007ffe0e44a810 error 4 in i965_dri.so[7fe34f4ac000+84e000]
[ 8046.153748] compiz[7073]: segfault at 8 ip 00007f218d4f7c34 sp 00007ffe8e5973f0 error 4 in i965_dri.so[7f218d0e7000+84e000]

I've seen these crashes on all platforms we have.

I was able to catch the crash twice in Gdb from a 3 hour test-run; both times it
was due to intel_destroy_image() getting a NULL pointer:
#0  intel_destroy_image (image=0x0)
#1  dri3_free_render_buffer ()
#2  dri3_get_buffer ()
#3  loader_dri3_get_buffers ()
#4  intel_update_image_buffers ()
#5  intel_update_renderbuffers ()
#6  intel_prepare_render ()
#7  brw_prepare_drawing ()
#8  brw_draw_prims ()
#9  vbo_draw_arrays ()
...
#22 CompositeScreen::handlePaintTimeout()

See attached full backtrace for details.

As this happens randomly, i.e. seems to be timing related, my guess would be
that it happens when an application either starts or exits, and the compositor
happens to be doing a screen update at the same time.

(Unfortunately I don't have data from between those Mesa dates.  Because the
issue takes a long time to reproduce and is random, it's not bisection friendly.)

---

In dmesg outputs, the crash always happens on the same VMA page in Mesa, on all
platforms.  The actual crash instruction pointer has a couple of different
addresses inside that (4K?) page, so it's possible that the above backtrace
isn't the only one.

The crash happens both in a setup using slightly older kernel & X builds, and
one using the latest git version of those, i.e. it's due to a Mesa change, not
one in other components (in Ubuntu itself, in this time frame there was only
an update to libgcrypto20 to disable FIPS, if it was enabled).
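
A triage helper for the dmesg lines quoted above, added here as an illustration and not part of the original report or of Mesa: it parses the kernel's segfault line, decodes the x86 page-fault error code, and converts the instruction pointer into an offset within the reported i965_dri.so mapping so that crashes from different processes can be compared despite ASLR. The function names and the `null_window` threshold are assumptions of this example.

```python
import re

# Constructed sample: the two dmesg lines quoted in the report, wrapped lines rejoined.
DMESG = """\
[ 8002.554441] compiz[5936]: segfault at 8 ip 00007fe34f8bcc34 sp 00007ffe0e44a810 error 4 in i965_dri.so[7fe34f4ac000+84e000]
[ 8046.153748] compiz[7073]: segfault at 8 ip 00007f218d4f7c34 sp 00007ffe8e5973f0 error 4 in i965_dri.so[7f218d0e7000+84e000]
"""

# Linux x86 user-space segfault line; the trailing "in object[base+size]" part is optional.
SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(err):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "page": "protection-violation" if err & 1 else "not-present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "instruction_fetch": bool(err & 16),
    }

def triage(text, null_window=0x1000):
    """Return one record per segfault line; null_window is an assumed threshold."""
    records = []
    for m in SEGV.finditer(text):
        addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
        rec = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr,
               "null_deref": addr < null_window, "error": decode_error(err),
               "object": m["obj"], "offset": None}
        if m["obj"]:
            base, size = int(m["base"], 16), int(m["size"], 16)
            if base <= ip < base + size:   # ignore an ip outside the reported mapping
                rec["offset"] = ip - base  # ASLR-independent position in the mapping
        records.append(rec)
    return records

def crash_sites(records):
    """Distinct (object, offset) pairs, for grouping crashes across runs and hosts."""
    return {(r["object"], r["offset"]) for r in records}

if __name__ == "__main__":
    for r in triage(DMESG):
        off = "?" if r["offset"] is None else hex(r["offset"])
        print(r["comm"], r["pid"], r["object"], off, r["error"], r["null_deref"])
```

For the two quoted lines, both records resolve to the same offset inside the mapping, and fault address 8 with error 4 decodes as a user-mode read of an unmapped low address, which is consistent with the `image=0x0` frame in the backtrace.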
