[Bug 106642] X server crashes in i965 on desktop startup when DRI3 v1.2 / modifier support is enabled

Thu May 24 11:17:54 UTC 2018

https://bugs.freedesktop.org/show_bug.cgi?id=106642

            Bug ID: 106642
           Summary: X server crashes in i965 on desktop startup when DRI3
                    v1.2 / modifier support is enabled
           Product: Mesa
           Version: git
          Hardware: Other
                OS: All
            Status: NEW
          Keywords: regression
          Severity: blocker
          Priority: highest
         Component: Drivers/DRI/i965
          Assignee: intel-3d-bugs at lists.freedesktop.org
          Reporter: eero.t.tamminen at intel.com
        QA Contact: intel-3d-bugs at lists.freedesktop.org

Created attachment 139737
  --> https://bugs.freedesktop.org/attachment.cgi?id=139737&action=edit
Gdb backtrace of the X server crash

Setup:
* drm-tip kernel
* Mesa git from last night
* X server v1.20 or newer, with DRI3 v1.2 / modifiers enabled in X
configuration:
------------------------
Section "ServerFlags"
    Option "Debug" "dmabuf_capable"
EndSection
------------------------
* Rest is Ubuntu 16.04

Use-case:
* Log in to X session that uses GL/GLES compositor (Unity, Gnome...)

Expected result:
* Desktop appears

Actual result:
* X crashes in i965 driver, on all devices we have

Crash disappears if one disables the X configuration "dmabuf_capable" setting
that enables DRI3 v1.2 / modifiers support in X.

Crash is here:
Thread 1 "X" received signal SIGSEGV, Segmentation fault.
0x00007f19d6d487ca in isl_format_supports_ccs_e
(devinfo=devinfo at entry=0x2286ab8, format=ISL_FORMAT_UNSUPPORTED)
    at isl/isl_format.c:558

See attached Gdb backtrace for more info.

Looking at the indicated code, the bug is obvious:

* isl.h declares:
  ISL_FORMAT_UNSUPPORTED = UINT16_MAX

* isl_format_supports_ccs_e() function uses that as array index:
-------------------------------
isl_format_supports_ccs_e(const struct gen_device_info *devinfo,
                          enum isl_format format)
{
   if (!format_info[format].exists)
      return false;
...
-------------------------------

* But array size is much smaller:
  $ grep "  SF" ./src/intel/isl/isl_format.c | wc -l
  258

Crash started to happen between:
* 2018-05-22 17:02:28 UTC: 92f01fc5f9: i965: Emit VF cache invalidates for
48-bit addressing bugs with softpin.
* 2018-05-23 17:19:04 UTC: b73b340c37: i965: add {X,A}BGR2101010 to
'intel_image_formats'

Either addition of the new formats, or Jason's blitter support removal commits
started to trigger usage of ISL_FORMAT_UNSUPPORTED.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20180524/f24e98e3/attachment.html>