[Bug 108782] Android: i965/brw_draw affected by segfault in intel_disable_rb_aux_buffer()
bugzilla-daemon at freedesktop.org
Sun Nov 18 21:32:52 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=108782
Bug ID: 108782
Summary: Android: i965/brw_draw affected by segfault in
intel_disable_rb_aux_buffer()
Product: Mesa
Version: git
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: Drivers/DRI/i965
Assignee: intel-3d-bugs at lists.freedesktop.org
Reporter: issor.oruam at gmail.com
QA Contact: intel-3d-bugs at lists.freedesktop.org
Many Android applications are affected
F DEBUG : pid: 7402, tid: 7421, name: RenderThread >>> jackpal.androidterm <<<
F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x68
F DEBUG : Cause: null pointer dereference
F DEBUG :
F DEBUG : backtrace:
F DEBUG : #00 pc 0003c16a /system/vendor/lib/dri/i965_dri.so (intel_disable_rb_aux_buffer+138)
F DEBUG : #01 pc 0003b954 /system/vendor/lib/dri/i965_dri.so (brw_predraw_resolve_inputs+980)
F DEBUG : #02 pc 0003c526 /system/vendor/lib/dri/i965_dri.so (brw_draw_prims+774)
utente at utente-Giga:~/oreo-x86_kernel$ addr2line -Cfe
out/target/product/x86_64/symbols/system/vendor/lib/dri/i965_dri.so
0003c16a /system/vendor/lib/dri/i965_dri.so (intel_disable_rb_aux_buffer+138)
0003b954 /system/vendor/lib/dri/i965_dri.so (brw_predraw_resolve_inputs+980)
0003c526 /system/vendor/lib/dri/i965_dri.so (brw_draw_prims+774)
intel_disable_rb_aux_buffer
external/mesa/src/mesa/drivers/dri/i965/brw_draw.c:366
brw_predraw_resolve_inputs
external/mesa/src/mesa/drivers/dri/i965/brw_draw.c:532
brw_prepare_drawing
external/mesa/src/mesa/drivers/dri/i965/brw_draw.c:841
The null pointer is irb->mt at line 366; however, adding a check prior to
evaluation of irb->mt->bo avoids the segfault (I can hear music of games
instead of getting the error/segfault) but it produces black rendering :-)
[attempted patch]
utente at utente-Giga:~/oreo-x86_kernel/external/mesa$ git diff
diff --git a/src/mesa/drivers/dri/i965/brw_draw.c
b/src/mesa/drivers/dri/i965/brw_draw.c
index bc0b3683a2..3a921e1dea 100644
--- a/src/mesa/drivers/dri/i965/brw_draw.c
+++ b/src/mesa/drivers/dri/i965/brw_draw.c
@@ -362,11 +362,12 @@ intel_disable_rb_aux_buffer(struct brw_context *brw,
for (unsigned i = 0; i < fb->_NumColorDrawBuffers; i++) {
struct intel_renderbuffer *irb =
intel_renderbuffer(fb->_ColorDrawBuffers[i]);
-
- if (irb && irb->mt->bo == tex_mt->bo &&
- irb->mt_level >= min_level &&
- irb->mt_level < min_level + num_levels) {
- found = draw_aux_buffer_disabled[i] = true;
+ if (irb && irb->mt) {
+ if (irb->mt->bo == tex_mt->bo &&
+ irb->mt_level >= min_level &&
+ irb->mt_level < min_level + num_levels) {
+ found = draw_aux_buffer_disabled[i] = true;
+ }
}
}
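Review bot: The `irb->mt` guard on the first added line needs a comment, or an assertion further up the call path, stating when a color draw buffer can legitimately have no miptree; the report itself says the guard stops the SIGSEGV but rendering turns black, so silently skipping the buffer here probably hides the real defect, which is how a renderbuffer without `mt` reaches this loop. As a style point, the test can be folded into the existing condition (`if (irb && irb->mt && irb->mt->bo == tex_mt->bo && ...`), which avoids the extra nesting level and the re-indentation of the three comparison lines, and keeps the blank line after the `irb` declaration.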
Please assist in finding a solution. Older versions of the code seem to have more
explicit handling in miptree with bool disable_aux; the simplifications seem to
cause systematic crashes in many apps, e.g. Olympus Rising.
Please also be aware that there are several cases in i965 where
{irb,stencil_irb,depth_irb}->mt are causing SIGSEGV MAPERR with null pointer
dereference. Maybe this happens only with Android, but it is a very severe
problem there.
Another thing to check is if having const inside for loops is correct.
Please have a look at the latest i965 commits in my development branch
and instruct if some of them should be pushed to mesa-dev/18.3 ML:
https://github.com/maurossi/mesa/commits/19.0.0-devel_w46
Mauro
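
Added example, not part of the original report or of Mesa: a small triage helper that parses debuggerd-style lines like the ones in this report, flags a low fault address as a likely NULL-base member access (a heuristic, consistent with the report's finding that irb->mt is NULL when ->bo is read), and builds the addr2line invocation. The sample text is constructed from the report's log; the function names and the PAGE_SIZE threshold are assumptions.

```python
import re

# Constructed sample: log lines in the shape shown in the report above.
SAMPLE = """\
F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x68
F DEBUG : backtrace:
F DEBUG : #00 pc 0003c16a /system/vendor/lib/dri/i965_dri.so (intel_disable_rb_aux_buffer+138)
F DEBUG : #01 pc 0003b954 /system/vendor/lib/dri/i965_dri.so (brw_predraw_resolve_inputs+980)
F DEBUG : #02 pc 0003c526 /system/vendor/lib/dri/i965_dri.so (brw_draw_prims+774)
"""

SIGNAL_RE = re.compile(
    r"signal (\d+) \((\w+)\), code -?\d+ \((\w+)\), fault addr (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(
    r"#(\d+)\s+pc\s+([0-9a-fA-F]+)\s+(\S+)(?:\s+\((.+?)\+(\d+)\))?")
PAGE_SIZE = 4096  # assumption: the first page is never mapped


def parse_tombstone(text):
    """Return (signal_info, frames) extracted from the crash log lines."""
    info, frames = None, []
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            info = {"signal": m.group(2), "code": m.group(3),
                    "fault_addr": int(m.group(4), 16)}
            continue
        m = FRAME_RE.search(line)
        if m:
            frames.append({"index": int(m.group(1)), "pc": int(m.group(2), 16),
                           "lib": m.group(3), "symbol": m.group(4)})
    return info, frames


def null_member_offset(info):
    """Heuristic: SEGV_MAPERR below one page looks like NULL->member; return the offset."""
    if (info and info["signal"] == "SIGSEGV" and info["code"] == "SEGV_MAPERR"
            and info["fault_addr"] < PAGE_SIZE):
        return info["fault_addr"]
    return None


def addr2line_commands(frames, symbols_root):
    """Group frame PCs per library and build one addr2line argv per library."""
    per_lib = {}
    for f in frames:
        per_lib.setdefault(f["lib"], []).append(f"{f['pc']:08x}")
    return [["addr2line", "-Cfe", symbols_root.rstrip("/") + lib, *pcs]
            for lib, pcs in per_lib.items()]
```

Pass each returned argv to subprocess.run from the build tree that holds the unstripped symbols directory.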