[Bug 108782] Android: i965/brw_draw affected by segfault in intel_disable_rb_aux_buffer()

bugzilla-daemon at freedesktop.org
Sun Nov 18 21:32:52 UTC 2018


            Bug ID: 108782
           Summary: Android: i965/brw_draw affected by segfault in
           Product: Mesa
           Version: git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Drivers/DRI/i965
          Assignee: intel-3d-bugs at lists.freedesktop.org
          Reporter: issor.oruam at gmail.com
        QA Contact: intel-3d-bugs at lists.freedesktop.org

Many Android applications are affected

F DEBUG   : pid: 7402, tid: 7421, name: RenderThread  >>> jackpal.androidterm
F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x68
F DEBUG   : Cause: null pointer dereference
F DEBUG   : 
F DEBUG   : backtrace:
F DEBUG   :     #00 pc 0003c16a  /system/vendor/lib/dri/i965_dri.so
F DEBUG   :     #01 pc 0003b954  /system/vendor/lib/dri/i965_dri.so
F DEBUG   :     #02 pc 0003c526  /system/vendor/lib/dri/i965_dri.so

utente at utente-Giga:~/oreo-x86_kernel$ addr2line -Cfe

0003c16a  /system/vendor/lib/dri/i965_dri.so (intel_disable_rb_aux_buffer+138)
0003b954  /system/vendor/lib/dri/i965_dri.so (brw_predraw_resolve_inputs+980)
0003c526  /system/vendor/lib/dri/i965_dri.so (brw_draw_prims+774)


The null pointer is irb->mt at line 366; however, adding a check prior to
evaluation of irb->mt->bo avoids the segfault (I can hear music of games
instead of getting the error/segfault) but it produces black rendering :-)

[attempted patch]
utente at utente-Giga:~/oreo-x86_kernel/external/mesa$ git diff
diff --git a/src/mesa/drivers/dri/i965/brw_draw.c
index bc0b3683a2..3a921e1dea 100644
--- a/src/mesa/drivers/dri/i965/brw_draw.c
+++ b/src/mesa/drivers/dri/i965/brw_draw.c
@@ -362,11 +362,12 @@ intel_disable_rb_aux_buffer(struct brw_context *brw,
    for (unsigned i = 0; i < fb->_NumColorDrawBuffers; i++) {
       struct intel_renderbuffer *irb =
-      if (irb && irb->mt->bo == tex_mt->bo &&
-          irb->mt_level >= min_level &&
-          irb->mt_level < min_level + num_levels) {
-         found = draw_aux_buffer_disabled[i] = true;
+      if (irb && irb->mt) {
+        if (irb->mt->bo == tex_mt->bo &&
+             irb->mt_level >= min_level &&
+             irb->mt_level < min_level + num_levels) {
+           found = draw_aux_buffer_disabled[i] = true;
+         }
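
Review bot: The `if (irb && irb->mt) {` guard only steps around the NULL dereference; it does not explain why a color draw buffer reaches intel_disable_rb_aux_buffer() without a miptree, and the report above says the result is black rendering. Before this goes in, the path that leaves `irb->mt` unset should be identified, and the skipped case should at least be made visible (a debug message or an assert) rather than silently ignored. On style, the extra nesting level is unnecessary and the inner `if` does not follow the 3-space indent of the surrounding lines: folding the test into the existing condition as `if (irb && irb->mt && irb->mt->bo == tex_mt->bo &&` keeps the change to one line.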

Please assist in finding a solution. Older versions of code seem to have a more
explicit handling in miptree with bool disable_aux; the simplifications seem to
cause systematic crashes in many apps, e.g. Olympus Rising.

Please also be aware that there are several cases in i965 where
{irb,stencil_irb,depth_irb}->mt are causing SIGSEGV MAPERR with null pointer
dereference; maybe this happens only with Android, but it is a very severe
problem there.

Another thing to check is if having const inside for loops is correct.
Please have a look at the latest i965 commits in my development branch
and instruct if some of them should be pushed to mesa-dev/18.3 ML:


