<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - NULL pointer dereferences in some corner cases"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=103499">103499</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>NULL pointer dereferences in some corner cases
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Drivers/DRI/i965
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>freedesktop@mva.name
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Hi there!
Unfortunately, I'm facing strange issues with segfaults because of null pointer
dereferences on my wife's laptop with Haswell.

Firstly, without "debug" symbols being built, gdb said that the segfault is
happening in the `intel_miptree_level_has_hiz` function (that made me think
this bug is related to the one at the end of the message).

When I recompiled mesa with debug symbols, I got the following backtrace:
```
Thread 1 (Thread 0x7ffff7e27800 (LWP 70027)):
#0  0x00007fffdf2be4f9 in intel_miptree_check_level_layer (mt=0x0, level=0,
layer=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:419
        __PRETTY_FUNCTION__ = "intel_miptree_check_level_layer"
#1  0x00007fffdf2c1987 in intel_miptree_level_has_hiz (mt=0x0, level=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:1826
No locals.
#2  0x00007fffdf2bd78b in intel_renderbuffer_has_hiz (irb=0x950430) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_fbo.c:934
No locals.
#3  0x00007fffdf27bf50 in brw_fast_clear_depth (ctx=0xb21b40) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_clear.c:114
        brw = 0xb21b40
        fb = 0xa50630
        depth_irb = 0x950430
        mt = 0x0
        depth_att = 0xa50808
        clear_value = 2.37853907e-38
#4  0x00007fffdf27c37d in brw_clear (ctx=0xb21b40, mask=50) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_clear.c:228
        brw = 0xb21b40
        fb = 0xa50630
        partial_clear = false
        tri_mask = 32767
        __PRETTY_FUNCTION__ = "brw_clear"
#5  0x00007fffdeda062d in clear (no_error=false, mask=17664, ctx=0xb21b40) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/main/clear.c:221
        bufferMask = 50
#6  _mesa_Clear (mask=17664) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/main/clear.c:242
        ctx = 0xb21b40
#7  0x00007ffff5efa38a in QSGBatchRenderer::Renderer::renderBatches() () from
/usr/lib64/libQt5Quick.so.5
<...>
```


After some discussion with Jason Ekstrand on the IRC, I've tried to apply this
patch:

```

diff --git a/src/mesa/drivers/dri/i965/brw_clear.c
b/src/mesa/drivers/dri/i965/brw_clear.c
index fe8634b..b0a6602 100644
--- a/src/mesa/drivers/dri/i965/brw_clear.c
+++ b/src/mesa/drivers/dri/i965/brw_clear.c
@@ -112,6 +112,9 @@ brw_fast_clear_depth(struct gl_context *ctx)
    if (devinfo->gen < 6)
       return false;

+   if (depth_irb->mt == NULL)
+      return false;
+
    if (!intel_renderbuffer_has_hiz(depth_irb))
       return false;

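Review bot: the guard at the top of brw_fast_clear_depth only protects the clear path, while the second backtrace shows the same NULL miptree reaching intel_miptree_render_aux_usage via brw_update_renderbuffer_surface (irb=0xa4c8f0, mt=0x0, brw_wm_surface_state.c:219), so returning false here just moves the crash to the next consumer of the renderbuffer. A renderbuffer with `irb->mt == NULL` is being treated as a valid framebuffer attachment; the fix should establish why the miptree is missing (for example a failed allocation when the attachment was created) and reject or mark the framebuffer incomplete at that point, rather than sprinkling `if (depth_irb->mt == NULL) return false;` in front of each dereference. If a local guard is kept as a stop-gap, it belongs in intel_renderbuffer_has_hiz, which is the helper both backtraces pass through, not in its single caller.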
```

And now, the backtrace looks like this:
```
Thread 1 (Thread 0x7ffff7e27800 (LWP 133740)):
#0  0x00007fffdf01bbb6 in intel_miptree_render_aux_usage (brw=0xb28d70, mt=0x0,
srgb_enabled=false, blend_enabled=false) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:2575
No locals.
#1  0x00007fffdeffa1c7 in brw_update_renderbuffer_surface (brw=0xb28d70,
rb=0xa4c8f0, flags=0, unit=0, surf_index=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:219
        ctx = 0xb28d70
        irb = 0xa4c8f0
        mt = 0x0
        aux_usage = ISL_AUX_USAGE_HIZ
        rb_format = MESA_FORMAT_X8B8G8R8_UNORM
        view = {usage = 0, format = 3691008000, base_level = 32767, levels =
4096, base_array_layer = 3, array_len = 9437200, swizzle = {r =
ISL_CHANNEL_SELECT_ZERO, g = ISL_CHANNEL_SELECT_ZERO, b =
ISL_CHANNEL_SELECT_ZERO, a = ISL_CHANNEL_SELECT_ZERO}}
        offset = 32767
#2  0x00007fffdeffc097 in brw_update_renderbuffer_surfaces (brw=0xb28d70,
fb=0xa6d970, render_target_start=0, surf_offset=0xb4f584) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1055
        surf_index = 0
        flags = 0
        i = 0
        w = 0
        h = 0
        s = 0
#3  0x00007fffdeffc28f in update_renderbuffer_surfaces (brw=0xb28d70) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1080
        ctx = 0xb28d70
        wm_prog_data = 0xa3a838
        fb = 0xa6d970
#4  0x00007fffdeff0c4c in check_and_emit_atom (brw=0xb28d70,
state=0x7fffffffb320, atom=0xb4feb8) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:457
No locals.
#5  0x00007fffdeff053a in brw_upload_pipeline_state (brw=0xb28d70,
pipeline=BRW_RENDER_PIPELINE) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:571
        atom = 0xb4feb8
        dirty_count = 0
        ctx = 0xb28d70
        i = 33
        state = {mesa = 4294967295, brw = 18446744073709551615}
        fb_samples = 1
        atoms = 0xb4fba0
        num_atoms = 69
#6  0x00007fffdeff0067 in brw_upload_render_state (brw=0xb28d70) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:593
No locals.
#7  0x00007fffdefd7338 in brw_try_draw_prims (ctx=0xb28d70, arrays=0x1c351f8,
prims=0x7fffffffb588, nr_prims=1, ib=0x7fffffffb5b0, index_bounds_valid=false,
min_index=0, max_index=4294967295, xfb_obj=0x0, stream=0, indirect=0x0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_draw.c:777
        sampler_state_size = 16
        new_basevertex = 0
        estimated_max_prim_size = 5120
        new_baseinstance = 0
        vs_prog_data = 0x0
        _warned = false
        msg_id = 0
        brw = 0xb28d70
        i = 0
        fail_next = false
#8  0x00007fffdefd6c02 in brw_draw_prims (ctx=0xb28d70, prims=0x7fffffffb588,
nr_prims=1, ib=0x7fffffffb5b0, index_bounds_valid=0 '\000', min_index=0,
max_index=4294967295, gl_xfb_obj=0x0, stream=0, indirect=0x0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_draw.c:869
        msg_id = 0
        msg_id = 0
        brw = 0xb28d70
        arrays = 0x1c351f8
        xfb_obj = 0x0
#9  0x00007fffdeccb8fd in vbo_validated_drawrangeelements (ctx=0xb28d70,
mode=5, index_bounds_valid=0 '\000', start=0, end=4294967295, count=4,
type=5123, indices=0x2, basevertex=0, numInstances=1, baseInstance=0) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/vbo/vbo_exec_array.c:918
        vbo = 0x1c31d30
        ib = {count = 4, index_size = 2, obj = 0xa6b9d0, ptr = 0x2}
        prim = {mode = 5, indexed = 1, begin = 1, end = 1, weak = 0,
no_current_update = 0, is_indirect = 0, pad = 0, start = 0, count = 4,
basevertex = 0, num_instances = 1, base_instance = 0, draw_id = 0,
indirect_offset = 2}
#10 0x00007fffdecc8745 in vbo_exec_DrawElements (mode=5, count=4, type=5123,
indices=0x2) at
/var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/vbo/vbo_exec_array.c:1068
        ctx = 0xb28d70
#11 0x00007ffff5ef9b01 in
QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const*)
() from /usr/lib64/libQt5Quick.so.5
<...>
```

So, it still falls into a null pointer dereference, as far as I understand the
situation.

I'd like to provide any additional info, if that was not enough to catch the
problem.


P.S. this bug may (or may not) be related to
<a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - [Regresion] [IVB] Segment fault in recent commit in intel_miptree_level_has_hiz under Ivy bridge"
   href="show_bug.cgi?id=101539">https://bugs.freedesktop.org/show_bug.cgi?id=101539</a>


P.P.S.: Unfortunately, bisecting would be too hard, since there was a huge
version gap between the "working" and "not working" state (13.0.2 -> 17.0.3) and
it was also a huge system upgrade (too many system packages were upgraded,
including glibc, gcc, llvm, clang, whatever). So, proper bisecting can take forever :'(</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>