<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Android: i965/brw_draw affected by segfault in intel_disable_rb_aux_buffer()"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=108782">108782</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Android: i965/brw_draw affected by segfault in intel_disable_rb_aux_buffer()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Drivers/DRI/i965
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>issor.oruam@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Many Android applications are affected

F DEBUG   : pid: 7402, tid: 7421, name: RenderThread  >>> jackpal.androidterm
<<<
F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x68
F DEBUG   : Cause: null pointer dereference
F DEBUG   : 
F DEBUG   : backtrace:
F DEBUG   :     #00 pc 0003c16a  /system/vendor/lib/dri/i965_dri.so
(intel_disable_rb_aux_buffer+138)
F DEBUG   :     #01 pc 0003b954  /system/vendor/lib/dri/i965_dri.so
(brw_predraw_resolve_inputs+980)
F DEBUG   :     #02 pc 0003c526  /system/vendor/lib/dri/i965_dri.so
(brw_draw_prims+774)


utente@utente-Giga:~/oreo-x86_kernel$ addr2line -Cfe
out/target/product/x86_64/symbols/system/vendor/lib/dri/i965_dri.so

0003c16a  /system/vendor/lib/dri/i965_dri.so (intel_disable_rb_aux_buffer+138)
0003b954  /system/vendor/lib/dri/i965_dri.so (brw_predraw_resolve_inputs+980)
0003c526  /system/vendor/lib/dri/i965_dri.so (brw_draw_prims+774)

intel_disable_rb_aux_buffer
external/mesa/src/mesa/drivers/dri/i965/brw_draw.c:366
brw_predraw_resolve_inputs
external/mesa/src/mesa/drivers/dri/i965/brw_draw.c:532
brw_prepare_drawing
external/mesa/src/mesa/drivers/dri/i965/brw_draw.c:841

The null pointer is irb->mt at line 366; however, adding a check prior to
evaluation of irb->mt->bo avoids the segfault (I can hear music of games
instead of getting the error/segfault) but it produces black rendering :-)

[attempted patch]
utente@utente-Giga:~/oreo-x86_kernel/external/mesa$ git diff
diff --git a/src/mesa/drivers/dri/i965/brw_draw.c
b/src/mesa/drivers/dri/i965/brw_draw.c
index bc0b3683a2..3a921e1dea 100644
--- a/src/mesa/drivers/dri/i965/brw_draw.c
+++ b/src/mesa/drivers/dri/i965/brw_draw.c
@@ -362,11 +362,12 @@ intel_disable_rb_aux_buffer(struct brw_context *brw,
    for (unsigned i = 0; i < fb->_NumColorDrawBuffers; i++) {
       struct intel_renderbuffer *irb =
          intel_renderbuffer(fb->_ColorDrawBuffers[i]);
-
-      if (irb && irb->mt->bo == tex_mt->bo &&
-          irb->mt_level >= min_level &&
-          irb->mt_level < min_level + num_levels) {
-         found = draw_aux_buffer_disabled[i] = true;
+      if (irb && irb->mt) {
+        if (irb->mt->bo == tex_mt->bo &&
+             irb->mt_level >= min_level &&
+             irb->mt_level < min_level + num_levels) {
+           found = draw_aux_buffer_disabled[i] = true;
+         }
       }
    }
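Review bot: the new irb->mt guard at the top of the hunk only hides the dereference; the report itself notes that the result is black rendering, so the actual defect is that a renderbuffer with a NULL miptree reaches fb->_ColorDrawBuffers[i] at all, and that is what needs fixing (or at least an assert(irb->mt) so the bad state is caught where it arises rather than silently skipped). If the guard is kept, fold it into the existing condition, `if (irb && irb->mt && irb->mt->bo == tex_mt->bo &&`, instead of adding a nested if; that also avoids the added lines' 8/9/11-space indentation, which does not follow the file's 3-space steps.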


Please assist in finding a solution. Older versions of code seem to have a more
explicit handling in miptree with bool disable_aux, the simplifications seem to
cause systematic crashes in many apps e.g. Olympus Rising

Please also be aware that there are several cases in i965 where
{irb,stencil_irb,depth_irb}->mt are causing SIGSEGV MAPERR with null pointer
dereference; maybe this happens only with Android, but it is a very severe
problem there.

Another thing to check is if having const inside for loops is correct.
Please have a look at the latest i965 commits in my development branch
and instruct if some of them should be pushed to mesa-dev/18.3 ML:

<a href="https://github.com/maurossi/mesa/commits/19.0.0-devel_w46">https://github.com/maurossi/mesa/commits/19.0.0-devel_w46</a>

Mauro</pre>
        </div>
      </p>


    </body>
</html>