[Bug 73108] New: crash in _sna_pixmap_move_to_cpu in 2.99.906

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sat Dec 28 15:43:30 PST 2013 

https://bugs.freedesktop.org/show_bug.cgi?id=73108

          Priority: medium
            Bug ID: 73108
          Assignee: chris at chris-wilson.co.uk
           Summary: crash in _sna_pixmap_move_to_cpu in 2.99.906
        QA Contact: intel-gfx-bugs at lists.freedesktop.org
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: michael.meeks at collabora.com
          Hardware: Other
            Status: NEW
           Version: unspecified
         Component: Driver/intel
           Product: xorg

Running libreoffice to render something or other, sadly this really screwed up
the middle of a 30 minute profiling run in callgrind against a deadline ... [
wow I hate Xorg bugs in production ], I got:

Program received signal SIGSEGV, Segmentation fault.
__memset_sse2 () at ../sysdeps/i386/i686/multiarch/memset-sse2.S:298
298     ../sysdeps/i386/i686/multiarch/memset-sse2.S: No such file or
directory.
(gdb) bt
#0  __memset_sse2 () at ../sysdeps/i386/i686/multiarch/memset-sse2.S:298
#1  0xb6bf0a44 in memset (__len=<optimized out>, __ch=<optimized out>,
    __dest=<optimized out>) at /usr/include/bits/string3.h:84
#2  _sna_pixmap_move_to_cpu (pixmap=pixmap at entry=0x8c0aec8,
    flags=flags at entry=3) at sna_accel.c:2110
#3  0xb6bf3b81 in sna_drawable_move_region_to_cpu (drawable=0x8c0aec8,
    region=region at entry=0xbfb39ba8, flags=flags at entry=3) at sna_accel.c:2479
#4  0xb6c4c987 in trapezoid_span_inplace__x8r8g8b8 (op=<optimized out>,
    dst=dst at entry=0x8bef1b0, src=src at entry=0x8ca6150, src_x=src_x at entry=45,
    src_y=src_y at entry=6, maskFormat=maskFormat at entry=0x85c2208,
    flags=flags at entry=2, ntrap=ntrap at entry=16, traps=traps at entry=0x8d4191c)
    at sna_trapezoids_precise.c:2689
#5  0xb6c4ed05 in precise_trapezoid_span_inplace (sna=sna at entry=0xb5b08000,
    op=op at entry=3 '\003', src=src at entry=0x8ca6150, dst=dst at entry=0x8bef1b0,
    maskFormat=maskFormat at entry=0x85c2208, flags=flags at entry=2,
    src_x=src_x at entry=45, src_y=src_y at entry=6, ntrap=ntrap at entry=16,
    traps=traps at entry=0x8d4191c, fallback=fallback at entry=false)
    at sna_trapezoids_precise.c:2926
#6  0xb6c31019 in trapezoid_span_inplace (fallback=false, traps=0x8d4191c,
    ntrap=16, src_y=6, src_x=45, flags=2, maskFormat=0x85c2208, dst=0x8bef1b0,
    src=0x8ca6150, op=3 '\003', sna=0xb5b08000) at sna_trapezoids.h:153
#7  sna_composite_trapezoids (op=3 '\003', src=0x8ca6150, dst=0x8bef1b0,
    maskFormat=0x85c2208, xSrc=45, ySrc=6, ntrap=16, traps=0x8d4191c)
---Type <return> to continue, or q <return> to quit---
    at sna_trapezoids.c:669
#8  0x0815771e in CompositeTrapezoids (op=3 '\003', pSrc=0x8ca6150,
    pDst=0x8bef1b0, maskFormat=0x85c2208, xSrc=45, ySrc=6, ntrap=16,
    traps=traps at entry=0x8d4191c) at picture.c:1640
#9  0x0815c82b in ProcRenderTrapezoids (client=0x8b81178) at render.c:759
#10 0x08157b7d in ProcRenderDispatch (client=0x8b81178) at render.c:1989
#11 0x0807eecd in Dispatch () at dispatch.c:432
#12 0x0806cf6a in main (argc=12, argv=0xbfb3c464, envp=0xbfb3c498)
    at main.c:298
(gdb) l
293     in ../sysdeps/i386/i686/multiarch/memset-sse2.S
(gdb) up
#1  0xb6bf0a44 in memset (__len=<optimized out>, __ch=<optimized out>,
    __dest=<optimized out>) at /usr/include/bits/string3.h:84
warning: Source file is more recent than executable.
84        return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
(gdb) l
79            && (!__builtin_constant_p (__ch) || __ch != 0))
80          {
81            __warn_memset_zero_len ();
82            return __dest;
83          }
84        return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
85      }
86
87      #ifdef __USE_BSD
88      __fortify_function void
(gdb) p __dest
$1 = <optimized out>
(gdb) up
#2  _sna_pixmap_move_to_cpu (pixmap=pixmap at entry=0x8c0aec8,
    flags=flags at entry=3) at sna_accel.c:2110
2110                            memset(pixmap->devPrivate.ptr,
priv->clear_color,
(gdb) l
2105                    }
2106
2107                    if (priv->clear_color == 0 ||
2108                        pixmap->drawable.bitsPerPixel == 8 ||
2109                        priv->clear_color == (1 << pixmap->drawable.depth)
- 1) {
2110                            memset(pixmap->devPrivate.ptr,
priv->clear_color,
2111                                   pixmap->devKind *
pixmap->drawable.height);
2112                    } else {
2113                            pixman_fill(pixmap->devPrivate.ptr,
2114                                        pixmap->devKind/sizeof(uint32_t),
(gdb) p pixmap
$2 = (struct _Pixmap *) 0x8c0aec8
(gdb) p *pixmap
$3 = {drawable = {type = 1 '\001', class = 0 '\000', depth = 32 ' ',
    bitsPerPixel = 32 ' ', id = 67111130, x = 0, y = 0, width = 60,
    height = 60, pScreen = 0x85cb738, serialNumber = 761839},
  devPrivates = 0x8c0aefc, refcnt = 3, devKind = 240, devPrivate = {
    ptr = 0xb4517000, val = -1269731328, uval = 3025235968,
    fptr = 0xb4517000}, screen_x = 0, screen_y = 0, usage_hint = 0,
  master_pixmap = 0x8dde2c0}
(gdb) p pixmap->devKind
$4 = 240
(gdb) p pixmap->drawable.height
$5 = 60

this is the openSUSE 13.1 package with this recent changelog:

* Sun Dec 01 2013 hrvoje.senjan at gmail.com
- U_sna-Add-the-missing-braces-around-the-conditional-bl.patch:
  fixes regression from 2.99.906 release (fdo#71605, bnc#853085)

* Sat Nov 30 2013 hrvoje.senjan at gmail.com
- U_sna_correct_handling_of_cropped_images.patch:
  Fix X crashes triggered by wrong handling of cropped
  XvImages (bnc#852531)

* Wed Nov 27 2013 tiwai at suse.de
- U_sna-Process-Damage-relative-to-dst-pDrawable-not-its.patch:
  Fix corrupted output with Emacs and others (bnc#852620)

* Thu Nov 14 2013 hrvoje.senjan at gmail.com
- Update to 3.0 prerelease 2.99.906
  + Fix damage handling when rendering to a partially damaged GPU
    surface. Regression in 2.99.905 (fdo#70527)
  + Use asprintf() instead of sprintf()
    Regression in 2.99.905 (fdo#70835), (bnc#847762)
  + Improve accounting for fence overallocation on older gen2/3, and
    improve the tiling mechanism to fit into the same aperture
    constraints (fdo#70924)
  + Add an extra GPU flush on Sandybridge to fix some rare font
    corruption
  + Rasterise lines through all clip boxes
    (fdo#70802
  + Fix regression from stricter handling of failures to move a
    GC to the GPU. Regression in 2.99.905. (fdo#71415), (bnc#847941)
  + Fix various fail along the memcpy_xor paths, including
    inadequate error handling and integer overflow (fdo#70527)
  + Fix outside-of-target stipple uploads (lp#1247785)
  + Fix clip detection for long glyphs
    Incomplete bug fix (causing a regression) in 2.99.905
    (fdo#70527)
  + Fix VSync for the render engine (Xv) on Haswell (fdo#70527)

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/intel-gfx-bugs/attachments/20131228/ad851c73/attachment.html>

More information about the intel-gfx-bugs mailing list