[Bug 96194] New: Gvim causes Xorg to crash in Intel driver.

bugzilla-daemon at freedesktop.org
Wed May 25 10:44:21 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=96194

            Bug ID: 96194
           Summary: Gvim causes Xorg to crash in Intel driver.
           Product: xorg
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: OpenBSD
            Status: NEW
          Severity: major
          Priority: medium
         Component: Driver/intel
          Assignee: chris at chris-wilson.co.uk
          Reporter: edd at theunixzoo.co.uk
        QA Contact: intel-gfx-bugs at lists.freedesktop.org

Hi,

I posted an X bug to x11 at openbsd.org recently. See the report below. I figured
I should raise this upstream.


```
$ Xorg -version

X.Org X Server 1.17.4
Release Date: 2015-10-28
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 6.0 amd64 
Current Operating System: OpenBSD wilfred.home 6.0 GENERIC.MP#12 amd64
Build Date: 23 May 2016  06:21:16PM

Current version of pixman: 0.32.8
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
```

Original report follows:

Hi,

CC Matthieu and a couple of others who are experiencing (maybe) the same issue.

Over the past few months, I've been troubled by Xorg crashing when I am
using gvim. I am unable to reliably reproduce the crash, but the last
time I saw it, I was resizing the gvim window. Below is a trace for this
instance.

I've only had a cursory inspection, but it looks to me like a value (pt
in frame 2) is being used as a pointer (p in frame 1). The dereference
p->x is segging the X server.

Any ideas? Shall I raise this upstream?

Debug binary is here:
http://theunixzoo.co.uk/random/Xorg

Gzipped core file is here:
http://theunixzoo.co.uk/random/Xorg.core.gz

GDB session and trace:

```
# gdb -c /var/crash/Xorg.core /usr/X11R6/bin/Xorg
...
#0  0x000017eaa59dca49 in pt_add (cmd=1224738816, pt=0x17ea8b579000, dx=4,
dy=83)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3093
3093            u.pt.x = pt->x + dx;


(gdb) bt
#0  0x000017eaa59dca49 in pt_add (cmd=1224738816, pt=0x17ea8b579000, dx=4,
dy=83)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3093
#1  0x000017eaa59dca10 in sna_blt_fill_op_points (sna=0x17ea7246a000,
op=0x7f7ffffbb1a0, dx=4, dy=83, p=0x17ea8b579004, n=0)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3198
#2  0x000017eaa59b7b64 in sna_poly_point_blt (drawable=0x17eaa8edd200,
bo=0x17e9e8b55000, damage=0x0, gc=0x17ea2fb9ef00, mode=0, 
    n=45, pt=0x17ea8b578f40, clipped=false) at
/usr/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:8709
#3  0x000017eaa59b8569 in sna_poly_point (drawable=0x17eaa8edd200,
gc=0x17ea2fb9ef00, mode=0, n=45, pt=0x17ea8b578f40)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:8876
#4  0x000017e7c3c8e1e0 in damagePolyPoint (pDrawable=0x17eaa8edd200,
pGC=0x17ea2fb9ef00, mode=0, npt=45, ppt=0x17ea8b578f40)
    at /usr/xenocara/xserver/miext/damage/damage.c:840
#5  0x000017e7c3b54d44 in ProcPolyPoint (client=0x17e9d7208200) at
/usr/xenocara/xserver/dix/dispatch.c:1746
#6  0x000017e7c3b50dad in Dispatch () at
/usr/xenocara/xserver/dix/dispatch.c:429
#7  0x000017e7c3b60396 in dix_main (argc=6, argv=0x7f7ffffbb648,
envp=0x7f7ffffbb680) at /usr/xenocara/xserver/dix/main.c:298
#8  0x000017e7c3b412f7 in main (argc=6, argv=0x7f7ffffbb648,
envp=0x7f7ffffbb680) at /usr/xenocara/xserver/dix/stubmain.c:34

(gdb) list pt_add
3082    
3083            _sna_blt_fill_boxes(sna, &op->base.u.blt, box, nbox);
3084    }
3085    
3086    static inline uint64_t pt_add(uint32_t cmd, const DDXPointRec *pt,
int16_t dx, int16_t dy)
3087    {
3088            union {
3089                    DDXPointRec pt;
3090                    uint32_t i;
3091            } u;
(gdb) 
3092    
3093            u.pt.x = pt->x + dx;
3094            u.pt.y = pt->y + dy;
3095    
3096            return cmd | (uint64_t)u.i<<32;
3097    }
3098    
3099    fastcall static void sna_blt_fill_op_points(struct sna *sna,
3100                                                const struct sna_fill_op
*op,
3101                                                int16_t dx, int16_t dy,
(gdb) p pt
$1 = (const DDXPointRec *) 0x17ea8b579000
(gdb) p pt->x
Cannot access memory at address 0x17ea8b579000


(gdb) frame 1
#1  0x000017eaa59dca10 in sna_blt_fill_op_points (sna=0x17ea7246a000,
op=0x7f7ffffbb1a0, dx=4, dy=83, p=0x17ea8b579004, n=0)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3198
3198                                    *((uint64_t *)b + 0) = pt_add(cmd, p++,
dx, dy);
(gdb) list sna_blt_fill_op_points
3098    
3099    fastcall static void sna_blt_fill_op_points(struct sna *sna,
3100                                                const struct sna_fill_op
*op,
3101                                                int16_t dx, int16_t dy,
3102                                                const DDXPointRec *p, int
n)
...
(gdb) p p
$2 = (const DDXPointRec *) 0x17ea8b579004
(gdb) p p->x
Cannot access memory at address 0x17ea8b579004


(gdb) frame 2
#2  0x000017eaa59b7b64 in sna_poly_point_blt (drawable=0x17eaa8edd200,
bo=0x17e9e8b55000, damage=0x0, gc=0x17ea2fb9ef00, mode=0, 
    n=45, pt=0x17ea8b578f40, clipped=false) at
/usr/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:8709
8709                            fill.points(sna, &fill, last.x, last.y, pt, n);
(gdb) list sna_poly_point_blt
8678    sna_poly_point_blt(DrawablePtr drawable,
8679                       struct kgem_bo *bo,
8680                       struct sna_damage **damage,
8681                       GCPtr gc, int mode, int n, DDXPointPtr pt,
8682                       bool clipped)
8683    {
...
8709                            fill.points(sna, &fill, last.x, last.y, pt, n);
...
(gdb) p pt.x
$6 = 38
(gdb) p pt
$7 = 0x17ea8b578f40


Xorg.0.log:


[ 64357.076] 
X.Org X Server 1.17.4
Release Date: 2015-10-28
[ 64357.076] X Protocol Version 11, Revision 0
[ 64357.076] Build Operating System: OpenBSD 6.0 amd64 
[ 64357.076] Current Operating System: OpenBSD wilfred.home 6.0 GENERIC.MP#12
amd64
[ 64357.076] Build Date: 23 May 2016  06:21:16PM
[ 64357.076]  
[ 64357.076] Current version of pixman: 0.32.8
[ 64357.076]    Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
[ 64357.076] Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[ 64357.076] (==) Log file: "/var/log/Xorg.0.log", Time: Tue May 24 17:40:50
2016
[ 64357.077] (==) Using config file: "/etc/X11/xorg.conf"
[ 64357.077] (==) Using system config directory
"/usr/X11R6/share/X11/xorg.conf.d"
[ 64357.078] (==) No Layout section.  Using the first Screen section.
[ 64357.078] (==) No screen section available. Using defaults.
[ 64357.078] (**) |-->Screen "Default Screen Section" (0)
[ 64357.078] (**) |   |-->Monitor "<default monitor>"
[ 64357.078] (==) No monitor specified for screen "Default Screen Section".
        Using a default monitor configuration.
[ 64357.078] (**) Option "NoTrapSignals" "true"
[ 64357.078] (==) Disabling SIGIO handlers for input devices
[ 64357.078] (==) Automatically adding devices
[ 64357.078] (==) Automatically enabling devices
[ 64357.078] (==) Not automatically adding GPU devices
[ 64357.083] (==) FontPath set to:
        /usr/X11R6/lib/X11/fonts/misc/,
        /usr/X11R6/lib/X11/fonts/TTF/,
        /usr/X11R6/lib/X11/fonts/OTF/,
        /usr/X11R6/lib/X11/fonts/Type1/,
        /usr/X11R6/lib/X11/fonts/100dpi/,
        /usr/X11R6/lib/X11/fonts/75dpi/
[ 64357.083] (==) ModulePath set to "/usr/X11R6/lib/modules"
[ 64357.083] (II) The server relies on wscons to provide the list of input
devices.
        If no devices become available, reconfigure wscons or disable
AutoAddDevices.
[ 64357.083] (II) Loader magic: 0x44aa2fc76c0
[ 64357.083] (II) Module ABI versions:
[ 64357.083]    X.Org ANSI C Emulation: 0.4
[ 64357.083]    X.Org Video Driver: 19.0
[ 64357.083]    X.Org XInput driver : 21.0
[ 64357.083]    X.Org Server Extension : 9.0
[ 64357.093] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
        (Operation not permitted)
        Check that you have set 'machdep.allowaperture=1'
        in /etc/sysctl.conf and reboot your machine
        refer to xf86(4) for details
[ 64357.093]    linear framebuffer access unavailable
[ 64357.093] (--) PCI:*(0:0:2:0) 8086:0166:17aa:2203 rev 9, Mem @
0xf0000000/4194304, 0xe0000000/268435456, I/O @ 0x00005000/64
[ 64357.093] (II) LoadModule: "glx"
[ 64357.095] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[ 64357.098] (II) Module glx: vendor="X.Org Foundation"
[ 64357.098]    compiled for 1.17.4, module version = 1.0.0
[ 64357.098]    ABI class: X.Org Server Extension, version 9.0
[ 64357.098] (==) AIGLX enabled
[ 64357.098] (==) Matched intel as autoconfigured driver 0
[ 64357.098] (==) Matched vesa as autoconfigured driver 1
[ 64357.098] (==) Assigned the driver to the xf86ConfigLayout
[ 64357.098] (II) LoadModule: "intel"
[ 64357.098] (II) Loading /usr/X11R6/lib/modules/drivers/intel_drv.so
[ 64357.099] (II) Module intel: vendor="X.Org Foundation"
[ 64357.099]    compiled for 1.17.4, module version = 2.99.916
[ 64357.099]    Module class: X.Org Video Driver
[ 64357.099]    ABI class: X.Org Video Driver, version 19.0
[ 64357.099] (II) LoadModule: "vesa"
[ 64357.099] (II) Loading /usr/X11R6/lib/modules/drivers/vesa_drv.so
[ 64357.100] (II) Module vesa: vendor="X.Org Foundation"
[ 64357.100]    compiled for 1.17.4, module version = 2.3.3
[ 64357.100]    Module class: X.Org Video Driver
[ 64357.100]    ABI class: X.Org Video Driver, version 19.0
[ 64357.100] (II) intel: Driver for Intel(R) Integrated Graphics Chipsets:
        i810, i810-dc100, i810e, i815, i830M, 845G, 854, 852GM/855GM, 865G,
        915G, E7221 (i915), 915GM, 945G, 945GM, 945GME, Pineview GM,
        Pineview G, 965G, G35, 965Q, 946GZ, 965GM, 965GME/GLE, G33, Q35, Q33,
        GM45, 4 Series, G45/G43, Q45/Q43, G41, B43
[ 64357.100] (II) intel: Driver for Intel(R) HD Graphics: 2000-6000
[ 64357.100] (II) intel: Driver for Intel(R) Iris(TM) Graphics: 5100, 6100
[ 64357.100] (II) intel: Driver for Intel(R) Iris(TM) Pro Graphics: 5200, 6200,
P6300
[ 64357.100] (II) VESA: driver for VESA chipsets: vesa
[ 64357.100] (--) Using wscons driver on /dev/ttyC4
[ 64357.100] (WW) xf86EnableIO: Failed to set IOPL for extended I/O
        Check that you have set 'machdep.allowaperture=1'
        in /etc/sysctl.conf and reboot your machine
        refer to xf86(4) for details
[ 64357.101] (II) intel(0): Using Kernel Mode Setting driver: i915, version
1.6.0 20080730
[ 64357.101] (WW) Falling back to old probe method for vesa
[ 64357.101] (--) intel(0): Integrated Graphics Chipset: Intel(R) HD Graphics
4000
[ 64357.101] (--) intel(0): CPU: x86-64, sse2, sse3, ssse3, sse4.1, sse4.2, avx
[ 64357.101] (II) intel(0): Creating default Display subsection in Screen
section
        "Default Screen Section" for depth/fbbpp 24/32
[ 64357.101] (==) intel(0): Depth 24, (--) framebuffer bpp 32
[ 64357.101] (==) intel(0): RGB weight 888
[ 64357.101] (==) intel(0): Default visual is TrueColor
[ 64357.102] (II) intel(0): Output LVDS1 has no monitor section
[ 64357.103] (--) intel(0): Found backlight control interface wscons (type
'platform') for output LVDS1
[ 64357.103] (II) intel(0): Enabled output LVDS1
[ 64357.103] (II) intel(0): Output VGA1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output VGA1
[ 64357.103] (II) intel(0): Output HDMI1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output HDMI1
[ 64357.103] (II) intel(0): Output DP1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output DP1
[ 64357.103] (II) intel(0): Output HDMI2 has no monitor section
[ 64357.103] (II) intel(0): Enabled output HDMI2
[ 64357.103] (II) intel(0): Output DP2 has no monitor section
[ 64357.103] (II) intel(0): Enabled output DP2
[ 64357.103] (--) intel(0): Using a maximum size of 64x64 for hardware cursors
[ 64357.103] (II) intel(0): Output VIRTUAL1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output VIRTUAL1
[ 64357.103] (--) intel(0): Output LVDS1 using initial mode 1366x768 on pipe 0
[ 64357.103] (--) intel(0): Output HDMI1 using initial mode 1920x1080 on pipe 1
[ 64357.103] (==) intel(0): TearFree disabled
[ 64357.103] (==) intel(0): DPI set to (96, 96)
[ 64357.103] (II) Loading sub module "dri2"
[ 64357.103] (II) LoadModule: "dri2"
[ 64357.103] (II) Module "dri2" already built-in
[ 64357.103] (II) Loading sub module "present"
[ 64357.103] (II) LoadModule: "present"
[ 64357.103] (II) Module "present" already built-in
[ 64357.103] (II) UnloadModule: "vesa"
[ 64357.103] (II) Unloading vesa
[ 64357.103] (==) Depth 24 pixmap format is 32 bpp
[ 64357.104] (II) intel(0): SNA initialized with Ivybridge (gen7, gt2) backend
[ 64357.104] (==) intel(0): Backing store enabled
[ 64357.104] (==) intel(0): Silken mouse disabled
[ 64357.104] (II) intel(0): HW Cursor enabled
[ 64357.104] (II) intel(0): RandR 1.2 enabled, ignore the following RandR
disabled message.
[ 64357.104] (==) intel(0): DPMS enabled
[ 64357.104] (II) intel(0): [DRI2] Setup complete
[ 64357.104] (II) intel(0): [DRI2]   DRI driver: i965
[ 64357.104] (II) intel(0): [DRI2]   VDPAU driver: i965
[ 64357.104] (II) intel(0): direct rendering: DRI2 enabled
[ 64357.104] (II) intel(0): hardware support for Present enabled
[ 64357.105] (--) RandR disabled
[ 64357.129] (II) AIGLX: enabled GLX_MESA_copy_sub_buffer
[ 64357.129] (II) AIGLX: enabled GLX_ARB_create_context
[ 64357.129] (II) AIGLX: enabled GLX_ARB_create_context_profile
[ 64357.129] (II) AIGLX: enabled GLX_EXT_create_context_es2_profile
[ 64357.129] (II) AIGLX: enabled GLX_INTEL_swap_event
[ 64357.129] (II) AIGLX: enabled GLX_SGI_swap_control and GLX_MESA_swap_control
[ 64357.129] (II) AIGLX: enabled GLX_EXT_framebuffer_sRGB
[ 64357.129] (II) AIGLX: enabled GLX_ARB_fbconfig_float
[ 64357.129] (II) AIGLX: GLX_EXT_texture_from_pixmap backed by buffer objects
[ 64357.129] (II) AIGLX: enabled GLX_ARB_create_context_robustness
[ 64357.129] (II) AIGLX: Loaded and initialized i965
[ 64357.129] (II) GLX: Initialized DRI2 GL provider for screen 0
[ 64357.132] (II) intel(0): switch to mode 1366x768 at 60.0 on LVDS1 using pipe 0,
position (0, 0), rotation normal, reflection none
[ 64357.141] (II) intel(0): switch to mode 1920x1080 at 60.0 on HDMI1 using pipe
1, position (0, 0), rotation normal, reflection none
[ 64357.143] (II) intel(0): Setting screen physical size to 508 x 285
[ 64357.288] (II) config/wscons: checking input device /dev/wskbd
[ 64357.288] (II) wskbd: using layout gb
[ 64357.288] (II) LoadModule: "kbd"
[ 64357.290] (II) Loading /usr/X11R6/lib/modules/input/kbd_drv.so
[ 64357.290] (II) Module kbd: vendor="X.Org Foundation"
[ 64357.290]    compiled for 1.17.4, module version = 1.8.1
[ 64357.290]    Module class: X.Org XInput Driver
[ 64357.290]    ABI class: X.Org XInput driver, version 21.0
[ 64357.290] (II) Using input driver 'kbd' for '/dev/wskbd'
[ 64357.290] (**) /dev/wskbd: always reports core events
[ 64357.290] (**) /dev/wskbd: always reports core events
[ 64357.290] (**) Option "Protocol" "standard"
[ 64357.290] (**) Option "XkbRules" "base"
[ 64357.290] (**) Option "XkbModel" "pc105"
[ 64357.290] (**) Option "XkbLayout" "gb"
[ 64357.290] (II) XINPUT: Adding extended input device "/dev/wskbd" (type:
KEYBOARD, id 6)
[ 64357.412] (II) config/wscons: checking input device /dev/wsmouse3
[ 64357.412] (II) LoadModule: "ws"
[ 64357.413] (II) Loading /usr/X11R6/lib/modules/input/ws_drv.so
[ 64357.413] (II) Module ws: vendor="X.Org Foundation"
[ 64357.413]    compiled for 1.17.4, module version = 1.3.0
[ 64357.413]    Module class: X.Org XInput Driver
[ 64357.413]    ABI class: X.Org XInput driver, version 21.0
[ 64357.414] (II) Using input driver 'ws' for '/dev/wsmouse3'
[ 64357.414] (**) /dev/wsmouse3: always reports core events
[ 64357.414] (II) ws: /dev/wsmouse3: debuglevel 0
[ 64357.414] (**) Option "Device" "/dev/wsmouse3"
[ 64357.414] (**) ws: /dev/wsmouse3: ZAxisMapping: buttons 4 and 5
[ 64357.414] (**) ws: /dev/wsmouse3: WAxisMapping: buttons 6 and 7
[ 64357.414] (**) ws: /dev/wsmouse3: associated screen: 0
[ 64357.414] (**) ws: /dev/wsmouse3: device will work in raw mode
[ 64357.414] (II) ws: /dev/wsmouse3: minimum x position: 0
[ 64357.414] (II) ws: /dev/wsmouse3: maximum x position: 27760
[ 64357.414] (II) ws: /dev/wsmouse3: minimum y position: 0
[ 64357.414] (II) ws: /dev/wsmouse3: maximum y position: 15694
[ 64357.414] (==) ws: /dev/wsmouse3: Buttons: 7
[ 64357.414] (**) ws: /dev/wsmouse3: YAxisMapping: buttons 4 and 5
[ 64357.414] (II) XINPUT: Adding extended input device "/dev/wsmouse3" (type:
TOUCHSCREEN, id 7)
[ 64357.414] (**) /dev/wsmouse3: (accel) keeping acceleration scheme 1
[ 64357.414] (**) /dev/wsmouse3: (accel) acceleration profile 0
[ 64357.414] (**) /dev/wsmouse3: (accel) acceleration factor: 2.000
[ 64357.414] (**) /dev/wsmouse3: (accel) acceleration threshold: 4
[ 64357.414] (II) config/wscons: checking input device /dev/wsmouse
[ 64357.414] (II) Using input driver 'ws' for '/dev/wsmouse'
[ 64357.414] (**) /dev/wsmouse: always reports core events
[ 64357.414] (II) ws: /dev/wsmouse: debuglevel 0
[ 64357.414] (**) Option "Device" "/dev/wsmouse"
[ 64357.414] (**) ws: /dev/wsmouse: ZAxisMapping: buttons 4 and 5
[ 64357.414] (**) ws: /dev/wsmouse: WAxisMapping: buttons 6 and 7
[ 64357.414] (**) ws: /dev/wsmouse: associated screen: 0
[ 64357.480] (II) ws: /dev/wsmouse: minimum x position: 0
[ 64357.480] (II) ws: /dev/wsmouse: maximum x position: 1919
[ 64357.480] (II) ws: /dev/wsmouse: minimum y position: 0
[ 64357.480] (II) ws: /dev/wsmouse: maximum y position: 1079
[ 64357.480] (==) ws: /dev/wsmouse: Buttons: 7
[ 64357.485] (**) ws: /dev/wsmouse: YAxisMapping: buttons 4 and 5
[ 64357.485] (II) XINPUT: Adding extended input device "/dev/wsmouse" (type:
MOUSE, id 8)
[ 64357.550] (**) /dev/wsmouse: (accel) keeping acceleration scheme 1
[ 64357.550] (**) /dev/wsmouse: (accel) acceleration profile 0
[ 64357.550] (**) /dev/wsmouse: (accel) acceleration factor: 2.000
[ 64357.550] (**) /dev/wsmouse: (accel) acceleration threshold: 4
[ 64375.884] (II) intel(0): EDID vendor "LGD", prod id 728
[ 64375.884] (II) intel(0): Printing DDC gathered Modelines:
[ 64375.884] (II) intel(0): Modeline "1366x768"x0.0   75.20  1366 1414 1478
1582  768 772 779 792 +hsync -vsync (47.5 kHz eP)

```
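
A triage aid added here, not part of the original report or of the driver's code: it parses frames 0 to 2 of the gdb backtrace above (copied from the report with the e-mail line wraps joined) and computes where the faulting address lies relative to the `pt` array and count `n` visible in frame 2. The 4-byte element size is taken from the session itself (`DDXPointRec` shares a union with `uint32_t`, and `p++` moved the pointer by 4); the 4 KiB page size is an assumption.

```python
import re

# Frames 0-2 from the gdb backtrace in the report (line wraps joined).
BACKTRACE = """\
#0  0x000017eaa59dca49 in pt_add (cmd=1224738816, pt=0x17ea8b579000, dx=4, dy=83)
#1  0x000017eaa59dca10 in sna_blt_fill_op_points (sna=0x17ea7246a000, op=0x7f7ffffbb1a0, dx=4, dy=83, p=0x17ea8b579004, n=0)
#2  0x000017eaa59b7b64 in sna_poly_point_blt (drawable=0x17eaa8edd200, bo=0x17e9e8b55000, damage=0x0, gc=0x17ea2fb9ef00, mode=0, n=45, pt=0x17ea8b578f40, clipped=false)
"""

POINT_SIZE = 4    # bytes per DDXPointRec, inferred from the gdb session
PAGE_SIZE = 4096  # assumption: 4 KiB pages on amd64

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \((.*)\)$")


def parse_value(text):
    """Convert a gdb argument value to int where possible."""
    if text.startswith("0x"):
        return int(text, 16)
    if text.lstrip("-").isdigit():
        return int(text)
    return text  # e.g. "false"


def parse_frames(text):
    """Return {frame_number: (function_name, {arg: value})}."""
    frames = {}
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for item in m.group(3).split(", "):
            key, _, value = item.partition("=")
            args[key] = parse_value(value)
        frames[int(m.group(1))] = (m.group(2), args)
    return frames


def locate_fault(frames, caller=2, faulting=0, ptr="pt", count="n"):
    """Express the faulting pointer as an element index into the caller's array."""
    base = frames[caller][1][ptr]
    n = frames[caller][1][count]
    fault = frames[faulting][1][ptr]
    index, rem = divmod(fault - base, POINT_SIZE)
    return {
        "offset_bytes": fault - base,
        "index": index,
        "count": n,
        "in_bounds": rem == 0 and 0 <= index < n,
        "elements_beyond_count": index - n,
        "page_aligned": fault % PAGE_SIZE == 0,
    }


if __name__ == "__main__":
    for key, value in locate_fault(parse_frames(BACKTRACE)).items():
        print(f"{key}: {value}")
```

For the values in this report, the faulting address is 192 bytes (element index 48) above frame 2's `pt`, whose `n` is 45, and it sits exactly on a 4096-byte boundary.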
