[Bug 77074] Xorg crashes while using Aegisub

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Jan 10 06:21:45 UTC 2019


https://bugs.freedesktop.org/show_bug.cgi?id=77074

--- Comment #126 from Mikolaj <ejpbazlv at mail.unet.to> ---
I think this problem is fixed, as I encountered the same issue on OpenBSD with
GIMP. I had a very easy repro case by just opening a new file and navigating the
file browser in the recently opened files. Xorg crashed each time. More details
are reported here:

https://marc.info/?l=openbsd-bugs&m=154706833406795&w=2

GDB details from openbsd-bugs email:

(gdb) bt
#0  0x00000aeb3630ff3a in sna_blt_copy_boxes (sna=0xaeb33262000, alu=3 '\003', src_bo=0xaeb79f86400, src_dx=0, src_dy=0,
    dst_bo=0xaeb79f8a200, dst_dx=0, dst_dy=0, bpp=32, box=0xaeb63870000, nbox=0)
    at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3759
#1  0x00000aeb363544e9 in no_render_copy_boxes (sna=0xaeb33262000, alu=3 '\003', src=0xaeb7ab1b080, src_bo=0xaeb79f86400, src_dx=0,
    src_dy=0, dst=0xaeb7ab1b080, dst_bo=0xaeb79f8a200, dst_dx=0, dst_dy=0, box=0xaeb63868010, n=2038, flags=0)
    at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_render.c:137
#2  0x00000aeb362d2907 in sna_pixmap_move_to_gpu (pixmap=0xaeb7ab1b080, flags=10)
    at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:4246
#3  0x00000aeb362f375a in sna_copy_boxes (src=0xaeb7ab1b080, dst=0xaeb1507e400, gc=0xaeacb235a00, region=0x7f7ffffe9750, dx=-616,
    dy=-72, bitplane=0, closure=0x0) at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:6387
#4  0x00000aeb362f5122 in sna_do_copy (src=0xaeb7ab1b080, dst=0xaeb1507e400, gc=0xaeacb235a00, sx=0, sy=0, width=1535, height=1012,
    dx=616, dy=72, copy=0xaeb362f2f00 <sna_copy_boxes>, bitPlane=0, closure=0x0)
    at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:6959
#5  0x00000aeb362dd3c7 in sna_copy_area (src=0xaeb7ab1b080, dst=0xaeb1507e400, gc=0xaeacb235a00, src_x=0, src_y=0, width=1535,
    height=1012, dst_x=245, dst_y=71) at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:7041
#6  0x00000ae8a1bdd17d in damageCopyArea (pSrc=0xaeb7ab1b080, pDst=0xaeb1507e400, pGC=0xaeacb235a00, srcx=0, srcy=0, width=1535,
    height=1012, dstx=245, dsty=71) at /home/mkucharski/openbsd/xenocara/xserver/miext/damage/damage.c:775
#7  0x00000ae8a1a4728a in ProcCopyArea (client=0xaeb6c1f3800) at /home/mkucharski/openbsd/xenocara/xserver/dix/dispatch.c:1722
#8  0x00000ae8a1a41df0 in Dispatch () at /home/mkucharski/openbsd/xenocara/xserver/dix/dispatch.c:480
#9  0x00000ae8a1a55479 in dix_main (argc=7, argv=0x7f7ffffe9b18, envp=0x7f7ffffe9b58)
    at /home/mkucharski/openbsd/xenocara/xserver/dix/main.c:287
#10 0x00000ae8a1a2e357 in main (argc=7, argv=0x7f7ffffe9b18, envp=0x7f7ffffe9b58)
    at /home/mkucharski/openbsd/xenocara/xserver/dix/stubmain.c:34
(gdb) list /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3759
3754
3755                                            assert(box->x1 >= 0);
3756                                            assert(box->y1 >= 0);
3757
3758                                            *(uint64_t *)&b[0] = hdr;
3759                                            *(uint64_t *)&b[2] = *(const uint64_t *)box;
3760                                            *(uint64_t *)(b+4) =
3761                                                    kgem_add_reloc64(kgem, kgem->nbatch + 4, dst_bo,
3762                                                                     I915_GEM_DOMAIN_RENDER << 16 |
3763                                                                     I915_GEM_DOMAIN_RENDER |

...

(gdb) print box
$2 = (const BoxRec *) 0xaeb63870000
(gdb) print *(const uint64_t *)box
Cannot access memory at address 0xaeb63870000

...

(gdb) print *(const uint64_t *) 0xaeb63870000
Cannot access memory at address 0xaeb63870000
(gdb) print *(const uint64_t *) 0xaeb63868010
$5 = 568481871298560

What I see in the above backtrace: inside sna_blt_copy_boxes() box=0xaeb63870000,
however in no_render_copy_boxes() box=0xaeb63868010, and that results in an Xorg
crash when accessing the box variable.

(gdb) bt
#0  0x00000aeb3630ff3a in sna_blt_copy_boxes (sna=0xaeb33262000, alu=3 '\003', src_bo=0xaeb79f86400, src_dx=0, src_dy=0,
    dst_bo=0xaeb79f8a200, dst_dx=0, dst_dy=0, bpp=32, box=0xaeb63870000, nbox=0)
                                                      ^^^^^^^^^^^^^^^^^
    at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3759
#1  0x00000aeb363544e9 in no_render_copy_boxes (sna=0xaeb33262000, alu=3 '\003', src=0xaeb7ab1b080, src_bo=0xaeb79f86400, src_dx=0,
    src_dy=0, dst=0xaeb7ab1b080, dst_bo=0xaeb79f8a200, dst_dx=0, dst_dy=0, box=0xaeb63868010, n=2038, flags=0)
                                                                           ^^^^^^^^^^^^^^^^^
    at /home/mkucharski/openbsd/xenocara/driver/xf86-video-intel/src/sna/sna_render.c:137
...


Yesterday I compiled e5ff8e1828f97891c819c919d7115c6e18b2eb1f from
https://gitlab.freedesktop.org/xorg/driver/xf86-video-intel.git and the only
problem on the way was bugzilla id 109268 (byteswap.h not available on OpenBSD),
and the crash is gone with the latest code of the xf86-video-intel driver.

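The pointer comparison made in the comment above can be checked mechanically. The following is an added example, not part of the original post or of the xf86-video-intel code: it parses frames #0 and #1 of the backtrace and tests whether the callee's box pointer still lies inside the caller's array of n boxes. It assumes one BoxRec is 8 bytes (the listing copies a box as a single uint64_t) and a 4096-byte page; parse_frames and check_bounds are hypothetical helper names.

```python
import re

# Frames #0 and #1 from the backtrace in the post, each joined onto one line.
BT = r"""
#0  0x00000aeb3630ff3a in sna_blt_copy_boxes (sna=0xaeb33262000, alu=3 '\003', src_bo=0xaeb79f86400, src_dx=0, src_dy=0, dst_bo=0xaeb79f8a200, dst_dx=0, dst_dy=0, bpp=32, box=0xaeb63870000, nbox=0)
#1  0x00000aeb363544e9 in no_render_copy_boxes (sna=0xaeb33262000, alu=3 '\003', src=0xaeb7ab1b080, src_bo=0xaeb79f86400, src_dx=0, src_dy=0, dst=0xaeb7ab1b080, dst_bo=0xaeb79f8a200, dst_dx=0, dst_dy=0, box=0xaeb63868010, n=2038, flags=0)
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \((.*)\)", re.M)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+|-?\d+)")

BOX_SIZE = 8      # assumption: sizeof(BoxRec), four 16-bit coordinates
PAGE_SIZE = 4096  # assumption: page size of the crashing machine


def parse_frames(bt):
    """Return {frame_number: (function, {arg_name: int_value})}."""
    frames = {}
    for num, func, args in FRAME_RE.findall(bt):
        values = {name: int(val, 0) for name, val in ARG_RE.findall(args)}
        frames[int(num)] = (func, values)
    return frames


def check_bounds(caller, callee, ptr="box", count="n", elem_size=BOX_SIZE):
    """Compare the callee's current pointer with the caller's array extent."""
    base, n, cur = caller[ptr], caller[count], callee[ptr]
    end = base + n * elem_size  # one past the last valid element
    return {
        "offset_elems": (cur - base) // elem_size,  # elements walked so far
        "valid_elems": n,
        "overrun_bytes": max(0, cur - end),
        "in_bounds": base <= cur < end,  # a read at cur needs cur < end
        "page_aligned": cur % PAGE_SIZE == 0,
    }


if __name__ == "__main__":
    frames = parse_frames(BT)
    caller, callee = frames[1], frames[0]
    print(callee[0], "called from", caller[0])
    for key, value in check_bounds(caller[1], callee[1]).items():
        print(f"  {key}: {value}")
```

With the values from the post, the faulting pointer is 4094 boxes past the start of a 2038-box array and sits exactly on a page boundary, which matches gdb's "Cannot access memory" at that address.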