[Intel-gfx] KMS libdrm crash

Peter Clifton pcjc2 at cam.ac.uk
Sat Jan 2 15:14:30 CET 2010 

Hi guys,

I know this belongs in a bug report, but lets first figure out what /
where the fault lies.. then I might be able to figure out where to file
it.

I've BCC'd ubuntu-x, as I'm testing their "xorg-edgers" stuff, and
wanted them to be aware of this, but don't think they need to remain on
the 'CC list for all replies.


I've been seeing intermittent crashes on X start-up with the latest
code. (GM45)

git HEAD 2D driver, libdrm, and "drm-intel-next" branch from
git://git.kernel.org/pub/scm/linux/kernel/git/anholt/drm-intel

(Is this the right place to get the latest from?)..


Anyway.. I managed to persuade apport to get a retrace. (It was
uncooperative at first though).

This is the backtrace:


#0  drmmode_ConvertFromKMode (scrn=<value optimised out>, kmode=0x0, 
    mode=0x87b0554) at ../../src/drmmode_display.c:240
240		mode->Clock = kmode->clock;
(gdb) #
(gdb) bt
#0  drmmode_ConvertFromKMode (scrn=<value optimised out>, kmode=0x0, mode=0x87b0554) at ../../src/drmmode_display.c:240
#1  0x001cc335 in drmmode_output_get_modes (output=0x87ab5e8) at ../../src/drmmode_display.c:836
#2  0x080cbb56 in xf86ProbeOutputModes (scrn=0x8797c88, maxX=8192, maxY=8192) at ../../../../hw/xfree86/modes/xf86Crtc.c:1607
#3  0x080cc551 in xf86InitialConfiguration (scrn=0x8797c88, canGrow=1) at ../../../../hw/xfree86/modes/xf86Crtc.c:2358
#4  0x001cdfd3 in drmmode_pre_init (scrn=0x8797c88, fd=9, cpp=4) at ../../src/drmmode_display.c:1417
#5  0x001b3455 in I830DrmModeInit (scrn=0x8797c88, flags=<value optimised out>) at ../../src/i830_driver.c:779
#6  I830PreInit (scrn=0x8797c88, flags=<value optimised out>) at ../../src/i830_driver.c:910
#7  0x080b6fa8 in InitOutput (pScreenInfo=0x81fd460, argc=8, argv=0xbfeb0ed4) at ../../../../hw/xfree86/common/xf86Init.c:841
#8  0x08066b3b in main (argc=8, argv=0xbfeb0ed4, envp=0xbfeb0ef8) at ../../dix/main.c:205

Looking at frame 1, 

(gdb) frame 1
(gdb) print *koutput
$2 = {connector_id = 15, encoder_id = 0, connector_type = 6, 
  connector_type_id = 1, connection = DRM_MODE_CONNECTED, mmWidth = 0, 
  mmHeight = 0, subpixel = DRM_MODE_SUBPIXEL_UNKNOWN, count_modes = 4, 
  modes = 0x0, count_props = 7, props = 0x8798438, prop_values = 0x87ab8e8, 
  count_encoders = 1, encoders = 0x87ab280}

We see that the "modes" list is NULL, but count_modes is 4. That is why
the crash occurs when we access the modes array.

Having instrumented the drmmode_output_get_modes() function, I
discovered that in some cases the first call to the
DRM_IOCTL_MODE_GETCONNECTOR ioctl indeed returns count_modes = 0, so no
memory is allocated for modes to be returned.

Upon the subsequent ioctl to fill in the details, magically the drm
driver can now find some modes - and it returns a positive mode count.
Since no memory was allocated to store them, it can't return the data.


So.. looks like libdrm / kernel code assume the mode list doesn't change
between ioctls - it clearly does -> BUG.

Or.. should it not change?


On this machine, I get intermittent (false) detection of TV-out modes,
in spite having no TV connected. Just running xrandr 10 times in a row
gave many different outputs, e.g.:

---------------------------
TV1 disconnected (normal left inverted right x axis y axis)
---------------------------
TV1 connected 1360x768+1680+0 (normal left inverted right x axis y axis)
0mm x 0mm
   1360x768       59.8* 
   1152x864       60.0  
   1024x768       60.0  
   800x600        60.3  
   640x480        59.9  
---------------------------
TV1 connected 848x480+1680+0 (normal left inverted right x axis y axis)
0mm x 0mm
   848x480        30.0*+
   640x480        30.0 +
   1024x768       30.0  
   800x600        30.0  
---------------------------
TV1 disconnected (normal left inverted right x axis y axis)
  848x480 (0x12d)   14.5MHz
        h: width   848 start  849 end  912 total  944 skew    0 clock   15.4KHz
        v: height  480 start  481 end  512 total  513           clock   30.0Hz
---------------------------


This is clearly also a bug, but it would seem that there is still an
issue with the DRM_IOCTL_MODE_GETCONNECTOR ioctl.

Is there anything I can do to debug this further?
Disable the TV-out port temporarily to avoid the crashes?
(For now I just patched libdrm to be smarter about not crashing).

Make TV out detection more robust? (Is that the correct fix, or does it
still leave a race condition?)

Let me know what other details you want.


Best regards

Peter Clifton.

More information about the Intel-gfx mailing list