[Mesa-dev] Crash in iris_bufmgr.c
Mathias Fröhlich
Mathias.Froehlich at gmx.net
Thu May 30 05:30:45 UTC 2019
Hi Kenneth,
since your recent changes, I get a zero pointer dereference in
alloc_bo_from_cache on one workload here:
What I get is:
Thread 2 "" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffef776700 (LWP 20924)]
list_del (item=0x7fffe8ae4020) at ../src/util/list.h:91
91 item->prev->next = item->next;
(gdb) p item->prev
$1 = (struct list_head *) 0x0
(gdb) where
#0 list_del (item=0x7fffe8ae4020) at ../src/util/list.h:91
#1 0x00007ffff469072f in alloc_bo_from_cache (bufmgr=0x4d8370, bucket=0x4d8418, memzone=IRIS_MEMZONE_OTHER, flags=0, match_zone=true)
at ../src/gallium/drivers/iris/iris_bufmgr.c:387
[...]
I think the reason is that you use list_for_each_entry_safe in
alloc_bo_from_cache in the outer loop and store a pointer to
the next list entry. But when you call into iris_bo_cache_purge_bucket
from inside that loop, the function body there may walk the same list
node as __next from list_for_each_entry_safe in alloc_bo_from_cache
points to and may zero the list pointers out.
You may know best how to fix that.
Best and thanks,
Mathias
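The failure mode described in the mail, reproduced as an added C example that is not part of the mailing-list post and not Mesa's own iris_bufmgr.c: a list walk with a `_safe` iterator captures `__next` one step ahead, a callee invoked from inside the walk unlinks (and in real code frees) that very node, and the next iteration then calls `list_del()` on a node whose `prev` has already been poisoned to NULL, which is exactly the `item->prev->next` dereference in the backtrace. The list helpers are a stand-in with the same shape as `src/util/list.h` (the real header is not used), `purge_bucket` and the `struct bo` fields are assumptions standing in for the cache purge, and the three-entry bucket is constructed data. The buggy walk checks for the poisoned link and returns -1 where the real code would crash; the hardened walk restarts from the list head after any mutation instead of trusting the captured `__next`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Mesa's src/util/list.h (assumption: same shape, not the real
 * header). list_del poisons the unlinked node, as the backtrace shows. */
struct list_head { struct list_head *prev, *next; };

static void list_inithead(struct list_head *h) { h->prev = h; h->next = h; }

static void list_addtail(struct list_head *item, struct list_head *h)
{
   item->next = h;
   item->prev = h->prev;
   h->prev->next = item;
   h->prev = item;
}

static void list_del(struct list_head *item)
{
   item->prev->next = item->next;   /* list.h:91 in the report: NULL prev faults here */
   item->next->prev = item->prev;
   item->prev = NULL;
   item->next = NULL;
}

/* uintptr_t arithmetic so a poisoned NULL link maps to NULL without pointer UB. */
#define list_entry(ptr, type, member) \
   ((type *)((uintptr_t)(ptr) - offsetof(type, member)))

/* Same structure as Mesa's macro: __next is captured one step ahead of pos. */
#define list_for_each_entry_safe(type, pos, head, member)                \
   for (type *pos = list_entry((head)->next, type, member),              \
             *__next = list_entry(pos->member.next, type, member);       \
        &pos->member != (head);                                          \
        pos = __next, __next = list_entry(__next->member.next, type, member))

enum zone { ZONE_A, ZONE_B };

struct bo {                 /* assumed stand-in for a cached buffer object */
   struct list_head head;   /* kept first so a poisoned link maps to NULL */
   int id;
   enum zone zone;
   bool stale;              /* purge candidate */
   bool freed;              /* stands in for free(): a real purge returns the memory */
};

/* Constructed bucket: bo1 is stale and sits right after bo0. */
static struct bo pool[3];
static struct list_head bucket;

static void build_bucket(void)
{
   list_inithead(&bucket);
   pool[0] = (struct bo){ .id = 0, .zone = ZONE_A };
   pool[1] = (struct bo){ .id = 1, .zone = ZONE_B, .stale = true };
   pool[2] = (struct bo){ .id = 2, .zone = ZONE_B };
   for (int i = 0; i < 3; i++)
      list_addtail(&pool[i].head, &bucket);
}

/* Stand-in for the purge: unlinks and "frees" every stale entry. This is the
 * idiomatic use of the _safe macro, since it only ever deletes cur itself. */
static int purge_bucket(void)
{
   int n = 0;
   list_for_each_entry_safe(struct bo, cur, &bucket, head) {
      if (cur->stale) { list_del(&cur->head); cur->freed = true; n++; }
   }
   return n;
}

static int bucket_length(void)
{
   int n = 0;
   for (struct list_head *p = bucket.next; p != &bucket; p = p->next) n++;
   return n;
}

/* Buggy pattern from the report: the purge runs inside the walk, so the
 * captured __next may already be unlinked. Returns the chosen id, -2 if
 * nothing matches, or -1 where the real code would call list_del and crash. */
static int alloc_from_bucket_buggy(enum zone want)
{
   list_for_each_entry_safe(struct bo, cur, &bucket, head) {
      if (cur->zone != want) { purge_bucket(); continue; }  /* may unlink __next */
      if (cur->head.prev == NULL)
         return -1;                /* crash site in the report: poisoned node */
      list_del(&cur->head);
      return cur->id;
   }
   return -2;
}

/* Hardened variant: any mutation invalidates the walk, so restart from the head. */
static int alloc_from_bucket_safe(enum zone want)
{
restart:
   list_for_each_entry_safe(struct bo, cur, &bucket, head) {
      if (cur->zone != want) {
         if (purge_bucket() > 0) goto restart;
         continue;
      }
      list_del(&cur->head);
      return cur->id;
   }
   return -2;
}

/* Rebuilds the constructed bucket and runs one walk looking for ZONE_B. */
static int run_walk(bool hardened)
{
   build_bucket();
   return hardened ? alloc_from_bucket_safe(ZONE_B) : alloc_from_bucket_buggy(ZONE_B);
}

int main(void)
{
   printf("buggy walk: %d\n", run_walk(false));                 /* -1: stale iterator */
   printf("safe walk: %d, %d left\n", run_walk(true), bucket_length());  /* 2, 1 left */
   return 0;
}
```

The general rule the example illustrates: `list_for_each_entry_safe` only protects against removing the current node; it gives no protection when a callee may remove other nodes of the same list. Either keep such callees out of the loop (purge before walking), or treat any mutation as invalidating the walk and restart it, as the hardened variant does.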