<html> <head> <base href="https://bugs.freedesktop.org/"> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - Crash in st_renderbuffer_delete()" href="https://bugs.freedesktop.org/show_bug.cgi?id=107508">107508</a> </td> </tr> <tr> <th>Summary</th> <td>Crash in st_renderbuffer_delete() </td> </tr> <tr> <th>Product</th> <td>Mesa </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Component</th> <td>Mesa core </td> </tr> <tr> <th>Assignee</th> <td>mesa-dev@lists.freedesktop.org </td> </tr> <tr> <th>Reporter</th> <td>fourdan@xfce.org </td> </tr> <tr> <th>QA Contact</th> <td>mesa-dev@lists.freedesktop.org </td> </tr></table> <p> <div> <pre>Created <span class=""><a href="attachment.cgi?id=140994" name="attach_140994" title="Simple reproducer program">attachment 140994</a> <a href="attachment.cgi?id=140994&action=edit" title="Simple reproducer program">[details]</a></span> Simple reproducer program Description: Some X11/GLX clients can cause a crash of the Xserver in Mesa code. How reproducible: Always Steps to reproduce: 1. Run a Xephyr Xserver wit hglamor enabled: $ Xephyr -glamor :12 2. Save and build the attached reproducer: $ gcc -g gl3.cxx -o gl3 $(pkg-config --cflags --libs x11) -lGL -lGLU (this is based on <a href="https://www.khronos.org/opengl/wiki/Tutorial:_OpenGL_3.0_Context_Creation_(GLX">https://www.khronos.org/opengl/wiki/Tutorial:_OpenGL_3.0_Context_Creation_(GLX</a>) modified to use indirect contexts) 3. Run the reproducer against the Xephyr display: $ DISPLAY=:12 ./gl3 Actual result: Crash of the Xserver in Mesa code because of a NULL pointer dereference (see below). Expected result: No crash Additional data: This is not a new issue and it seems it's been around for quite some time, yet it's fairly rare to trigger because it involves trying to use an indirect GLX context. One noticeable occurrence of this issue is "Slack" being run from "snap": <a href="https://bugzilla.redhat.com/1611140">https://bugzilla.redhat.com/1611140</a> <a href="https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1762971">https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1762971</a> <a href="https://bugs.launchpad.net/ubuntu/+source/mesa/+bug/1754693">https://bugs.launchpad.net/ubuntu/+source/mesa/+bug/1754693</a> etc. I posted a (simple) patch that fixes the issue here: <a href="https://patchwork.freedesktop.org/series/47617/">https://patchwork.freedesktop.org/series/47617/</a> But wanted to get a bit further in my investigation and possibly come up with a simple[r] reproducer (see “Steps to reproduce” above). Crash occurs in `st_renderbuffer_delete()` because cts->st in NULL: Thread 1 "Xephyr" received signal SIGSEGV, Segmentation fault. in st_renderbuffer_delete () at state_tracker/st_cb_fbo.c:241 241 pipe_surface_release(st->pipe, &strb->surface_srgb); (gdb) bt #0 0x00007fffe73054d0 in st_renderbuffer_delete (ctx=0x9c6020, rb=0xfc7320) at state_tracker/st_cb_fbo.c:241 #1 0x00007fffe726a931 in _mesa_reference_renderbuffer_ (ptr=ptr@entry=0xfc6fd8, rb=rb@entry=0x0) at main/renderbuffer.c:212 #2 0x00007fffe71f96ca in _mesa_reference_renderbuffer (rb=0x0, ptr=0xfc6fd8) at main/renderbuffer.h:72 #3 _mesa_free_framebuffer_data (fb=fb@entry=0xfc6e90) at main/framebuffer.c:229 #4 0x00007fffe71f971e in _mesa_destroy_framebuffer (fb=0xfc6e90) at main/framebuffer.c:207 #5 0x00007fffe71f97c9 in _mesa_reference_framebuffer_ (ptr=ptr@entry=0xe3d4b0, fb=fb@entry=0x0) at main/framebuffer.c:265 #6 0x00007fffe7160782 in _mesa_reference_framebuffer (fb=0x0, ptr=0xe3d4b0) at main/framebuffer.h:63 #7 _mesa_free_context_data (ctx=ctx@entry=0xe3d3a0) at main/context.c:1326 #8 0x00007fffe7311ef5 in st_destroy_context (st=0xfc0eb0) at state_tracker/st_context.c:653 #9 0x00007fffe74e9cb9 in dri_destroy_context () at dri_context.c:239 #10 0x00007fffe74e8c43 in driDestroyContext (pcp=0x895430) at dri_util.c:524 #11 0x00000000005110c9 in __glXDRIcontextDestroy (baseContext=0x895360) at glxdriswrast.c:132 #12 0x000000000050fe3b in __glXFreeContext (cx=0x895360) at glxext.c:190 #13 ContextGone (cx=0x895360, id=<optimized out>) at glxext.c:82 #14 0x0000000000468f7d in doFreeResource (res=0xfc6bc0, skip=0) at resource.c:880 #15 0x0000000000469be5 in FreeResourceByType (id=<optimized out>, type=<optimized out>, skipFree=<optimized out>) at resource.c:941 #16 0x0000000000514fa1 in __glXDisp_DestroyContext (cl=<optimized out>, pc=0xdd9440 "\225\004\002") at glxcmds.c:437 #17 0x000000000052ebc8 in dispatch_DestroyContext (client=0xadbf70) at vnd_dispatch_stubs.c:86 #18 0x00000000004450e0 in Dispatch () at dispatch.c:478 #19 0x0000000000448fe6 in dix_main (argc=3, argv=0x7fffffffced8, envp=<optimized out>) at main.c:276 #20 0x00007ffff32b024b in __libc_start_main () from /lib64/libc.so.6 #21 0x000000000042ba5a in _start () at ephyrinit.c:51 (gdb) p st $1 = (struct st_context *) 0x0 That context `ctx=0x9c6020` with the `ctx->st` == `NULL` was created by glamor for the screen pixmap: Thread 1 "Xephyr" hit Breakpoint 3, _mesa_init_renderbuffer (rb=0xadc910, name=4294967295) at main/renderbuffer.c:41 41 GET_CURRENT_CONTEXT(ctx); (gdb) bt #0 _mesa_init_renderbuffer (rb=0xadc910, name=4294967295) at main/renderbuffer.c:41 #1 0x00007fffedec21bc in intel_new_renderbuffer (ctx=<optimized out>, name=4294967295) at intel_fbo.c:506 #2 0x00007fffedb1aa3b in _mesa_update_texture_renderbuffer (ctx=0x9c6020, fb=0xadd910, att=0xaddb68) at main/fbobject.c:459 #3 0x00007fffedb1dc90 in set_texture_attachment (layered=0 '\000', layer=0, level=0, texTarget=<optimized out>, texObj=0xab5630, att=0xaddb68, fb=0xadd910, ctx=0x9c6020) at main/fbobject.c:528 #4 _mesa_framebuffer_texture (ctx=0x9c6020, fb=0xadd910, attachment=36064, att=0xaddb68, texObj=0xab5630, textarget=<optimized out>, level=<optimized out>, layer=<optimized out>, layered=<optimized out>) at main/fbobject.c:3516 #5 0x00007fffedb1e017 in framebuffer_texture_with_dims (dims=dims@entry=2, target=<optimized out>, attachment=36064, textarget=3553, texture=<optimized out>, level=0, layer=0, caller=0x7fffee1a084f "glFramebufferTexture2D") at main/fbobject.c:3614 #6 0x00007fffedb1e2d4 in _mesa_FramebufferTexture2D (target=<optimized out>, attachment=<optimized out>, textarget=<optimized out>, texture=<optimized out>, level=<optimized out>) at main/fbobject.c:3652 #7 0x00000000004ae23d in glamor_pixmap_ensure_fb (glamor_priv=glamor_priv@entry=0xa0a760, fbo=fbo@entry=0xad9ea0) at glamor_fbo.c:59 #8 0x00000000004ae5fb in glamor_create_fbo_from_tex (glamor_priv=glamor_priv@entry=0xa0a760, w=w@entry=640, h=h@entry=480, format=format@entry=6408, tex=1, flag=flag@entry=261) at glamor_fbo.c:112 #9 0x00000000004ae64d in glamor_create_fbo (glamor_priv=glamor_priv@entry=0xa0a760, w=w@entry=640, h=h@entry=480, format=format@entry=6408, flag=flag@entry=261) at glamor_fbo.c:166 #10 0x00000000004956c1 in glamor_create_pixmap (screen=0x869fe0, w=640, h=480, depth=24, usage=261) at glamor.c:222 #11 0x0000000000431d20 in ephyr_glamor_create_screen_resources (pScreen=pScreen@entry=0x869fe0) at hostx.c:1623 #12 0x000000000042ce06 in ephyrCreateResources (pScreen=0x869fe0) at ephyr.c:729 #13 0x0000000000448ea9 in dix_main (argc=3, argv=0x7fffffffced8, envp=<optimized out>) at main.c:213 #14 0x00007ffff32b024b in __libc_start_main () from /lib64/libc.so.6 #15 0x000000000042ba5a in _start () at ephyrinit.c:51</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> <li>You are the QA Contact for the bug.</li> </ul> </body> </html>