[Spice-devel] repeatable xorg qxl crash inside qxl_image_create()
Dominique Rodrigues
dominique.rodrigues at nanocloud.com
Tue May 13 13:59:28 PDT 2014
Which version of qemu-kvm do you use? 2.0?
Dominique
On 13/05/2014 22:01, David Mansfield wrote:
> Hi All:
>
> I'd like help tracking down the solution to a very repeatable xorg
> crash. I can cause the crash by either:
>
> 1) logging in and opening the second monitor without having removed
> ~/.config/monitors.xml first.
>
> 2) using "shutter" (screen capture utility) to capture a "selection"
>
> I have a few coredumps with what seem like valid backtraces. (see
> below for an example).
>
> The xorg crash is caused by an assert happening in frame #4,
> function qxl_bo_output_bo_reloc():
>
> if (qxl->cmds.n_reloc_bos >= MAX_RELOCS || qxl->cmds.n_relocs >= MAX_RELOCS)
>     assert(0);
>
> According to GDB, both n_reloc_bos = 96 and n_relocs = 96.
> (MAX_RELOCS=96).
>
> It seems that the "loop" in qxl_image_create (qxl_image.c) is
> "chunking" the create into pieces no bigger than "chunk_size" and
> that this size is not big enough (or MAX_RELOCS is too small).
>
> From GDB (inside qxl_image_create() on or about line 174):
>
> (gdb) print h
> $13 = 31
> (gdb) print height
> $14 = 847
> (gdb) print chunk_size
> $15 = 262144
> (gdb) print n_lines
> $16 = 17
>
> So we have 31 lines left to go (out of 847), and we're copying 17
> lines at a time. Close but no cigar.
>
> Is the fix to increase the chunk_size or to increase MAX_RELOCS or is
> something else broken here?
>
> FYI: I'm running F20 fully updated guest, host and client (all same
> box). I'm running "dual head" 1920x1200 (3840x1200 total FB resolution).
>
> Thanks,
> David Mansfield
> Cobite, INC.
>
> Thread 1 (Thread 0x7f35578169c0 (LWP 1256)):
> #0 0x0000003810c35c39 in __GI_raise (sig=sig@entry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> resultvar = 0
> pid = 1256
> selftid = 1256
> #1 0x0000003810c37348 in __GI_abort () at abort.c:89
> save_stage = 2
> act = {__sigaction_handler = {sa_handler = 0x7fff57866f2a,
> sa_sigaction = 0x7fff57866f2a}, sa_mask = {__val = {240800730995,
> 139867066025450, 482, 4294967295, 240799384819, 4,
> 140734661805968, 49, 0, 140734661806112, 0, 0, 0, 21474836480,
> 139867078164480, 240800742792}}, sa_flags = 1456027411,
> sa_restorer = 0x7f3556c94720 <__PRETTY_FUNCTION__.25149>}
> sigs = {__val = {32, 0 <repeats 15 times>}}
> #2 0x0000003810c2eb96 in __assert_fail_base (fmt=0x3810d7bd88
> "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
> assertion=assertion@entry=0x7f3556c93713 "0",
> file=file@entry=0x7f3556c945ea "qxl_kms.c", line=line@entry=482,
> function=function@entry=0x7f3556c94720 <__PRETTY_FUNCTION__.25149>
> "qxl_bo_output_bo_reloc") at assert.c:92
> str = 0x2832860 ""
> total = 4096
> #3 0x0000003810c2ec42 in __GI___assert_fail
> (assertion=assertion@entry=0x7f3556c93713 "0",
> file=file@entry=0x7f3556c945ea "qxl_kms.c",
> line=line@entry=482, function=function@entry=0x7f3556c94720
> <__PRETTY_FUNCTION__.25149> "qxl_bo_output_bo_reloc") at assert.c:101
> No locals.
> #4 0x00007f3556c80005 in qxl_bo_output_bo_reloc (qxl=<optimized out>,
> dst_offset=<optimized out>, _dst_bo=<optimized out>,
> _src_bo=<optimized out>) at qxl_kms.c:482
> qxl = <optimized out>
> dst_offset = <optimized out>
> _dst_bo = <optimized out>
> _src_bo = <optimized out>
> dst_bo = <optimized out>
> src_bo = <optimized out>
> r = <optimized out>
> #5 0x00007f3556c76e31 in qxl_image_create (qxl=qxl@entry=0x2226900,
> data=0x39338a0 "", data@entry=0x2d3f8a0 "", x=x@entry=0, y=y@entry=0,
> width=width@entry=3840, height=height@entry=847,
> stride=stride@entry=15360, Bpp=4, fallback=fallback@entry=0) at
> qxl_image.c:174
> chunk_size = 262144
> n_lines = 17
> bo = 0x2621080
> chunk = 0x7f354fc1c000
> hash = <optimized out>
> image = <optimized out>
> head_bo = 0x2668620
> tail_bo = 0x2621030
> image_bo = <optimized out>
> dest_stride = 15360
> h = 31
> #6 0x00007f3556c77546 in qxl_surface_put_image_for_reals
> (dest=dest@entry=0x2244fb0, x=x@entry=0, y=y@entry=162,
> width=width@entry=3840,
> height=height@entry=847, src=src@entry=0x2d3f8a0 "",
> src_pitch=src_pitch@entry=15360) at qxl_surface.c:794
> drawable_bo = 0x26204a0
> drawable = <optimized out>
> qxl = 0x2226900
> rect = {top = 162, left = 0, bottom = 1009, right = 3840}
> image_bo = <optimized out>
> #7 0x00007f3556c7888c in qxl_surface_put_image (dest=0x2244fb0, x=0,
> y=162, width=<optimized out>, height=<optimized out>,
> src=0x2d3f8a0 "", src_pitch=15360) at qxl_surface.c:824
> gross = 847
> h2 = 191
> use_hack = 1
> #8 0x00007f3556c84c6d in uxa_copy_n_to_n
> (pSrcDrawable=pSrcDrawable@entry=0x2ae0040, pDstDrawable=0x283e120,
> pGC=0x266c110,
> pbox=0x2a50358, pbox@entry=0x2a50350, nbox=0, nbox@entry=2,
> dx=dx@entry=0, dy=dy@entry=0, reverse=0, upsidedown=0,
> bitplane=bitplane@entry=0, closure=0x0) at uxa-accel.c:582
> stride = <optimized out>
> bpp = 4
> src = <optimized out>
> screen = 0x2230280
> src_off_x = 0
> src_off_y = 0
> dst_off_x = 0
> dst_off_y = 0
> pSrcPixmap = <optimized out>
> pDstPixmap = 0x226a580
> src_region = {extents = {x1 = 32, y1 = 0, x2 = 0, y2 = 0},
> data = 0x48000000e00}
> dst_region = {extents = {x1 = 1, y1 = 0, x2 = 0, y2 = 0}, data
> = 0x40000002}
> __FUNCTION__ = "uxa_copy_n_to_n"
> #9 0x00000000005818ed in miCopyRegion
> (pSrcDrawable=pSrcDrawable@entry=0x2ae0040,
> pDstDrawable=pDstDrawable@entry=0x283e120,
> pGC=pGC@entry=0x266c110,
> pDstRegion=pDstRegion@entry=0x7fff57864cb0, dx=dx@entry=0, dy=dy@entry=0,
> copyProc=copyProc@entry=0x7f3556c84650 <uxa_copy_n_to_n>,
> bitPlane=bitPlane@entry=0, closure=closure@entry=0x0) at micopy.c:121
> careful = <optimized out>
> reverse = <optimized out>
> upsidedown = <optimized out>
> pbox = 0x2a50350
> nbox = 2
> pboxNew1 = <optimized out>
> pboxNew2 = 0x0
> pboxBase = <optimized out>
> pboxNext = <optimized out>
> pboxTmp = <optimized out>
> #10 0x0000000000581eb0 in miDoCopy (pSrcDrawable=0x2ae0040,
> pDstDrawable=0x283e120, pGC=0x266c110, xIn=0, yIn=0, widthSrc=3840,
> heightSrc=heightSrc@entry=1200, xOut=xOut@entry=0,
> yOut=yOut@entry=0, copyProc=copyProc@entry=0x7f3556c84650
> <uxa_copy_n_to_n>,
> bitPlane=bitPlane@entry=0, closure=closure@entry=0x0) at micopy.c:297
> prgnSrcClip = 0x0
> freeSrcClip = 0
> prgnExposed = 0x0
> rgnDst = {extents = {x1 = 0, y1 = 0, x2 = 3840, y2 = 1200},
> data = 0x2a50340}
> dx = 0
> dy = 0
> box_x1 = <optimized out>
> box_y1 = <optimized out>
> box_x2 = <optimized out>
> box_y2 = <optimized out>
> fastSrc = <optimized out>
> fastDst = <optimized out>
> fastExpose = <optimized out>
> #11 0x00007f3556c839be in uxa_copy_area (pSrcDrawable=<optimized out>,
> pDstDrawable=<optimized out>, pGC=<optimized out>,
> srcx=<optimized out>, srcy=<optimized out>, width=<optimized out>,
> height=1200, dstx=0, dsty=0) at uxa-accel.c:642
> dsty = 0
> srcx = <optimized out>
> pSrcDrawable = <optimized out>
> dstx = 0
> height = 1200
> width = <optimized out>
> srcy = <optimized out>
> pGC = <optimized out>
> pDstDrawable = <optimized out>
> #12 0x00000000004361c6 in ProcCopyArea (client=0x2612d30) at
> dispatch.c:1626
> pDst = 0x283e120
> pSrc = 0x2ae0040
> pGC = 0x266c110
> stuff = 0x293c3ac
> pRgn = <optimized out>
> rc = <optimized out>
> #13 0x000000000043a327 in Dispatch () at dispatch.c:432
> clientReady = 0x24a9c70
> result = <optimized out>
> client = 0x2612d30
> nready = 0
> icheck = 0x822670 <checkForInput>
> start_tick = 740
> #14 0x00000000004288da in main (argc=12, argv=0x7fff57864f68,
> envp=<optimized out>) at main.c:298
> i = <optimized out>
> alwaysCheckForInput = {0, 1}
>
--
Dominique Rodrigues
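
The numbers in the quoted report can be checked with a small model of the chunk loop. This is an added example, not code from the thread or from the qxl driver. It assumes two relocations per chunk and an empty relocation table at the start of the image, neither of which the thread states; under those assumptions the table fills with exactly 31 lines left, the value of h in the gdb session.

```c
#include <stdio.h>

#define MAX_RELOCS 96   /* value reported in the post */

/* Lines copied per chunk: chunk_size / stride, capped by the lines left. */
static int lines_per_chunk(int chunk_size, int stride, int h)
{
    int n = chunk_size / stride;
    if (n < 1)
        n = 1;          /* guard for this model only: always make progress */
    return n < h ? n : h;
}

/* Chunks the loop needs to cover the whole image. */
int chunks_needed(int height, int stride, int chunk_size)
{
    int chunks = 0;
    for (int h = height; h > 0; h -= lines_per_chunk(chunk_size, stride, h))
        chunks++;
    return chunks;
}

/* Walk the loop against the relocation table. relocs_per_chunk is an
 * ASSUMPTION of this model; the table is assumed empty at the start.
 * Returns the lines still left when the table is full (the point where
 * the reported assert would fire), or 0 if the whole image fits. */
int lines_left_when_full(int height, int stride, int chunk_size,
                         int relocs_per_chunk)
{
    int used = 0;
    for (int h = height; h > 0; h -= lines_per_chunk(chunk_size, stride, h))
        for (int r = 0; r < relocs_per_chunk; r++) {
            if (used >= MAX_RELOCS)
                return h;
            used++;
        }
    return 0;
}

int main(void)
{
    /* Values from the gdb session: height 847, stride 15360, chunk_size 262144. */
    printf("chunks needed: %d\n", chunks_needed(847, 15360, 262144));
    printf("lines left when table is full: %d\n",
           lines_left_when_full(847, 15360, 262144, 2));
    return 0;
}
```

Under the same assumptions, 48 chunks of 17 lines (816 lines) is the tallest image of this stride that fits in the table, while the 847-line image needs 50 chunks.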