[Spice-devel] repeatable xorg qxl crash inside qxl_image_create()

David Mansfield spice at dm.cobite.com
Tue May 13 14:28:38 PDT 2014 

On 05/13/2014 04:59 PM, Dominique Rodrigues wrote:
> Which version of qemu-kvm do you use ? 2.0 ?
>

All packages are F20 standard:

qemu-kvm-1.6.2-4.fc20.x86_64

However, the crash happens in the xorg package, which is:

xorg-x11-drv-qxl-0.1.1-3.fc20.x86_64


> Le 13/05/2014 22:01, David Mansfield a écrit :
>> Hi All:
>>
>> I'd like help tracking down the solution to a very repeatable xorg 
>> crash.  I can cause the crash by either:
>>
>> 1) logging in and opening the second monitor without having removed 
>> ~/.config/monitors.xml first.
>>
>> 2) using "shutter" (screen capture utility) to capture a "selection"
>>
>> I have a few coredumps with what seem like valid backtraces. (see 
>> below for an example).
>>
>> The xorg crash is caused by an assert is happening in frame#4, 
>> function qxl_bo_output_bo_reloc():
>>
>>     if (qxl->cmds.n_reloc_bos >= MAX_RELOCS || qxl->cmds.n_relocs >= 
>> MAX_RELOCS)
>>       assert(0);
>>
>> According to GDB, both n_reloc_bos = 96 and n_relocs = 96. 
>> (MAX_RELOCS=96).
>>
>> It seems that the "loop" in qxl_image_create (qxl_image.c) is 
>> "chunking" the the create into pieces no bigger than "chunk_size" and 
>> that this size is not big enough (or MAX_RELOCS is too small).
>>
>> From GDB (inside qxl_image_create() on or about line 174):
>>
>> (gdb) print h
>> $13 = 31
>> (gdb) print height
>> $14 = 847
>> (gdb) print chunk_size
>> $15 = 262144
>> (gdb) print n_lines
>> $16 = 17
>>
>> So we have 31 lines left to go (out of 847), and we're copying 17 
>> lines at a time.  Close but no cigar.
>>
>> Is the fix to increase the chunk_size or to increase MAX_RELOCS or is 
>> something else broken here?
>>
>> FYI: I'm running F20 fully updated guest, host and client (all same 
>> box).  I'm running "dual head" 1920x1200 (3840x1200 total FB 
>> resolution).
>>
>> Thanks,
>> David Mansfield
>> Cobite, INC.
>>
>> Thread 1 (Thread 0x7f35578169c0 (LWP 1256)):
>> #0  0x0000003810c35c39 in __GI_raise (sig=sig at entry=6) at 
>> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
>>         resultvar = 0
>>         pid = 1256
>>         selftid = 1256
>> #1  0x0000003810c37348 in __GI_abort () at abort.c:89
>>         save_stage = 2
>>         act = {__sigaction_handler = {sa_handler = 0x7fff57866f2a, 
>> sa_sigaction = 0x7fff57866f2a}, sa_mask = {__val = {240800730995,
>>               139867066025450, 482, 4294967295, 240799384819, 4, 
>> 140734661805968, 49, 0, 140734661806112, 0, 0, 0, 21474836480,
>>               139867078164480, 240800742792}}, sa_flags = 1456027411, 
>> sa_restorer = 0x7f3556c94720 <__PRETTY_FUNCTION__.25149>}
>>         sigs = {__val = {32, 0 <repeats 15 times>}}
>> #2  0x0000003810c2eb96 in __assert_fail_base (fmt=0x3810d7bd88 
>> "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
>>     assertion=assertion at entry=0x7f3556c93713 "0", 
>> file=file at entry=0x7f3556c945ea "qxl_kms.c", line=line at entry=482,
>>     function=function at entry=0x7f3556c94720 
>> <__PRETTY_FUNCTION__.25149> "qxl_bo_output_bo_reloc") at assert.c:92
>>         str = 0x2832860 ""
>>         total = 4096
>> #3  0x0000003810c2ec42 in __GI___assert_fail 
>> (assertion=assertion at entry=0x7f3556c93713 "0", 
>> file=file at entry=0x7f3556c945ea "qxl_kms.c",
>>     line=line at entry=482, function=function at entry=0x7f3556c94720 
>> <__PRETTY_FUNCTION__.25149> "qxl_bo_output_bo_reloc") at assert.c:101
>> No locals.
>> #4  0x00007f3556c80005 in qxl_bo_output_bo_reloc (qxl=<optimized 
>> out>, dst_offset=<optimized out>, _dst_bo=<optimized out>,
>>     _src_bo=<optimized out>) at qxl_kms.c:482
>>         qxl = <optimized out>
>>         dst_offset = <optimized out>
>>         _dst_bo = <optimized out>
>>         _src_bo = <optimized out>
>>         dst_bo = <optimized out>
>>         src_bo = <optimized out>
>>         r = <optimized out>
>> #5  0x00007f3556c76e31 in qxl_image_create (qxl=qxl at entry=0x2226900, 
>> data=0x39338a0 "", data at entry=0x2d3f8a0 "", x=x at entry=0, y=y at entry=0,
>>     width=width at entry=3840, height=height at entry=847, 
>> stride=stride at entry=15360, Bpp=4, fallback=fallback at entry=0) at 
>> qxl_image.c:174
>>         chunk_size = 262144
>>         n_lines = 17
>>         bo = 0x2621080
>>         chunk = 0x7f354fc1c000
>>         hash = <optimized out>
>>         image = <optimized out>
>>         head_bo = 0x2668620
>>         tail_bo = 0x2621030
>>         image_bo = <optimized out>
>>         dest_stride = 15360
>>         h = 31
>> #6  0x00007f3556c77546 in qxl_surface_put_image_for_reals 
>> (dest=dest at entry=0x2244fb0, x=x at entry=0, y=y at entry=162, 
>> width=width at entry=3840,
>>     height=height at entry=847, src=src at entry=0x2d3f8a0 "", 
>> src_pitch=src_pitch at entry=15360) at qxl_surface.c:794
>>         drawable_bo = 0x26204a0
>>         drawable = <optimized out>
>>         qxl = 0x2226900
>>         rect = {top = 162, left = 0, bottom = 1009, right = 3840}
>>         image_bo = <optimized out>
>> #7  0x00007f3556c7888c in qxl_surface_put_image (dest=0x2244fb0, x=0, 
>> y=162, width=<optimized out>, height=<optimized out>,
>>     src=0x2d3f8a0 "", src_pitch=15360) at qxl_surface.c:824
>>         gross = 847
>>         h2 = 191
>>         use_hack = 1
>> #8  0x00007f3556c84c6d in uxa_copy_n_to_n 
>> (pSrcDrawable=pSrcDrawable at entry=0x2ae0040, pDstDrawable=0x283e120, 
>> pGC=0x266c110,
>>     pbox=0x2a50358, pbox at entry=0x2a50350, nbox=0, nbox at entry=2, 
>> dx=dx at entry=0, dy=dy at entry=0, reverse=0, upsidedown=0,
>>     bitplane=bitplane at entry=0, closure=0x0) at uxa-accel.c:582
>>         stride = <optimized out>
>>         bpp = 4
>>         src = <optimized out>
>>         screen = 0x2230280
>>         src_off_x = 0
>>         src_off_y = 0
>>         dst_off_x = 0
>>         dst_off_y = 0
>>         pSrcPixmap = <optimized out>
>>         pDstPixmap = 0x226a580
>>         src_region = {extents = {x1 = 32, y1 = 0, x2 = 0, y2 = 0}, 
>> data = 0x48000000e00}
>>         dst_region = {extents = {x1 = 1, y1 = 0, x2 = 0, y2 = 0}, 
>> data = 0x40000002}
>>         __FUNCTION__ = "uxa_copy_n_to_n"
>> #9  0x00000000005818ed in miCopyRegion 
>> (pSrcDrawable=pSrcDrawable at entry=0x2ae0040, 
>> pDstDrawable=pDstDrawable at entry=0x283e120,
>>     pGC=pGC at entry=0x266c110, 
>> pDstRegion=pDstRegion at entry=0x7fff57864cb0, dx=dx at entry=0, 
>> dy=dy at entry=0,
>>     copyProc=copyProc at entry=0x7f3556c84650 <uxa_copy_n_to_n>, 
>> bitPlane=bitPlane at entry=0, closure=closure at entry=0x0) at micopy.c:121
>>         careful = <optimized out>
>>         reverse = <optimized out>
>>         upsidedown = <optimized out>
>>         pbox = 0x2a50350
>>         nbox = 2
>>         pboxNew1 = <optimized out>
>>         pboxNew2 = 0x0
>>         pboxBase = <optimized out>
>>         pboxNext = <optimized out>
>>         pboxTmp = <optimized out>
>> #10 0x0000000000581eb0 in miDoCopy (pSrcDrawable=0x2ae0040, 
>> pDstDrawable=0x283e120, pGC=0x266c110, xIn=0, yIn=0, widthSrc=3840,
>>     heightSrc=heightSrc at entry=1200, xOut=xOut at entry=0, 
>> yOut=yOut at entry=0, copyProc=copyProc at entry=0x7f3556c84650 
>> <uxa_copy_n_to_n>,
>>     bitPlane=bitPlane at entry=0, closure=closure at entry=0x0) at 
>> micopy.c:297
>>         prgnSrcClip = 0x0
>>         freeSrcClip = 0
>>         prgnExposed = 0x0
>>         rgnDst = {extents = {x1 = 0, y1 = 0, x2 = 3840, y2 = 1200}, 
>> data = 0x2a50340}
>>         dx = 0
>>         dy = 0
>>         box_x1 = <optimized out>
>>         box_y1 = <optimized out>
>>         box_x2 = <optimized out>
>>         box_y2 = <optimized out>
>>         fastSrc = <optimized out>
>>         fastDst = <optimized out>
>>         fastExpose = <optimized out>
>> #11 0x00007f3556c839be in uxa_copy_area (pSrcDrawable=<optimized 
>> out>, pDstDrawable=<optimized out>, pGC=<optimized out>,
>>     srcx=<optimized out>, srcy=<optimized out>, width=<optimized 
>> out>, height=1200, dstx=0, dsty=0) at uxa-accel.c:642
>>         dsty = 0
>>         srcx = <optimized out>
>>         pSrcDrawable = <optimized out>
>>         dstx = 0
>>         height = 1200
>>         width = <optimized out>
>>         srcy = <optimized out>
>>         pGC = <optimized out>
>>         pDstDrawable = <optimized out>
>> #12 0x00000000004361c6 in ProcCopyArea (client=0x2612d30) at 
>> dispatch.c:1626
>>         pDst = 0x283e120
>>         pSrc = 0x2ae0040
>>         pGC = 0x266c110
>>         stuff = 0x293c3ac
>>         pRgn = <optimized out>
>>         rc = <optimized out>
>> #13 0x000000000043a327 in Dispatch () at dispatch.c:432
>>         clientReady = 0x24a9c70
>>         result = <optimized out>
>>         client = 0x2612d30
>>         nready = 0
>>         icheck = 0x822670 <checkForInput>
>>         start_tick = 740
>> #14 0x00000000004288da in main (argc=12, argv=0x7fff57864f68, 
>> envp=<optimized out>) at main.c:298
>>         i = <optimized out>
>>         alwaysCheckForInput = {0, 1}
>>
>> _______________________________________________
>> Spice-devel mailing list
>> Spice-devel at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
>
> -- 
>
>
>         Dominique Rodrigues
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20140513/7343cf5a/attachment.html>

More information about the Spice-devel mailing list