Bug 27313

Summary: random X11 crash (SIGSEGV) when rendering firefox in pixman/intel
Product: xorg
Reporter: Michael Stapelberg <michael+freedesktop>
Component: Driver/intel
Assignee: Chris Wilson <chris>
Status: RESOLVED MOVED
QA Contact: Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity: normal
Priority: medium
CC: chris
Version: 7.5 (2009.10)
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:
Attachments (Description / Flags):
Xorg logfile / none
Trim fills to drawable bounds. / none

Description Michael Stapelberg 2010-03-25 10:28:35 UTC
Created attachment 34440 [details]
Xorg logfile

When moving firefox to a different workspace in my window manager, sometimes my Xorg exits because of receiving a SIGSEGV. I am not entirely sure where the origin of this problem is, but I would suspect the intel driver, which is why I assigned it to Driver/intel. If I am wrong, feel free to re-assign.

Backtrace comes here (Xorg logfile is attached):
#0  0x00007fb4cb103f45 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007fb4cb106d80 in *__GI_abort () at abort.c:88
#2  0x000000000047cff3 in ddxGiveUp () at ../../../../hw/xfree86/common/xf86Init.c:1214
#3  0x000000000046346d in AbortServer () at ../../os/log.c:404
#4  0x0000000000463b0e in FatalError (
    f=0x571720 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:529
#5  0x0000000000467d3e in OsSigHandler (signo=11, sip=0x7fb4c8090000, 
    unused=<value optimized out>) at ../../os/osinit.c:156
#6  <signal handler called>
#7  _mm_store_si128 (bits=<value optimized out>, stride=131072, 
    bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, 
    width=<value optimized out>, height=32767, data=16777215)
    at /usr/lib/gcc/x86_64-linux-gnu/4.4.2/include/emmintrin.h:697
#8  save_128_aligned (bits=<value optimized out>, stride=131072, 
    bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, 
    width=<value optimized out>, height=32767, data=16777215)
    at ../../pixman/pixman-sse2.c:400
#9  pixman_fill_sse2 (bits=<value optimized out>, stride=131072, 
    bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, 
    width=<value optimized out>, height=32767, data=16777215)
    at ../../pixman/pixman-sse2.c:4017
#10 0x00007fb4cbf8a40e in sse2_fill (imp=<value optimized out>, 
    bits=<value optimized out>, stride=<value optimized out>, bpp=32, x=0, y=0, 
    width=32767, height=32767, xor=16777215) at ../../pixman/pixman-sse2.c:5763
#11 0x00007fb4cbf76dad in pixman_fill (bits=<value optimized out>, 
    stride=<value optimized out>, bpp=<value optimized out>, x=<value optimized out>, 
    y=<value optimized out>, width=<value optimized out>, height=32767, xor=16777215)
    at ../../pixman/pixman.c:256
#12 0x00007fb4c8c83846 in fbFill (pDrawable=0xd97320, pGC=0x1747e20, 
    x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, 
    height=<value optimized out>) at ../../fb/fbfill.c:48
#13 0x00007fb4c8c83ce2 in fbPolyFillRect (pDrawable=<value optimized out>, 
    pGC=<value optimized out>, nrect=<value optimized out>, prect=<value optimized out>)
    at ../../fb/fbfillrect.c:77
#14 0x00007fb4c90fbf31 in uxa_check_poly_fill_rect (pDrawable=0xd97320, pGC=0x1747e20, 
    nrect=1, prect=0xfa83d8) at ../../uxa/uxa-unaccel.c:257
#15 0x00007fb4c90f62e8 in uxa_poly_fill_rect (pDrawable=0xd97320, pGC=0x1747e20, 
    nrect=1, prect=0xfa83d8) at ../../uxa/uxa-accel.c:727
#16 0x00000000004c263b in damagePolyFillRect (pDrawable=0xd97320, pGC=0x1747e20, 
    nRects=1, pRects=0xfa83d8) at ../../../miext/damage/damage.c:1404
#17 0x000000000055d5b7 in miColorRects (pDst=0xfd8970, pClipPict=0xfd8970, 
    color=<value optimized out>, nRect=<value optimized out>, rects=0xfa83d8, xoff=0, 
    yoff=0) at ../../render/mirect.c:84
#18 0x000000000055d693 in miCompositeRects (op=3 '\003', pDst=0xfd8970, color=0xfa83d0, 
    nRect=<value optimized out>, rects=0xfa83d8) at ../../render/mirect.c:116
#19 0x00000000004b62c4 in ProcRenderFillRectangles (client=0x19506f0)
    at ../../render/render.c:1471
#20 0x000000000043c974 in Dispatch () at ../../dix/dispatch.c:439
#21 0x0000000000425b9a in main (argc=7, argv=0x7d5228, envp=<value optimized out>)
    at ../../dix/main.c:285
Comment 1 Chris Wilson 2010-05-11 11:32:35 UTC
Occasionally I have seen something similar, mostly when I've just introduced a bug into the driver, but nevertheless.

It's basically an integer overflow (resulting in an invalid access) when trying to draw an out-of-bounds rectangle. I've fixed up a couple that caused hangs, so a slightly different code path.
Comment 2 Chris Wilson 2010-06-08 05:27:07 UTC
Created attachment 36139 [details] [review]
Trim fills to drawable bounds.

Michael if you know of a way to reproduce the crash and could test this patch, that would be excellent.
Comment 3 Michael Stapelberg 2010-06-28 12:13:03 UTC
Hi Chris,

seems like this problem arose when setting very large window coordinates (due to a bug I was setting (2, 0, -8, -23) as window rect while the latter two are interpreted as unsigned values of course).

After applying your patch, Xorg does not crash any longer. Thanks!

Best regards,
Michael
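The two failure modes discussed in comments 1 and 3 are (a) a rectangle whose signed x/y plus an unsigned 16-bit width/height reaches far outside the drawable, and (b) a row offset product that wraps a 32-bit int (the first backtrace shows stride=131072 with height=32767). The following is an added illustration, not the attached patch and not xserver or pixman code: a stand-alone C clamp of a PolyFillRectangle-style request to the drawable bounds, computed in 32-bit intermediates so the sum cannot wrap, plus a 64-bit row-offset helper that reports whether the same product would have overflowed int32. The type names, the 1024x768 drawable and the reuse of the reporter's (2, 0, -8, -23) rectangle are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A fill request as the X11 PolyFillRectangle wire format carries it:
 * x, y are INT16, width and height are CARD16 (unsigned). This is why the
 * reporter's (2, 0, -8, -23) arrives as width 65528, height 65513.
 * (Struct names are constructed for this example.) */
typedef struct {
    int16_t  x, y;
    uint16_t width, height;
} FillRect;

/* Constructed drawable: only the pixel extent matters for trimming. */
typedef struct {
    int32_t width, height;
} Drawable;

/* Half-open pixel box [x1, x2) x [y1, y2) after trimming. */
typedef struct {
    int32_t x1, y1, x2, y2;
} Box;

/* Clamp a requested rectangle to the drawable. Intermediate values are
 * int32_t, so x + width (at most 32767 + 65535) cannot wrap the way a
 * 16-bit sum would. Returns false when nothing is left to fill, so the
 * caller never hands a negative or out-of-range size to the blitter. */
bool trim_fill_to_drawable(const Drawable *d, const FillRect *r, Box *out)
{
    int32_t x1 = r->x;
    int32_t y1 = r->y;
    int32_t x2 = x1 + (int32_t)r->width;
    int32_t y2 = y1 + (int32_t)r->height;

    if (x1 < 0) x1 = 0;
    if (y1 < 0) y1 = 0;
    if (x2 > d->width)  x2 = d->width;
    if (y2 > d->height) y2 = d->height;

    if (x1 >= x2 || y1 >= y2)
        return false;   /* entirely outside the drawable, or zero area */

    out->x1 = x1; out->y1 = y1; out->x2 = x2; out->y2 = y2;
    return true;
}

/* Byte offset of row y when stride is given in 32-bit words (pixman's
 * convention). Computed in 64 bits so it cannot wrap. */
int64_t row_byte_offset(int32_t stride_words, int32_t y)
{
    return (int64_t)stride_words * 4 * (int64_t)y;
}

/* True if stride_words * y would not fit in a 32-bit int, i.e. the kind of
 * product that turns into a bogus (negative) pointer offset and a SIGSEGV. */
bool row_offset_wraps_int32(int32_t stride_words, int32_t y)
{
    int64_t words = (int64_t)stride_words * (int64_t)y;
    return words > INT32_MAX || words < INT32_MIN;
}

int main(void)
{
    Drawable screen = { 1024, 768 };                         /* constructed */
    FillRect bad = { 2, 0, (uint16_t)-8, (uint16_t)-23 };    /* reporter's rect */
    Box box;

    if (trim_fill_to_drawable(&screen, &bad, &box))
        printf("fill x [%d,%d) y [%d,%d)\n", box.x1, box.x2, box.y1, box.y2);
    else
        printf("nothing to fill\n");

    printf("row 32767 at stride 131072 words: %lld bytes, wraps int32: %s\n",
           (long long)row_byte_offset(131072, 32767),
           row_offset_wraps_int32(131072, 32767) ? "yes" : "no");
    return 0;
}
```

The clamp alone is the "band-aid" comment 8 refers to: it stops the obviously out-of-range request, but a server that still does its offset arithmetic in 32 bits can be crashed by a request that passes the clamp on a large enough pixmap, which is why the second helper checks the product rather than the inputs.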
Comment 4 Michael Stapelberg 2010-06-29 05:54:17 UTC
After applying the patch I sometimes run into a (nearly?) endless loop in Xorg, for example when opening xpdf. Can you see if your patch is causing this? Backtrace comes here:

#0  fbBltOne (src=0x0, srcStride=<value optimized out>, srcX=<value optimized out>, dst=0x9869dba14928,
    dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=160, height=-32, fgand=0, fgxor=0,
    bgand=4294967295, bgxor=0) at ../../fb/fbbltone.c:418
#1  0x00007fe5b29cdb80 in fbOddStipple (dst=<value optimized out>, dstStride=<value optimized out>,
    dstX=<value optimized out>, dstBpp=32, width=<value optimized out>, height=<value optimized out>, stip=0x7fe5b1bdc000,
    stipStride=16, stipWidth=5, stipHeight=14, fgand=0, fgxor=0, bgand=4294967295, bgxor=0, xRot=69, yRot=0)
    at ../../fb/fbstipple.c:261
#2  0x00007fe5b29c57eb in fbFill (pDrawable=<value optimized out>, pGC=0x2e3e050, x=<value optimized out>,
    y=<value optimized out>, width=5, height=-32) at ../../fb/fbfill.c:133
#3  0x00007fe5b29c5d0a in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>,
    nrect=<value optimized out>, prect=<value optimized out>) at ../../fb/fbfillrect.c:77
#4  0x00007fe5b2e43011 in uxa_check_poly_fill_rect (pDrawable=0x28124b0, pGC=0x2e3e050, nrect=1, prect=0x27b2588)
    at ../../uxa/uxa-unaccel.c:257
#5  0x00007fe5b2e3ccf0 in uxa_poly_fill_rect (pDrawable=0x28124b0, pGC=0x2e3e050, nrect=1, prect=0x27b2588)
    at ../../uxa/uxa-accel.c:727
#6  0x00000000004c329b in damagePolyFillRect (pDrawable=0x28124b0, pGC=0x2e3e050, nRects=1, pRects=0x27b2588)
    at ../../../miext/damage/damage.c:1404
#7  0x0000000000439e24 in ProcPolyFillRectangle (client=0x2b35cb0) at ../../dix/dispatch.c:1939
#8  0x000000000043c9a4 in Dispatch () at ../../dix/dispatch.c:439
#9  0x0000000000425b4a in main (argc=7, argv=0x7d7c88, envp=<value optimized out>) at ../../dix/main.c:285
Comment 5 Chris Wilson 2010-07-01 01:09:53 UTC
As far as I know that is a separate bug, caused by a page-fault-of-doom.
Comment 6 Chris Wilson 2010-07-01 01:40:54 UTC
Found the bug reference I was looking for... bug 28478 for the endless loop.
Comment 7 Michael Stapelberg 2010-07-20 03:54:13 UTC
Even though I am using your patch, I just got another crash when running xxdiff. Backtrace comes here:

(gdb) bt full
#0  0x00007fb06fff5175 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007fb06fff7f80 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {0, 3, 0, 0, 0, 140395769797384, 140395802543288, 
              0, 4294967295, 1179670597, 1, 8102920, 0, 1073741823, 140395692755240, 0}}, sa_flags = 1909584850, 
          sa_restorer = 0x100041500000001}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x000000000047d783 in ddxGiveUp () at ../../../../hw/xfree86/common/xf86Init.c:1214
        i = <value optimized out>
#3  0x000000000046368d in AbortServer () at ../../os/log.c:404
No locals.
#4  0x0000000000463d2e in FatalError (f=0x5734a0 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:529
        args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fffb8ed2720, reg_save_area = 0x7fffb8ed2660}}
        beenhere = 1
#5  0x0000000000467f3e in OsSigHandler (signo=11, sip=0x7fb06b650928, unused=<value optimized out>) at ../../os/osinit.c:156
No locals.
#6  <signal handler called>
No symbol table info available.
#7  fbBltOne (src=<value optimized out>, srcStride=<value optimized out>, srcX=<value optimized out>, dst=0x7fb06b650928, 
    dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=-832, height=-5, fgand=0, fgxor=4287072135, bgand=4294967295, 
    bgxor=0) at ../../fb/fbbltone.c:352
        fbBits = 0x7fb06db78790
        srcEnd = 0x7fb06d78a240
        pixelsPerDst = <value optimized out>
        leftShift = 2
        rightShift = 30
        startmask = 0
        endmask = 0
        bits = 1073741823
        bitsLeft = 0
        bitsRight = <value optimized out>
        left = <value optimized out>
        mask = <value optimized out>
        nDst = -26
        w = 0
        n = -26
        nmiddle = <value optimized out>
        copy = 0
        transparent = 1
        srcinc = <value optimized out>
        endNeedsLoad = 0
        fbLane = 0x7fb06dd7baf0 ""
        startbyte = <value optimized out>
        endbyte = 0
#8  0x00007fb06db76b80 in fbOddStipple (dst=<value optimized out>, dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, 
    width=<value optimized out>, height=<value optimized out>, stip=0x7fb06d78a000, stipStride=16, stipWidth=16, stipHeight=16, fgand=0, 
    fgxor=4287072135, bgand=4294967295, bgxor=0, xRot=584, yRot=-478) at ../../fb/fbstipple.c:261
        stipX = 2
        stipY = <value optimized out>
        sx = 1840698024
        widthTmp = 0
        h = -5
        w = -832
        x = 17920
        y = 0
#9  0x00007fb06db6e7eb in fbFill (pDrawable=<value optimized out>, pGC=0x15c8ec0, x=<value optimized out>, y=<value optimized out>, width=-26, 
    height=-5) at ../../fb/fbfill.c:133
        fgand = 0
        fgxor = 4287072135
        bgand = <value optimized out>
        bgxor = <value optimized out>
        pStip = <value optimized out>
        stipWidth = 16
        stipHeight = 16
        dst = 0x7fb06a638000
        dstStride = 2560
        dstBpp = 32
        dstXoff = 0
        dstYoff = <value optimized out>
        pPriv = 0x15c9080
        x1 = -26
        x2 = <value optimized out>
        y1 = <value optimized out>
        y2 = <value optimized out>
#10 0x00007fb06db6ed0a in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>, nrect=<value optimized out>, 
    prect=<value optimized out>) at ../../fb/fbfillrect.c:77
        pClip = 0x2a848b0
        pbox = <value optimized out>
        extentX1 = 586
        extentX2 = 1142
        extentY1 = 82
        extentY2 = 631
        fullX1 = 586
        fullX2 = 1142
        fullY1 = 558
        fullY2 = 572
        partX1 = <value optimized out>
        partX2 = <value optimized out>
        partY1 = <value optimized out>
        partY2 = <value optimized out>
        xorg = 584
        yorg = 80
#11 0x00007fb06dfec011 in uxa_check_poly_fill_rect (pDrawable=0x35629a0, pGC=0x15c8ec0, nrect=1, prect=0x37ae988) at ../../uxa/uxa-unaccel.c:257
        __FUNCTION__ = "uxa_check_poly_fill_rect"
#12 0x00007fb06dfe5cf0 in uxa_poly_fill_rect (pDrawable=0x35629a0, pGC=0x15c8ec0, nrect=1, prect=0x37ae988) at ../../uxa/uxa-accel.c:727
        pClip = 0x2a848b0
        pPixmap = 0x252d000
        pbox = <value optimized out>
        extentX1 = 0
        extentX2 = 44589488
        extentY1 = 32688
        extentY2 = 1842878571
        fullX1 = <value optimized out>
        fullX2 = <value optimized out>
        fullY1 = <value optimized out>
        fullY2 = <value optimized out>
        partX1 = <value optimized out>
        partX2 = <value optimized out>
        partY1 = <value optimized out>
        partY2 = <value optimized out>
        xoff = <value optimized out>
        yoff = <value optimized out>
        xorg = 0
        yorg = 44589488
        pReg = 0x3d36f10
#13 0x00000000004c329b in damagePolyFillRect (pDrawable=0x35629a0, pGC=0x15c8ec0, nRects=1, pRects=0x37ae988)
    at ../../../miext/damage/damage.c:1404
        pGCPriv = 0x275b2b0
        oldFuncs = 0x7c3ae0
#14 0x0000000000439e24 in ProcPolyFillRectangle (client=0x18107d0) at ../../dix/dispatch.c:1939
        things = 1840698024
        pGC = 0x15c8ec0
        pDraw = 0x35629a0
#15 0x000000000043c9a4 in Dispatch () at ../../dix/dispatch.c:439
        result = <value optimized out>
        client = 0x18107d0
        nready = 0
        start_tick = 167320
#16 0x0000000000425b4a in main (argc=7, argv=0x7d7c88, envp=<value optimized out>) at ../../dix/main.c:285
        i = 1
        alwaysCheckForInput = {0, 1}
Comment 8 Chris Wilson 2010-07-20 06:21:11 UTC
In a sense, that is a good thing since the patch *should* have had no
effect and appeared to be a band-aid for a deeper bug. This means that I
need to keep digging. Thanks.
Comment 9 Martin Peres 2019-11-27 13:27:52 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-intel/issues/5.
