| Summary | random X11 crash (SIGSEGV) when rendering firefox in pixman/intel |
|---|---|
| Product | xorg |
| Component | Driver/intel |
| Version | 7.5 (2009.10) |
| Hardware | Other |
| OS | All |
| Status | RESOLVED MOVED |
| Severity | normal |
| Priority | medium |
| Reporter | Michael Stapelberg <michael+freedesktop> |
| Assignee | Chris Wilson <chris> |
| QA Contact | Intel GFX Bugs mailing list <intel-gfx-bugs> |
| CC | chris |
| Whiteboard | |
| i915 platform | |
| i915 features | |
| Attachments | 34440 (Xorg logfile), 36139 (Trim fills to drawable bounds) |
Created attachment 34440 [details] Xorg logfile

When moving firefox to a different workspace in my window manager, sometimes my Xorg exits because of receiving a SIGSEGV. I am not entirely sure where the origin of this problem is, but I would suspect the intel driver, which is why I assigned it to Driver/intel. If I am wrong, feel free to re-assign. Backtrace comes here (Xorg logfile is attached):

```
#0  0x00007fb4cb103f45 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007fb4cb106d80 in *__GI_abort () at abort.c:88
#2  0x000000000047cff3 in ddxGiveUp () at ../../../../hw/xfree86/common/xf86Init.c:1214
#3  0x000000000046346d in AbortServer () at ../../os/log.c:404
#4  0x0000000000463b0e in FatalError (f=0x571720 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:529
#5  0x0000000000467d3e in OsSigHandler (signo=11, sip=0x7fb4c8090000, unused=<value optimized out>) at ../../os/osinit.c:156
#6  <signal handler called>
#7  _mm_store_si128 (bits=<value optimized out>, stride=131072, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, data=16777215) at /usr/lib/gcc/x86_64-linux-gnu/4.4.2/include/emmintrin.h:697
#8  save_128_aligned (bits=<value optimized out>, stride=131072, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, data=16777215) at ../../pixman/pixman-sse2.c:400
#9  pixman_fill_sse2 (bits=<value optimized out>, stride=131072, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, data=16777215) at ../../pixman/pixman-sse2.c:4017
#10 0x00007fb4cbf8a40e in sse2_fill (imp=<value optimized out>, bits=<value optimized out>, stride=<value optimized out>, bpp=32, x=0, y=0, width=32767, height=32767, xor=16777215) at ../../pixman/pixman-sse2.c:5763
#11 0x00007fb4cbf76dad in pixman_fill (bits=<value optimized out>, stride=<value optimized out>, bpp=<value optimized out>, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=32767, xor=16777215) at ../../pixman/pixman.c:256
#12 0x00007fb4c8c83846 in fbFill (pDrawable=0xd97320, pGC=0x1747e20, x=<value optimized out>, y=<value optimized out>, width=<value optimized out>, height=<value optimized out>) at ../../fb/fbfill.c:48
#13 0x00007fb4c8c83ce2 in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>, nrect=<value optimized out>, prect=<value optimized out>) at ../../fb/fbfillrect.c:77
#14 0x00007fb4c90fbf31 in uxa_check_poly_fill_rect (pDrawable=0xd97320, pGC=0x1747e20, nrect=1, prect=0xfa83d8) at ../../uxa/uxa-unaccel.c:257
#15 0x00007fb4c90f62e8 in uxa_poly_fill_rect (pDrawable=0xd97320, pGC=0x1747e20, nrect=1, prect=0xfa83d8) at ../../uxa/uxa-accel.c:727
#16 0x00000000004c263b in damagePolyFillRect (pDrawable=0xd97320, pGC=0x1747e20, nRects=1, pRects=0xfa83d8) at ../../../miext/damage/damage.c:1404
#17 0x000000000055d5b7 in miColorRects (pDst=0xfd8970, pClipPict=0xfd8970, color=<value optimized out>, nRect=<value optimized out>, rects=0xfa83d8, xoff=0, yoff=0) at ../../render/mirect.c:84
#18 0x000000000055d693 in miCompositeRects (op=3 '\003', pDst=0xfd8970, color=0xfa83d0, nRect=<value optimized out>, rects=0xfa83d8) at ../../render/mirect.c:116
#19 0x00000000004b62c4 in ProcRenderFillRectangles (client=0x19506f0) at ../../render/render.c:1471
#20 0x000000000043c974 in Dispatch () at ../../dix/dispatch.c:439
#21 0x0000000000425b9a in main (argc=7, argv=0x7d5228, envp=<value optimized out>) at ../../dix/main.c:285
```

Occasionally I have seen something similar, mostly when I've just introduced a bug into the driver, but nevertheless. It's basically an integer overflow (resulting in an invalid access) when trying to draw an out-of-bounds rectangle. I've fixed up a couple that caused hangs, so a slightly different code path.

Created attachment 36139 [details] [review] Trim fills to drawable bounds.

Michael, if you know of a way to reproduce the crash and could test this patch, that would be excellent.

Hi Chris, seems like this problem arose when setting very large window coordinates (due to a bug I was setting (2, 0, -8, -23) as window rect, while the latter two are interpreted as unsigned values of course). After applying your patch, Xorg does not crash any longer. Thanks!

Best regards,
Michael

After applying the patch I sometimes run into a (nearly?) endless loop in Xorg, for example when opening xpdf. Can you see if your patch is causing this? Backtrace comes here:

```
#0  fbBltOne (src=0x0, srcStride=<value optimized out>, srcX=<value optimized out>, dst=0x9869dba14928, dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=160, height=-32, fgand=0, fgxor=0, bgand=4294967295, bgxor=0) at ../../fb/fbbltone.c:418
#1  0x00007fe5b29cdb80 in fbOddStipple (dst=<value optimized out>, dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=<value optimized out>, height=<value optimized out>, stip=0x7fe5b1bdc000, stipStride=16, stipWidth=5, stipHeight=14, fgand=0, fgxor=0, bgand=4294967295, bgxor=0, xRot=69, yRot=0) at ../../fb/fbstipple.c:261
#2  0x00007fe5b29c57eb in fbFill (pDrawable=<value optimized out>, pGC=0x2e3e050, x=<value optimized out>, y=<value optimized out>, width=5, height=-32) at ../../fb/fbfill.c:133
#3  0x00007fe5b29c5d0a in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>, nrect=<value optimized out>, prect=<value optimized out>) at ../../fb/fbfillrect.c:77
#4  0x00007fe5b2e43011 in uxa_check_poly_fill_rect (pDrawable=0x28124b0, pGC=0x2e3e050, nrect=1, prect=0x27b2588) at ../../uxa/uxa-unaccel.c:257
#5  0x00007fe5b2e3ccf0 in uxa_poly_fill_rect (pDrawable=0x28124b0, pGC=0x2e3e050, nrect=1, prect=0x27b2588) at ../../uxa/uxa-accel.c:727
#6  0x00000000004c329b in damagePolyFillRect (pDrawable=0x28124b0, pGC=0x2e3e050, nRects=1, pRects=0x27b2588) at ../../../miext/damage/damage.c:1404
#7  0x0000000000439e24 in ProcPolyFillRectangle (client=0x2b35cb0) at ../../dix/dispatch.c:1939
#8  0x000000000043c9a4 in Dispatch () at ../../dix/dispatch.c:439
#9  0x0000000000425b4a in main (argc=7, argv=0x7d7c88, envp=<value optimized out>) at ../../dix/main.c:285
```

As far as I know that is a separate bug, caused by a page-fault-of-doom.

Found the bug reference I was looking for... bug 28478 for the endless loop.

Even though I am using your patch, I just got another crash when running xxdiff. Backtrace comes here:

```
(gdb) bt full
#0  0x00007fb06fff5175 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007fb06fff7f80 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {0, 3, 0, 0, 0, 140395769797384, 140395802543288, 0, 4294967295, 1179670597, 1, 8102920, 0, 1073741823, 140395692755240, 0}}, sa_flags = 1909584850, sa_restorer = 0x100041500000001}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x000000000047d783 in ddxGiveUp () at ../../../../hw/xfree86/common/xf86Init.c:1214
        i = <value optimized out>
#3  0x000000000046368d in AbortServer () at ../../os/log.c:404
No locals.
#4  0x0000000000463d2e in FatalError (f=0x5734a0 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:529
        args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fffb8ed2720, reg_save_area = 0x7fffb8ed2660}}
        beenhere = 1
#5  0x0000000000467f3e in OsSigHandler (signo=11, sip=0x7fb06b650928, unused=<value optimized out>) at ../../os/osinit.c:156
No locals.
#6  <signal handler called>
No symbol table info available.
#7  fbBltOne (src=<value optimized out>, srcStride=<value optimized out>, srcX=<value optimized out>, dst=0x7fb06b650928, dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=-832, height=-5, fgand=0, fgxor=4287072135, bgand=4294967295, bgxor=0) at ../../fb/fbbltone.c:352
        fbBits = 0x7fb06db78790
        srcEnd = 0x7fb06d78a240
        pixelsPerDst = <value optimized out>
        leftShift = 2
        rightShift = 30
        startmask = 0
        endmask = 0
        bits = 1073741823
        bitsLeft = 0
        bitsRight = <value optimized out>
        left = <value optimized out>
        mask = <value optimized out>
        nDst = -26
        w = 0
        n = -26
        nmiddle = <value optimized out>
        copy = 0
        transparent = 1
        srcinc = <value optimized out>
        endNeedsLoad = 0
        fbLane = 0x7fb06dd7baf0 ""
        startbyte = <value optimized out>
        endbyte = 0
#8  0x00007fb06db76b80 in fbOddStipple (dst=<value optimized out>, dstStride=<value optimized out>, dstX=<value optimized out>, dstBpp=32, width=<value optimized out>, height=<value optimized out>, stip=0x7fb06d78a000, stipStride=16, stipWidth=16, stipHeight=16, fgand=0, fgxor=4287072135, bgand=4294967295, bgxor=0, xRot=584, yRot=-478) at ../../fb/fbstipple.c:261
        stipX = 2
        stipY = <value optimized out>
        sx = 1840698024
        widthTmp = 0
        h = -5
        w = -832
        x = 17920
        y = 0
#9  0x00007fb06db6e7eb in fbFill (pDrawable=<value optimized out>, pGC=0x15c8ec0, x=<value optimized out>, y=<value optimized out>, width=-26, height=-5) at ../../fb/fbfill.c:133
        fgand = 0
        fgxor = 4287072135
        bgand = <value optimized out>
        bgxor = <value optimized out>
        pStip = <value optimized out>
        stipWidth = 16
        stipHeight = 16
        dst = 0x7fb06a638000
        dstStride = 2560
        dstBpp = 32
        dstXoff = 0
        dstYoff = <value optimized out>
        pPriv = 0x15c9080
        x1 = -26
        x2 = <value optimized out>
        y1 = <value optimized out>
        y2 = <value optimized out>
#10 0x00007fb06db6ed0a in fbPolyFillRect (pDrawable=<value optimized out>, pGC=<value optimized out>, nrect=<value optimized out>, prect=<value optimized out>) at ../../fb/fbfillrect.c:77
        pClip = 0x2a848b0
        pbox = <value optimized out>
        extentX1 = 586
        extentX2 = 1142
        extentY1 = 82
        extentY2 = 631
        fullX1 = 586
        fullX2 = 1142
        fullY1 = 558
        fullY2 = 572
        partX1 = <value optimized out>
        partX2 = <value optimized out>
        partY1 = <value optimized out>
        partY2 = <value optimized out>
        xorg = 584
        yorg = 80
#11 0x00007fb06dfec011 in uxa_check_poly_fill_rect (pDrawable=0x35629a0, pGC=0x15c8ec0, nrect=1, prect=0x37ae988) at ../../uxa/uxa-unaccel.c:257
        __FUNCTION__ = "uxa_check_poly_fill_rect"
#12 0x00007fb06dfe5cf0 in uxa_poly_fill_rect (pDrawable=0x35629a0, pGC=0x15c8ec0, nrect=1, prect=0x37ae988) at ../../uxa/uxa-accel.c:727
        pClip = 0x2a848b0
        pPixmap = 0x252d000
        pbox = <value optimized out>
        extentX1 = 0
        extentX2 = 44589488
        extentY1 = 32688
        extentY2 = 1842878571
        fullX1 = <value optimized out>
        fullX2 = <value optimized out>
        fullY1 = <value optimized out>
        fullY2 = <value optimized out>
        partX1 = <value optimized out>
        partX2 = <value optimized out>
        partY1 = <value optimized out>
        partY2 = <value optimized out>
        xoff = <value optimized out>
        yoff = <value optimized out>
        xorg = 0
        yorg = 44589488
        pReg = 0x3d36f10
#13 0x00000000004c329b in damagePolyFillRect (pDrawable=0x35629a0, pGC=0x15c8ec0, nRects=1, pRects=0x37ae988) at ../../../miext/damage/damage.c:1404
        pGCPriv = 0x275b2b0
        oldFuncs = 0x7c3ae0
#14 0x0000000000439e24 in ProcPolyFillRectangle (client=0x18107d0) at ../../dix/dispatch.c:1939
        things = 1840698024
        pGC = 0x15c8ec0
        pDraw = 0x35629a0
#15 0x000000000043c9a4 in Dispatch () at ../../dix/dispatch.c:439
        result = <value optimized out>
        client = 0x18107d0
        nready = 0
        start_tick = 167320
#16 0x0000000000425b4a in main (argc=7, argv=0x7d7c88, envp=<value optimized out>) at ../../dix/main.c:285
        i = 1
        alwaysCheckForInput = {0, 1}
```

In a sense, that is a good thing since the patch *should* have had no effect and appeared to be a band-aid for a deeper bug. This means that I need to keep digging. Thanks.

-- GitLab Migration Automatic Message --
This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-intel/issues/5.
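Added worked example, written for this page and not taken from the bug, from xserver, or from the "Trim fills to drawable bounds" patch. It shows the two points made in the thread: a client rectangle of (2, 0, -8, -23) reaches the server with CARD16 width/height of 65528 and 65513 (the xRectangle wire layout is INT16 x/y, CARD16 width/height), and a fill that trims to the drawable first touches only in-bounds pixels, whereas an untrimmed loop over width*height addresses billions of pixels past a 16x16 buffer. The `Drawable`, `WireRect`, `trim_to_drawable` and `fill_rect_trimmed` names, the 32bpp toy pixmap and the canary row are all assumptions of this example, not server structures.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Rectangle as carried on the X11 wire for PolyFillRectangle (xRectangle):
 * INT16 origin, CARD16 extent.  A client that writes -8 into width sends
 * 65528; the server never sees a negative width, only a huge one. */
typedef struct { int16_t x, y; uint16_t width, height; } WireRect;

/* Toy 32bpp drawable (hypothetical, not the server's DrawableRec).  One extra
 * row past the visible area is filled with a canary so a test can detect any
 * write past the bounds. */
typedef struct { int width, height, stride; uint32_t *bits; } Drawable;

#define CANARY 0xDEADBEEFu

/* Half-open fill extent [x1,x2) x [y1,y2) in drawable coordinates. */
typedef struct { int x1, y1, x2, y2; } Box;

static Drawable make_drawable(int width, int height) {
    Drawable d = { width, height, width, NULL };
    d.bits = calloc((size_t)(height + 1) * width, sizeof(uint32_t));
    if (!d.bits) { perror("calloc"); exit(1); }
    for (int x = 0; x < width; x++)            /* canary row just past the end */
        d.bits[(size_t)height * width + x] = CANARY;
    return d;
}

static void free_drawable(Drawable *d) { free(d->bits); d->bits = NULL; }

static bool canary_intact(const Drawable *d) {
    for (int x = 0; x < d->width; x++)
        if (d->bits[(size_t)d->height * d->stride + x] != CANARY) return false;
    return true;
}

/* Trim a client rectangle to the drawable.  INT16 + CARD16 promotes to int, so
 * x + width is at most 32767 + 65535 and cannot overflow; the comparisons then
 * clamp the extent to the pixmap.  Returns false when nothing remains. */
static bool trim_to_drawable(const Drawable *d, WireRect r, Box *out) {
    int x1 = r.x, y1 = r.y;
    int x2 = x1 + r.width, y2 = y1 + r.height;
    if (x1 < 0) x1 = 0;
    if (y1 < 0) y1 = 0;
    if (x2 > d->width) x2 = d->width;
    if (y2 > d->height) y2 = d->height;
    if (x1 >= x2 || y1 >= y2) return false;
    out->x1 = x1; out->y1 = y1; out->x2 = x2; out->y2 = y2;
    return true;
}

/* Fill after trimming; every store is inside the buffer by construction.
 * Returns the number of pixels written. */
static size_t fill_rect_trimmed(Drawable *d, WireRect r, uint32_t color) {
    Box b;
    size_t n = 0;
    if (!trim_to_drawable(d, r, &b)) return 0;
    for (int y = b.y1; y < b.y2; y++)
        for (int x = b.x1; x < b.x2; x++, n++)
            d->bits[(size_t)y * d->stride + x] = color;
    return n;
}

/* How many pixels an untrimmed loop `for (y..height) for (x..width)` would
 * touch for this rectangle.  Computed only, never written: everything beyond
 * the drawable's own width*height is the out-of-bounds access behind the crash. */
static uint64_t untrimmed_pixel_count(WireRect r) {
    return (uint64_t)r.width * (uint64_t)r.height;
}

int main(void) {
    Drawable d = make_drawable(16, 16);
    /* The rectangle from the report, (2, 0, -8, -23), as it arrives on the wire. */
    WireRect r = { 2, 0, (uint16_t)-8, (uint16_t)-23 };
    Box b;

    printf("wire width=%u height=%u\n", (unsigned)r.width, (unsigned)r.height);
    if (trim_to_drawable(&d, r, &b))
        printf("trimmed to x[%d,%d) y[%d,%d)\n", b.x1, b.x2, b.y1, b.y2);
    printf("pixels written: %zu of %llu requested, canary %s\n",
           fill_rect_trimmed(&d, r, 0xffffffu),
           (unsigned long long)untrimmed_pixel_count(r),
           canary_intact(&d) ? "intact" : "CLOBBERED");
    free_drawable(&d);
    return 0;
}
```

The clamp works because the server-side arithmetic is done after integer promotion, so the extent cannot wrap; the fill then only ever indexes within `[0,width) x [0,height)`, which is the property the thread's patch is trying to establish before pixman or fbBltOne is handed the rectangle.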