Bug 106827

Summary: Segmentation fault in i915_validate_state on SolveSpace startup
Product: Mesa
Reporter: Paul Fertser <fercerpav>
Component: Drivers/DRI/i915
Assignee: Default DRI bug account <dri-devel>
Status: RESOLVED MOVED
QA Contact: Default DRI bug account <dri-devel>
Severity: normal
Priority: medium
Version: git
Hardware: x86 (IA32)
OS: Linux (All)
Whiteboard:
i915 platform:
i915 features:

Description Paul Fertser 2018-06-05 17:39:24 UTC
Hello,

I am getting a SIGSEGV on startup of SolveSpace v2.1.rc1-418-g2b9ffd1 on a GNU/Linux system.

Running on a i915 (chipset: 945GM) from Mesa Project
OpenGL version 2.1 Mesa 18.2.0-devel (git-66c61797ad) is supported

$ LD_LIBRARY_PATH=/usr/local/lib gdb ~/tmp/solvespace/build/bin/solvespace
GNU gdb (Gentoo 7.12.1 vanilla) 7.12.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/pavel/tmp/solvespace/build/bin/solvespace...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/pavel/tmp/solvespace/build/bin/solvespace 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
SolveSpace!

Generate::ALL (for bounding box) took 238 ms
Generate::ALL took 256 ms

Program received signal SIGSEGV, Segmentation fault.
i915_validate_state (batch_space=<synthetic pointer>, i915=0xb8a488)
    at ../../../../../src/gallium/drivers/i915/i915_state_emit.c:525
525	   VALIDATE_ATOM(program, I915_HW_PROGRAM);
(gdb) bt full
#0  i915_validate_state (batch_space=<synthetic pointer>, i915=0xb8a488)
    at ../../../../../src/gallium/drivers/i915/i915_state_emit.c:525
        tmp = <optimized out>
#1  i915_emit_hardware_state (i915=0xb8a488)
    at ../../../../../src/gallium/drivers/i915/i915_state_emit.c:551
        batch_space = 48
        save_ptr = <optimized out>
#2  0xb3c353bb in i915_clear_emit (pipe=0xb8a488, buffers=1, color=0xbb9cd8, depth=1, stencil=0, 
    destx=0, desty=0, width=868, height=759) at ../../../../../src/gallium/drivers/i915/i915_clear.c:173
        clear_params = 3
        clear_color = 0
        clear_depth = <optimized out>
        clear_stencil = <optimized out>
        clear_color8888 = 0
        u_color = {ub = 9 '\t', us = 9, ui = {9, 196608, 11, 196608}, h = {9, 0, 0, 3}, f = {
            1.26116862e-44, 2.75506488e-40, 1.54142831e-44, 2.75506488e-40}, d = {
            4.1720134847010471e-309, 4.1720134847010569e-309, 4.6186441515375747e-62, 0}}
        cbuf_tex = <optimized out>
        depth_tex = <optimized out>
        depth_clear_bbp = <optimized out>
        color_clear_bbp = 0
#3  0xb3c36035 in i915_clear_render (pipe=0xb8a488, buffers=1, color=0xbb9cd8, depth=1, stencil=0)
    at ../../../../../src/gallium/drivers/i915/i915_clear.c:256
No locals.
#4  0xb3929aff in st_Clear (ctx=<optimized out>, mask=<optimized out>)
    at ../../../src/mesa/state_tracker/st_cb_clear.c:451
        depthRb = <optimized out>
        quad_buffers = <optimized out>
        clear_buffers = <optimized out>
        i = <optimized out>
#5  0xb376c572 in clear (no_error=false, mask=<optimized out>, ctx=0xbb87a0)
    at ../../../src/mesa/main/clear.c:221
        bufferMask = 16
#6  _mesa_Clear (mask=<optimized out>) at ../../../src/mesa/main/clear.c:242
        ctx = 0xbb87a0
#7  0x0047b891 in SolveSpace::OpenGl2Renderer::UpdateProjection() ()
No symbol table info available.
#8  0x0047ba33 in SolveSpace::OpenGl2Renderer::NewFrame() ()
No symbol table info available.
#9  0x0048bbe7 in SolveSpace::GraphicsWindow::Paint() ()
No symbol table info available.
#10 0x0046ea4e in SolveSpace::GraphicsWidget::on_render(Glib::RefPtr<Gdk::GLContext> const&) ()
No symbol table info available.
#11 0xb7d2ac61 in Gtk::GLArea_Class::render_callback(_GtkGLArea*, _GdkGLContext*) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#12 0xb60c908e in ffi_call_SYSV () from /usr/lib/libffi.so.6
No symbol table info available.
#13 0xb60c8ca6 in ffi_call () from /usr/lib/libffi.so.6
No symbol table info available.
#14 0xb6651301 in g_cclosure_marshal_generic_va () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#15 0xb665088b in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#16 0xb666cca7 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#17 0xb666d7e3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#18 0xb7509f01 in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#19 0xb7ddd640 in Gtk::Widget::on_draw(Cairo::RefPtr<Cairo::Context> const&) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#20 0xb7dee546 in Gtk::Widget_Class::draw_callback(_GtkWidget*, _cairo*) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#21 0xb76e71df in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#22 0xb746b4d0 in gtk_container_propagate_draw () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#23 0xb74ef254 in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#24 0xb7ddd640 in Gtk::Widget::on_draw(Cairo::RefPtr<Cairo::Context> const&) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#25 0xb7dee546 in Gtk::Widget_Class::draw_callback(_GtkWidget*, _cairo*) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#26 0xb76e71df in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#27 0xb746b4d0 in gtk_container_propagate_draw () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#28 0xb746b5ab in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#29 0xb740da1b in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#30 0xb7471635 in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#31 0xb747784d in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#32 0xb7410939 in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#33 0xb7dee5d7 in Gtk::Widget_Class::draw_callback(_GtkWidget*, _cairo*) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#34 0xb76e71df in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#35 0xb746b4d0 in gtk_container_propagate_draw () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#36 0xb746b5ab in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#37 0xb76f777e in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#38 0xb7ddd640 in Gtk::Widget::on_draw(Cairo::RefPtr<Cairo::Context> const&) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#39 0xb7dee546 in Gtk::Widget_Class::draw_callback(_GtkWidget*, _cairo*) ()
   from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#40 0xb76e71df in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#41 0xb76f1e42 in ?? () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#42 0xb755aa49 in gtk_main_do_event () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#43 0xb72611ff in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#44 0xb727579a in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#45 0xb7283a63 in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#46 0xb7276ca7 in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#47 0xb7276ea8 in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#48 0xb6650643 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#49 0xb6663f46 in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#50 0xb666d47a in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#51 0xb666d7e3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#52 0xb726c46b in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#53 0xb726d08e in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#54 0xb7252f2e in ?? () from /usr/lib/libgdk-3.so.0
No symbol table info available.
#55 0xb70b2087 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#56 0xb70b1450 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#57 0xb70b1868 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#58 0xb70b1c31 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#59 0xb755996d in gtk_main () from /usr/lib/libgtk-3.so.0
No symbol table info available.
#60 0xb7d4955d in Gtk::Main::run(Gtk::Window&) () from /usr/lib/libgtkmm-3.0.so.1
No symbol table info available.
#61 0x00456e02 in main ()
No symbol table info available.
(gdb) 
(gdb) disassemble 
Dump of assembler code for function _mesa_Clear:
   0xb376c410 <+0>:	push   %ebp
   0xb376c411 <+1>:	push   %edi
   0xb376c412 <+2>:	push   %esi
   0xb376c413 <+3>:	push   %ebx
   0xb376c414 <+4>:	call   0xb373f270 <__x86.get_pc_thunk.bx>
   0xb376c419 <+9>:	add    $0x75abe7,%ebx
   0xb376c41f <+15>:	sub    $0x1c,%esp
   0xb376c422 <+18>:	mov    -0x20(%ebx),%eax
   0xb376c428 <+24>:	mov    0x30(%esp),%edi
   0xb376c42c <+28>:	mov    %gs:(%eax),%esi
   0xb376c42f <+31>:	mov    0x310(%esi),%eax
   0xb376c435 <+37>:	test   $0x1,%al
   0xb376c437 <+39>:	jne    0xb376c5e0 <_mesa_Clear+464>
   0xb376c43d <+45>:	test   $0x2,%al
   0xb376c43f <+47>:	jne    0xb376c5a0 <_mesa_Clear+400>
   0xb376c445 <+53>:	mov    %edi,%ebp
   0xb376c447 <+55>:	and    $0xffffb8ff,%ebp
   0xb376c44d <+61>:	jne    0xb376c5bc <_mesa_Clear+428>
   0xb376c453 <+67>:	mov    %edi,%eax
   0xb376c455 <+69>:	and    $0x200,%eax
   0xb376c45a <+74>:	mov    %eax,0x8(%esp)
   0xb376c45e <+78>:	je     0xb376c46f <_mesa_Clear+95>
   0xb376c460 <+80>:	mov    0x4(%esi),%eax
   0xb376c463 <+83>:	sub    $0x1,%eax
   0xb376c466 <+86>:	cmp    $0x2,%eax
   0xb376c469 <+89>:	jbe    0xb376c618 <_mesa_Clear+520>
   0xb376c46f <+95>:	mov    0xceb8(%esi),%ecx
   0xb376c475 <+101>:	test   %ecx,%ecx
   0xb376c477 <+103>:	jne    0xb376c600 <_mesa_Clear+496>
   0xb376c47d <+109>:	mov    0xd8(%esi),%eax
   0xb376c483 <+115>:	cmpw   $0x8cd5,0xfc(%eax)
   0xb376c48c <+124>:	jne    0xb376c580 <_mesa_Clear+368>
   0xb376c492 <+130>:	cmpb   $0x0,0xd159(%esi)
   0xb376c499 <+137>:	jne    0xb376c598 <_mesa_Clear+392>
   0xb376c49f <+143>:	cmpw   $0x1c00,0xceb4(%esi)
   0xb376c4a8 <+152>:	jne    0xb376c598 <_mesa_Clear+392>
   0xb376c4ae <+158>:	cmpb   $0x0,0x1add(%esi)
   0xb376c4b5 <+165>:	jne    0xb376c4c9 <_mesa_Clear+185>
   0xb376c4b7 <+167>:	mov    %edi,%edx
   0xb376c4b9 <+169>:	and    $0xfffffeff,%edi
   0xb376c4bf <+175>:	and    $0x200,%edx
   0xb376c4c5 <+181>:	mov    %edx,0x8(%esp)
   0xb376c4c9 <+185>:	mov    %edi,%ebx
   0xb376c4cb <+187>:	and    $0x4000,%ebx
   0xb376c4d1 <+193>:	je     0xb376c52b <_mesa_Clear+283>
   0xb376c4d3 <+195>:	mov    0x2e0(%eax),%ebx
   0xb376c4d9 <+201>:	test   %ebx,%ebx
   0xb376c4db <+203>:	je     0xb376c52b <_mesa_Clear+283>
   0xb376c4dd <+205>:	lea    0x154c(%esi),%ecx
   0xb376c4e3 <+211>:	xor    %ebx,%ebx
   0xb376c4e5 <+213>:	mov    %edi,0x30(%esp)
   0xb376c4e9 <+217>:	mov    %ecx,0xc(%esp)
   0xb376c4ed <+221>:	lea    0x0(%esi),%esi
   0xb376c4f0 <+224>:	mov    0x2e4(%eax,%ebp,4),%edi
   0xb376c4f7 <+231>:	cmp    $0xffffffff,%edi
   0xb376c4fa <+234>:	je     0xb376c51c <_mesa_Clear+268>
   0xb376c4fc <+236>:	mov    0xc(%esp),%edx
   0xb376c500 <+240>:	mov    %ebp,%ecx
   0xb376c502 <+242>:	call   0xb376c0f0 <color_buffer_writes_enabled>
   0xb376c507 <+247>:	test   %al,%al
   0xb376c509 <+249>:	je     0xb376c516 <_mesa_Clear+262>
   0xb376c50b <+251>:	mov    $0x1,%eax
   0xb376c510 <+256>:	mov    %edi,%ecx
   0xb376c512 <+258>:	shl    %cl,%eax
   0xb376c514 <+260>:	or     %eax,%ebx
   0xb376c516 <+262>:	mov    0xd8(%esi),%eax
   0xb376c51c <+268>:	add    $0x1,%ebp
   0xb376c51f <+271>:	cmp    0x2e0(%eax),%ebp
   0xb376c525 <+277>:	jb     0xb376c4f0 <_mesa_Clear+224>
   0xb376c527 <+279>:	mov    0x30(%esp),%edi
   0xb376c52b <+283>:	test   $0x100,%edi
   0xb376c531 <+289>:	je     0xb376c53f <_mesa_Clear+303>
   0xb376c533 <+291>:	mov    %ebx,%edx
   0xb376c535 <+293>:	or     $0x10,%edx
   0xb376c538 <+296>:	cmpb   $0x0,0x21(%eax)
   0xb376c53c <+300>:	cmovne %edx,%ebx
   0xb376c53f <+303>:	and    $0x400,%edi
   0xb376c545 <+309>:	je     0xb376c553 <_mesa_Clear+323>
   0xb376c547 <+311>:	mov    %ebx,%edx
   0xb376c549 <+313>:	or     $0x20,%edx
   0xb376c54c <+316>:	cmpb   $0x0,0x22(%eax)
   0xb376c550 <+320>:	cmovne %edx,%ebx
   0xb376c553 <+323>:	mov    0x8(%esp),%edx
   0xb376c557 <+327>:	test   %edx,%edx
   0xb376c559 <+329>:	je     0xb376c567 <_mesa_Clear+343>
   0xb376c55b <+331>:	mov    %ebx,%edx
   0xb376c55d <+333>:	or     $0x40,%edx
   0xb376c560 <+336>:	cmpb   $0x0,0x20(%eax)
   0xb376c564 <+340>:	cmovne %edx,%ebx
   0xb376c567 <+343>:	sub    $0x8,%esp
   0xb376c56a <+346>:	push   %ebx
   0xb376c56b <+347>:	push   %esi
   0xb376c56c <+348>:	call   *0xf8(%esi)
=> 0xb376c572 <+354>:	add    $0x10,%esp
   0xb376c575 <+357>:	jmp    0xb376c598 <_mesa_Clear+392>
   0xb376c577 <+359>:	mov    %esi,%esi
   0xb376c579 <+361>:	lea    0x0(%edi,%eiz,1),%edi
   0xb376c580 <+368>:	lea    -0x27e7c0(%ebx),%eax
   0xb376c586 <+374>:	sub    $0x4,%esp
   0xb376c589 <+377>:	push   %eax
   0xb376c58a <+378>:	push   $0x506
   0xb376c58f <+383>:	push   %esi
   0xb376c590 <+384>:	call   0xb37967a0 <_mesa_error>
   0xb376c595 <+389>:	add    $0x10,%esp
   0xb376c598 <+392>:	add    $0x1c,%esp
   0xb376c59b <+395>:	pop    %ebx
   0xb376c59c <+396>:	pop    %esi
   0xb376c59d <+397>:	pop    %edi
   0xb376c59e <+398>:	pop    %ebp
   0xb376c59f <+399>:	ret    
   0xb376c5a0 <+400>:	sub    $0x8,%esp
   0xb376c5a3 <+403>:	mov    %edi,%ebp
   0xb376c5a5 <+405>:	push   $0x2
   0xb376c5a7 <+407>:	push   %esi
   0xb376c5a8 <+408>:	call   0xb3900cd0 <vbo_exec_FlushVertices>
   0xb376c5ad <+413>:	add    $0x10,%esp
   0xb376c5b0 <+416>:	and    $0xffffb8ff,%ebp
   0xb376c5b6 <+422>:	je     0xb376c453 <_mesa_Clear+67>
   0xb376c5bc <+428>:	push   %edi
   0xb376c5bd <+429>:	lea    -0x27e858(%ebx),%eax
   0xb376c5c3 <+435>:	push   %eax
   0xb376c5c4 <+436>:	push   $0x501
   0xb376c5c9 <+441>:	push   %esi
   0xb376c5ca <+442>:	call   0xb37967a0 <_mesa_error>
   0xb376c5cf <+447>:	add    $0x10,%esp
   0xb376c5d2 <+450>:	add    $0x1c,%esp
   0xb376c5d5 <+453>:	pop    %ebx
   0xb376c5d6 <+454>:	pop    %esi
   0xb376c5d7 <+455>:	pop    %edi
   0xb376c5d8 <+456>:	pop    %ebp
   0xb376c5d9 <+457>:	ret    
   0xb376c5da <+458>:	lea    0x0(%esi),%esi
   0xb376c5e0 <+464>:	sub    $0x8,%esp
   0xb376c5e3 <+467>:	push   $0x1
   0xb376c5e5 <+469>:	push   %esi
   0xb376c5e6 <+470>:	call   0xb3900cd0 <vbo_exec_FlushVertices>
   0xb376c5eb <+475>:	mov    0x310(%esi),%eax
   0xb376c5f1 <+481>:	add    $0x10,%esp
   0xb376c5f4 <+484>:	jmp    0xb376c43d <_mesa_Clear+45>
   0xb376c5f9 <+489>:	lea    0x0(%esi,%eiz,1),%esi
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
eax            0x0	0
ecx            0x0	0
edx            0x2	2
ebx            0x10	16
esp            0xbfffd530	0xbfffd530
ebp            0x0	0x0
esi            0xbb87a0	12289952
edi            0x0	0
eip            0xb376c572	0xb376c572 <_mesa_Clear+354>
eflags         0x210246	[ PF ZF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb)
Comment 1 Paul Fertser 2018-06-05 21:28:34 UTC
Ok, recompiling this file with -O makes the issue a bit clearer:

0x09de52ae in validate_program (i915=0xd402bb0, batch_space=0xbe9c8308)
    at ../../../../../src/gallium/drivers/i915/i915_state_emit.c:431
431	   *batch_space = i915->fs->decl_len + i915->fs->program_len + additional_size;
(gdb) p i915->fs
$3 = (struct i915_fragment_shader *) 0x0
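The crash in comment 1 is a NULL i915->fs dereference while the program atom estimates its batch space. As an added illustration (not Mesa's code and not its eventual fix), here is that expression beside a guarded version that reports an unbound fragment shader explicitly; fs, decl_len, program_len, additional_size and batch_space are the names from the report, while the struct layouts, the sample lengths and the two scenario functions are assumptions for the model.

```c
#include <stddef.h>

/* Simplified model of the state this report touches (an added illustration,
 * not Mesa's code): the context holds a pointer to the bound fragment shader,
 * and the program atom's batch-space estimate is derived from its lengths. */
struct i915_fragment_shader {
    unsigned decl_len;      /* size of the declaration block */
    unsigned program_len;   /* size of the instruction block */
};
struct i915_context {
    struct i915_fragment_shader *fs;  /* NULL until a shader is bound */
};

/* The expression from comment 1 as written: with fs == NULL it reads
 * through address 0, which is the SIGSEGV in the backtrace. */
static unsigned validate_program_unguarded(const struct i915_context *i915,
                                           unsigned additional_size)
{
    return i915->fs->decl_len + i915->fs->program_len + additional_size;
}

/* Guarded form: "no fragment shader bound" becomes an explicit result
 * (returns 0 with batch_space 0) instead of a NULL dereference, so a
 * startup clear that reaches this atom before any shader is bound survives. */
static int validate_program(const struct i915_context *i915,
                            unsigned additional_size, unsigned *batch_space)
{
    if (i915->fs == NULL) {
        *batch_space = 0;
        return 0;
    }
    *batch_space = i915->fs->decl_len + i915->fs->program_len + additional_size;
    return 1;
}

/* Crashing scenario: first clear, nothing bound. Returns 1 when the guarded
 * path reports "nothing to emit" with batch_space 0 instead of faulting. */
int startup_clear_survives(void)
{
    struct i915_context ctx = { NULL };
    unsigned batch_space = 99;
    return validate_program(&ctx, 8, &batch_space) == 0 && batch_space == 0;
}

/* With a shader bound both forms agree; returns the guarded estimate. */
unsigned bound_shader_batch_space(void)
{
    struct i915_fragment_shader fs = { 4, 12 };  /* constructed sample lengths */
    struct i915_context ctx = { &fs };
    unsigned guarded;
    if (!validate_program(&ctx, 8, &guarded))
        return 0;
    return guarded == validate_program_unguarded(&ctx, 8) ? guarded : 0;
}
```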
Comment 2 Paul Fertser 2018-06-06 05:12:11 UTC
As an additional datapoint, DRI (non-Gallium) driver from the same tree works without problems.
Comment 3 GitLab Migration User 2019-09-18 19:41:15 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/787.
