Bug 14966

Summary: [i915 mesa_7_0_branch] segment fault with BASE_LEVEL set to 5 for MipMap
Product: Mesa Reporter: Shuang He <shuang.he>
Component: Drivers/DRI/i915Assignee: haihao <haihao.xiang>
Status: VERIFIED FIXED QA Contact:
Severity: normal    
Priority: medium CC: brice.goglin, haihao.xiang, pabs3
Version: unspecified   
Hardware: Other   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Bug Depends on:    
Bug Blocks: 16029    
Attachments: test case

Description Shuang He 2008-03-12 00:18:28 UTC 
Created attachment 15057 [details]
test case

System Environment:
--------------------------

--Platform: i915

--Architecture(32-bit,64-bit,compatiblity): all

--2D driver: 2.2.1

--mesa: 7.0.3-rc2

--Xserver: 1.4

--Drm 2.3

--Kernel:
2.6.23.1


Bug detailed description:
-------------------------
this issue does not happen on i965.
run mesa/demos/shadowtex will abort with following backtrace:
(gdb) bt
#0  0x0000003a38c30ec5 in raise () from /lib64/libc.so.6
#1  0x0000003a38c32970 in abort () from /lib64/libc.so.6
#2  0x0000003a38c2a11f in __assert_fail () from /lib64/libc.so.6
#3  0x00002b8748f26248 in upload_wm_surfaces (brw=0x6161a0) at
brw_wm_surface_state.c:137
#4  0x00002b8748f0a4ca in brw_validate_state (brw=0x6161a0) at
brw_state_upload.c:258
#5  0x00002b8748efda87 in brw_draw_prims (ctx=<value optimized out>,
arrays=0x6535a0, prim=0x651d84, nr_prims=15, ib=0x0,
    min_index=0, max_index=449) at brw_draw.c:300
#6  0x00002b8748fa20ec in vbo_exec_vtx_flush (exec=0x651b40) at
vbo/vbo_exec_draw.c:215
#7  0x00002b8748f9d841 in vbo_exec_FlushVertices (ctx=<value optimized out>,
flags=23309) at vbo/vbo_exec_api.c:700
#8  0x00002b8748f5f6c1 in _mesa_PopMatrix () at main/matrix.c:274
#9  0x00002b8747d50e0f in glPopMatrix () at
../../../src/mesa/glapi/glapitemp.h:1570
#10 0x0000000000402d84 in DrawScene () at shadowtex.c:224
#11 0x000000000040363a in Display () at shadowtex.c:647
#12 0x00002b8747a50ea4 in processWindowWorkList (window=0x60b3e0) at
glut_event.c:1306
#13 0x00002b8747a519e2 in glutMainLoop () at glut_event.c:1353
#14 0x0000000000402689 in main (argc=1, argv=0x7fff63079758) at
shadowtex.c:1036




Reproduce steps:
----------------
1. start X
2. compile and run attached case


Current result:
----------------
segment fault
Comment 1 Brian Paul 2008-03-12 16:05:56 UTC 
You say the bug is in the i915 driver but the stack trace looks like it came from the i965 driver.
Comment 2 Paul Wise 2008-03-12 17:43:35 UTC 
With this card:

00:02.0 VGA compatible controller: Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)
00:02.1 Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03)

00:02.0 0300: 8086:27a2 (rev 03)
00:02.1 0380: 8086:27a6 (rev 03)

I get this backtrace from the test case with mesa 7.0.3 rc2 & drm 2.3.0:

(gdb) bt full
#0  intelUploadTexImages (intel=0x8058360, t=0x8071c20, face=0) at intel_tex.c:763
	firstImage = (const struct gl_texture_image *) 0x0
	__PRETTY_FUNCTION__ = "intelUploadTexImages"
#1  0xb78caf7e in enable_tex_2d (ctx=0x8058360, unit=0) at i915_texstate.c:800
	i915 = <value optimized out>
	tObj = (struct gl_texture_object *) 0x8057fb0
	t = (i915TextureObjectPtr) 0x8071c20
	ss3 = 32
#2  0xb78cb78a in i915UpdateTextureState (intel=0x8058360) at i915_texstate.c:892
	ctx = (GLcontext *) 0x5
	i = 0
#3  0xb78f0550 in intelRunPipeline (ctx=0x8058360) at intel_tris.c:753
No locals.
#4  0xb79825c1 in _tnl_draw_prims (ctx=0x8058360, arrays=0x808b3b0, prim=0x8089f0c, nr_prims=1, ib=0x0, min_index=0, max_index=3) at tnl/t_draw.c:402
	bo = {0xb7fc35bf, 0xbf824030, 0x80483cc, 0xbf824024, 0xb7fd57c4, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xbf824030, 0xbf824024, 0x0, 0xb7a65701, 0x0, 
  0xbf824070, 0xb7fd5668, 0x8048570, 0x8058360, 0x0, 0x0, 0x80896a8, 0xbf824038, 0xb7976d0e, 0x64, 0x4, 0xbf823ff8}
	nr_bo = 0
	tnl = (TNLcontext *) 0x809cf88
#5  0xb797b130 in vbo_exec_vtx_flush (exec=0x8089de8) at vbo/vbo_exec_draw.c:215
	ctx = (GLcontext *) 0x8058360
#6  0xb79776c8 in vbo_exec_FlushVertices (ctx=0x8058360, flags=1) at vbo/vbo_exec_api.c:700
	exec = (struct vbo_exec_context *) 0x8089de8
#7  0xb7902093 in _mesa_Flush () at main/context.c:1696
No locals.
#8  0x08048d98 in test () at foo.c:109
	i = 1072693248
	j = 2
	texName = 1
	maxLodBias = -2.89909949e-05
#9  0x08048dda in display () at foo.c:118
No locals.
#10 0xb7f16c46 in fghcbDisplayWindow (window=0x80505e8, enumerator=0xbf824228) at freeglut_main.c:212
No locals.
#11 0xb7f1a142 in fgEnumWindows (enumCallback=0xb7f16bb0 <fghcbDisplayWindow>, enumerator=0xbf824228) at freeglut_structure.c:388
	window = (SFG_Window *) 0x80505e8
#12 0xb7f17501 in glutMainLoopEvent () at freeglut_main.c:251
	composeStatus = {compose_ptr = 0xbf824308 "(C\202�V\216\004\b\232\215\004\bd", chars_matched = 0}
	asciiCode = "(B\202�\233k���\005\005\b`k��\000\000\000\000$+ҷ\000\000\000\000 �\004\b"
	keySym = 3086053211
	len = <value optimized out>
	keyboard_cb = (FGCBKeyboard) 0xbf824260
	special_cb = (FGCBSpecial) 0
	window = (SFG_Window *) 0x64
	event = {type = 22, xany = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714}, xkey = {type = 22, serial = 38, send_event = 1, 
    display = 0x804a020, window = 65011714, root = 65011714, subwindow = 101, time = 118, x = 100, y = 100, x_root = 0, y_root = 0, state = 0, keycode = 0, same_screen = 0}, 
  xbutton = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714, root = 65011714, subwindow = 101, time = 118, x = 100, y = 100, x_root = 0, 
    y_root = 0, state = 0, button = 0, same_screen = 0}, xmotion = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714, root = 65011714, 
    subwindow = 101, time = 118, x = 100, y = 100, x_root = 0, y_root = 0, state = 0, is_hint = 0 '\0', same_screen = 0}, xcrossing = {type = 22, serial = 38, send_event = 1, 
    display = 0x804a020, window = 65011714, root = 65011714, subwindow = 101, time = 118, x = 100, y = 100, x_root = 0, y_root = 0, mode = 0, detail = 0, same_screen = 0, 
    focus = 0, state = 0}, xfocus = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714, mode = 65011714, detail = 101}, xexpose = {type = 22, 
    serial = 38, send_event = 1, display = 0x804a020, window = 65011714, x = 65011714, y = 101, width = 118, height = 100, count = 100}, xgraphicsexpose = {type = 22, 
    serial = 38, send_event = 1, display = 0x804a020, drawable = 65011714, x = 65011714, y = 101, width = 118, height = 100, count = 100, major_code = 0, minor_code = 0}, 
  xnoexpose = {type = 22, serial = 38, send_event = 1, display = 0x804a020, drawable = 65011714, major_code = 65011714, minor_code = 101}, xvisibility = {type = 22, serial = 38, 
    send_event = 1, display = 0x804a020, window = 65011714, state = 65011714}, xcreatewindow = {type = 22, serial = 38, send_event = 1, display = 0x804a020, parent = 65011714, 
    window = 65011714, x = 101, y = 118, width = 100, height = 100, border_width = 0, override_redirect = 0}, xdestroywindow = {type = 22, serial = 38, send_event = 1, 
    display = 0x804a020, event = 65011714, window = 65011714}, xunmap = {type = 22, serial = 38, send_event = 1, display = 0x804a020, event = 65011714, window = 65011714, 
    from_configure = 101}, xmap = {type = 22, serial = 38, send_event = 1, display = 0x804a020, event = 65011714, window = 65011714, override_redirect = 101}, xmaprequest = {
    type = 22, serial = 38, send_event = 1, display = 0x804a020, parent = 65011714, window = 65011714}, xreparent = {type = 22, serial = 38, send_event = 1, display = 0x804a020, 
    event = 65011714, window = 65011714, parent = 101, x = 118, y = 100, override_redirect = 100}, xconfigure = {type = 22, serial = 38, send_event = 1, display = 0x804a020, 
    event = 65011714, window = 65011714, x = 101, y = 118, width = 100, height = 100, border_width = 0, above = 0, override_redirect = 0}, xgravity = {type = 22, serial = 38, 
    send_event = 1, display = 0x804a020, event = 65011714, window = 65011714, x = 101, y = 118}, xresizerequest = {type = 22, serial = 38, send_event = 1, display = 0x804a020, 
    window = 65011714, width = 65011714, height = 101}, xconfigurerequest = {type = 22, serial = 38, send_event = 1, display = 0x804a020, parent = 65011714, window = 65011714, 
    x = 101, y = 118, width = 100, height = 100, border_width = 0, above = 0, detail = 0, value_mask = 0}, xcirculate = {type = 22, serial = 38, send_event = 1, 
    display = 0x804a020, event = 65011714, window = 65011714, place = 101}, xcirculaterequest = {type = 22, serial = 38, send_event = 1, display = 0x804a020, parent = 65011714, 
    window = 65011714, place = 101}, xproperty = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714, atom = 65011714, time = 101, state = 118}, 
  xselectionclear = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714, selection = 65011714, time = 101}, xselectionrequest = {type = 22, 
    serial = 38, send_event = 1, display = 0x804a020, owner = 65011714, requestor = 65011714, selection = 101, target = 118, property = 100, time = 100}, xselection = {type = 22, 
    serial = 38, send_event = 1, display = 0x804a020, requestor = 65011714, selection = 65011714, target = 101, property = 118, time = 100}, xcolormap = {type = 22, serial = 38, 
    send_event = 1, display = 0x804a020, window = 65011714, colormap = 65011714, new = 101, state = 118}, xclient = {type = 22, serial = 38, send_event = 1, display = 0x804a020, 
    window = 65011714, message_type = 65011714, format = 101, data = {b = "v\000\000\000d\000\000\000d\000\000\000\000\000\000\000\000\000\000", s = {118, 0, 100, 0, 100, 0, 0, 
        0, 0, 0}, l = {118, 100, 100, 0, 0}}}, xmapping = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714, request = 65011714, 
    first_keycode = 101, count = 118}, xerror = {type = 22, display = 0x26, resourceid = 1, serial = 134520864, error_code = 2 '\002', request_code = 0 '\0', 
    minor_code = 224 '�'}, xkeymap = {type = 22, serial = 38, send_event = 1, display = 0x804a020, window = 65011714, 
    key_vector = "\002\000�\003e\000\000\000v\000\000\000d\000\000\000d", '\0' <repeats 14 times>}, pad = {22, 38, 1, 134520864, 65011714, 65011714, 101, 118, 100, 100, 
    0 <repeats 14 times>}}
#13 0xb7f178f6 in glutMainLoop () at freeglut_main.c:1046
	window = <value optimized out>
	action = <value optimized out>
#14 0x08048e56 in main (argc=1, argv=0xbf8243c4) at foo.c:131
No locals.
Comment 3 Shuang He 2008-03-12 19:09:31 UTC 
(In reply to comment #1)
> You say the bug is in the i915 driver but the stack trace looks like it came
> from the i965 driver.
> 

oh, seems I met a copy-paste failure, I pasted a wrong bt that is for another bug.
here's the real one:
(gdb) bt full
#0  intelUploadTexImages (intel=0x90a0b48, t=0x90ba408, face=0)
    at intel_tex.c:763
        numLevels = 8
        firstImage = (const struct gl_texture_image *) 0x0
        __PRETTY_FUNCTION__ = "intelUploadTexImages"
#1  0x004dfddf in enable_tex_2d (ctx=<value optimized out>, unit=0)
    at i915_texstate.c:800
        i915 = (i915ContextPtr) 0x90a0b48
        tObj = (struct gl_texture_object *) 0x90a0778
        t = (i915TextureObjectPtr) 0x90ba408
        ss3 = <value optimized out>
#2  0x004e02ea in i915UpdateTextureState (intel=0x90a0b48)
    at i915_texstate.c:892
        ctx = (GLcontext *) 0x90a0b48
        ok = <value optimized out>
        i = 0
#3  0x00500ae9 in intelRunPipeline (ctx=0x90a0b48) at intel_tris.c:753
        intel = (intelContextPtr) 0x90a0b48
#4  0x0058d21e in _tnl_draw_prims (ctx=0x90a0b48, arrays=0x90d3b70,
    prim=0x90d26cc, nr_prims=1, ib=0x0, min_index=0, max_index=3)
    at tnl/t_draw.c:402
        bo = {0x0, 0xb7fb60b0, 0x80484dc, 0x118438, 0x8048338, 0x1, 0x7f2fc0,
  0x7f3810, 0xbf985768, 0xbf985784, 0x7e0b60, 0x8048338, 0xbf985768, 0x7f37b4,
---Type <return> to continue, or q <return> to quit---
  0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xbf985774, 0x0,
  0xc8, 0xc8, 0x5816e6, 0x909b560, 0x90a17bc, 0x90a17c0}
        nr_bo = 0
        tnl = (TNLcontext *) 0x90e5748
#5  0x00585d55 in vbo_exec_vtx_flush (exec=0x90d25a8)
    at vbo/vbo_exec_draw.c:215
        ctx = (GLcontext *) 0x90a0b48
#6  0x005821cf in vbo_exec_FlushVertices (ctx=0x90a0b48, flags=1)
    at vbo/vbo_exec_api.c:700
        exec = (struct vbo_exec_context *) 0x90d25a8
#7  0x0050e666 in _mesa_Flush () at main/context.c:1696
        ctx = (GLcontext *) 0x50
#8  0x0015687c in glFlush () at ../../../src/mesa/glapi/glapitemp.h:1170
No locals.
#9  0x08048d38 in test () at fdo_14966.c:109
        i = 1072693248
        j = 2
        texName = 1
        maxLodBias = 2.47356644e-39
#10 0x08048d7a in display () at fdo_14966.c:118
No locals.
#11 0x001881ff in processWindowWorkList (window=0x9098ce0) at glut_event.c:1306
        workMask = 2052
Comment 4 Michael Fu 2008-03-25 01:29:02 UTC 
(In reply to comment #1)
> You say the bug is in the i915 driver but the stack trace looks like it came
> from the i965 driver.
> 

Brian, log is updated. any response?
Comment 5 Colin.Joe 2008-05-21 20:13:14 UTC 
this case can run fine on 915 (with mesa 7_0_branch)
Comment 6 Gordon Jin 2008-05-22 05:26:18 UTC 
so marking it as fixed.
Comment 7 WuNian 2008-06-02 19:14:09 UTC 
Reopen this bug because the bug occurs against mesa_7_0_branch.

The backtrace info is the same with comments #3.
Comment 8 haihao 2008-06-10 20:33:00 UTC 
fixed on mesa_7_0_branch with commit c04f3933abd5dbacf8ac1c7f35ded0384b19da48

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.