Bug 28080

Summary: "glresize" causes X server segfault with indirect rendering.
Product: xorg
Component: Driver/intel
Version: 7.5 (2009.10)
Hardware: Other
OS: All
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Reporter: Nick Bowler <nbowler>
Assignee: Carl Worth <cworth>
QA Contact: Xorg Project Team <xorg-team>
CC: brian, chris
Whiteboard:
i915 platform:
i915 features:
Attachments: Xorg.0.log including backtrace. (flags: none)

Description Nick Bowler 2010-05-12 20:28:56 UTC
Created attachment 35604
Xorg.0.log including backtrace.

This was originally described in bug 27922 and occurs when running the
"glresize" test program there, which creates an OpenGL window and then rapidly
resizes it, switching back and forth between filling the entire screen and its
original size.

Running "glresize" with LIBGL_ALWAYS_INDIRECT=1 causes the server to immediately segfault.  This occurs with (at least) servers 1.8.0 and git master.  I'm using mesa 7.8.1.

The system is a ThinkPad T500 with a GM45, running git xf86-video-intel but it also occurs with 2.11.0.

Comment 1 Chris Wilson 2010-05-13 16:09:35 UTC
Note to self:

==1267== Invalid read of size 4
==1267==    at 0x4942A9D: I830DRI2CopyRegion (i830_dri.c:280)
==1267==    by 0x4943989: I830DRI2FrameEventHandler (i830_dri.c:551)
==1267==    by 0x493F021: drmmode_vblank_handler (drmmode_display.c:1400)
==1267==    by 0x4903FAB: drmHandleEvent (xf86drmMode.c:776)
==1267==    by 0x493EF5E: drm_wakeup_handler (drmmode_display.c:1425)
==1267==    by 0x8074EF1: WakeupHandler (dixutils.c:421)
==1267==    by 0x80B9699: WaitForSomething (WaitFor.c:232)
==1267==    by 0x80853FF: Dispatch (dispatch.c:375)
==1267==    by 0x8066734: main (main.c:283)
==1267==  Address 0x5c85af0 is 24 bytes inside a block of size 28 free'd
==1267==    at 0x4024866: free (vg_replace_malloc.c:325)
==1267==    by 0x80B03F0: Xfree (utils.c:1137)
==1267==    by 0x49429D4: I830DRI2DestroyBuffer (i830_dri.c:270)
==1267==    by 0x4908B86: do_get_buffers (dri2.c:407)
==1267==    by 0x48DCFD4: dri2GetBuffersWithFormat (glxdri2.c:529)
==1267==    by 0x4DB0BB9: intel_update_renderbuffers (intel_context.c:279)
==1267==    by 0x4DB1191: intel_prepare_render (intel_context.c:421)
==1267==    by 0x4DB127E: intelMakeCurrent (intel_context.c:902)
==1267==    by 0x4D8D190: driBindContext (dri_util.c:195)
==1267==    by 0x48DCDBB: __glXDRIcontextMakeCurrent (glxdri2.c:262)
==1267==    by 0x48CFCA4: DoMakeCurrent (glxcmds.c:645)
==1267==    by 0x48D0094: __glXDisp_MakeCurrent (glxcmds.c:684)

Comment 2 Chris Wilson 2010-05-14 02:39:03 UTC
commit 0d2392d44aae95d6b571d98f7ec323cf672a687f
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri May 14 10:32:12 2010 +0100

    dri: Hold reference to buffers across swap
    
    As we schedule swaps for some time in the future and may process a
    detachment prior to receiving the vblank notification from the kernel,
    we need to hold a reference to the buffers for our swap event handler.
    
    Fixes:
      Bug 28080 - "glresize" causes X server segfault with indirect rendering.
      https://bugs.freedesktop.org/show_bug.cgi?id=28080
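
The pattern the commit message describes, as an added example that is not the driver's code: a deferred swap handler takes its own reference on each buffer, so a destroy that arrives before the vblank event cannot free memory the handler will still read. All struct and function names are hypothetical stand-ins, and the event sequence is constructed.

```c
#include <stdlib.h>

/* Hypothetical stand-ins, not the xf86-video-intel structures. */
struct buffer { int refcnt, attachment; };
struct swap_event { struct buffer *front, *back; };
static int live_buffers; /* buffers allocated and not yet freed */

static struct buffer *buffer_create(int attachment)
{
    struct buffer *b = calloc(1, sizeof *b);
    if (!b) abort();
    b->refcnt = 1; /* reference owned by the drawable */
    b->attachment = attachment;
    live_buffers++;
    return b;
}

static struct buffer *buffer_ref(struct buffer *b) { b->refcnt++; return b; }
static void buffer_unref(struct buffer *b)
{
    if (--b->refcnt == 0) { free(b); live_buffers--; }
}

/* Scheduling a swap takes its own references for the deferred handler. */
static struct swap_event *swap_schedule(struct buffer *front, struct buffer *back)
{
    struct swap_event *ev = malloc(sizeof *ev);
    if (!ev) abort();
    ev->front = buffer_ref(front);
    ev->back = buffer_ref(back);
    return ev;
}

/* Deferred vblank handler: reads both buffers, then drops its references. */
static int swap_complete(struct swap_event *ev)
{
    int seen = ev->front->attachment * 10 + ev->back->attachment;
    buffer_unref(ev->front); buffer_unref(ev->back);
    free(ev);
    return seen;
}

/* Constructed sequence: the detach arrives before the vblank event. */
int detach_before_vblank(void)
{
    struct buffer *front = buffer_create(1), *back = buffer_create(2);
    struct swap_event *ev = swap_schedule(front, back);
    buffer_unref(front); buffer_unref(back); /* drawable drops its buffers */
    if (live_buffers != 2) return -1; /* pending swap must keep them alive */
    return swap_complete(ev); /* 12: both buffers were still valid to read */
}

int main(void) { return detach_before_vblank() == 12 ? 0 : 1; }
```

Without the two `buffer_ref` calls in `swap_schedule`, the drawable's `buffer_unref` would free both buffers and `swap_complete` would read freed memory, which is the access pattern in the Valgrind trace in Comment 1.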
