Bug 28630

Summary: [r300g] tiling / texture transfer crash in World of Warcraft
Product: Mesa
Reporter: Chris Rankin <rankincj>
Component: Drivers/DRI/r300
Assignee: Default DRI bug account <dri-devel>
Status: RESOLVED FIXED
QA Contact:
Severity: normal    
Priority: medium    
Version: git   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: Recent backtrace using mesa git with -gdwarf-2

Description Chris Rankin 2010-06-20 15:21:44 UTC
I've already tried to bisect this crash, but can't find the first "good" commit. I suspect that I was running Fedora 12 instead of Fedora 13 when it worked last time.

WoW now crashes shortly after logging in; here is the backtrace:
Backtrace:
=>0 0x00005d31 (0x0039f010)
  1 0x7dc1f44d radeon_drm_bufmgr_set_tiling+0xbc() in r300_dri.so (0x0039f010)
  2 0x7dc2e272 r300_flush_cb+0x21() in r300_dri.so (0x0039f040)
  3 0x7dc1f44d radeon_drm_bufmgr_set_tiling+0xbc() in r300_dri.so (0x0039f040)
  4 0x7d61f040 (0x0039f060)
  5 0x7dc37e39 r300_set_framebuffer_state+0x148() in r300_dri.so (0x0039f060)
  6 0x7dc1ebd2 radeon_r300_winsys_buffer_set_tiling+0x31() in r300_dri.so (0x0039f0c0)
  7 0x7dc37e39 r300_set_framebuffer_state+0x148() in r300_dri.so (0x0039f220)
  8 0x7ddacb32 util_blitter_copy_region+0x531() in r300_dri.so (0x0039f220)
  9 0x7d5acc38 (0x0039f290)
  10 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  11 0x0039f1a0 (0x0039f290)
  12 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  13 0x0039f204 (0x0039f290)
  14 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  15 0x00000001 (0x0039f290)
  16 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  17 0x00000000 (0x0039f290)
  18 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  19 0x00000002 (0x0039f290)
  20 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  21 0x0039f120 (0x0039f290)
  22 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  23 0x0039f160 (0x0039f290)
  24 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  25 0xc0086464 (0x0039f290)
  26 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  27 0xb74d31f9 (0x0039f290)
  28 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  29 0x7e8150f8 (0x0039f290)
  30 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  31 0x7e80da7e (0x0039f290)
  32 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  33 0x0000000d (0x0039f290)
  34 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  35 0xc0086464 (0x0039f290)
  36 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  37 0x0039f160 (0x0039f290)
  38 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  39 0x7de4a174 _DYNAMIC+0x72f() in r300_dri.so (0x0039f290)
  40 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  41 0x60000004 (0x0039f290)
  42 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  43 0x0039f270 (0x0039f290)
  44 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  45 0x7e80da5b (0x0039f290)
  46 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  47 0x7d2eb470 (0x0039f290)
  48 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  49 0x7d2c8e60 (0x0039f290)
  50 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  51 0x0039f160 (0x0039f290)
  52 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  53 0x00000002 (0x0039f290)
  54 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  55 0x7d20c308 (0x0039f290)
  56 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  57 0x0000000d (0x0039f290)
  58 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f220)
  59 0x7dc2bf01 r300_get_swizzle_combined+0x10() in r300_dri.so (0x0039f290)
  60 0x7dc409eb r300_resource_copy_region+0xea() in r300_dri.so (0x0039f2f0)
  61 0x7dc2d9e5 r300_texture_transfer_destroy+0xf4() in r300_dri.so (0x0039f2f0)
  62 0x7d5acc38 (0x0039f310)
  63 0x7dd29005 st_texture_image_unmap+0x34() in r300_dri.so (0x0039f310)
  64 0x7ddd1cdb u_transfer_destroy_vtbl+0x1a() in r300_dri.so (0x0039f330)
  65 0x7dd29005 st_texture_image_unmap+0x34() in r300_dri.so (0x0039f410)
  66 0x7dd66554 st_TexImage+0x3b3() in r300_dri.so (0x0039f460)
  67 0x7dd66b6e st_TexImage2D+0x7d() in r300_dri.so (0x0039f4e0)
  68 0x7dccba3a _mesa_TexImage2D+0x229() in r300_dri.so (0x0039f540)
  69 0x7ea6eebe wine_glTexImage2D+0xcd() in opengl32 (0x0039f5a8)
  70 0x0065e748 in wow (+0x25e747) (0x0039f600)
Comment 1 Pavel Ondračka 2010-06-21 00:03:25 UTC
I'm not a developer, but you may try recompiling mesa and wine with CFLAGS="-g -gdwarf-2", you will get a better backtrace.
Comment 2 Chris Rankin 2010-06-28 13:15:33 UTC
Created attachment 36584
Recent backtrace using mesa git with -gdwarf-2
Comment 3 Chris Rankin 2010-06-28 13:49:19 UTC
In src/gallium/drivers/r300/r300_context.c

static void r300_flush_cb(void *data)
{
    struct r300_context* const cs_context_copy = data;

    cs_context_copy->context.flush(&cs_context_copy->context, 0, NULL);
}

The crash happens when the context.flush function pointer does not contain a valid value.
Comment 4 Marek Olšák 2010-06-28 17:02:00 UTC
I believe the "data" pointer is not valid.

I have committed some fixes, can you please test latest mesa git?
Comment 5 Chris Rankin 2010-06-29 11:38:15 UTC
(In reply to comment #4)
> I have committed some fixes, can you please test latest mesa git?

Backtrace:
=>0 0x00000000 (0x0039e9d0)
  1 0x7dd5b61d radeon_drm_bufmgr_set_tiling+0xbc() in r300_dri.so (0x0039e9d0)
  2 0x7dd6c1f2 r300_flush_cb+0x21(data=0x7d0fcce8) [/home/chris/Programs/mesa/src/gallium/drivers/r300/r300_context.c:128] in r300_dri.so (0x0039ea00)
  3 0x7dd5b61d radeon_drm_bufmgr_set_tiling+0xbc() in r300_dri.so (0x0039ea00)
  4 0x7d0fcce8 (0x0039ea20)
  5 0x7dd7652e r300_set_framebuffer_state+0x16d(pipe=0x7bacf7f8, state=(nil)) [/home/chris/Programs/mesa/src/gallium/drivers/r300/r300_state.c:625] in r300_dri.so (0x0039ea20)
...

Nope, exactly the same crash as before.
Comment 6 Chris Rankin 2010-06-29 12:05:36 UTC
(In reply to comment #4)
> I believe the "data" pointer is not valid.

Or possibly the context.flush field has not been assigned? I am having curious success with this simple patch:

--- a/src/gallium/drivers/r300/r300_context.c
+++ b/src/gallium/drivers/r300/r300_context.c
@@ -125,7 +125,9 @@ static void r300_flush_cb(void *data)
 {
     struct r300_context* const cs_context_copy = data;
 
-    cs_context_copy->context.flush(&cs_context_copy->context, 0, NULL);
+    if (cs_context_copy->context.flush) {
+        cs_context_copy->context.flush(&cs_context_copy->context, 0, NULL);
+    }
 }
 
 #define R300_INIT_ATOM(atomname, atomsize) \
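
Review bot: the new `if (cs_context_copy->context.flush)` test in r300_flush_cb checks only the function pointer and still dereferences `cs_context_copy` unconditionally, so it helps only when `data` points at readable memory whose flush field reads as NULL, and in that case it silently drops the flush the caller asked for. If flush can legitimately be unset at this point, a comment should say when; otherwise the check hides the underlying problem, and the better change is to guarantee the callback is never invoked with a `data` pointer whose context is not fully set up or is no longer valid.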
Comment 7 Chris Rankin 2010-06-29 13:37:28 UTC
(In reply to comment #4)
> I believe the "data" pointer is not valid.

That data pointer looks like it *used* to belong to a r300_context object that has since been destroyed. Basically, r300_create_context() stores a reference to the newly-created r300_context object inside the radeon_libdrm_winsys struct:

    rws->set_flush_cb(r300->rws, r300_flush_cb, r300);

Warcraft then destroys the context again, but this reference inside the winsys lingers somehow. And then Azeroth explodes when radeon_drm_bufmgr_set_tiling() tries to flush the buffer data.
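
The lifetime problem described in comment 7, as an added example that is not part of the original thread and is neither Mesa's code nor the fix that was committed: a winsys-style object holds a flush callback plus a borrowed context pointer, and the destroy path clears that registration so a later tiling call cannot call through freed memory. All `toy_*` names are hypothetical stand-ins.

```c
#include <stdlib.h>

/* Toy stand-ins (hypothetical names), not Mesa's real structs. */
struct toy_winsys {
    void (*flush_cb)(void *data);   /* registered by a context */
    void *flush_data;               /* borrowed pointer to that context */
};

struct toy_context {
    struct toy_winsys *ws;
    void (*flush)(struct toy_context *ctx);
    int flushes;                    /* counts flush calls for the demo */
};

static void toy_flush(struct toy_context *ctx) { ctx->flushes++; }

static void toy_flush_cb(void *data)
{
    struct toy_context *ctx = data;
    ctx->flush(ctx);                /* only safe while ctx is alive */
}

struct toy_context *toy_context_create(struct toy_winsys *ws)
{
    struct toy_context *ctx = calloc(1, sizeof(*ctx));
    if (!ctx) return NULL;
    ctx->ws = ws;
    ctx->flush = toy_flush;
    ws->flush_cb = toy_flush_cb;    /* winsys now points into ctx */
    ws->flush_data = ctx;
    return ctx;
}

void toy_context_destroy(struct toy_context *ctx)
{
    /* Without this block the winsys keeps a dangling flush_data.
     * Clear only our own registration: a newer context may own it. */
    if (ctx->ws->flush_data == ctx) {
        ctx->ws->flush_cb = NULL;
        ctx->ws->flush_data = NULL;
    }
    free(ctx);
}

/* Returns 1 if a flush callback ran, 0 if none was registered. */
int toy_set_tiling(struct toy_winsys *ws)
{
    if (!ws->flush_cb) return 0;
    ws->flush_cb(ws->flush_data);
    return 1;
}
```
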
Comment 8 Marek Olšák 2010-06-29 14:14:20 UTC
I think you are right. That seems to be the only logical explanation. The fix is not trivial, I'll send you a patch when I have one.
Comment 9 Marek Olšák 2010-06-29 15:27:09 UTC
OK so I've committed some fixes because they don't break anything. Please let me know if they help.

PS: There is a new bug in the GLSL compiler in master. I hope you won't hit that.
Comment 10 Chris Rankin 2010-06-30 15:23:30 UTC
(In reply to comment #9)
> OK so I've committed some fixes because they don't break anything. Please let
> me know if they help.

Yes, that seems to have fixed it. Thanks.
