Bug 32246

Summary: [RADEON:KMS:R600C] compiz 0.9 switcher segfaults in mipmap generation code
Product: Mesa Reporter: Christopher James Halse Rogers <chalserogers>
Component: Drivers/DRI/R600 Assignee: Default DRI bug account <dri-devel>
Status: RESOLVED WONTFIX QA Contact:
Severity: normal    
Priority: medium    
Version: git   
Hardware: Other   
OS: All   
Whiteboard:
Attachments: gdb session log of crash with backtrace.
0001-Check-for-null-pointer-in-mipmap-image-data.patch

Description Christopher James Halse Rogers 2010-12-08 21:01:51 UTC
Created attachment 40939 [details]
gdb session log of crash with backtrace.

Triggering the window switcher with mipmapping enabled in Compiz 0.9.2 results in a segfault in the mipmap generation code on r600c (but not r600g), apparently because the driver private data for the texture is not initialised.

Bottom of the backtrace inline, full backtrace attached:

Program received signal SIGSEGV, Segmentation fault.
0x00007f7b76eed81b in do_row (datatype=<value optimised out>, comps=<value optimised out>, srcWidth=<value optimised out>, srcRowA=0x0, srcRowB=0xe40, 
    dstWidth=<value optimised out>, dstRow=0x35ffe00) at main/mipmap.c:171
        in main/mipmap.c
(gdb) bt full
#0  0x00007f7b76eed81b in do_row (datatype=<value optimised out>, comps=<value optimised out>, srcWidth=<value optimised out>, srcRowA=0x0, 
    srcRowB=0xe40, dstWidth=<value optimised out>, dstRow=0x35ffe00) at main/mipmap.c:171
        i = <value optimised out>
        k = <value optimised out>
        rowB = 0xe40
        dst = 0x35ffe00
        j = <value optimised out>
        rowA = 0x0
        k0 = 1
        colStride = 2
#1  0x00007f7b76eeee9f in make_2d_mipmap (datatype=5121, comps=3, border=0, srcWidth=1214, srcHeight=1000, srcPtr=0x0, srcRowStride=1216, 
    dstWidth=607, dstHeight=500, dstPtr=0x35ffe00 "\340\271T\003", dstRowStride=607) at main/mipmap.c:1192
        bpt = 3
        srcWidthNB = 1214
        dstWidthNB = 607
        dstHeightNB = 500
        srcRowBytes = <value optimised out>
        dstRowBytes = 1821
        srcA = <value optimised out>
        srcB = <value optimised out>
        dst = <value optimised out>
        row = <value optimised out>
        srcRowStep = <value optimised out>
        __PRETTY_FUNCTION__ = "make_2d_mipmap"
#2  0x00007f7b76ef3e61 in _mesa_generate_mipmap (ctx=0x1585520, target=3553, texObj=0x1ed6300) at main/mipmap.c:1825
        srcImage = 0x1e186e0
        srcHeight = 1000
        srcDepth = 1
        dstWidth = 607
        dstHeight = 500
        border = 0
        dstImage = 0x3405cf0
        srcWidth = 1214
        dstDepth = 1
        srcImage = <value optimised out>
        convertFormat = MESA_FORMAT_RGB888
        srcData = 0x0
        dstData = 0x35ffe00 "\340\271T\003"
        level = 0
        maxLevels = 15
        datatype = 5121
        comps = 3
        __PRETTY_FUNCTION__ = "_mesa_generate_mipmap"
#3  0x00007f7b76eacc3d in radeon_generate_mipmap (ctx=0x1585520, target=<value optimised out>, texObj=0x1ed6300) at radeon_texture.c:256
        i = <value optimised out>
        nr_faces = 1
        face = <value optimised out>
#4  radeonGenerateMipmap (ctx=0x1585520, target=<value optimised out>, texObj=0x1ed6300) at radeon_texture.c:299
        rmesa = <value optimised out>
        bo = <value optimised out>
        face = <value optimised out>
        baseimage = 0x1e186e0
        __func__ = "radeonGenerateMipmap"
#5  0x00007f7b76ede567 in _mesa_GenerateMipmapEXT (target=3553) at main/fbobject.c:2177
        texObj = 0x1ed6300
        ctx = 0x1585520
#6  0x00007f7b77a52b88 in GLTexture::enable (this=0x1e1e250, filter=<value optimised out>)
    at /build/buildd/compiz-0.9.2.1+glibmainloop2/plugins/opengl/src/texture.cpp:232
        gs = 0x15659d0
...snip...
And

(gdb) up
#1  0x00007f7b76eeee9f in make_2d_mipmap (datatype=5121, comps=3, border=0, srcWidth=1214, srcHeight=1000, srcPtr=0x0, srcRowStride=1216, 
    dstWidth=607, dstHeight=500, dstPtr=0x35ffe00 "\340\271T\003", dstRowStride=607) at main/mipmap.c:1192
1192    in main/mipmap.c
(gdb) up
#2  0x00007f7b76ef3e61 in _mesa_generate_mipmap (ctx=0x1585520, target=3553, texObj=0x1ed6300) at main/mipmap.c:1825
1825    in main/mipmap.c
(gdb) print *texObj
$1 = {Mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, 
    __size = '\000' <repeats 39 times>, __align = 0}, RefCount = 3, Name = 75, Target = 3553, Priority = 1, BorderColor = {f = {0, 0, 0, 0}, ui = {0, 
      0, 0, 0}, i = {0, 0, 0, 0}}, WrapS = 33071, WrapT = 33071, WrapR = 10497, MinFilter = 9987, MagFilter = 9729, MinLod = -1000, MaxLod = 1000, 
  LodBias = 0, BaseLevel = 0, MaxLevel = 1000, MaxAnisotropy = 1, CompareMode = 0, CompareFunc = 515, CompareFailValue = 0, DepthMode = 6409, 
  _MaxLevel = 10, _MaxLambda = 10, CropRect = {0, 0, 0, 0}, Swizzle = {6403, 6404, 6405, 6406}, _Swizzle = 1672, GenerateMipmap = 0 '\000', 
  _Complete = 0 '\000', _RenderToTexture = 1 '\001', Purgeable = 0 '\000', Image = {{0x1e186e0, 0x3405cf0, 0x0 <repeats 13 times>}, {
      0x0 <repeats 15 times>}, {0x0 <repeats 15 times>}, {0x0 <repeats 15 times>}, {0x0 <repeats 15 times>}, {0x0 <repeats 15 times>}}, Palette = {
    InternalFormat = 0, _BaseFormat = 0, Size = 0, TableF = 0x0, TableUB = 0x0, RedSize = 0 '\000', GreenSize = 0 '\000', BlueSize = 0 '\000', 
    AlphaSize = 0 '\000', LuminanceSize = 0 '\000', IntensitySize = 0 '\000'}, DriverData = 0x0}
Comment 1 Alex Deucher 2010-12-08 21:17:38 UTC
Should be fixed in:
fd543e1f9506fe41e6e9e78aebbe0bca01df055c
Comment 2 Christopher James Halse Rogers 2010-12-09 12:25:50 UTC
This is not fixed in mesa up to commit 05e534e6, which includes fd543e1f.  The backtrace remains the same.
Comment 3 Ian Romanick 2010-12-09 13:42:17 UTC
This looks a lot like bug #32096.  Different driver, but the end of the backtrace (from _mesa_generate_mipmap to the segfault) is the same.
Comment 4 Bryce Harrington 2011-02-15 18:02:31 UTC
Created attachment 43410 [details]
0001-Check-for-null-pointer-in-mipmap-image-data.patch

It looks to me like this occurs when the calling application passes in a mipmap that has undefined image data (e.g. priv-target->Image[0][0]->Data == NULL in this case).

For the case where _mesa_is_format_compressed() is true, there is an ASSERT to catch that this is undefined, but there is no such check for the false case.

The attached patch adds such a check (a problem message rather than an assertion, though).  Possibly it should be using _mesa_error() or perhaps an assert; I'm not certain.
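Added example, not part of the comment above and not the attached patch or Mesa code: a standalone sketch of the kind of guard discussed in this bug, where a 2D box-filter mipmap step rejects a NULL source pointer (the `srcPtr=0x0` seen in the backtrace) instead of dereferencing it. The names `make_2d_level`, `box_row`, `demo` and the status codes are hypothetical, and strides here are in bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not Mesa's). */
enum mip_status { MIP_OK = 0, MIP_ERR_NO_DATA = -1, MIP_ERR_BAD_SIZE = -2 };

/* Average 2x2 texel blocks from two source rows into one destination row. */
static void box_row(const uint8_t *rowA, const uint8_t *rowB,
                    size_t dstWidth, size_t comps, uint8_t *dst)
{
    for (size_t x = 0; x < dstWidth; x++)
        for (size_t c = 0; c < comps; c++) {
            size_t s = 2 * x * comps + c;
            unsigned sum = rowA[s] + rowA[s + comps] + rowB[s] + rowB[s + comps];
            dst[x * comps + c] = (uint8_t)(sum / 4);
        }
}

/* Build the next mipmap level. Undefined image storage is reported to the
 * caller rather than read; strides are in bytes and checked against width. */
static int make_2d_level(const uint8_t *src, size_t srcW, size_t srcH,
                         size_t srcRowStride, size_t comps,
                         uint8_t *dst, size_t dstRowStride)
{
    if (src == NULL || dst == NULL)
        return MIP_ERR_NO_DATA;
    if (srcW < 2 || srcH < 2 || comps == 0 ||
        srcRowStride < srcW * comps || dstRowStride < (srcW / 2) * comps)
        return MIP_ERR_BAD_SIZE;

    for (size_t y = 0; y < srcH / 2; y++)
        box_row(src + (2 * y) * srcRowStride, src + (2 * y + 1) * srcRowStride,
                srcW / 2, comps, dst + y * dstRowStride);
    return MIP_OK;
}

/* Constructed sample: 4x2 RGB image, row 0 all 10, row 1 all 30. */
static int demo(int pass_null)
{
    uint8_t src[24], dst[6] = {0};
    memset(src, 10, 12);
    memset(src + 12, 30, 12);
    int rc = make_2d_level(pass_null ? NULL : src, 4, 2, 12, 3, dst, 6);
    return rc == MIP_OK ? dst[0] : rc;
}

int main(void) { printf("ok=%d null=%d\n", demo(0), demo(1)); return 0; }
```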
Comment 5 Andreas Boll 2012-11-02 16:30:14 UTC
Note: classic r600 driver has been abandoned.
Please use r600g (gallium driver) instead.

Is this still an issue with a newer driver/kernel?
Comment 6 Andreas Boll 2014-07-07 16:03:49 UTC
The classic r600 driver has been abandoned long ago.
It was replaced by the Gallium driver r600g.

If you have issues with r600g please file a new bug report with component Drivers/Gallium/r600

Thanks.
