Bug 34336

Summary: r300g: segfault in r300_draw_arrays_immediate
Product: Mesa
Reporter: Wiktor Janas <wixorpeek>
Component: Drivers/Gallium/r300
Assignee: Default DRI bug account <dri-devel>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: normal
Priority: medium
CC: maraeo
Version: git
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Wiktor Janas 2011-02-16 05:38:36 UTC
A bug was introduced between 5a01361ceaf29 and dc578188fae099 causing a reproducible segmentation fault with the latest svn Blender (the code exercises the fixed-function pipeline and draws a handful of primitives with begin-end).

Core was generated by `./blender'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f5b484c2785 in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x00007f5b484c2785 in memcpy () from /lib/libc.so.6
#1  0x00007f5b40def53f in r300_draw_arrays_immediate (r300=<value optimized out>, mode=<value optimized out>, start=<value optimized out>, 
    count=<value optimized out>) at r300_render.c:430
#2  0x00007f5b40df15c6 in r300_draw_vbo (pipe=0x256a5e0, info=0x7ffff8ef3d70) at r300_render.c:803
#3  0x00007f5b40ead410 in st_draw_vbo (ctx=<value optimized out>, arrays=<value optimized out>, prims=<value optimized out>, nr_prims=8, ib=0x0, 
    index_bounds_valid=<value optimized out>, min_index=0, max_index=14) at state_tracker/st_draw.c:715
#4  0x00007f5b40eaa702 in vbo_exec_vtx_flush (exec=0x2620b00, unmap=1 '\001') at vbo/vbo_exec_draw.c:383
#5  0x00007f5b40ea7afc in vbo_exec_FlushVertices_internal (ctx=<value optimized out>, unmap=28 '\034') at vbo/vbo_exec_api.c:912
#6  0x00007f5b40ea7b4a in vbo_exec_FlushVertices (ctx=0x2577b28, flags=1) at vbo/vbo_exec_api.c:946
#7  0x00007f5b40e5315e in _mesa_MultMatrixf (m=0x260cb94) at main/matrix.c:383
#8  0x00000000006a72f9 in ED_view3d_init_mats_rv3d (ob=<value optimized out>, rv3d=0x25f4728) at source/blender/editors/space_view3d/space_view3d.c:174
#9  0x00000000006c1d4d in draw_object (scene=<value optimized out>, ar=<value optimized out>, v3d=<value optimized out>, base=<value optimized out>, 
    flag=<value optimized out>) at source/blender/editors/space_view3d/drawobject.c:5743
#10 0x000000000069f3f6 in view3d_main_area_draw (C=<value optimized out>, ar=0x25f45b8) at source/blender/editors/space_view3d/view3d_draw.c:2428
#11 0x0000000000842865 in ED_region_do_draw (C=0x21c1b28, ar=0x25f45b8) at source/blender/editors/screen/area.c:340
#12 0x000000000066e59e in wm_method_draw_overlap_all (C=0x21c1b28, win=0x25dd0d8, exchange=0) at source/blender/windowmanager/intern/wm_draw.c:244
#13 0x000000000066ede5 in wm_draw_triple_fail (C=0x21c1b28) at source/blender/windowmanager/intern/wm_draw.c:418
#14 wm_method_draw_triple (C=0x21c1b28) at source/blender/windowmanager/intern/wm_draw.c:578
#15 wm_draw_update (C=0x21c1b28) at source/blender/windowmanager/intern/wm_draw.c:769
#16 0x0000000000674008 in WM_main (C=0x21c1b28) at source/blender/windowmanager/intern/wm.c:348
#17 0x00000000006611ea in main (argc=1, argv=0x7ffff8ef4628) at source/creator/creator.c:1266
Comment 1 Marek Olšák 2011-02-16 13:51:46 UTC
I can't reproduce it with Blender 2.49. Could you possibly bisect?
Comment 2 Wiktor Janas 2011-02-17 05:17:12 UTC
(In reply to comment #1)
> I can't reproduce it with Blender 2.49. Could you possibly bisect?

Well, the drawing code has changed much between 2.49 and 2.5x, you may want to get the beta release from blender.org. The exact steps to reproduce are: start blender and maximize (not fullscreen) the window. In the top-left corner there is a combo box with a circled 'i' letter; open it and move the mouse quickly around the menu for some time. It crashes after a second or so.
I have also spotted this on kwin cube-desktop-switch effect, crashes every time after painting some dozen frames.

The exact commit introducing the bug is 45e1cd522bd ("interaction between UNSYNCHRONIZED and DONTBLOCK"). I have introduced a debug statement into radeon_bo_map_internal and this is what I found (the first column is the timestamp in nanoseconds, the parentheses contain bo->size, bo->name, bo->handle):

170745153: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170749993: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170754953: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170759793: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170764473: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170790113: bo = 0x2c4a310 (65536, 13, 0), flags = 00000600, cs = 0x2b8fe40
170809233: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170814913: bo = 0x2c4a310 (65536, 13, 0), flags = 00000600, cs = 0x2b8fe40
170827513: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170833233: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170838153: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172139113: bo = 0x441d610 (128, 3, 0), flags = 00000400, cs = 0x2b8fe40
172182793: bo = 0x441d610 (128, 3, 0), flags = 00000400, cs = 0x2b8fe40
172204593: bo = 0x2c4a310 (65536, 13, 0), flags = 00000600, cs = 0x2b8fe40
172250793: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172256993: bo = 0x2c4a310 (65536, 13, 0), flags = 00000600, cs = 0x2b8fe40
172276473: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172282353: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172287313: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172292113: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172296993: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172301793: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172306473: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172311353: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172316193: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172320913: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172325833: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172330673: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172335433: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172340353: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172345033: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172349873: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172354713: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172359553: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172364393: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172369193: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172373873: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172378713: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172383553: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172388233: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172392993: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172397833: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172425513: bo = 0x44ef860 (65536, 14, 0), flags = 00000600, cs = 0x2b8fe40
172485593: bo = 0x44ef860 (65536, 14, 0), flags = 00000400, cs = 0x2b8fe40
*boom*

Hope it means something.
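The trace above is easier to read with a small triage script than by eye. The following is an added example, not code from the bug report or from Mesa: it parses the reporter's debug lines, summarises the map calls per buffer object, lists the buffer objects that were mapped both with and without the DONTBLOCK bit, and reports the last map call before the "*boom*". The bit positions used to decode the flags (DONTBLOCK = 1<<9, UNSYNCHRONIZED = 1<<10, the Gallium PB_USAGE_/PIPE_TRANSFER_ layout of that era) are an assumption of this example; the report itself only shows the raw hex values 0x400 and 0x600.

```python
import re
from collections import defaultdict

# Trace lines copied from comment 2 of the report (a subset, keeping the
# flag transitions and the final entries before the crash).
TRACE = """\
170745153: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
170790113: bo = 0x2c4a310 (65536, 13, 0), flags = 00000600, cs = 0x2b8fe40
170809233: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172139113: bo = 0x441d610 (128, 3, 0), flags = 00000400, cs = 0x2b8fe40
172182793: bo = 0x441d610 (128, 3, 0), flags = 00000400, cs = 0x2b8fe40
172204593: bo = 0x2c4a310 (65536, 13, 0), flags = 00000600, cs = 0x2b8fe40
172250793: bo = 0x2c4a310 (65536, 13, 0), flags = 00000400, cs = 0x2b8fe40
172425513: bo = 0x44ef860 (65536, 14, 0), flags = 00000600, cs = 0x2b8fe40
172485593: bo = 0x44ef860 (65536, 14, 0), flags = 00000400, cs = 0x2b8fe40
*boom*
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+): bo = (?P<bo>0x[0-9a-f]+) "
    r"\((?P<size>\d+), (?P<name>\d+), (?P<handle>\d+)\), "
    r"flags = (?P<flags>[0-9a-f]+), cs = (?P<cs>0x[0-9a-f]+)$"
)

# Assumed bit layout for decoding the flags column (an assumption of this
# example; the report only prints the raw hex values).
FLAG_DONTBLOCK = 1 << 9
FLAG_UNSYNCHRONIZED = 1 << 10


def parse_trace(text):
    """Return (events, crashed): parsed map calls and whether '*boom*' ended the trace."""
    events = []
    crashed = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*boom*":
            crashed = True
            break
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised trace line: %r" % line)
        events.append({
            "ts": int(m["ts"]),
            "bo": m["bo"],
            "size": int(m["size"]),
            "name": int(m["name"]),
            "handle": int(m["handle"]),
            "flags": int(m["flags"], 16),
            "cs": m["cs"],
        })
    return events, crashed


def describe_flags(flags):
    """Render a flags word as names, leaving unknown bits as hex."""
    names = []
    if flags & FLAG_DONTBLOCK:
        names.append("DONTBLOCK")
    if flags & FLAG_UNSYNCHRONIZED:
        names.append("UNSYNCHRONIZED")
    rest = flags & ~(FLAG_DONTBLOCK | FLAG_UNSYNCHRONIZED)
    if rest:
        names.append("0x%x" % rest)
    return "|".join(names) or "0"


def summarize(events):
    """Per-bo summary: number of map calls, distinct flag words, first/last timestamp."""
    per_bo = defaultdict(lambda: {"calls": 0, "flags": set(), "first": None, "last": None})
    for e in events:
        s = per_bo[e["bo"]]
        s["calls"] += 1
        s["flags"].add(e["flags"])
        if s["first"] is None:
            s["first"] = e["ts"]
        s["last"] = e["ts"]
    return dict(per_bo)


def mixed_mode_bos(events):
    """Buffer objects mapped both with and without DONTBLOCK, i.e. the
    blocking/non-blocking interaction the bisected commit's title refers to."""
    seen = defaultdict(set)
    for e in events:
        seen[e["bo"]].add(bool(e["flags"] & FLAG_DONTBLOCK))
    return sorted(bo for bo, modes in seen.items() if modes == {True, False})


def last_before_crash(events, crashed):
    """The final map call if the trace ended in a crash, else None."""
    return events[-1] if crashed and events else None


if __name__ == "__main__":
    ev, boom = parse_trace(TRACE)
    for bo, s in summarize(ev).items():
        print(bo, s["calls"], "calls,", sorted(describe_flags(f) for f in s["flags"]))
    print("bos mapped both blocking and DONTBLOCK:", mixed_mode_bos(ev))
    last = last_before_crash(ev, boom)
    if last:
        print("last map before crash:", last["bo"], describe_flags(last["flags"]))
```

On the trace in the report this shows that every buffer object that alternated between the two flag words (0x2c4a310 and 0x44ef860) is one of the mixed-mode ones, and that the crash followed a plain 0x400 map of 0x44ef860 immediately after a 0x600 map of the same bo.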
Comment 3 Wiktor Janas 2011-02-18 05:35:08 UTC
I have reverted 45e1cd522bd on top of latest git and blender seems to work again, however still kwin crashes:

Application: KWin (kwin), signal: Segmentation fault
[KCrash Handler]
#6  0x00007feb74754796 in memcpy () from /lib/libc.so.6
#7  0x00007feb5c69fc8e in r300_draw_arrays_immediate (r300=<value optimized out>, mode=<value optimized out>, start=<value optimized out>, count=<value optimized out>) at r300_render.c:430
#8  0x00007feb5c6a1956 in r300_draw_vbo (pipe=0x154f700, info=0x7fffb083b240) at r300_render.c:803
#9  0x00007feb5c75de50 in st_draw_vbo (ctx=<value optimized out>, arrays=<value optimized out>, prims=<value optimized out>, nr_prims=1, ib=0x0, index_bounds_valid=<value optimized out>, min_index=0, max_index=3) at state_tracker/st_draw.c:715
#10 0x00007feb5c7f867d in vbo_save_playback_vertex_list (ctx=0x1598170, data=<value optimized out>) at vbo/vbo_save_draw.c:289
#11 0x00007feb5c6e0272 in ext_opcode_execute (ctx=0x1598170, list=<value optimized out>) at main/dlist.c:552
#12 execute_list (ctx=0x1598170, list=<value optimized out>) at main/dlist.c:7123
#13 0x00007feb5c6e3082 in _mesa_CallList (list=2) at main/dlist.c:8440
#14 0x00007feb5bd290c6 in ?? () from /usr/lib/kde4/kwin4_effect_builtins.so
#15 0x00007feb74b07e9e in ?? () from /usr/lib/kde4/libkdeinit/libkdeinit4_kwin.so
[...cut...]
#42 0x00007feb74a8a48a in kdemain () from /usr/lib/kde4/libkdeinit/libkdeinit4_kwin.so
#43 0x00007feb746f3c4d in __libc_start_main () from /lib/libc.so.6
#44 0x00000000004006a9 in _start ()
Comment 4 Marek Olšák 2011-02-19 01:39:16 UTC
I can't reproduce it with either Blender 2.5x or kwin.
Comment 5 Marek Olšák 2011-02-19 01:41:00 UTC
Please try the latest Mesa master branch. Alternatively, you may try setting either of these environment variables and see if it helps:

RADEON_THREAD=0
RADEON_DEBUG=noimmd
Comment 6 Marek Olšák 2011-02-20 09:59:56 UTC
Please follow bug 34418 instead.

*** This bug has been marked as a duplicate of bug 34418 ***
