Bug 56324

Summary: >=x11-drivers/xf86-video-intel-2.20.10 - segmentation fault in /usr/lib/xorg/modules/drivers/intel_drv.so while scrolling down long web pages
Product: xorg
Reporter: Ognian Tenchev <drJeckyll>
Component: Driver/intel
Assignee: Chris Wilson <chris>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:
Attachments: gdb X debug info (flags: none)

Description Ognian Tenchev 2012-10-23 14:24:47 UTC
Created attachment 68949 [details]
gdb X debug info

With xf86-video-intel-2.20.10 and xf86-video-intel-2.20.12 the X server crashes when scrolling a long page in Firefox, for example: http://uksbsguy.com/blogs/doverton/archive/2007/07/21/how-to-get-rid-of-the-installer-configuration-dialog-when-running-office-2007-and-office-2003-on-the-same-system-for-vista-and-other-versions-of-windows.aspx - before reaching half of it.

In X log:
[254798.351] kgem_bo_map__cpu: failed to mmap 227, -16547840 bytes, into CPU domain: 12
[254798.351] kgem_bo_map__cpu: failed to mmap 227, -16547840 bytes, into CPU domain: 12
[254798.351] (EE)
[254798.351] (EE) Backtrace:
[254798.352] (EE) 0: /usr/bin/X (xorg_backtrace+0x4d) [0x8199085]
[254798.352] (EE) 1: /usr/bin/X (0x8048000+0x154251) [0x819c251]
[254798.352] (EE) 2: linux-gate.so.1 (__kernel_rt_sigreturn+0x0) [0xffffe40c]
[254798.352] (EE) 3: /usr/lib/xorg/modules/drivers/intel_drv.so (0xa71ac000+0x2df3a) [0xa71d9f3a]
[254798.352] (EE) 4: /usr/lib/xorg/modules/drivers/intel_drv.so (0xa71ac000+0x338ea) [0xa71df8ea]
[254798.352] (EE) 5: /usr/lib/xorg/modules/drivers/intel_drv.so (0xa71ac000+0x62b11) [0xa720eb11]
[254798.352] (EE) 6: /usr/lib/xorg/modules/drivers/intel_drv.so (0xa71ac000+0x81c11) [0xa722dc11]
[254798.352] (EE) 7: /usr/lib/xorg/modules/drivers/intel_drv.so (0xa71ac000+0x86b85) [0xa7232b85]
[254798.352] (EE) 8: /usr/lib/xorg/modules/drivers/intel_drv.so (0xa71ac000+0x51f78) [0xa71fdf78]
[254798.352] (EE) 9: /usr/bin/X (0x8048000+0xec36b) [0x813436b]
[254798.352] (EE) 10: /usr/bin/X (CompositePicture+0x2ad) [0x812ae33]
[254798.352] (EE) 11: /usr/bin/X (0x8048000+0xe6a69) [0x812ea69]
[254798.352] (EE) 12: /usr/bin/X (0x8048000+0xe326a) [0x812b26a]
[254798.352] (EE) 13: /usr/bin/X (0x8048000+0x30d62) [0x8078d62]
[254798.352] (EE) 14: /usr/bin/X (0x8048000+0x21991) [0x8069991]
[254798.352] (EE) 15: /lib/libc.so.6 (__libc_start_main+0xf3) [0xa7438943]
[254798.352] (EE) 16: /usr/bin/X (0x8048000+0x21ba9) [0x8069ba9]
[254798.352] (EE)
[254798.352] (EE) Segmentation fault at address 0x94bd638
[254798.352]
Fatal server error:
[254798.352] Caught signal 11 (Segmentation fault). Server aborting
[254798.352]

In 2.20.9 Firefox gets some screen corruption but X does not crash. In the log:
[255444.604] kgem_bo_map__cpu: failed to mmap 201, -16547840 bytes, into CPU domain: 12
[255444.622] kgem_bo_map__cpu: failed to mmap 637, -16547840 bytes, into CPU domain: 12
[255444.640] kgem_bo_map__cpu: failed to mmap 638, -16547840 bytes, into CPU domain: 12
[255444.653] kgem_bo_map__cpu: failed to mmap 640, -16547840 bytes, into CPU domain: 12
[255444.677] kgem_bo_map__cpu: failed to mmap 646, -16547840 bytes, into CPU domain: 12
[255444.692] kgem_bo_map__cpu: failed to mmap 648, -16547840 bytes, into CPU domain: 12
[255444.708] kgem_bo_map__cpu: failed to mmap 649, -16547840 bytes, into CPU domain: 12
[255444.709] kgem_bo_map__cpu: failed to mmap 649, -16547840 bytes, into CPU domain: 12
[255444.728] kgem_bo_map__cpu: failed to mmap 651, -16547840 bytes, into CPU domain: 12
[255444.772] kgem_bo_map__cpu: failed to mmap 655, -16547840 bytes, into CPU domain: 12
[255444.783] kgem_bo_map__cpu: failed to mmap 662, -16547840 bytes, into CPU domain: 12
[255444.793] kgem_bo_map__cpu: failed to mmap 670, -16547840 bytes, into CPU domain: 12

Filed first here: https://bugs.gentoo.org/show_bug.cgi?id=439388
Comment 1 Chris Wilson 2012-10-23 14:56:16 UTC
Looks like you need a combination of old cairo and an old kernel to trigger this bug -- which is just a nasty int16_t overflow.

This should take care of the immediate crash, but there may be more:

commit d87c2756db1af6e4af15864ab0f44d1454079236
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Tue Oct 23 15:50:56 2012 +0100

    sna: Beware 16-bit overflow when computing sample areas
    
    Reported-by: Ognian Tenchev <drJeckyll@Jeckyll.net>
    References: https://bugs.freedesktop.org/show_bug.cgi?id=56324
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

Can you please retest with -intel.git? (I'll try to reproduce it locally, but that page is worksforme, even on pnv).
Comment 2 Ognian Tenchev 2012-10-23 15:16:11 UTC
(In reply to comment #1)
> Looks like you need a combination of old cairo and an old kernel to
> trigger this bug -- which is just a nasty int16_t overflow.
> 
> This should take care of the immediate crash, but there may be more:
> 
> commit d87c2756db1af6e4af15864ab0f44d1454079236
> Author: Chris Wilson <chris@chris-wilson.co.uk>
> Date:   Tue Oct 23 15:50:56 2012 +0100
> 
>     sna: Beware 16-bit overflow when computing sample areas
>     
>     Reported-by: Ognian Tenchev <drJeckyll@Jeckyll.net>
>     References: https://bugs.freedesktop.org/show_bug.cgi?id=56324
>     Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> 
> Can you please retest with -intel.git? (I'll try to reproduce it locally,
> but that page is worksforme, even on pnv).

Commit d87c2756db1af6e4af15864ab0f44d1454079236 seems to work. No errors in the log, no crash on scroll here: http://uksbsguy.com/blogs/doverton/archive/2007/07/21/how-to-get-rid-of-the-installer-configuration-dialog-when-running-office-2007-and-office-2003-on-the-same-system-for-vista-and-other-versions-of-windows.aspx, and also no screen corruption like in 2.20.9.

I will make some tests on other pages where I was getting, for example, a black background switching from white, and will report shortly.
Comment 3 Ognian Tenchev 2012-10-23 15:25:29 UTC
OK - no problems with other pages too. Everything seems to work now. Thanks.

btw, what do you mean by:

(In reply to comment #1)
> Looks like you need a combination of old cairo and an old kernel to
> trigger this bug -- which is just a nasty int16_t overflow.
> 

My cairo is x11-libs/cairo-1.12.2-r4, the kernel is 3.6.2-gentoo and Firefox is 16.0.1.
Comment 4 Chris Wilson 2012-10-23 15:27:25 UTC
Oh, 12 is ENOMEM, not E2BIG. I misinterpreted an error message, but that's an old cairo and an old kernel by my standards ;-)
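Added illustration (not sna or xf86-video-intel code) of the two failure modes named in this thread: the int16_t overflow in sample-area arithmetic from comment 1, and the mmap failure with errno 12 (ENOMEM) from the log and comment 4. The box struct, the function names, the 300x200 box and the 30000+5000 extent are constructed for the example; the -16547840 byte count is the value from the X log. The program shows 16-bit box arithmetic wrapping negative, the same computation widened and bounds-checked so a bad size never reaches the allocator, and what mmap does when a negative size is converted to size_t.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* Constructed stand-in for a 16-bit pixel box (X protocol coordinates are
 * INT16).  Not the driver's own types. */
struct box16 {
    int16_t x1, y1, x2, y2;
};

/* Naive: every intermediate is truncated back to int16_t.  A 300x200 box
 * has area 60000, which does not fit in int16_t and wraps to -5536. */
int16_t sample_area_naive(struct box16 b)
{
    int16_t w = (int16_t)(b.x2 - b.x1);
    int16_t h = (int16_t)(b.y2 - b.y1);
    return (int16_t)(w * h);
}

/* Naive extent: source offset plus length, again truncated to 16 bits.
 * 30000 + 5000 = 35000 wraps to -30536, i.e. an inverted sample box. */
int16_t sample_extent_naive(int16_t origin, int16_t len)
{
    return (int16_t)(origin + len);
}

/* Hardened: widen to 32/64 bits before any arithmetic, reject empty or
 * inverted boxes, and bound the result before it can become a size_t.
 * Returns the byte count, or -1 on rejection. */
long sample_bytes_checked(struct box16 b, int bpp_bytes, long max_bytes)
{
    int32_t w = (int32_t)b.x2 - (int32_t)b.x1;
    int32_t h = (int32_t)b.y2 - (int32_t)b.y1;
    if (w <= 0 || h <= 0 || bpp_bytes <= 0)
        return -1;
    int64_t bytes = (int64_t)w * (int64_t)h * (int64_t)bpp_bytes;
    if (bytes > (int64_t)max_bytes)
        return -1;
    return (long)bytes;
}

/* What the log line shows: a negative byte count handed to mmap.  The
 * conversion to size_t makes it enormous; the kernel refuses and errno is
 * set (ENOMEM, 12, on Linux).  Returns errno, or 0 if the map succeeded. */
int try_map_bytes(long bytes)
{
    void *p = mmap(NULL, (size_t)bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, (size_t)bytes);
    return 0;
}

int main(void)
{
    struct box16 b = { 0, 0, 300, 200 };   /* constructed sample box */
    printf("naive area   : %d\n", sample_area_naive(b));
    printf("naive extent : %d\n", sample_extent_naive(30000, 5000));
    printf("checked bytes: %ld\n", sample_bytes_checked(b, 4, 1L << 30));
    printf("mmap(%ld): errno %d\n", -16547840L, try_map_bytes(-16547840L));
    return 0;
}
```

The point of the checked variant is that the sign and magnitude are validated while still in integer arithmetic: once a negative count has been converted to size_t for mmap or malloc, the only thing left to notice is the allocator's failure, and the crash then comes from whatever dereferences the failed mapping.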
Comment 5 Chris Wilson 2012-10-26 10:50:32 UTC
After a few days, I presume the fix was successful and nothing too untoward has happened yet - keep those eyes peeled!

Thanks for the report, and please do file any issues you find.
