Bug 56395

Summary: [sna ivb GT2] malloc corruption
Product: xorg Reporter: Jiri Slaby <jirislaby>
Component: Driver/intelAssignee: Chris Wilson <chris>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium    
Version: git   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
xorg.log
none
valgrind run
none
valgrind run
none
Tightly clip the bottom-right of the trap
none
valgrind run with that patch none

Description Jiri Slaby 2012-10-25 14:13:54 UTC 
Created attachment 69071 [details]
xorg.log

Hey, this is a different machine (with gt2), so I'm creating a new bug instead of appending to bug 47597...

#3  0x00007f873883db56 in malloc_printerr (action=3, str=0x7f87389266b8 "malloc(): memory corruption", 
    ptr=<optimized out>) at malloc.c:5007
#4  0x00007f873883f5b8 in _int_malloc (av=av@entry=0x7f8738b64620 <main_arena>, bytes=bytes@entry=424)
    at malloc.c:3555
#5  0x00007f8738841c20 in __GI___libc_malloc (bytes=424) at malloc.c:2924
#6  0x0000000000453390 in AllocatePixmap (pScreen=pScreen@entry=0x13f64d0, pixDataSize=<optimized out>)
    at pixmap.c:117
#7  0x00007f8734b04a5f in create_pixmap (sna=sna@entry=0x7f873a684010, screen=screen@entry=0x13f64d0, 
    width=width@entry=3, height=height@entry=26, depth=depth@entry=24, usage_hint=usage_hint@entry=0)
    at sna_accel.c:710
#8  0x00007f8734b05e78 in sna_create_pixmap (screen=0x13f64d0, width=3, height=26, depth=24, usage=0)
    at sna_accel.c:1190
#9  0x000000000043422f in ProcCreatePixmap (client=0x213d010) at dispatch.c:1388
#10 0x0000000000438891 in Dispatch () at dispatch.c:428
#11 0x0000000000427965 in main (argc=9, argv=0x7fff4559fd28, envp=<optimized out>) at main.c:288
Comment 1 Chris Wilson 2012-10-26 08:33:34 UTC 
A malloc corruption... Nothing is going to show up unless it happens to trigger one of the out-of-bounds checks (and then not even that if it is one of the input drivers fouling up). valgrinding X is usable, but likely also to affect the bug if its turns out to be timing dependent. Not much I can do without some clue even as to where to begin hunting. :|
Comment 2 Jiri Slaby 2012-10-26 11:36:08 UTC 
Created attachment 69106 [details]
valgrind run

Actually it's not that hard. It's enough to start libreoffice with my presentation and press page down. Done now with valgrind -- it did not crash, many errors reported to the valgrind log. Attached.
Comment 3 Chris Wilson 2012-10-26 12:03:12 UTC 
That was with --enable-debug? Do you have the valgrind headers? Can you check that the configure is finding them?
Comment 4 Jiri Slaby 2012-10-26 12:11:57 UTC 
Created attachment 69108 [details]
valgrind run

(In reply to comment #3)
> That was with --enable-debug? Do you have the valgrind headers? Can you
> check that the configure is finding them?

Nope, valgrind-devel was not installed.
Comment 5 Chris Wilson 2012-10-26 12:35:08 UTC 
One last request, as I am looking at the code that appears to be clipping correctly to the extents, can you attach a debug=full log?
Comment 6 Chris Wilson 2012-10-26 12:37:32 UTC 
Bonus points if you can capture the stderr of both the debug=full X and valgrind. :)
Comment 7 Chris Wilson 2012-10-26 13:01:43 UTC 
Created attachment 69110 [details] [review]
Tightly clip the bottom-right of the trap

Spotted one potential quite-rare issue in the clipping. Mind testing the attached?
Comment 8 Jiri Slaby 2012-10-26 13:22:04 UTC 
Created attachment 69111 [details]
valgrind run with that patch

(In reply to comment #7)
> Created attachment 69110 [details] [review] [review]
> Tightly clip the bottom-right of the trap
> 
> Spotted one potential quite-rare issue in the clipping. Mind testing the
> attached?

Oh, this seems to fix the libreoffice bug. Valgrind of that run attached. Thanks.
Comment 9 Chris Wilson 2012-10-26 13:27:28 UTC 
commit 31eb704b2ad7c861ec4e61fb9de0e9592fc6d269
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Oct 26 13:57:30 2012 +0100

    sna: Ensure that the trap is clipped if it ends within the boundary pixel
    
    Reported-and-tested-by: Jiri Slaby <jirislaby@gmail.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=56395
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

Hmm, the conditional on uninitialised data may need fixing at some point, never sure with that bit-twiddling code. However, for the time being I declare victory! Onwards!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.