Bug 61724

Summary: segfault in brw_update_renderbuffer_surface on i965 from multiple apps
Product: Mesa
Reporter: Michael Gratton <mike>
Component: Drivers/DRI/i965
Assignee: Ian Romanick <idr>
Status: RESOLVED INVALID
QA Contact:
Severity: major
Priority: medium
CC: kenneth, ross
Version: 9.0
Hardware: All
OS: All
Whiteboard:
i915 platform:
i915 features:
Attachments: gazebo client stack trace; apitrace dump for glxgears

Description Michael Gratton 2013-03-03 05:03:54 UTC
Multiple apps are getting a segfault in brw_update_renderbuffer_surface, including VLC, Compiz and Gazebo (which uses OGRE).

Ubuntu bug is reported here with a number of stack traces:

https://bugs.launchpad.net/ubuntu/+source/mesa/+bug/947544

I'll attach a complete, more recent one in a moment, but the head looks like this:

#0  brw_update_renderbuffer_surface (brw=0x403eb30, rb=0x4510500, unit=0) at brw_wm_surface_state.c:1109
#1  0x00007fffdc0e9ab0 in brw_update_renderbuffer_surfaces (brw=0x403eb30) at brw_wm_surface_state.c:1205
#2  0x00007fffdc0d3b02 in brw_upload_state (brw=brw@entry=0x403eb30) at brw_state_upload.c:498
#3  0x00007fffdc0c11a7 in brw_try_draw_prims (max_index=4294967295, min_index=4294952344, ib=<optimised out>, 
    nr_prims=<optimised out>, prim=0x7fffffffc580, arrays=<optimised out>, ctx=0x403eb30) at brw_draw.c:493
#4  brw_draw_prims (ctx=0x403eb30, prim=0x7fffffffc580, nr_prims=<optimised out>, ib=<optimised out>, 
    index_bounds_valid=<optimised out>, min_index=4294967295, max_index=4294967295, tfb_vertcount=0x0) at brw_draw.c:589
#5  0x00007fffd73a43da in vbo_handle_primitive_restart (ctx=<optimised out>, prim=<optimised out>, nr_prims=<optimised out>, 
    ib=<optimised out>, index_bounds_valid=<optimised out>, min_index=<optimised out>, max_index=4294967295)
    at ../../../../../src/mesa/vbo/vbo_exec_array.c:570
#6  0x00007fffd73a53b4 in vbo_validated_drawrangeelements (ctx=ctx@entry=0x403eb30, mode=mode@entry=4, 
    index_bounds_valid=index_bounds_valid@entry=0 '\000', start=start@entry=4294967295, end=end@entry=4294967295, 
    count=count@entry=39690, type=type@entry=5123, indices=indices@entry=0x0, basevertex=basevertex@entry=0, 
    numInstances=numInstances@entry=1, baseInstance=baseInstance@entry=0) at ../../../../../src/mesa/vbo/vbo_exec_array.c:867
#7  0x00007fffd73a5724 in vbo_exec_DrawElements (mode=4, count=39690, type=5123, indices=0x0)
    at ../../../../../src/mesa/vbo/vbo_exec_array.c:997
#8  0x00007fffd4c05124 in Ogre::GLRenderSystem::_render(Ogre::RenderOperation const&) ()
   from /usr/lib/x86_64-linux-gnu/OGRE-1.7.4/RenderSystem_GL.so
Comment 1 Michael Gratton 2013-03-03 05:10:45 UTC
Created attachment 75816
gazebo client stack trace

Stack trace from Gazebo simulator client crash. Occurs every 2 or 2 program executions.

Ubuntu 13.04:
linux 3.5.0-25-generic
mesa 9.0-0ubuntu1
libdrm 2.4.39-0ubuntu1
Comment 2 Michael Gratton 2013-03-03 05:14:02 UTC
This is on Sandybridge, an i7-2620M/HD3000.
Comment 3 Eric Anholt 2013-05-02 05:29:51 UTC
Do you have an exact command line and set of things to do to reproduce the problem?  Perhaps an apitrace of a crashing application?
Comment 4 Michael Gratton 2013-05-02 07:23:22 UTC
It's easy to reproduce using Gazebo.

1. Install Gazebo: http://gazebosim.org/wiki/1.6/install
2. Run gzserver in one terminal
3. Run gzclient in another

Both processes use OpenGL, but only gzclient displays a gui. Starting gzserver will result in this error, but only occasionally. Starting gzclient will result in the error more frequently - perhaps once in every 5-10 invocations. Closing the gzclient window will also often produce the error.
Comment 5 Michael Gratton 2013-05-02 07:28:30 UTC
I can't attach the apitrace dumps to this bug because they are too big, so I have uploaded them to a web server:

gzclient-1.7.1 successful startup: http://vee.net/tmp/fdo-61724/gzclient-1.7.1.trace-nosegfault
gzclient-1.7.1 segfault startup: http://vee.net/tmp/fdo-61724/gzclient-1.7.1.trace-segfault
Comment 6 Eric Anholt 2013-06-06 07:18:00 UTC
Ran the segfault one in a loop both on ivb and gm45 for a while, with no segfaults.  Were you seeing segfaults in the apitrace replay?
Comment 7 Ross Schlaikjer 2013-06-15 22:26:53 UTC
Created attachment 80882
apitrace dump for glxgears

I am seeing what appears to be the same error. It is reproducible 100% of the time with glxgears.

I ran glxgears in apitrace (causing a segfault). Attached is the raw apitrace.

Is there any other data that I can provide that would be useful?

Hardware is an Intel i7-2860QM.

The segfault is visible in the apitrace replay.
$ apitrace replay glxgears.trace
apitrace: warning: caught signal 11
1357: error: caught an unhandled exception
apitrace: info: taking default action for signal 11

gdb output for glxgears:

Running synchronized to the vertical refresh. The framerate should be
approximately the same as the monitor refresh rate.

Program received signal SIGSEGV, Segmentation fault.
brw_update_renderbuffer_surface (brw=0x7ffff7fae040, rb=0x61aa30, unit=0)
    at brw_wm_surface_state.c:954
954	brw_wm_surface_state.c: No such file or directory.
(gdb) l
949	in brw_wm_surface_state.c
(gdb) bt
#0 brw_update_renderbuffer_surface (brw=0x7ffff7fae040, rb=0x61aa30, unit=0)
    at brw_wm_surface_state.c:954
#1 0x00007ffff388c220 in brw_update_renderbuffer_surfaces (brw=0x7ffff7fae040)
    at brw_wm_surface_state.c:1047
#2 0x00007ffff38765a0 in brw_upload_state (brw=brw@entry=0x7ffff7fae040)
    at brw_state_upload.c:503
#3 0x00007ffff3864047 in brw_try_draw_prims (max_index=<optimized out>,
    min_index=<optimized out>, ib=0x0, nr_prims=2, prim=0x7ef4a0,
    arrays=0x67a810, ctx=0x7ffff7fae040) at brw_draw.c:482
#4 brw_draw_prims (ctx=0x7ffff7fae040, arrays=0x67a810, prim=0x7ef4a0,
    nr_prims=2, ib=0x0, index_bounds_valid=<optimized out>, min_index=0,
    max_index=161, tfb_vertcount=0x0) at brw_draw.c:566
#5 0x00007ffff39916ac in vbo_save_playback_vertex_list (ctx=0x7ffff7fae040,
    data=0x7eed08) at vbo/vbo_save_draw.c:298
#6 0x00007ffff38e2fe2 in ext_opcode_execute (node=0x7eed00, ctx=0x7ffff7fae040)
    at main/dlist.c:602
#7 execute_list (ctx=0x7ffff7fae040, list=<optimized out>) at main/dlist.c:7505
#8 0x00007ffff38e6a22 in _mesa_CallList (list=1) at main/dlist.c:8922
#9 0x00000000004023bc in draw () at glxgears.c:263
#10 0x0000000000401bc9 in draw_gears () at glxgears.c:315
#11 draw_frame (win=52428802, dpy=0x605010) at glxgears.c:340
#12 event_loop (win=52428802, dpy=0x605010) at glxgears.c:696
#13 main (argc=1, argv=<optimized out>) at glxgears.c:776
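
Comments 6 and 7 turn on whether the crash reproduces under `apitrace replay`, and comment 4 describes it as intermittent. The shell function below is an added example, not part of the original thread: it runs a command repeatedly and counts the runs that end in SIGSEGV, detected either by exit status 139 or by the `caught signal 11` line apitrace prints. The name `count_segv` and the run count in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: measure how often a command dies with SIGSEGV.
#
# Usage (trace name taken from comment 7; 50 runs is an arbitrary choice):
#   count_segv 50 apitrace replay glxgears.trace
#
# Prints "<crashes>/<runs>" on stdout.
count_segv() {
    runs=$1
    shift
    crashes=0
    i=0
    while [ "$i" -lt "$runs" ]; do
        i=$((i + 1))
        # Capture stdout and stderr so the replay's own signal report
        # can be inspected; the &&/|| chain keeps this safe under `set -e`.
        out=$("$@" 2>&1) && status=0 || status=$?
        # 139 = 128 + 11: the process was terminated by SIGSEGV.
        # apitrace also logs "caught signal 11" before taking the
        # default action, so match that line as a second indicator.
        if [ "$status" -eq 139 ] ||
           printf '%s\n' "$out" | grep -q 'caught signal 11'; then
            crashes=$((crashes + 1))
        fi
    done
    printf '%s/%s\n' "$crashes" "$runs"
}
```

Running the same count against the Mesa build in question and a different build or GPU generation gives a direct comparison when one side reports no crashes.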
Comment 8 Annie 2017-02-10 22:38:24 UTC
Dear Reporter,

This Mesa bug has been in the "NEEDINFO" status for over 60 days. I am closing this bug based on lack of response but feel free to reopen if resolution is still needed. Please ensure you're supplying the correct information as requested.

Thank you.
