Summary: | [glamor] segfault in miTrapezoidBounds()
---|---
Product: | xorg
Component: | Server/Acceleration/glamor
Status: | RESOLVED FIXED
Severity: | major
Priority: | high
Version: | git
Hardware: | x86-64 (AMD64)
OS: | Linux (All)
Reporter: | Alexander Tsoy <alexander>
Assignee: | hejunyan <junyan.he>
CC: | eseifert, garrett.mitchener, hans, jbonor, michel, travneff

Junyan, Could you try to reproduce this on Intel platform?

Hi, I have the same crash on fedora 19, radeon 7850, kwin. (glamor from git, xserver stock fedora 1.14.2) When the setting "Outline active window title" is enabled for Oxygen style, the server crashes as soon as a window is opened. I tracked the problem back to _glamor_trapezoids_with_shader:871. Whenever traps_count is smaller than mclip_rect when entering the loop traps_count will overflow, causing miTrapezoidBounds to point into void (ptrap), which leads to the crash. As I still lack the understanding of what this function actually does, I cannot tell for sure whether it just gets invalid input or whether the inner loop variable (traps_count) needs to be properly reset to the initial value.

p.s. my gap-stopper at the moment is to replace while(var--) { to while (var) {var--; for both loops....(there are still visible artefacts in the window title)

Just a "me too". I've had twice the same crash on my kde desktop, I think it was while "playing" with the icedove windows. RADEON HD 5450, xf86-video-radeon from git source. glamor from git source. xorg 1.14.2 from git source. mesa from git source. Best regards.

(In reply to comment #2)
> As I still lack the understanding of what this function actually does, I
> cannot tell for sure whether it just gets invalid input or whether the inner
> loop variable (traps_count) needs to be properly reset to the initial value.

I suspect the latter, but I'm not sure either. Junyan?

Looks like I might be included in the same problem here. Using Fedora 19, and KDE. Using the nVidia driver. All updates done. In fact this only appeared after the most recent update. I don't think I've been in that Control Panel since before using FedUp to upgrade from F18.

When I click on the KDE menu, go to Settings, and then to System Settings, and then open the Display and Monitor settings. On this screen, every time! I click on Screen Locker, it bumps me back to the KDE login screen.
I get this in my Xorg.log.old file every time.

[ 1193.866] (EE) Backtrace:
[ 1193.866] (EE) 0: /usr/bin/X (OsLookupColor+0x129) [0x46ee59]
[ 1193.866] (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x3fac80ef9f]
[ 1193.867] (EE) 2: ? (?+0x0) [0x0]
[ 1193.867] (EE)
[ 1193.867] (EE) Segmentation fault at address 0x0
[ 1193.867] (EE)
Fatal server error:
[ 1193.867] (EE) Caught signal 11 (Segmentation fault). Server aborting
[ 1193.867] (EE)
[ 1193.867] (EE)
Please consult the Fedora Project support
at http://wiki.x.org

(In reply to comment #5)
> Looks like I might be included in the same problem here.
>
> Using Fedora 19, and KDE. Using the nVidia driver. All updates done. In fact
> this only appeared after the most recent update. I don't think I've been in
> that Control Panel since before using FedUp to upgrade from F18.
>
>
> When I click on the KDE menu, go to Settings, and then to System Settings,
> and then open the Display and Monitor settings. On this screen, every time!
> I click on Screen Locker, it bumps me back to the KDE login screen.
>
> I get this in my Xorg.log.old file every time.
>
> [ 1193.866] (EE) Backtrace:
> [ 1193.866] (EE) 0: /usr/bin/X (OsLookupColor+0x129) [0x46ee59]
> [ 1193.866] (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x3fac80ef9f]
> [ 1193.867] (EE) 2: ? (?+0x0) [0x0]
> [ 1193.867] (EE)
> [ 1193.867] (EE) Segmentation fault at address 0x0
> [ 1193.867] (EE)
> Fatal server error:
> [ 1193.867] (EE) Caught signal 11 (Segmentation fault). Server aborting
> [ 1193.867] (EE)
> [ 1193.867] (EE)
> Please consult the Fedora Project support
> at http://wiki.x.org

I may have fixed this for me, might offer a clue for others.

I used Yum Extender to remove the nvidia drivers I had installed from the rpmfusion repository. Of course when rebooting X server didn't start, and I had to log in as root on another tty, I guess they call it (ctrl+alt+F2, or F1). Re-installed the akmod-nvidia drivers, and reboot again.
I can not access the Screen Locker settings, and VirtualBox loads (it was noticed that I couldn't run that either after that last update) I looked up mesa in yum extender, and I see that 9.2-1.20130902.fc19 is still installed. This happened to me - *only* when typing a message in Thunderbird (Icedove.) I'm running radeonsi with glamor-egl from debian-x. So I put a band aid on it: diff --git a/src/glamor_trapezoid.c b/src/glamor_trapezoid.c index 57a178c..523ce91 100644 --- a/src/glamor_trapezoid.c +++ b/src/glamor_trapezoid.c 
@@ -878,6 +878,11 @@ NTRAPS_LOOP_AGAIN: "clip_processed = %d, traps_count = %d, traps_not_completed = %d\n", nclip_rect, mclip_rect, clip_processed, traps_count, traps_not_completed); + if (ptrap<traps || ptrap>=traps+ntrap) { + ErrorF("ptrap out of bounds: ptrap=%p, traps=%p, delta=%ld. traps_count=%d, mclip_rect=%d\n", + ptrap, traps, ptrap-traps, traps_count, mclip_rect); + break; + } if (_glamor_clip_trapezoid_vertex(ptrap, pbox, clipped_vtx, &vtx_num)) { for (i = 0; i < vtx_num - 2; i++) { int clipped_vtx_tmp[3*2]; and it triggered today - no ill effects observed: [ 1295.656] ptrap out of bounds: ptrap=0x7effe5a56a30, traps=0x7effe5a56800, delta=14. traps_count=-2, mclip_rect=0 [ 1295.804] ptrap out of bounds: ptrap=0x7effe5a56a30, traps=0x7effe5a56800, delta=14. traps_count=-2, mclip_rect=0 [ 1295.941] ptrap out of bounds: ptrap=0x7effe5a56af8, traps=0x7effe5a56800, delta=19. traps_count=-2, mclip_rect=0 [ 1297.482] ptrap out of bounds: ptrap=0x7effe5a56af8, traps=0x7effe5a56800, delta=19. traps_count=-2, mclip_rect=0 [ 1297.626] ptrap out of bounds: ptrap=0x7effe5a56a30, traps=0x7effe5a56800, delta=14. traps_count=-2, mclip_rect=0 [ 1297.911] ptrap out of bounds: ptrap=0x7effe5a56b70, traps=0x7effe5a56800, delta=22. traps_count=-2, mclip_rect=0 [ 1298.059] ptrap out of bounds: ptrap=0x7effe5a56c3c, traps=0x7effe5a56804, delta=27. traps_count=-2, mclip_rect=0 [ 1298.227] ptrap out of bounds: ptrap=0x7effe5a56afc, traps=0x7effe5a56804, delta=19. traps_count=-2, mclip_rect=0 [ 1298.389] ptrap out of bounds: ptrap=0x7effe5a56b74, traps=0x7effe5a56804, delta=22. traps_count=-2, mclip_rect=0 Created attachment 85317 [details] [review] Take cliprects into account for traps_not_completed (In reply to comment #7) > This happened to me - *only* when typing a message in Thunderbird (Icedove.) Unfortunately, I haven't been able to reproduce the problem with icedove either. Does it happen when you do anything in particular when typing a message? 
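
Review bot: The range check on ptrap placed before _glamor_clip_trapezoid_vertex() catches the stale pointer but leaves its cause in place: the log lines posted with the patch show traps_count already at -2 when the guard fires, so the counter and ptrap were never restored before the loop was entered again. Rather than leaving the enclosing loop with "break", reset traps_count and ptrap at the point where the loop restarts, and keep this check only as a debugging aid. Two smaller points on the ErrorF() call: "ptrap-traps" is a pointer difference, so "%td" (or an explicit cast to long) is the matching conversion instead of "%ld", and because the message is emitted on every hit it will fill Xorg.0.log quickly, so it should be printed once or rate-limited.
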
Anyway, I noticed something, does this patch happen to help?

(In reply to comment #8)

Personally I can't test this patch because I'm unable to reproduce this problem anymore (it was 100% reproducible in the past). It is gone probably after some software updates.

I'm experiencing the same problems in Thunderbird on two of my Gentoo machines. Writing a message isn't a problem, but X is crashing immediately I use any of the cursor keys. I have no problems in other applications.

Here's the backtrace from Xorg.0.log.old from one of the machines:

[351212.486] (EE) 0: /usr/bin/X (xorg_backtrace+0x34) [0x592c34]
[351212.486] (EE) 1: /usr/bin/X (0x400000+0x196a29) [0x596a29]
[351212.486] (EE) 2: /lib64/libpthread.so.0 (0x328c800000+0x11070) [0x328c811070]
[351212.486] (EE) 3: /usr/bin/X (miTrapezoidBounds+0x6d) [0x50afed]
[351212.486] (EE) 4: /usr/lib64/libglamor.so (0x7fad812a8000+0x18cb5) [0x7fad812c0cb5]
[351212.486] (EE) 5: /usr/lib64/libglamor.so (0x7fad812a8000+0x1b440) [0x7fad812c3440]
[351212.486] (EE) 6: /usr/bin/X (0x400000+0x1133c9) [0x5133c9]
[351212.486] (EE) 7: /usr/bin/X (0x400000+0x3ab8e) [0x43ab8e]
[351212.487] (EE) 8: /usr/bin/X (0x400000+0x29a56) [0x429a56]
[351212.487] (EE) 9: /lib64/libc.so.6 (__libc_start_main+0xed) [0x328bc2464d]
[351212.487] (EE) 10: /usr/bin/X (0x400000+0x29dd9) [0x429dd9]
[351212.487] (EE)
[351212.487] (EE) Segmentation fault at address 0x43c000c
[351212.487] (EE) Fatal server error:
[351212.487] (EE) Caught signal 11 (Segmentation fault). Server aborting

Hardware (both machines):
- Advanced Micro Devices [AMD] nee ATI Cape Verde XT [Radeon HD 7770 GHz Edition]

Software configuration (machine 1):
- kernel 3.10.9
- xorg-server-1.14.2.902
- xf86-video-ati-7.2.0
- mesa-9.2.0
- llvm-3.3
- libdrm-2.4.46
- glamor-0.5
- KDE SC 4.11.1

(In reply to comment #8)
> Anyway, I noticed something, does this patch happen to help?

I've been running this patch for about a week now without any issues and the error message I added didn't show. Nice!

(In reply to comment #8)
> Unfortunately, I haven't been able to reproduce the problem with icedove
> either. Does it happen when you do anything in particular when typing a
> message?

It is also possible to reproduce it with Iceweasel (Firefox): type something in textarea then press key «arrow left» several times.

> Anyway, I noticed something, does this patch happen to help?

It doesn't help me.

my software: linux 3.11, mesa 9.2, glamor 0.5.1, xorg-server 1.12.4, radeon 7.2.0, libdrm 2.4.46
my hardware: radeon 7750

I tried the patch as well but it didn't help me either.

Erich and Hleb, does Ralf-Peter's patch from comment 7 work around the problem for you and/or show similar messages as for him?

I updated to glamor 0.5.1 and applied the patch from comment 7. This fixed the problems with Thunderbird for me.

I tried to make X crash by pressing "left arrow" key in Thunderbird several times. Here's the output from Xorg.0.log:

[985856.578] ptrap out of bounds: ptrap=0x284c2e0, traps=0x284bf70, delta=22. traps_count=-2, mclip_rect=0
[985856.734] ptrap out of bounds: ptrap=0x284c3a8, traps=0x284bf70, delta=27. traps_count=-2, mclip_rect=0
[985856.893] ptrap out of bounds: ptrap=0x284c128, traps=0x284bf70, delta=11. traps_count=-2, mclip_rect=0
[985857.111] ptrap out of bounds: ptrap=0x284c128, traps=0x284bf70, delta=11. traps_count=-2, mclip_rect=0
[985857.280] ptrap out of bounds: ptrap=0x284c3a8, traps=0x284bf70, delta=27. traps_count=-2, mclip_rect=0
[985930.727] ptrap out of bounds: ptrap=0x28d42e4, traps=0x28d3e34, delta=30. traps_count=-2, mclip_rect=0
[985930.883] ptrap out of bounds: ptrap=0x28d426c, traps=0x28d3e34, delta=27. traps_count=-2, mclip_rect=0
[985931.055] ptrap out of bounds: ptrap=0x28d426c, traps=0x28d3e34, delta=27. traps_count=-2, mclip_rect=0
[985931.184] ptrap out of bounds: ptrap=0x28d426c, traps=0x28d3e34, delta=27. traps_count=-2, mclip_rect=0
[985931.511] ptrap out of bounds: ptrap=0x28d42e4, traps=0x28d3e34, delta=30. traps_count=-2, mclip_rect=0
[985931.816] ptrap out of bounds: ptrap=0x28d42e4, traps=0x28d3e34, delta=30. traps_count=-2, mclip_rect=0
[985931.943] ptrap out of bounds: ptrap=0x28d42e4, traps=0x28d3e34, delta=30. traps_count=-2, mclip_rect=0
[985932.007] ptrap out of bounds: ptrap=0x28d426c, traps=0x28d3e34, delta=27. traps_count=-2, mclip_rect=0
[985932.191] ptrap out of bounds: ptrap=0x28d426c, traps=0x28d3e34, delta=27. traps_count=-2, mclip_rect=0
[985932.311] ptrap out of bounds: ptrap=0x28d42e4, traps=0x28d3e34, delta=30. traps_count=-2, mclip_rect=0
[985932.450] ptrap out of bounds: ptrap=0x28d42e4, traps=0x28d3e34, delta=30. traps_count=-2, mclip_rect=0
[985932.840] ptrap out of bounds: ptrap=0x28d42e4, traps=0x28d3e34, delta=30. traps_count=-2, mclip_rect=0
[985934.272] ptrap out of bounds: ptrap=0x28d42dc, traps=0x28d3e2c, delta=30. traps_count=-2, mclip_rect=0
[985934.360] ptrap out of bounds: ptrap=0x28d4478, traps=0x28d3fc8, delta=30. traps_count=-2, mclip_rect=0
[985934.435] ptrap out of bounds: ptrap=0x28d42dc, traps=0x28d3e2c, delta=30. traps_count=-2, mclip_rect=0
[985934.593] ptrap out of bounds: ptrap=0x28d42d8, traps=0x28d3e28, delta=30. traps_count=-2, mclip_rect=0
[985934.664] ptrap out of bounds: ptrap=0x28d42d8, traps=0x28d3e28, delta=30. traps_count=-2, mclip_rect=0
[985935.207] ptrap out of bounds: ptrap=0x28d441c, traps=0x28d3e2c, delta=38. traps_count=-2, mclip_rect=0
[985935.296] ptrap out of bounds: ptrap=0x28d4434, traps=0x28d3e44, delta=38. traps_count=-2, mclip_rect=0

(In reply to comment #15)
> I updated to glamor 0.5.1 and applied the patch from comment 7. This fixed
> the problems with Thunderbird for me.

Can you apply my patch on top of that and provide the output from running with both patches?

I applied both patches and created a new message in Thunderbird to cause the issue again. Here's my Xorg.0.log output:

[1045978.288] ptrap out of bounds: ptrap=0x1ef335c, traps=0x1ef2eac, delta=30. traps_count=-2, mclip_rect=0
[1045978.424] ptrap out of bounds: ptrap=0x1ef32ec, traps=0x1ef2eb4, delta=27. traps_count=-2, mclip_rect=0
[1046012.615] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046012.773] ptrap out of bounds: ptrap=0x1fa89dc, traps=0x1fa8824, delta=11. traps_count=-2, mclip_rect=0
[1046013.999] ptrap out of bounds: ptrap=0x1fa89dc, traps=0x1fa8824, delta=11. traps_count=-2, mclip_rect=0
[1046014.176] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046019.031] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046019.479] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046020.751] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046021.127] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046022.663] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046023.463] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046025.032] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046025.664] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046026.743] ptrap out of bounds: ptrap=0x1fa8e0c, traps=0x1fa881c, delta=38. traps_count=-2, mclip_rect=0
[1046027.141] ptrap out of bounds: ptrap=0x1fa89dc, traps=0x1fa8824, delta=11. traps_count=-2, mclip_rect=0
[1046030.327] ptrap out of bounds: ptrap=0x1fa8cc0, traps=0x1fa8810, delta=30. traps_count=-2, mclip_rect=0
[1046030.735] ptrap out of bounds: ptrap=0x1fa8cc0, traps=0x1fa8810, delta=30. traps_count=-2, mclip_rect=0
[1046031.351] ptrap out of bounds: ptrap=0x1fa8cc0, traps=0x1fa8810, delta=30. traps_count=-2, mclip_rect=0

While typing I was watching the output. It seemed to me that errors were more likely to occur when I moved the cursor to the beginning of a line.

Created attachment 86074
Always reset traps_count for outer loop

Does this patch on top of the previous ones fix the error messages?

Unfortunately, applying all three patches doesn't mute the error messages. Here's my Xorg.0.log again:

[1062987.062] ptrap out of bounds: ptrap=0x2405a54, traps=0x240561c, delta=27. traps_count=26, mclip_rect=0
[1062987.198] ptrap out of bounds: ptrap=0x2405a54, traps=0x240561c, delta=27. traps_count=26, mclip_rect=0
[1062987.334] ptrap out of bounds: ptrap=0x2405ac4, traps=0x2405614, delta=30. traps_count=29, mclip_rect=0
[1062987.894] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062988.038] ptrap out of bounds: ptrap=0x2405b9c, traps=0x2405624, delta=35. traps_count=34, mclip_rect=0
[1062988.174] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062988.331] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062988.446] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062990.774] ptrap out of bounds: ptrap=0x2405a5c, traps=0x2405624, delta=27. traps_count=26, mclip_rect=0
[1062990.909] ptrap out of bounds: ptrap=0x2405a5c, traps=0x2405624, delta=27. traps_count=26, mclip_rect=0
[1062991.045] ptrap out of bounds: ptrap=0x2405acc, traps=0x240561c, delta=30. traps_count=29, mclip_rect=0
[1062991.478] ptrap out of bounds: ptrap=0x2405b9c, traps=0x2405624, delta=35. traps_count=34, mclip_rect=0
[1062992.045] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062992.181] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062992.338] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062992.485] ptrap out of bounds: ptrap=0x2405ad4, traps=0x2405624, delta=30. traps_count=29, mclip_rect=0
[1062992.957] ptrap out of bounds: ptrap=0x2406614, traps=0x2405624, delta=102. traps_count=101, mclip_rect=0
[1062994.645] ptrap out of bounds: ptrap=0x2405ad0, traps=0x2405620, delta=30. traps_count=29, mclip_rect=0
[1062994.845] ptrap out of bounds: ptrap=0x2405ad0, traps=0x2405620, delta=30. traps_count=29, mclip_rect=0
[1062995.021] ptrap out of bounds: ptrap=0x2405ad0, traps=0x2405620, delta=30. traps_count=29, mclip_rect=0
[1062995.157] ptrap out of bounds: ptrap=0x2405ad0, traps=0x2405620, delta=30. traps_count=29, mclip_rect=0
[1062997.662] ptrap out of bounds: ptrap=0x2405ad0, traps=0x2405620, delta=30. traps_count=29, mclip_rect=0
[1062998.494] ptrap out of bounds: ptrap=0x2405ad0, traps=0x2405620, delta=30. traps_count=29, mclip_rect=0
[1062998.651] ptrap out of bounds: ptrap=0x2405ad0, traps=0x2405620, delta=30. traps_count=29, mclip_rect=0
[1062998.782] ptrap out of bounds: ptrap=0x2405a58, traps=0x2405620, delta=27. traps_count=26, mclip_rect=0
[1062998.926] ptrap out of bounds: ptrap=0x2405a58, traps=0x2405620, delta=27. traps_count=26, mclip_rect=0

Created attachment 86075
Reset traps_count and ptrap for outer loop when necessary

Looks like we're getting closer at least... Please try this patch instead of the previous last one.

The new patch seems to fix the issue.

I tried the new patch instead of the last one and Xorg.0.log shows no error messages so far. Thanks Michel!

Comment on attachment 85317
Take cliprects into account for traps_not_completed

Looking at this patch again, I think it doesn't make sense anymore. Can you confirm that the problem is fixed without this patch?

Yes, it's fixed for me without the patch as well.

I applied the patches from comment 7 and from attachment 86075 and I couldn't trigger any error messages.

Thanks for testing my patches! Fixed in Git:

commit 83f87f3bb8a0c18c3218695b1eb14065a82e8819
Author: Michel Dänzer <michel.daenzer@amd.com>
Date: Fri Sep 20 10:41:10 2013 +0200

    Reset traps_count and ptrap when necessary for the next trapezoid cliprect

    I
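
The failure discussed in this thread (an inner `while (traps_count--)` loop entered again for the next cliprect without `traps_count` and `ptrap` being restored) and the reset that the final commit describes, as an added example that is not glamor's code. It is a simplified model: `walk`, `walk_result`, `trap_t` and the three modes are hypothetical names, the input is constructed, and the stopgap mode mirrors the `while (var) { var--;` workaround mentioned earlier in the thread.

```c
#include <stdio.h>

typedef struct { int top, bottom; } trap_t;   /* stand-in; only addresses matter */
enum mode { BUGGY, STOPGAP, RESET };

typedef struct {
    int  processed;        /* in-bounds (trapezoid, cliprect) pairs handled */
    int  oob_hits;         /* times ptrap was outside [traps, traps + ntrap) */
    int  first_oob_count;  /* traps_count at the first out-of-bounds hit */
    long first_oob_delta;  /* ptrap - traps at the first out-of-bounds hit */
} walk_result;

/* Simplified model of the nested cliprect/trapezoid loops (hypothetical). */
walk_result walk(const trap_t *traps, int ntrap, int nclip, enum mode m)
{
    walk_result r = {0, 0, 0, 0};
    const trap_t *ptrap = traps;
    int traps_count = ntrap;
    int mclip_rect = nclip;

    while (mclip_rect--) {
        if (m == RESET) {               /* fix: start over for each cliprect */
            traps_count = ntrap;
            ptrap = traps;
        }
        for (;;) {
            if (m == STOPGAP) {         /* while (var) { var--; ... } */
                if (!traps_count)
                    break;
                traps_count--;
            } else if (!traps_count--) { /* while (var--): leaves -1 behind */
                break;
            }
            /* Range check as in the band-aid patch; nothing is dereferenced. */
            if (ptrap < traps || ptrap >= traps + ntrap) {
                if (r.oob_hits++ == 0) {
                    r.first_oob_count = traps_count;
                    r.first_oob_delta = (long)(ptrap - traps);
                }
                break;
            }
            r.processed++;
            ptrap++;
        }
    }
    return r;
}

int main(void)
{
    static const char *name[] = {"buggy", "stopgap", "reset"};
    trap_t traps[14] = {{0, 0}};        /* constructed input: 14 trapezoids */
    for (int m = BUGGY; m <= RESET; m++) {
        walk_result r = walk(traps, 14, 2, (enum mode)m);
        printf("%-8s processed=%d oob=%d traps_count=%d delta=%ld\n", name[m],
               r.processed, r.oob_hits, r.first_oob_count, r.first_oob_delta);
    }
    return 0;
}
```

In this model the buggy mode reaches the guard with `traps_count` at -2 and a delta equal to the trapezoid count, the same shape as the logged messages, while the stopgap mode stays in bounds but never visits the trapezoids for the second cliprect.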
Created attachment 79701
Xorg backtrace

With glamor acceleration enabled, X server segfaults when I'm trying to open context menu of any message in message list in Claws Mail. No problems with EXA.

Hardware:
- HD 7750 (VERDE)
- HD 6450 (CAICOS)

Software:
- mesa-9.2 Git
- llvm-3.4 Git
- xorg-server-1.13.4
- xf86-video-ati-7.1.0
- glamor Git
- libdrm-2.4.45
- linux-3.8.12