Bug 70511

Summary: nouveau_bo_name_get segmentation fault while running root tutorials/gl/glbox.C
Product: xorg
Reporter: Vittorio <zeccav>
Component: Driver/nouveau
Assignee: Nouveau Project <nouveau>
Status: NEW
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Vittorio 2013-10-15 21:21:22 UTC
I am not sure this is the right place to submit this bug.
While running root from CERN (root.cern.ch), test case tutorials/gl/glbox.C 
I lose the X screen and must log in again. 
I have Linux Fedora 19 with mate desktop.
/lib64/libdrm_nouveau.so.2 comes from package libdrm-2.4.46-1.fc19.x86_64
Xorg from package xorg-x11-server-Xorg-1.14.3-1.fc19
More info from /var/log follows:

Oct 15 22:38:52 nero19 kernel: [  446.479462] [drm:drm_crtc_helper_set_config] *ERROR* failed to set mode on [CRTC:10]
Oct 15 22:38:52 nero19 kernel: [  446.479466] detected fb_set_par error, error code: -22
Oct 15 22:38:52 nero19 kernel: [  446.479485] [drm:drm_crtc_helper_set_config] *ERROR* failed to set mode on [CRTC:10]
Oct 15 22:38:54 nero19 abrt[1845]: Saved core dump of pid 385 (/usr/bin/Xorg) to /var/tmp/abrt/ccpp-2013-10-15-22:38:52-385 (22847488 bytes)
Oct 15 22:38:54 nero19 abrtd: New client connected
Oct 15 22:38:54 nero19 mate-keyring-daemon[1164]: dbus failure unregistering from session: Connection was disconnected before a reply was received
Oct 15 22:38:55 nero19 abrt-server[1847]: Generating core_backtrace
Oct 15 22:38:55 nero19 abrt-server[1847]: Generating backtrace

(EE)
(EE) Backtrace:
(EE) 0: /usr/bin/X (OsLookupColor+0x129) [0x46ee59]
(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x3614c0ef9f]
(EE) 2: /lib64/libdrm_nouveau.so.2 (nouveau_bo_name_get+0xc) [0x7febab45416c]
(EE) 3: /usr/lib64/xorg/modules/drivers/nouveau_drv.so (_init+0x64ec) [0x7febab66a67c]
(EE) 4: /usr/lib64/xorg/modules/drivers/nouveau_drv.so (_init+0x6a21) [0x7febab66b0a1]
(EE) 5: /usr/bin/X (DRI2SwapBuffers+0x2ab) [0x56805b]
(EE) 6: /usr/bin/X (DRI2GetParam+0xbc3) [0x569ac3]
(EE) 7: /usr/bin/X (SendErrorToClient+0x3f7) [0x436fe7]
(EE) 8: /usr/bin/X (_init+0x3aaa) [0x429b8a]
(EE) 9: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x3614421b75]
(EE) 10: /usr/bin/X (_start+0x29) [0x4267f1]
(EE) 11: ? (?+0x29) [0x29]
(EE)
(EE) Segmentation fault at address 0x8
(EE)
Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE)
(EE)
Please consult the Fedora Project support
         at http://wiki.x.org
 for help.
(EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
(EE)
(II) AIGLX: Suspending AIGLX clients for VT switch
(EE) Server terminated with error (1). Closing log file.
core_backtrace:
{   "signal": 6
,   "executable": "/usr/bin/Xorg"
,   "stacktrace":
      [ {   "crash_thread": true
        ,   "frames":
              [ {   "address": 232268192281
                ,   "build_id": "f47cec2a689de012d8eba76ae17ea0996aea03f2"
                ,   "build_id_offset": 219673
                ,   "function_name": "raise"
                ,   "file_name": "/lib64/libc.so.6"
                ,   "fingerprint": "f33186a4c862fb0751bca60701f553b829210477"
                }
              , {   "address": 232268198184
                ,   "build_id": "f47cec2a689de012d8eba76ae17ea0996aea03f2"
                ,   "build_id_offset": 225576
                ,   "function_name": "abort"
                ,   "file_name": "/lib64/libc.so.6"
                ,   "fingerprint": "352bc5cf09233cea84fd089527a146cfb5b7d8dc"
                }
              , {   "address": 4658126
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 463822
                ,   "file_name": "/usr/bin/Xorg"
                }
              , {   "address": 4753660
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 559356
                ,   "file_name": "/usr/bin/Xorg"
                }
              , {   "address": 4640146
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 445842
                ,   "function_name": "AbortServer"
                ,   "file_name": "/usr/bin/Xorg"
                ,   "fingerprint": "ed602f21513e774d5550b35f06e7101bee4becf5"
                }
              , {   "address": 4643480
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 449176
                ,   "file_name": "/usr/bin/Xorg"
                }
              , {   "address": 4648364
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 454060
                ,   "function_name": "OsSigHandler"
                ,   "file_name": "/usr/bin/Xorg"
                ,   "fingerprint": "ce6f5ffe9d8ce2ce3a7f405312c101550e1eed55"
                }
              , {   "address": 139806401605996
                ,   "build_id": "6a1b2d2d9cd0a0a9d9c164c9a44de70cbd4f1895"
                ,   "build_id_offset": 8556
                ,   "function_name": "nouveau_bo_name_get"
                ,   "file_name": "/lib64/libdrm_nouveau.so.2"
                ,   "fingerprint": "2295a8145fe6ae7844b0c2f509fe9ac98eac4145"
                }
              , {   "address": 139806403769020
                ,   "build_id": "96e2a53ee9fec52e0d49af6a11d13b0ee3525e87"
                ,   "build_id_offset": 45756
                ,   "function_name": "nouveau_dri2_finish_swap"
                ,   "file_name": "/usr/lib64/xorg/modules/drivers/nouveau_drv.so"
                ,   "fingerprint": "263fc53c053772a6dee812f56755e0642002d050"
                }
              , {   "address": 139806403770353
                ,   "build_id": "96e2a53ee9fec52e0d49af6a11d13b0ee3525e87"
                ,   "build_id_offset": 47089
                ,   "function_name": "nouveau_dri2_schedule_swap"
                ,   "file_name": "/usr/lib64/xorg/modules/drivers/nouveau_drv.so"
                ,   "fingerprint": "a0ed662c9b8e351cd943a5c70a54292251f59f73"
                }
              , {   "address": 5668955
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 1474651
                ,   "function_name": "DRI2SwapBuffers"
                ,   "file_name": "/usr/bin/Xorg"
                ,   "fingerprint": "4de0a101be39745cb8087920625086119d8aa291"
                }
              , {   "address": 5674787
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 1480483
                ,   "function_name": "ProcDRI2Dispatch"
                ,   "file_name": "/usr/bin/Xorg"
                ,   "fingerprint": "a5f4aaca7ba7a3d6ad58a3d9146dbd843a3ed421"
                }
              , {   "address": 4419479
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 225175
                ,   "function_name": "Dispatch"
                ,   "file_name": "/usr/bin/Xorg"
                ,   "fingerprint": "f494f094f64d89eb461d49e7b078eb5dd51db66f"
                }
              , {   "address": 4351146
                ,   "build_id": "9d1f87148aa274a76336de4a518898bdd0e3e74c"
                ,   "build_id_offset": 156842
                ,   "function_name": "main"
                ,   "file_name": "/usr/bin/Xorg"
                ,   "fingerprint": "11669d254e6184299c1b3cd5ff9b7497f8a532be"
                } ]
        } ]
}

Comment 1 Vittorio 2014-07-13 16:28:55 UTC
I believe this situation comes from a NULL pointer in nouveau_dri2.c:246
"r = nouveau_bo_name_get(nouveau_pixmap_bo(pixmap), &front->name);"
because nouveau_pixmap_bo returns a NULL pointer and 
nouveau_bo_name_get dereferences it.
Should the caller update_front handle this one, 
or the called nouveau_bo_name_get?
This is from xf86-video-nouveau-1.0.9.
Many codes provoke this bug, as in /usr/lib64/mesa/teapot.
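
The NULL dereference described in Comment 1, as an added example that is not part of the bug report or of the nouveau/libdrm sources: a caller-side guard in the role of update_front, plus a check of which struct field a near-zero fault address such as the reported 0x8 would correspond to. All demo_* names and the struct layout are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in buffer object. The layout is an assumption for this demo (pointer,
 * then a 32-bit handle); it is not copied from the libdrm headers. */
struct demo_bo { void *device; uint32_t handle; uint64_t size; };
struct demo_pixmap { struct demo_bo *bo; };   /* bo may be NULL */
struct demo_front { uint32_t name; };

/* Callee that trusts its argument, like the one in the backtrace. */
static int demo_bo_name_get(struct demo_bo *bo, uint32_t *name)
{
    *name = bo->handle;   /* a NULL bo turns this into a read at offsetof(handle) */
    return 0;
}

/* Caller-side guard: fail the request instead of passing NULL on. */
int demo_update_front(struct demo_pixmap *pixmap, struct demo_front *front)
{
    struct demo_bo *bo = pixmap ? pixmap->bo : NULL;
    if (bo == NULL)
        return -EINVAL;
    return demo_bo_name_get(bo, &front->name);
}

/* Triage: which field does a small fault address hit from a NULL base? */
const char *demo_field_at(uintptr_t fault_addr)
{
    if (fault_addr == offsetof(struct demo_bo, device)) return "device";
    if (fault_addr == offsetof(struct demo_bo, handle)) return "handle";
    if (fault_addr == offsetof(struct demo_bo, size))   return "size";
    return "unknown";
}

int main(void)
{
    struct demo_bo bo = { NULL, 42, 4096 };        /* constructed sample values */
    struct demo_pixmap ok = { &bo }, empty = { NULL };
    struct demo_front front = { 0 };

    int r = demo_update_front(&ok, &front);
    printf("pixmap with bo:    r=%d name=%u\n", r, front.name);
    printf("pixmap without bo: r=%d\n", demo_update_front(&empty, &front));
    printf("fault at 0x8 -> field '%s'\n", demo_field_at(0x8));
    return 0;
}
```

The guard only turns the crash into an error return; why the pixmap has no bo in the first place is a separate question.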
Comment 2 Ilia Mirkin 2014-08-21 21:50:51 UTC
Your analysis is most likely correct. However I don't really see how this can happen... the pixmap should have a bo.

Can you provide some details about your setup (e.g. what graphics card), as well as how one might reproduce? (You mention certain programs, but I have no idea what they are.)
Comment 3 Vittorio 2014-08-22 06:12:56 UTC
I have x86-64, NVIDIA GE6150-LE.
Linux Fedora 20 under mate desktop.
"root" is a big program from CERN; unfortunately, to date I have no
smaller reproducer.
For your information the following is the text of glbox.C (you may
make glbox() into main())

void glbox()
{
// Display a 3D histogram using GL (box option).
//Author: Timur Pocheptsov
   gStyle->SetCanvasPreferGL(kTRUE);
   TCanvas *c        = new TCanvas("glc","TH3 Drawing", 100, 10, 850, 400);
   TPaveLabel *title = new TPaveLabel(0.04, 0.86, 0.96, 0.98,
                           "\"glbox\" and \"glbox1\" options for TH3.");
   title->SetFillColor(32);
   title->Draw();

   TPad *boxPad  = new TPad("box", "box", 0.02, 0.02, 0.48, 0.82);
   TPad *box1Pad = new TPad("box1", "box1", 0.52, 0.02, 0.98, 0.82);
   boxPad->Draw();
   box1Pad->Draw();

   TH3F *h31 = new TH3F("h31", "h31", 10, -1, 1, 10, -1, 1, 10, -1, 1);
   h31->FillRandom("gaus");
   h31->SetFillColor(2);
   boxPad->cd();
   h31->Draw("glbox");

   TH3F *h32 = new TH3F("h32", "h32", 10, -2, 2, 10, -1, 1, 10, -3, 3);
   h32->FillRandom("gaus");
   h32->SetFillColor(4);
   box1Pad->cd();
   h32->Draw("glbox1");
}
