Bug 77107

Summary: Xorg freeze/crash when firefox opens a large image
Product: xorg Reporter: Trek <trek00>
Component: Driver/RadeonAssignee: xf86-video-ati maintainers <xorg-driver-ati>
Status: RESOLVED MOVED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium    
Version: 7.5 (2009.10)   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Trek 2014-04-06 15:29:36 UTC 
Xorg freezes (or crashes) when firefox opens a large image and the mouse is moving. The screen goes black and the only method to regain the control of the system is using the magic ctrl+alt+SysRq+k, that kills the running process.

The system specs are:
- X.Org X Server version 1.12.4 (1.12.4-6+deb7u2)
- Debian version 7.4 (wheezy) i386
- CPU AMD Athlon XP 2000+
- graphic card ATI Radeon VE/7000 QY (AGP) (ChipID = 0x5159)


The exact sequence to reproduce this bug is:
- open firefox and load a large image (http://geography.oii.ox.ac.uk/wp-content/uploads/2014/04/InternetTube_v2-01.png that is 3508x2303 pixels)
- when loading the image, continuously move the mouse pointer until the screen goes black (without this step all runs fine)


Normally no backtrace is found in the log file:
[ 10381.013] [mi] EQ overflowing.  Additional events will be discarded until existing events are processed.
[ 10381.013] 
[ 10381.013] Backtrace:
[ 10381.263] 
[ 10381.263] Backtrace:


But luckily I got this log file (only once):
[  9315.836] [mi] EQ overflowing.  Additional events will be discarded until existing events are processed.
[  9315.836] 
[  9315.836] Backtrace:
[  9315.837] 0: /usr/bin/X (xorg_backtrace+0x49) [0xb77257b9]
[  9315.837] 1: /usr/bin/X (mieqEnqueue+0x22b) [0xb77040ab]
[  9315.837] 2: /usr/bin/X (0xb75a8000+0x51405) [0xb75f9405]
[  9315.837] 3: /usr/bin/X (xf86PostMotionEventM+0x24b) [0xb763356b]
[  9315.837] 4: /usr/lib/xorg/modules/input/evdev_drv.so (0xb69af000+0x35ad) [0xb69b25ad]
[  9315.837] 5: /usr/lib/xorg/modules/input/evdev_drv.so (0xb69af000+0x4a2c) [0xb69b3a2c]
[  9315.837] 6: /usr/bin/X (0xb75a8000+0x7ac01) [0xb7622c01]
[  9315.837] 7: /usr/bin/X (0xb75a8000+0xa094a) [0xb764894a]
[  9315.837] 8: (vdso) (__kernel_sigreturn+0x0) [0xb7589400]
[  9315.837] 9: (vdso) (__kernel_vsyscall+0x10) [0xb7589424]
[  9315.837] 10: /lib/i386-linux-gnu/i686/cmov/libc.so.6 (munmap+0x16) [0xb7307396]
[  9315.837] 11: /usr/lib/i386-linux-gnu/libdrm_radeon.so.1 (0xb6f09000+0x1fce) [0xb6f0afce]
[  9315.837] 12: /usr/lib/i386-linux-gnu/libdrm_radeon.so.1 (radeon_bo_unref+0x1a) [0xb6f0c50a]
[  9315.838] 13: /usr/lib/i386-linux-gnu/libdrm_radeon.so.1 (radeon_cs_space_reset_bos+0x35) [0xb6f0c3f5]
[  9315.838] 14: /usr/lib/xorg/modules/drivers/radeon_drv.so (0xb6f20000+0x9c98d) [0xb6fbc98d]
[  9315.838] 15: /usr/lib/xorg/modules/libexa.so (0xb6ef1000+0xab13) [0xb6efbb13]
[  9315.838] 16: /usr/bin/X (0xb75a8000+0x16c69f) [0xb771469f]
[  9315.838] 17: /usr/bin/X (0xb75a8000+0xc8d26) [0xb7670d26]
[  9315.838] 18: /usr/bin/X (0xb75a8000+0x39123) [0xb75e1123]
[  9315.838] 19: /usr/bin/X (0xb75a8000+0x3c375) [0xb75e4375]
[  9315.838] 20: /usr/bin/X (0xb75a8000+0x29e95) [0xb75d1e95]
[  9315.838] 21: /lib/i386-linux-gnu/i686/cmov/libc.so.6 (__libc_start_main+0xe6) [0xb724ae46]
[  9315.838] 22: /usr/bin/X (0xb75a8000+0x2a1e9) [0xb75d21e9]
[  9315.838] 
[  9315.838] [mi] These backtraces from mieqEnqueue may point to a culprit higher up the stack.
[  9315.838] [mi] mieq is *NOT* the cause.  It is a victim.
[  9316.240] [mi] EQ overflow continuing.  100 events have been dropped.
[  9316.240] 
[  9316.240] Backtrace:
[  9316.240] 0: /usr/bin/X (xorg_backtrace+0x49) [0xb77257b9]
[  9316.240] 1: /usr/bin/X (mieqEnqueue+0xfb) [0xb7703f7b]
[  9316.240] 2: /usr/bin/X (0xb75a8000+0x51405) [0xb75f9405]
[  9316.241] 3: /usr/bin/X (xf86PostMotionEventM+0x24b) [0xb763356b]
[  9316.241] 4: /usr/lib/xorg/modules/input/evdev_drv.so (0xb69af000+0x35ad) [0xb69b25ad]
[  9316.241] 5: /usr/lib/xorg/modules/input/evdev_drv.so (0xb69af000+0x4a2c) [0xb69b3a2c]
[  9316.241] 6: /usr/bin/X (0xb75a8000+0x7ac01) [0xb7622c01]
[  9316.241] 7: /usr/bin/X (0xb75a8000+0xa094a) [0xb764894a]
[  9316.241] 8: (vdso) (__kernel_sigreturn+0x0) [0xb7589400]
[  9316.241] 9: /usr/bin/X (0xb75a8000+0x1816a0) [0xb77296a0]
[  9316.241] 10: (vdso) (__kernel_sigreturn+0x0) [0xb7589400]
[  9316.241] 11: /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb7234000+0x7a9b6) [0xb72ae9b6]
[  9316.241] 
[  9316.636] [mi] EQ overflow continuing.  200 events have been dropped.
[  9316.636] 
[  9316.636] Backtrace:
[  9316.890] 
[  9316.890] Backtrace:


Here the backtrace with gdb attached to the X process:
Program received signal SIGSEGV, Segmentation fault.
uw_frame_state_for (context=context@entry=0xbff7285c, fs=fs@entry=0xbff728dc) at ../../../src/libgcc/unwind-dw2.c:1187
1187    ../../../src/libgcc/unwind-dw2.c: No such file or directory.
#0  uw_frame_state_for (context=context@entry=0xbff7285c, fs=fs@entry=0xbff728dc) at ../../../src/libgcc/unwind-dw2.c:1187
        fde = 0x0
        cie = <optimized out>
        aug = <optimized out>
        insn = <optimized out>
        end = <optimized out>
#1  0xb715a9da in _Unwind_Backtrace (trace=0xb731f9b0 <backtrace_helper>, trace_argument=0xbff729b8) at ../../../src/libgcc/unwind.inc:290
        fs = {regs = {reg = {{loc = {reg = 0, offset = 0, exp = 0x0}, how = REG_UNSAVED} <repeats 18 times>}, prev = 0x0, cfa_offset = 0, cfa_reg = 0, cfa_exp = 0x0, cfa_how = CFA_UNSET}, pc = 0x0, personality = 0, data_align = 0, code_align = 0, retaddr_column = 0, fde_encoding = 0 '\000', lsda_encoding = 0 '\000', saw_z = 0 '\000', signal_frame = 0 '\000', eh_ptr = 0x0}
        context = {reg = {0xbff72f80, 0xbff72f7c, 0xbff72f78, 0xbff72f74, 0x0, 0xbff72f6c, 0xbff72f68, 0xbff72f64, 0xbff73498, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, cfa = 0xbff7349c, ra = 0x6e00, lsda = 0x0, bases = {tbase = 0x0, dbase = 0xb7393ff4, func = 0xb72ae970}, flags = 1073741824, version = 0, args_size = 0, by_value = '\000' <repeats 17 times>}
        code = <optimized out>
#2  0xb731fba5 in *__GI___backtrace (array=array@entry=0xbff72a20, size=size@entry=64) at ../sysdeps/i386/backtrace.c:127
        arg = {array = 0xbff72a20, cnt = 10, size = 64, lastebp = 0xb811f800, lastesp = 0xbff73498}
        once = 2
#3  0xb77257b9 in xorg_backtrace () at ../../os/backtrace.c:50
        array = {0xb77257b9, 0xb7703f7b, 0xb75f9405, 0xb763356b, 0xb69b25ad, 0xb69b3a2c, 0xb7622c01, 0xb764894a, 0xb7589400, 0xb72ae9b6, 0x40792d90, 0x0 <repeats 28 times>, 0x1161f000, 0x0, 0x0, 0x0, 0xb7791ff4, 0xb710a008, 0x2e, 0xb7f89fb0, 0xb77314a3, 0x8, 0xffffffff, 0xb7752620, 0xbff72b44, 0x0, 0x0, 0xb7791ff4, 0xb77314db, 0xffffffff, 0xb7752620, 0xbff72b44, 0x0, 0x0, 0x0, 0xb7791ff4, 0xb7730d93}
        mod = <optimized out>
        size = <optimized out>
        i = <optimized out>
        info = {dli_fname = 0x0, dli_fbase = 0x0, dli_sname = 0x0, dli_saddr = 0x0}
#4  0xb7703f7b in mieqEnqueue (pDev=pDev@entry=0xb7f89fb0, e=e@entry=0xb710a008) at ../../mi/mieq.c:297
        oldtail = 46
        evt = <optimized out>
        isMotion = <optimized out>
        evlen = <optimized out>
        time = <optimized out>
#5  0xb75f9405 in queueEventList (device=0xb7f89fb0, device@entry=0x2, events=<optimized out>, nevents=2) at ../../dix/getevents.c:1002
        i = <optimized out>
#6  0xb75fb698 in QueuePointerEvents (device=0x2, device@entry=0xb7f89fb0, type=type@entry=6, buttons=buttons@entry=0, flags=10, mask=mask@entry=0xb7f8ade0) at ../../dix/getevents.c:1262
        nevents = <optimized out>
#7  0xb763356b in xf86PostMotionEventM (mask=0xb7f8ade0, is_absolute=0, device=0xb7f89fb0) at ../../../../hw/xfree86/common/xf86Xinput.c:1161
        flags = <optimized out>
#8  xf86PostMotionEventM (device=0xb7f89fb0, is_absolute=0, mask=0xb7f8ade0) at ../../../../hw/xfree86/common/xf86Xinput.c:1146
No locals.
#9  0xb69b25ad in ?? () from /usr/lib/xorg/modules/input/evdev_drv.so
No symbol table info available.
#10 0xb69b3a2c in ?? () from /usr/lib/xorg/modules/input/evdev_drv.so
No symbol table info available.
#11 0xb7622c01 in xf86SigioReadInput (fd=14, closure=0xb7f80680) at ../../../../hw/xfree86/common/xf86Events.c:298
        errno_save = 0
        pInfo = 0xb7f80680
#12 0xb764894a in xf86SIGIO (sig=29) at ../../../../../hw/xfree86/os-support/linux/../shared/sigio.c:108
        i = <optimized out>
        ready = {fds_bits = {16384, 0 <repeats 31 times>}}
        to = {tv_sec = 0, tv_usec = 0}
        save_errno = 0
        r = <optimized out>
#13 <signal handler called>
No symbol table info available.
#14 __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:75
No locals.
#15 0x00006e00 in ?? ()
No symbol table info available.
#16 0xb6f4a11d in RADEONCopySwap (dst=dst@entry=0xb811f800 "\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377 \037#\377 \037#\377 \037#\377"..., src=0xb652fe00 <Address 0xb652fe00 out of bounds>, size=size@entry=14032, swap=swap@entry=0) at ../../src/radeon_accel.c:993
No locals.
#17 0xb6fbc8d4 in RADEONDownloadFromScreenCS (pSrc=0xb804d7d8, x=0, y=1864, w=14032, h=<optimized out>, dst=0xb811f800 "\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377 \037#\377 \037#\377 \037#\377"..., dst_pitch=14032) at ../../src/radeon_exa_funcs.c:665
        pScrn = 0x36d0
        info = <optimized out>
        driver_priv = 0xb7fd6810
        scratch = 0xb80e2ca0
        copy_src = 0xb80e2ca0
        size = 3088188300
        datatype = <optimized out>
        src_domain = 4
        src_pitch_offset = 922746880
        bpp = 32
        scratch_pitch = 14080
        copy_pitch = <optimized out>
        ret = <optimized out>
        flush = <optimized out>
        r = 1
        __head = <optimized out>
        __expected = <optimized out>
        __count = <optimized out>
        __func__ = "RADEONDownloadFromScreenCS"
#18 0xb6efbb13 in exaGetImage (pDrawable=0xb804d7d8, x=0, y=1864, w=3508, h=4, format=2, planeMask=4294967295, d=0xb8118a60 "\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377 \037#\377 \037#\377 \037#\377"...) at ../../exa/exa_accel.c:1290
        pExaScr = 0x36d0
        pPix = <optimized out>
        xoff = 0
        yoff = 0
        ok = <optimized out>
#19 0xb771469f in miSpriteGetImage (pDrawable=0xb804d7d8, sx=0, sy=1864, w=3508, h=4, format=2, planemask=4294967295, pdstLine=0xb8118a60 "\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377 \037#\377 \037#\377 \037#\377"...) at ../../mi/misprite.c:413
        pScreen = 0xb7df0348
        pDev = <optimized out>
        pCursorInfo = <optimized out>
        pPriv = 0xb7df2bc8
#20 0xb7670d26 in compGetImage (pDrawable=0xb804d7d8, sx=0, sy=1864, w=3508, h=4, format=2, planemask=4294967295, pdstLine=0xb8118a60 "\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377 \037#\377 \037#\377 \037#\377"...) at ../../composite/compinit.c:148
        pScreen = 0xb7df0348
        cs = 0xb7e17828
#21 0xb75e1123 in DoGetImage (planemask=4294967295, height=4, width=14032, y=1864, x=0, drawable=<optimized out>, format=2, client=0xb7ff3778, im_return=<optimized out>) at ../../dix/dispatch.c:2128
        linesPerBuf = 4
        linesDone = 1864
        rely = 14032
        nlines = 4
        rc = 0
        widthBytesLine = 14032
        xgi = {type = 1 '\001', depth = 24 '\030', sequenceNumber = 10335, length = 8078924, visual = 0, pad3 = 0, pad4 = 0, pad5 = 0, pad6 = 0, pad7 = 0}
        length = <optimized out>
        pVisibleRegion = 0x0
        pDraw = 0xb804d7d8
        pBoundingDraw = 0x0
        relx = 4
        plane = 1864
        pBuf = 0xb8118a60 "\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377\363\363\362\377 \037#\377 \037#\377 \037#\377"...
#22 ProcGetImage (client=0xb7ff3778) at ../../dix/dispatch.c:2205
        stuff = <optimized out>
#23 0xb75e4375 in Dispatch () at ../../dix/dispatch.c:428
        clientReady = 0xb7f76208
        result = <optimized out>
        client = 0xb7ff3778
        nready = 0
        icheck = 0xb779e118
        start_tick = 600
#24 0xb75d1e95 in main (argc=5, argv=0xbff73854, envp=0xbff7386c) at ../../dix/main.c:288
        i = <optimized out>
        alwaysCheckForInput = {0, 1}

Program received signal SIGSEGV, Segmentation fault.
uw_frame_state_for (context=context@entry=0xbff7216c, fs=fs@entry=0xbff721ec) at ../../../src/libgcc/unwind-dw2.c:1187
1187    in ../../../src/libgcc/unwind-dw2.c
Comment 1 Trek 2014-04-06 15:42:25 UTC 
The version of the Radeon driver is: 6.14.4 (6.14.4-8)
Comment 2 Alex Deucher 2014-04-07 01:05:49 UTC 
Is this still an issue with xf86-video-ati-7.3.0 or newer?
Comment 3 Ralf-Peter Rohbeck 2014-04-14 07:29:01 UTC 
> Is this still an issue with xf86-video-ati-7.3.0 or newer?
I just displayed http://geography.oii.ox.ac.uk/wp-content/uploads/2014/04/InternetTube_v2-01.png in iceweasel 28.0-1 at full resolution without crash.
Running xserver-xorg-video-ati: 1:7.3.0-1+glamor and libglamor0: 0.6.0-1.
Comment 4 Ian Kelling 2014-06-05 17:13:11 UTC 
for me, this was an issue in debian wheezy xserver-xorg-video-radeon (1:6.14.4-8) 
no longer an issue in ubuntu 14.04 xserver-xorg-video-radeon 1:7.3.0-1ubuntu3.1. I think it's fixed. http://imgur.com/r/HighRes is a decent place to test some images.
Comment 5 Trek 2015-03-07 00:32:16 UTC 
after a week of testing with debian jessie, I can confirm that the bug is present also in the 7.5.0 version of the radeon driver

hardware specs are unchanged

to help figure out where the bug is, I should say that when loading the big image, gkrellm completely freeze for 1-5 seconds and when it restart it don't display the correct graphs, but it condensate all the events in one big event: for example if the system is constantly writing to the disk at a speed of 1MB/s, you will see a big spike of 5MB/s in the graph

this should mean that non only X is frozen, but may be that all the other processes on the system are frozen, as gkrellm don't even collect the events

may be that not only the GPU is slower that the developers ones but also the CPU? And that the upload of the image in the GPU memory takes too much, in CPU cycles terms, locking all the system at kernel space?

after a year of X freezing, when loading a web page I completely stop using the mouse and take my hands out carefully, but luckily, thanks to some change on the firefox side, it appears to happen less frequently; disabling the auto load of images also help, like to switch to the vesa driver, but it sounds me not a really good solution

another thing to note is that programs like geeqie are not affected when loading the same image: different styles of X acceleration used by the two programs when loading an image?
Comment 6 Martin Peres 2019-11-19 07:46:27 UTC 
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-ati/issues/101.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.