Bug 78770

Summary: [SNB bisected]Webglc conformance/textures/texture-size-limit.html fails
Product: Mesa Reporter: lu hua <huax.lu>
Component: Drivers/DRI/i965Assignee: Chad Versace <chadversary>
Status: VERIFIED FIXED QA Contact: Intel 3D Bugs Mailing List <intel-3d-bugs>
Severity: normal    
Priority: high CC: chadversary, kenneth
Version: unspecified   
Hardware: All   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Bug Depends on:    
Bug Blocks: 79039    
Attachments: output
Backtrace of Chrome segfault
work-in-progress fix
Test results after fix
Proposed fix
output
output(64 bit)
output(without patch)

Description lu hua 2014-05-16 05:18:38 UTC
System Environment:
--------------------------
Platform: Sandybridge
Libdrm:		(master)libdrm-2.4.54-8-g305478ce02ebd908a75c9830ecea15f6e2469b42
Mesa:		(master)670418740fc763f0272b799ea999cd3ff69b1218
Xserver:	(master)xorg-server-1.15.99.902-91-g01e18af17f8dc91451fbd0902049045afd1cea7e
Xf86_video_intel:(master)2.99.911-166-g0625185f4772f1c7f8e8d7f265432fd77cdd27fc
Libva:		(staging)968ade9411de9c5ae2eead0a7e8755747a32a3a2
Libva_intel_driver:(staging)1c4d3468229797e787f4b99b0729baf90a115a1d
Kernel:	(drm-intel-nightly) c74cad3c2599b47438b168ca5629fbb00ab63f95

Bug detailed description:
---------------------------
It fails on Sandybridge with Mesa master branch and 10.2 branch,it works well on 10.1 branch.

The latest known good commit: 8c4a9f631d7438aeaf56785401891d0773792123
The latest known bad commit: 670418740fc763f0272b799ea999cd3ff69b1218
I will bisect it later.

Reproduce steps:
----------------------------
1. xinit
2. go to https://www.khronos.org/registry/webgl/conformance-suites/1.0.2/webgl-conformance-tests.html run conformance/textures/texture-size-limit.html
Comment 1 Tapani Pälli 2014-05-16 08:07:42 UTC
failed tests seem to be cubemap tests for UNSIGNED_SHORT_5_6_5 format
Comment 2 Ian Romanick 2014-05-21 17:11:22 UTC
Is that bisect coming?
Comment 3 lu hua 2014-05-22 03:23:29 UTC
Sorry for late.
Bisect shows: 6c044231535b93c5d16404528946cad618d96bd9 is the first bad commit
commit 6c044231535b93c5d16404528946cad618d96bd9
Author: Kenneth Graunke <kenneth@whitecape.org>
Date:   Sun Feb 2 02:58:42 2014 -0800

    i965: Bump GL_MAX_CUBE_MAP_TEXTURE_SIZE to 8192.

    Gen4+ supports 8192x8192 cube maps.  Ivybridge and later can actually
    support 16384, but that would place GL_MAX_CUBE_MAP_TEXTURE_SIZE above
    GL_MAX_TEXTURE_SIZE, which seems like a bad idea.

    (Unfortunately, we can't bump GL_MAX_TEXTURE_SIZE to 16384 without
    causing regressions due to awful W-tiled stencil buffer interactions.)

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=74130
    Signed-off-by: Kenneth Graunke <kenneth@whitecape.org>
    Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
    Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
Comment 4 Ian Romanick 2014-05-28 18:16:20 UTC
I tried this test on current Mesa (approximately 8dc4a98c) on IVB and SNB in Firefox, and this test passed.  Ken says that he's able to get segfaults in this test on various platforms.

Can you attach the output from the test?  Maybe a screenshort or something?

How much memory does your test system have?  It's possible that it fails on your system because it can't allocate the 8Kx8K cubemap texture (with full mipmaps, that's a 3GiB texture).
Comment 5 lu hua 2014-05-29 08:05:05 UTC
Created attachment 100086 [details]
output

Memory 3G
Comment 6 Tapani Pälli 2014-07-17 11:29:26 UTC
(In reply to comment #5)
> Created attachment 100086 [details]
> output
> 
> Memory 3G

I'm not getting OUT_OF_MEMORY. For me many of the 'RGB, UNSIGNED_SHORT_5_6_5' format tests fail with INVALID_VALUE for different mipmap levels. For other formats all the tests are passing. This is on a Sandybridge desktop machine.
Comment 7 Chad Versace 2014-10-24 14:37:57 UTC
On Ivybridge and Mesa master, this test hard hangs my system. I can't even switch to VT2. I ran the test with Chrome 38 and X11/EGL/GLES.

hw: Ivybrridge Mobile GT2 0x0166
mesa: master@14bdcc6
chrome: google-chrome-38.0.2125.104-1.x86_64.fc20
chrome cmdline: google-chrome --use-gl=egl
Comment 8 Chad Versace 2014-10-31 17:38:35 UTC
Created attachment 108737 [details]
Backtrace of Chrome segfault

I confirmed Lu Hua's bisect on Ivybridge.

commit 6c044231535b93c5d16404528946cad618d96bd9
Author: Kenneth Graunke <kenneth@whitecape.org>
Date:   Sun Feb 2 02:58:42 2014 -0800

    i965: Bump GL_MAX_CUBE_MAP_TEXTURE_SIZE to 8192.


For me, Chrome segfaults during glTexImage2D. Attached is a backtrace.
Comment 9 Chad Versace 2014-11-03 21:01:24 UTC
Created attachment 108863 [details] [review]
work-in-progress fix

Attached patch fixes the bug. intel_miptree_map_gtt() is not 64-bit safe.

Before submitting the patch to mesa-dev, I need to do a full regression run on Piglit. Also, I'd like to make a more general fix.
Comment 10 lu hua 2014-11-05 05:24:46 UTC
(In reply to Chad Versace from comment #9)
> Created attachment 108863 [details] [review] [review]
> work-in-progress fix
> 
> Attached patch fixes the bug. intel_miptree_map_gtt() is not 64-bit safe.
> 
> Before submitting the patch to mesa-dev, I need to do a full regression run
> on Piglit. Also, I'd like to make a more general fix.

I test this patch, it still fails.

diff --git a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
index 8fda25d..511d36b 100644
--- a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
+++ b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
@@ -1769,7 +1769,13 @@ intel_miptree_map_gtt(struct brw_context *brw,
       y += image_y;

       map->stride = mt->pitch;
-      map->ptr = base + y * map->stride + x * mt->cpp;
+
+      /* TODO(chadv): Fix this correctly
+       *
+       * Prevent WebGL Conformance test texture-size-limit from segfaulting on Chrome.
+       * See [https://bugs.freedesktop.org/show_bug.cgi?id=78770].
+       */
+      map->ptr = base + (intptr_t) y * (intptr_t) map->stride + (intptr_t) x * (intptr_t) mt->cpp;
    }

    DBG("%s: %d,%d %dx%d from mt %p (%s) %d,%d = %p/%d\n", __FUNCTION__,
Comment 11 Tapani Pälli 2014-11-05 09:33:35 UTC
(In reply to lu hua from comment #10)
> (In reply to Chad Versace from comment #9)
> > Created attachment 108863 [details] [review] [review] [review]
> > work-in-progress fix
> > 
> > Attached patch fixes the bug. intel_miptree_map_gtt() is not 64-bit safe.
> > 
> > Before submitting the patch to mesa-dev, I need to do a full regression run
> > on Piglit. Also, I'd like to make a more general fix.
> 
> I test this patch, it still fails.

does it crash or produced 'failed' results?
Comment 12 Chad Versace 2014-11-05 16:52:19 UTC
My patch should fix the crash. It may not fix the test.

I examined the crash for so long that I forgot this bug report was about fixing the test and about the crash :/ I'll continue searching for a fix for the test.
Comment 13 Chad Versace 2014-11-05 18:25:54 UTC
Created attachment 108978 [details]
Test results after fix

I confirmed that my patch DOES fix the test on Ivybridge. Git and hw info below.
I tested Chrome with and without --use-gl=egl.

I'm using the *master* branch of the WebGL Conformance suite, available at https://github.com/KhronosGroup/WebGL. The test file is listed in the chrome cmdline below.

Lua, please test this fix on SNB and IVB.

hardware: Ivybrridge Mobile GT2 0x0166
os: Fedora 20
webgl-conformance: master@52f0dc2
mesa: master@93a92d2 + my patch

google-chrome: 38.0.2125.104 (Official Build 290379)
google-chrome-cmdline: /opt/google/chrome/chrome --user-data-dir=/tmp/chadv/debug/fdo-78770/xdg_config_home/chrome --disable-gpu-watchdog --use-gl=egl --in-process-gpu --flag-switches-begin --flag-switches-end --disable-gpu-watchdog --use-gl=egl --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,11,13,15 --disable-accelerated-video-decode --gpu-vendor-id=0x8086 --gpu-device-id=0x0166 --gpu-driver-vendor --gpu-driver-version ~/proj/hh/default/src/webgl/sdk/tests/conformance/textures/texture-size-limit.html
Comment 14 Chad Versace 2014-11-05 19:00:49 UTC
Created attachment 108983 [details] [review]
Proposed fix

Attached is proposed fix that I plan to submit to mesa-dev after validation. I've also pushed the fix as a git tag:

    web: https://github.com/chadversary/mesa/tree/bug/fdo-78770/v02
    git: git fetch git://github.com/chadversary/mesa bug/fdo-78770/v02

Michael or Lu Hua, please validate.
Comment 15 lu hua 2014-11-06 07:09:36 UTC
Created attachment 109012 [details]
output

Test with the patch, attach the output.
Comment 16 lu hua 2014-11-06 07:12:20 UTC
Chrome version: 27.0.1453.81
hardware: SNB 23bit
os:Fedora release 20
Comment 17 Chad Versace 2014-11-06 23:22:09 UTC
Lu Hua, from your test output it looks like the context is lost before the conformance suite ever reaches the texture-size-limit test. Though, the I am looking at a screenshot of a webpage, so maybe I'm interpreting it incorrectly.

Also, my patch affects only 64-bit systems. You're running on a 32-bit system.
Comment 18 lu hua 2014-11-07 07:30:50 UTC
Created attachment 109076 [details]
output(64 bit)

It also fails on my 64 bit machine(SNB).
Comment 19 kalyank 2014-11-11 02:30:01 UTC
I think what chad is fixing and this are two different bugs. This bug is about this test failing for some reason on SandyBridge 32 bit machine, while the original intention of Chad fix was to resolve crash on 64 bit machines I atleast tested this patch on my machine (Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz) and the test doesn't crash and passes all the tests. Also, note that I am using Chromium version 40.0

lu hua, can you check the result on your 64 bit sandybridge machine without this fix?
Comment 20 lu hua 2014-11-11 08:22:24 UTC
Created attachment 109262 [details]
output(without patch)

Test on SNB(64 bit) latest mesa master branch, attached the output.
Maybe it has two bad commit?
Comment 21 Tapani Pälli 2014-11-12 08:37:48 UTC
With Chad's patch this test is passing (all of subtests) for me on a 64bit Sandybridge laptop both on Chromium and Firefox.
Comment 22 kalyank 2014-11-14 04:22:41 UTC
lu hua,
Can you try with a later version of chromium on your 64 bit machine and see ?
Comment 23 lu hua 2014-11-14 06:59:03 UTC
(In reply to kalyank from comment #22)
> lu hua,
> Can you try with a later version of chromium on your 64 bit machine and see ?

OK, I will try it.
Comment 24 lu hua 2014-11-17 08:09:29 UTC
I test chrome 33, it still fail.
Installed chrome 38, "[1117/155214:ERROR:nss_util.cc(94)] Failed to create /root/.pki/nssdb directory.", chrome start fail, need more investigation.
Comment 25 Chad Versace 2014-11-17 22:26:56 UTC
(In reply to lu hua from comment #24)
> I test chrome 33, it still fail.
> Installed chrome 38, "[1117/155214:ERROR:nss_util.cc(94)] Failed to create
> /root/.pki/nssdb directory.", chrome start fail, need more investigation.

 Lu, you're running Chrome as root? Don't do that.
Comment 26 Chad Versace 2014-11-19 00:12:27 UTC
Patch submitted to mesa-dev: http://www.mail-archive.com/mesa-dev@lists.freedesktop.org/msg70153.html
Comment 27 Chad Versace 2014-11-19 03:26:52 UTC
Kalyan and Tapani confirmed that my patch fixes the test on 64-bit Sandybridge. I confirmed the fix on 64-bit Ivybridge.

Still waiting for a QA update on 32-bit Sandybridge with a modern Chromium.

Patch is committed to Mesa master as

commit b69c7c5dac4e2615e89cef773173484421830a8f
Author: Chad Versace <chad.versace@linux.intel.com>
Date:   Tue Nov 18 15:41:35 2014 -0800

    i965: Fix segfault in WebGL Conformance on Ivybridge
    
    Fixes regression of WebGL Conformance test texture-size-limit [1] on
    Ivybridge Mobile GT2 0x0166 with Google Chrome R38.
    
    Regression introduced by
    
        commit 6c044231535b93c5d16404528946cad618d96bd9
        Author: Kenneth Graunke <kenneth@whitecape.org>
        Date:   Sun Feb 2 02:58:42 2014 -0800
    
            i965: Bump GL_MAX_CUBE_MAP_TEXTURE_SIZE to 8192.
    
    The test regressed because the pointer offset arithmetic in
    intel_miptree_map_gtt() overflows for large textures. The pointer
    arithmetic is not 64-bit safe.
    
    [1] https://github.com/KhronosGroup/WebGL/blob/52f0dc240f04dce31b1b8e2b8107fe2b8332dc90/sdk/tests/conformance/textures/texture-size-limit.html
    
    Cc: "10.3 10.4" <mesa-stable@lists.freedesktop.org>
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=78770
    Fixes: Intel CHRMOS-1377
    Reported-by: Lu Hua <huax.lu@intel.com>
    Reviewed-by: Ian Romanic <ian.d.romanick@intel.com>
    Signed-off-by: Chad Versace <chad.versace@linux.intel.com>
Comment 28 Chad Versace 2014-11-19 03:31:06 UTC
Lu, please test Sandybridge 32-bit with Chromium 39 or 40. Those are the currently maintained versions for Linux. Any older version is dead.
Comment 29 Chad Versace 2014-11-19 03:58:44 UTC
My patch should fix the bug on Chrome OS, because Chrome OS is 64-bit.

Patch is submitted to Google. See [https://chromium-review.googlesource.com/#/c/230564/].
Comment 30 Chad Versace 2014-11-20 02:47:05 UTC
Summary of discussion:
  - Lu originally filed the bug against Sandybridge without specifying 32-bit or 64-bit.
  - Tapani confirms my patch fixes Sandybridge 64-bit.
  - Kalyan and me confirm that my patch fixes Ivybridge 64-bit.
  - Lu is now trying to confirm the patch on Sandybridge 32-bit with Chrome 27, which is over a year old and unmaintained.

I'm closing this bug based on the above.

Lu, if feel that that the bug is unresolved, then please open a new bug specifically against 32-bit Sandybridge and document the Chrome version. I don't have time to work on 32-bit Sandybridge bugs, though.
Comment 31 lu hua 2014-12-23 07:22:25 UTC
Test on latest mesa master branch and chrome 39. It works well. Sorry for late.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.