Bug 82793

Summary: [ivb] google-chrome crashes in get_stencil_miptree with DRI3
Product: Mesa Reporter: Loïc Yhuel <loic.yhuel>
Component: Drivers/DRI/i965Assignee: Ian Romanick <idr>
Status: RESOLVED DUPLICATE QA Contact: Intel 3D Bugs Mailing List <intel-3d-bugs>
Severity: normal    
Priority: medium    
Version: 10.2   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Loïc Yhuel 2014-08-19 01:28:27 UTC 
It doesn't crash with LIBGL_DRI3_DISABLE=1.

mesa-dri-drivers-10.2.5-1.20140806.fc21.x86_64
xorg-x11-drv-intel-2.99.914-1.fc21.x86_64
libdrm-2.4.56-1.fc21.x86_64
xorg-x11-server-Xorg-1.16.0-1.fc21.x86_64
kernel-3.16.1-300.fc21.x86_64
google-chrome-unstable-38.0.2125.0-1.x86_64

I've tried Mesa master (76f687d5a5be9d3bce8d05bcfef97a3d74ca1f18) and xf86-video-intel master (f5469681b620d9d6ccaf53e92ed31f931cb03b0d), but it's the same.


Core was generated by `/opt/google/chrome-unstable/chrome --type=gpu-process --channel=2180.0.73132887'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  get_stencil_miptree (irb=<optimized out>) at brw_misc_state.c:225
225        if (irb->mt->stencil_mt)
(gdb) bt
#0  0x00007f80fb33a51f in brw_workaround_depthstencil_alignment (irb=<optimized out>) at brw_misc_state.c:225
#1  0x00007f80fb33a51f in brw_workaround_depthstencil_alignment (brw=0x3f6385fa2028, clear_mask=clear_mask@entry=50) at brw_misc_state.c:241
#2  0x00007f80fb2f09d0 in brw_clear (ctx=0x3f6385fa2028, mask=50) at brw_clear.c:235
#3  0x00007f8114982816 in  ()
#4  0x0000000000000000 in  ()
(gdb) up
#1  brw_workaround_depthstencil_alignment (brw=0x1fca0ea81028, clear_mask=clear_mask@entry=50) at brw_misc_state.c:241
241        struct intel_mipmap_tree *stencil_mt = get_stencil_miptree(stencil_irb);
(gdb) p *(struct intel_renderbuffer *)(brw->ctx->DrawBuffer->Attachment[BUFFER_DEPTH].Renderbuffer)
$11 = {Base = {Base = {Mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, 
        __size = '\000' <repeats 39 times>, __align = 0}, ClassID = 305419896, Name = 0, Label = 0x0, RefCount = 1, Width = 0, Height = 0, Depth = 0, Purgeable = 0 '\000', 
      AttachedAnytime = 0 '\000', NeedsFinishRenderTexture = 0 '\000', NumSamples = 0 '\000', InternalFormat = 6402, _BaseFormat = 6402, Format = MESA_FORMAT_Z24_UNORM_X8_UINT, TexImage = 0x0, 
      Delete = 0x7f41ed700240 <intel_delete_renderbuffer>, AllocStorage = 0x7f41ed701480 <intel_alloc_private_renderbuffer_storage>}, Buffer = 0x0, Map = 0x0, RowStride = 0, ColorType = 0}, 
  mt = 0x0, singlesample_mt = 0x0, mt_level = 0, mt_layer = 0, layer_count = 1, draw_x = 0, draw_y = 0, need_downsample = false, need_map_upsample = false, singlesample_mt_is_tmp = false}

The crash happens since mt is 0, but other members looks strange (Width, Height, ...).
Comment 1 Loïc Yhuel 2014-08-19 01:34:10 UTC 
Sorry, I printed the wrong attachment, but it's almost the same :
(gdb) p *(struct intel_renderbuffer *)(brw->ctx->DrawBuffer->Attachment[BUFFER_STENCIL].Renderbuffer)
$1 = {Base = {Base = {Mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, 
        __size = '\000' <repeats 39 times>, __align = 0}, ClassID = 305419896, Name = 0, Label = 0x0, RefCount = 1, Width = 0, Height = 0, Depth = 0, Purgeable = 0 '\000', 
      AttachedAnytime = 0 '\000', NeedsFinishRenderTexture = 0 '\000', NumSamples = 0 '\000', InternalFormat = 6401, _BaseFormat = 6401, Format = MESA_FORMAT_S_UINT8, TexImage = 0x0, Delete = 
    0x7f044aa94240 <intel_delete_renderbuffer>, AllocStorage = 0x7f044aa95480 <intel_alloc_private_renderbuffer_storage>}, Buffer = 0x0, Map = 0x0, RowStride = 0, ColorType = 0}, mt = 0x0, 
  singlesample_mt = 0x0, mt_level = 0, mt_layer = 0, layer_count = 1, draw_x = 0, draw_y = 0, need_downsample = false, need_map_upsample = false, singlesample_mt_is_tmp = false}
Comment 2 Loïc Yhuel 2014-11-19 01:31:07 UTC 
I don't know why, but doesn't crash any more now.
It could be any update to the given packages, so I don't know if the root cause is fixed, or if some change just avoids the problem.
Comment 3 Chris Bainbridge 2014-12-06 15:26:35 UTC 

*** This bug has been marked as a duplicate of bug 77402 ***
Comment 4 Chris Bainbridge 2015-02-03 19:08:33 UTC 
Crash reported over 15k times in the last week on https://errors.ubuntu.com/

Downstream bug: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1378627
Comment 5 Chris Bainbridge 2015-02-05 01:18:38 UTC 

*** This bug has been marked as a duplicate of bug 81706 ***

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.