Bug 85267

Summary: vlc crashes with vdpau (Radeon 3850HD) [r600]
Product: Mesa
Reporter: Arthur Marsh <arthur.marsh>
Component: Drivers/Gallium/r600
Assignee: Default DRI bug account <dri-devel>
Status: RESOLVED FIXED
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Attachments: r600g: Drop references to destroyed blend state
log file of running valgrind with default options run against mesa rebuilt with patch

Description Arthur Marsh 2014-10-21 02:53:00 UTC
I'm using version 10.3.1-1 on Debian of most mesa-related packages and Linux kernel 3.18.0-rc1 from Linus' git head.

Replaying a particular DVD in VLC triggers some errors:

(see also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766058 )

VDPAU-related packages are also installed.

When I ran the DVD in VLC under valgrind I encountered:

(comments are from michel@daenzer.net )

> ==13424== Invalid read of size 1
> ==13424==    at 0x1A8789C0: r600_bind_blend_state_internal (in /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_r600.so.1.0.0)
> ==13424==    by 0x1A6723C0: blitter_restore_fragment_states (in /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_r600.so.1.0.0)
> ==13424==    by 0x1A675C47: util_blitter_clear_render_target (in /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_r600.so.1.0.0)
> ==13424==    by 0x1A852985: r600_clear_render_target (in /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_r600.so.1.0.0)
> ==13424==    by 0x1A69D9A9: vl_compositor_render (in /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_r600.so.1.0.0)
> ==13424==    by 0x1A629E96: vlVdpPresentationQueueDisplay (in /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_r600.so.1.0.0)
> ==13424==    by 0x1F2F80A3: Queue (in /usr/lib/vlc/plugins/vdpau/libvdpau_display_plugin.so)
> ==13424==    by 0x30D0E6DB48: ThreadDisplayPicture (in /usr/lib/libvlccore.so.8.0.0)
> ==13424==    by 0x30D0E6DEB2: Thread (in /usr/lib/libvlccore.so.8.0.0)
> ==13424==    by 0x30022080A3: start_thread (pthread_create.c:309)
> ==13424==  Address 0xedfe51d is 61 bytes inside a block of size 64 free'd
> ==13424==    at 0x4A08E90: free (vg_replace_malloc.c:473)
> ==13424==    by 0x1A62C7DD: vlVdpOutputSurfaceRenderBitmapSurface (in /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_r600.so.1.0.0)
> ==13424==    by 0x1F2F8200: Queue (in /usr/lib/vlc/plugins/vdpau/libvdpau_display_plugin.so)
> ==13424==    by 0x30D0E6DB48: ThreadDisplayPicture (in /usr/lib/libvlccore.so.8.0.0)
> ==13424==    by 0x30D0E6DEB2: Thread (in /usr/lib/libvlccore.so.8.0.0)
> ==13424==    by 0x30022080A3: start_thread (pthread_create.c:309)

This looks like a use-after-free bug in the Mesa r600g driver. Can you report this upstream at https://bugs.freedesktop.org/enter_bug.cgi?product=Mesa , component Drivers/Gallium/r600?
Comment 1 Michel Dänzer 2014-10-21 03:42:48 UTC
Created attachment 108144 [details] [review]
r600g: Drop references to destroyed blend state

Does this patch fix this problem?
Comment 2 Arthur Marsh 2014-10-21 08:40:45 UTC
Created attachment 108163 [details]
log file of running valgrind with default options run against mesa rebuilt with patch

It appears from this log that the particular error reported in this bug no longer occurs.
Comment 3 Dieter Nützel 2014-10-21 17:17:42 UTC
Fixed bug 84140, too.
Comment 4 Michel Dänzer 2014-10-22 09:04:05 UTC
Module: Mesa
Branch: master
Commit: ae879718c4086fc5905070e7f26dfa2757df0c86
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=ae879718c4086fc5905070e7f26dfa2757df0c86

Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Tue Oct 21 12:40:15 2014 +0900

r600g: Drop references to destroyed blend state
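
Added example, not part of the bug thread and not Mesa's code: a minimal C model of the bug class that the valgrind trace and the commit title point to, where a context keeps a pointer to a state object after that object is freed and a later save/restore path binds it again. All names here (`blend_state`, `context`, `blend_delete`, `clear_and_restore`) are hypothetical stand-ins.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for a driver context and a blend state object;
 * these are not Mesa's structures. */
struct blend_state { unsigned char dual_src; };
struct context {
    struct blend_state *bound;  /* state currently bound for drawing */
    struct blend_state *saved;  /* state stashed by a save/restore helper */
};

struct blend_state *blend_create(unsigned char dual_src)
{
    struct blend_state *b = calloc(1, sizeof *b);
    if (b) b->dual_src = dual_src;
    return b;
}

/* Binding reads the state's fields, so a stale pointer passed here is the
 * kind of "Invalid read" valgrind reports. Returns -1 when nothing is bound. */
int blend_bind(struct context *ctx, struct blend_state *b)
{
    ctx->bound = b;
    return b ? b->dual_src : -1;
}

/* Before: the object is freed while ctx->bound / ctx->saved may still
 * point at it. Shown for contrast only; nothing in this example calls it. */
void blend_delete_unsafe(struct context *ctx, struct blend_state *b)
{
    (void)ctx;
    free(b);
}

/* After: drop every reference the context holds, then free. */
void blend_delete(struct context *ctx, struct blend_state *b)
{
    if (ctx->bound == b) ctx->bound = NULL;
    if (ctx->saved == b) ctx->saved = NULL;
    free(b);
}

/* Clear-style helper: stash the bound state, do the work, restore it. */
int clear_and_restore(struct context *ctx)
{
    ctx->saved = ctx->bound;
    /* ... the clear itself would bind its own temporary state here ... */
    int r = blend_bind(ctx, ctx->saved);
    ctx->saved = NULL;
    return r;
}
```

With `blend_delete_unsafe`, the `clear_and_restore` call after deletion would dereference freed memory; with `blend_delete`, the restore path sees `NULL` and has nothing stale to read.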
