Bug 96194

Summary: Gvim causes Xorg to crash in Intel driver.
Product: xorg
Reporter: Edd Barrett <edd>
Component: Driver/intel
Assignee: Chris Wilson <chris>
Status: RESOLVED MOVED
QA Contact: Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity: major
Priority: medium
CC: edd
Version: unspecified
Hardware: x86-64 (AMD64)
OS: OpenBSD
Whiteboard:
i915 platform:
i915 features:

Description Edd Barrett 2016-05-25 10:44:21 UTC
Hi,

I posted an X bug to x11@openbsd.org recently; see the report below. I figured I should raise this upstream.


```
$ Xorg -version

X.Org X Server 1.17.4
Release Date: 2015-10-28
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 6.0 amd64 
Current Operating System: OpenBSD wilfred.home 6.0 GENERIC.MP#12 amd64
Build Date: 23 May 2016  06:21:16PM
 
Current version of pixman: 0.32.8
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
```

Original report follows:
```
Hi,

CC Matthieu and a couple of others who are experiencing (maybe) the same issue.

Over the past few months, I've been troubled by Xorg crashing when I am
using gvim. I am unable to reliably reproduce the crash, but the last
time I saw it, I was resizing the gvim window. Below is a trace for this
instance.

I've only had a cursory inspection, but it looks to me like a value (pt
in frame 2) is being used as a pointer (p in frame 1). The dereference
p->x is segging the X server.

Any ideas? Shall I raise this upstream?

Debug binary is here:
http://theunixzoo.co.uk/random/Xorg

Gzipped core file is here:
http://theunixzoo.co.uk/random/Xorg.core.gz

GDB session and trace:

# gdb -c /var/crash/Xorg.core /usr/X11R6/bin/Xorg
...
#0  0x000017eaa59dca49 in pt_add (cmd=1224738816, pt=0x17ea8b579000, dx=4, dy=83)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3093
3093            u.pt.x = pt->x + dx;


(gdb) bt
#0  0x000017eaa59dca49 in pt_add (cmd=1224738816, pt=0x17ea8b579000, dx=4, dy=83)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3093
#1  0x000017eaa59dca10 in sna_blt_fill_op_points (sna=0x17ea7246a000, op=0x7f7ffffbb1a0, dx=4, dy=83, p=0x17ea8b579004, n=0)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3198
#2  0x000017eaa59b7b64 in sna_poly_point_blt (drawable=0x17eaa8edd200, bo=0x17e9e8b55000, damage=0x0, gc=0x17ea2fb9ef00, mode=0, 
    n=45, pt=0x17ea8b578f40, clipped=false) at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:8709
#3  0x000017eaa59b8569 in sna_poly_point (drawable=0x17eaa8edd200, gc=0x17ea2fb9ef00, mode=0, n=45, pt=0x17ea8b578f40)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:8876
#4  0x000017e7c3c8e1e0 in damagePolyPoint (pDrawable=0x17eaa8edd200, pGC=0x17ea2fb9ef00, mode=0, npt=45, ppt=0x17ea8b578f40)
    at /usr/xenocara/xserver/miext/damage/damage.c:840
#5  0x000017e7c3b54d44 in ProcPolyPoint (client=0x17e9d7208200) at /usr/xenocara/xserver/dix/dispatch.c:1746
#6  0x000017e7c3b50dad in Dispatch () at /usr/xenocara/xserver/dix/dispatch.c:429
#7  0x000017e7c3b60396 in dix_main (argc=6, argv=0x7f7ffffbb648, envp=0x7f7ffffbb680) at /usr/xenocara/xserver/dix/main.c:298
#8  0x000017e7c3b412f7 in main (argc=6, argv=0x7f7ffffbb648, envp=0x7f7ffffbb680) at /usr/xenocara/xserver/dix/stubmain.c:34

(gdb) list pt_add
3082    
3083            _sna_blt_fill_boxes(sna, &op->base.u.blt, box, nbox);
3084    }
3085    
3086    static inline uint64_t pt_add(uint32_t cmd, const DDXPointRec *pt, int16_t dx, int16_t dy)
3087    {
3088            union {
3089                    DDXPointRec pt;
3090                    uint32_t i;
3091            } u;
(gdb) 
3092    
3093            u.pt.x = pt->x + dx;
3094            u.pt.y = pt->y + dy;
3095    
3096            return cmd | (uint64_t)u.i<<32;
3097    }
3098    
3099    fastcall static void sna_blt_fill_op_points(struct sna *sna,
3100                                                const struct sna_fill_op *op,
3101                                                int16_t dx, int16_t dy,
(gdb) p pt
$1 = (const DDXPointRec *) 0x17ea8b579000
(gdb) p pt->x
Cannot access memory at address 0x17ea8b579000


(gdb) frame 1
#1  0x000017eaa59dca10 in sna_blt_fill_op_points (sna=0x17ea7246a000, op=0x7f7ffffbb1a0, dx=4, dy=83, p=0x17ea8b579004, n=0)
    at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_blt.c:3198
3198                                    *((uint64_t *)b + 0) = pt_add(cmd, p++, dx, dy);
(gdb) list sna_blt_fill_op_points
3098    
3099    fastcall static void sna_blt_fill_op_points(struct sna *sna,
3100                                                const struct sna_fill_op *op,
3101                                                int16_t dx, int16_t dy,
3102                                                const DDXPointRec *p, int n)
...
(gdb) p p
$2 = (const DDXPointRec *) 0x17ea8b579004
(gdb) p p->x
Cannot access memory at address 0x17ea8b579004


(gdb) frame 2
#2  0x000017eaa59b7b64 in sna_poly_point_blt (drawable=0x17eaa8edd200, bo=0x17e9e8b55000, damage=0x0, gc=0x17ea2fb9ef00, mode=0, 
    n=45, pt=0x17ea8b578f40, clipped=false) at /usr/xenocara/driver/xf86-video-intel/src/sna/sna_accel.c:8709
8709                            fill.points(sna, &fill, last.x, last.y, pt, n);
(gdb) list sna_poly_point_blt
8678    sna_poly_point_blt(DrawablePtr drawable,
8679                       struct kgem_bo *bo,
8680                       struct sna_damage **damage,
8681                       GCPtr gc, int mode, int n, DDXPointPtr pt,
8682                       bool clipped)
8683    {
...
8709                            fill.points(sna, &fill, last.x, last.y, pt, n);
...
(gdb) p pt.x
$6 = 38
(gdb) p pt
$7 = 0x17ea8b578f40


Xorg.0.log:


[ 64357.076] 
X.Org X Server 1.17.4
Release Date: 2015-10-28
[ 64357.076] X Protocol Version 11, Revision 0
[ 64357.076] Build Operating System: OpenBSD 6.0 amd64 
[ 64357.076] Current Operating System: OpenBSD wilfred.home 6.0 GENERIC.MP#12 amd64
[ 64357.076] Build Date: 23 May 2016  06:21:16PM
[ 64357.076]  
[ 64357.076] Current version of pixman: 0.32.8
[ 64357.076] 	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
[ 64357.076] Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[ 64357.076] (==) Log file: "/var/log/Xorg.0.log", Time: Tue May 24 17:40:50 2016
[ 64357.077] (==) Using config file: "/etc/X11/xorg.conf"
[ 64357.077] (==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
[ 64357.078] (==) No Layout section.  Using the first Screen section.
[ 64357.078] (==) No screen section available. Using defaults.
[ 64357.078] (**) |-->Screen "Default Screen Section" (0)
[ 64357.078] (**) |   |-->Monitor "<default monitor>"
[ 64357.078] (==) No monitor specified for screen "Default Screen Section".
	Using a default monitor configuration.
[ 64357.078] (**) Option "NoTrapSignals" "true"
[ 64357.078] (==) Disabling SIGIO handlers for input devices
[ 64357.078] (==) Automatically adding devices
[ 64357.078] (==) Automatically enabling devices
[ 64357.078] (==) Not automatically adding GPU devices
[ 64357.083] (==) FontPath set to:
	/usr/X11R6/lib/X11/fonts/misc/,
	/usr/X11R6/lib/X11/fonts/TTF/,
	/usr/X11R6/lib/X11/fonts/OTF/,
	/usr/X11R6/lib/X11/fonts/Type1/,
	/usr/X11R6/lib/X11/fonts/100dpi/,
	/usr/X11R6/lib/X11/fonts/75dpi/
[ 64357.083] (==) ModulePath set to "/usr/X11R6/lib/modules"
[ 64357.083] (II) The server relies on wscons to provide the list of input devices.
	If no devices become available, reconfigure wscons or disable AutoAddDevices.
[ 64357.083] (II) Loader magic: 0x44aa2fc76c0
[ 64357.083] (II) Module ABI versions:
[ 64357.083] 	X.Org ANSI C Emulation: 0.4
[ 64357.083] 	X.Org Video Driver: 19.0
[ 64357.083] 	X.Org XInput driver : 21.0
[ 64357.083] 	X.Org Server Extension : 9.0
[ 64357.093] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
	(Operation not permitted)
	Check that you have set 'machdep.allowaperture=1'
	in /etc/sysctl.conf and reboot your machine
	refer to xf86(4) for details
[ 64357.093] 	linear framebuffer access unavailable
[ 64357.093] (--) PCI:*(0:0:2:0) 8086:0166:17aa:2203 rev 9, Mem @ 0xf0000000/4194304, 0xe0000000/268435456, I/O @ 0x00005000/64
[ 64357.093] (II) LoadModule: "glx"
[ 64357.095] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[ 64357.098] (II) Module glx: vendor="X.Org Foundation"
[ 64357.098] 	compiled for 1.17.4, module version = 1.0.0
[ 64357.098] 	ABI class: X.Org Server Extension, version 9.0
[ 64357.098] (==) AIGLX enabled
[ 64357.098] (==) Matched intel as autoconfigured driver 0
[ 64357.098] (==) Matched vesa as autoconfigured driver 1
[ 64357.098] (==) Assigned the driver to the xf86ConfigLayout
[ 64357.098] (II) LoadModule: "intel"
[ 64357.098] (II) Loading /usr/X11R6/lib/modules/drivers/intel_drv.so
[ 64357.099] (II) Module intel: vendor="X.Org Foundation"
[ 64357.099] 	compiled for 1.17.4, module version = 2.99.916
[ 64357.099] 	Module class: X.Org Video Driver
[ 64357.099] 	ABI class: X.Org Video Driver, version 19.0
[ 64357.099] (II) LoadModule: "vesa"
[ 64357.099] (II) Loading /usr/X11R6/lib/modules/drivers/vesa_drv.so
[ 64357.100] (II) Module vesa: vendor="X.Org Foundation"
[ 64357.100] 	compiled for 1.17.4, module version = 2.3.3
[ 64357.100] 	Module class: X.Org Video Driver
[ 64357.100] 	ABI class: X.Org Video Driver, version 19.0
[ 64357.100] (II) intel: Driver for Intel(R) Integrated Graphics Chipsets:
	i810, i810-dc100, i810e, i815, i830M, 845G, 854, 852GM/855GM, 865G,
	915G, E7221 (i915), 915GM, 945G, 945GM, 945GME, Pineview GM,
	Pineview G, 965G, G35, 965Q, 946GZ, 965GM, 965GME/GLE, G33, Q35, Q33,
	GM45, 4 Series, G45/G43, Q45/Q43, G41, B43
[ 64357.100] (II) intel: Driver for Intel(R) HD Graphics: 2000-6000
[ 64357.100] (II) intel: Driver for Intel(R) Iris(TM) Graphics: 5100, 6100
[ 64357.100] (II) intel: Driver for Intel(R) Iris(TM) Pro Graphics: 5200, 6200, P6300
[ 64357.100] (II) VESA: driver for VESA chipsets: vesa
[ 64357.100] (--) Using wscons driver on /dev/ttyC4
[ 64357.100] (WW) xf86EnableIO: Failed to set IOPL for extended I/O
	Check that you have set 'machdep.allowaperture=1'
	in /etc/sysctl.conf and reboot your machine
	refer to xf86(4) for details
[ 64357.101] (II) intel(0): Using Kernel Mode Setting driver: i915, version 1.6.0 20080730
[ 64357.101] (WW) Falling back to old probe method for vesa
[ 64357.101] (--) intel(0): Integrated Graphics Chipset: Intel(R) HD Graphics 4000
[ 64357.101] (--) intel(0): CPU: x86-64, sse2, sse3, ssse3, sse4.1, sse4.2, avx
[ 64357.101] (II) intel(0): Creating default Display subsection in Screen section
	"Default Screen Section" for depth/fbbpp 24/32
[ 64357.101] (==) intel(0): Depth 24, (--) framebuffer bpp 32
[ 64357.101] (==) intel(0): RGB weight 888
[ 64357.101] (==) intel(0): Default visual is TrueColor
[ 64357.102] (II) intel(0): Output LVDS1 has no monitor section
[ 64357.103] (--) intel(0): Found backlight control interface wscons (type 'platform') for output LVDS1
[ 64357.103] (II) intel(0): Enabled output LVDS1
[ 64357.103] (II) intel(0): Output VGA1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output VGA1
[ 64357.103] (II) intel(0): Output HDMI1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output HDMI1
[ 64357.103] (II) intel(0): Output DP1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output DP1
[ 64357.103] (II) intel(0): Output HDMI2 has no monitor section
[ 64357.103] (II) intel(0): Enabled output HDMI2
[ 64357.103] (II) intel(0): Output DP2 has no monitor section
[ 64357.103] (II) intel(0): Enabled output DP2
[ 64357.103] (--) intel(0): Using a maximum size of 64x64 for hardware cursors
[ 64357.103] (II) intel(0): Output VIRTUAL1 has no monitor section
[ 64357.103] (II) intel(0): Enabled output VIRTUAL1
[ 64357.103] (--) intel(0): Output LVDS1 using initial mode 1366x768 on pipe 0
[ 64357.103] (--) intel(0): Output HDMI1 using initial mode 1920x1080 on pipe 1
[ 64357.103] (==) intel(0): TearFree disabled
[ 64357.103] (==) intel(0): DPI set to (96, 96)
[ 64357.103] (II) Loading sub module "dri2"
[ 64357.103] (II) LoadModule: "dri2"
[ 64357.103] (II) Module "dri2" already built-in
[ 64357.103] (II) Loading sub module "present"
[ 64357.103] (II) LoadModule: "present"
[ 64357.103] (II) Module "present" already built-in
[ 64357.103] (II) UnloadModule: "vesa"
[ 64357.103] (II) Unloading vesa
[ 64357.103] (==) Depth 24 pixmap format is 32 bpp
[ 64357.104] (II) intel(0): SNA initialized with Ivybridge (gen7, gt2) backend
[ 64357.104] (==) intel(0): Backing store enabled
[ 64357.104] (==) intel(0): Silken mouse disabled
[ 64357.104] (II) intel(0): HW Cursor enabled
[ 64357.104] (II) intel(0): RandR 1.2 enabled, ignore the following RandR disabled message.
[ 64357.104] (==) intel(0): DPMS enabled
[ 64357.104] (II) intel(0): [DRI2] Setup complete
[ 64357.104] (II) intel(0): [DRI2]   DRI driver: i965
[ 64357.104] (II) intel(0): [DRI2]   VDPAU driver: i965
[ 64357.104] (II) intel(0): direct rendering: DRI2 enabled
[ 64357.104] (II) intel(0): hardware support for Present enabled
[ 64357.105] (--) RandR disabled
[ 64357.129] (II) AIGLX: enabled GLX_MESA_copy_sub_buffer
[ 64357.129] (II) AIGLX: enabled GLX_ARB_create_context
[ 64357.129] (II) AIGLX: enabled GLX_ARB_create_context_profile
[ 64357.129] (II) AIGLX: enabled GLX_EXT_create_context_es2_profile
[ 64357.129] (II) AIGLX: enabled GLX_INTEL_swap_event
[ 64357.129] (II) AIGLX: enabled GLX_SGI_swap_control and GLX_MESA_swap_control
[ 64357.129] (II) AIGLX: enabled GLX_EXT_framebuffer_sRGB
[ 64357.129] (II) AIGLX: enabled GLX_ARB_fbconfig_float
[ 64357.129] (II) AIGLX: GLX_EXT_texture_from_pixmap backed by buffer objects
[ 64357.129] (II) AIGLX: enabled GLX_ARB_create_context_robustness
[ 64357.129] (II) AIGLX: Loaded and initialized i965
[ 64357.129] (II) GLX: Initialized DRI2 GL provider for screen 0
[ 64357.132] (II) intel(0): switch to mode 1366x768@60.0 on LVDS1 using pipe 0, position (0, 0), rotation normal, reflection none
[ 64357.141] (II) intel(0): switch to mode 1920x1080@60.0 on HDMI1 using pipe 1, position (0, 0), rotation normal, reflection none
[ 64357.143] (II) intel(0): Setting screen physical size to 508 x 285
[ 64357.288] (II) config/wscons: checking input device /dev/wskbd
[ 64357.288] (II) wskbd: using layout gb
[ 64357.288] (II) LoadModule: "kbd"
[ 64357.290] (II) Loading /usr/X11R6/lib/modules/input/kbd_drv.so
[ 64357.290] (II) Module kbd: vendor="X.Org Foundation"
[ 64357.290] 	compiled for 1.17.4, module version = 1.8.1
[ 64357.290] 	Module class: X.Org XInput Driver
[ 64357.290] 	ABI class: X.Org XInput driver, version 21.0
[ 64357.290] (II) Using input driver 'kbd' for '/dev/wskbd'
[ 64357.290] (**) /dev/wskbd: always reports core events
[ 64357.290] (**) /dev/wskbd: always reports core events
[ 64357.290] (**) Option "Protocol" "standard"
[ 64357.290] (**) Option "XkbRules" "base"
[ 64357.290] (**) Option "XkbModel" "pc105"
[ 64357.290] (**) Option "XkbLayout" "gb"
[ 64357.290] (II) XINPUT: Adding extended input device "/dev/wskbd" (type: KEYBOARD, id 6)
[ 64357.412] (II) config/wscons: checking input device /dev/wsmouse3
[ 64357.412] (II) LoadModule: "ws"
[ 64357.413] (II) Loading /usr/X11R6/lib/modules/input/ws_drv.so
[ 64357.413] (II) Module ws: vendor="X.Org Foundation"
[ 64357.413] 	compiled for 1.17.4, module version = 1.3.0
[ 64357.413] 	Module class: X.Org XInput Driver
[ 64357.413] 	ABI class: X.Org XInput driver, version 21.0
[ 64357.414] (II) Using input driver 'ws' for '/dev/wsmouse3'
[ 64357.414] (**) /dev/wsmouse3: always reports core events
[ 64357.414] (II) ws: /dev/wsmouse3: debuglevel 0
[ 64357.414] (**) Option "Device" "/dev/wsmouse3"
[ 64357.414] (**) ws: /dev/wsmouse3: ZAxisMapping: buttons 4 and 5
[ 64357.414] (**) ws: /dev/wsmouse3: WAxisMapping: buttons 6 and 7
[ 64357.414] (**) ws: /dev/wsmouse3: associated screen: 0
[ 64357.414] (**) ws: /dev/wsmouse3: device will work in raw mode
[ 64357.414] (II) ws: /dev/wsmouse3: minimum x position: 0
[ 64357.414] (II) ws: /dev/wsmouse3: maximum x position: 27760
[ 64357.414] (II) ws: /dev/wsmouse3: minimum y position: 0
[ 64357.414] (II) ws: /dev/wsmouse3: maximum y position: 15694
[ 64357.414] (==) ws: /dev/wsmouse3: Buttons: 7
[ 64357.414] (**) ws: /dev/wsmouse3: YAxisMapping: buttons 4 and 5
[ 64357.414] (II) XINPUT: Adding extended input device "/dev/wsmouse3" (type: TOUCHSCREEN, id 7)
[ 64357.414] (**) /dev/wsmouse3: (accel) keeping acceleration scheme 1
[ 64357.414] (**) /dev/wsmouse3: (accel) acceleration profile 0
[ 64357.414] (**) /dev/wsmouse3: (accel) acceleration factor: 2.000
[ 64357.414] (**) /dev/wsmouse3: (accel) acceleration threshold: 4
[ 64357.414] (II) config/wscons: checking input device /dev/wsmouse
[ 64357.414] (II) Using input driver 'ws' for '/dev/wsmouse'
[ 64357.414] (**) /dev/wsmouse: always reports core events
[ 64357.414] (II) ws: /dev/wsmouse: debuglevel 0
[ 64357.414] (**) Option "Device" "/dev/wsmouse"
[ 64357.414] (**) ws: /dev/wsmouse: ZAxisMapping: buttons 4 and 5
[ 64357.414] (**) ws: /dev/wsmouse: WAxisMapping: buttons 6 and 7
[ 64357.414] (**) ws: /dev/wsmouse: associated screen: 0
[ 64357.480] (II) ws: /dev/wsmouse: minimum x position: 0
[ 64357.480] (II) ws: /dev/wsmouse: maximum x position: 1919
[ 64357.480] (II) ws: /dev/wsmouse: minimum y position: 0
[ 64357.480] (II) ws: /dev/wsmouse: maximum y position: 1079
[ 64357.480] (==) ws: /dev/wsmouse: Buttons: 7
[ 64357.485] (**) ws: /dev/wsmouse: YAxisMapping: buttons 4 and 5
[ 64357.485] (II) XINPUT: Adding extended input device "/dev/wsmouse" (type: MOUSE, id 8)
[ 64357.550] (**) /dev/wsmouse: (accel) keeping acceleration scheme 1
[ 64357.550] (**) /dev/wsmouse: (accel) acceleration profile 0
[ 64357.550] (**) /dev/wsmouse: (accel) acceleration factor: 2.000
[ 64357.550] (**) /dev/wsmouse: (accel) acceleration threshold: 4
[ 64375.884] (II) intel(0): EDID vendor "LGD", prod id 728
[ 64375.884] (II) intel(0): Printing DDC gathered Modelines:
[ 64375.884] (II) intel(0): Modeline "1366x768"x0.0   75.20  1366 1414 1478 1582  768 772 779 792 +hsync -vsync (47.5 kHz eP)

```
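Working the same arithmetic on the addresses in the backtrace, as an added example that is not part of the report or of the xf86-video-intel code: pt_add() is re-created from the gdb listing above, and the helpers pt_decode() and locate_fault() are assumed additions that decode a packed command word and place the frame 0 address relative to the array start seen in frame 2.

```c
/* Added triage helper: not code from the bug report or from xf86-video-intel.
 * It re-creates the union packing shown in the gdb listing of pt_add(), adds
 * the inverse decode, and measures from the backtrace addresses where the
 * faulting read lies relative to the points array handed to fill.points(). */
#include <stdint.h>
#include <stdio.h>

/* Same layout as the X server's DDXPointRec: two 16-bit coordinates. */
typedef struct { int16_t x, y; } DDXPointRec;
union pt_word { DDXPointRec pt; uint32_t i; };

/* Re-creation of pt_add() from the gdb listing: the offset point is packed
 * into the upper 32 bits of the 64-bit blitter command word. */
static inline uint64_t pt_add(uint32_t cmd, const DDXPointRec *pt,
                              int16_t dx, int16_t dy)
{
	union pt_word u;
	u.pt.x = pt->x + dx;
	u.pt.y = pt->y + dy;
	return cmd | (uint64_t)u.i << 32;
}

/* Assumed inverse of pt_add(): recover the point from a command word, e.g.
 * when reading a batch buffer dump. Same union, so it is endian-safe. */
static DDXPointRec pt_decode(uint64_t word)
{
	union pt_word u;
	u.i = (uint32_t)(word >> 32);
	return u.pt;
}

/* Where a faulting element read sits relative to its array. */
struct fault_pos {
	long index;        /* element index of the faulting read */
	int  oob;          /* index >= n: outside the n elements supplied */
	int  page_aligned; /* fault address is the first byte of a 4 KiB page */
};

/* base: array start (frame 2 `pt`); fault: address gdb could not read
 * (frame 0 `pt`); n: element count the caller passed (frame 2 `n`). */
static struct fault_pos locate_fault(uint64_t base, uint64_t fault, int n)
{
	struct fault_pos f;
	f.index = (long)((fault - base) / sizeof(DDXPointRec));
	f.oob = f.index >= n;
	f.page_aligned = (fault & 0xfff) == 0;
	return f;
}

int main(void)
{
	/* Addresses and count copied from the backtrace in the report. */
	struct fault_pos f = locate_fault(0x17ea8b578f40ULL, 0x17ea8b579000ULL, 45);
	/* Constructed point, offset by the dx/dy seen in frame 0 (4, 83). */
	DDXPointRec p = { 38, 10 }, q = pt_decode(pt_add(0, &p, 4, 83));
	printf("faulting read: element %ld of 45, oob=%d, page_aligned=%d\n",
	       f.index, f.oob, f.page_aligned);
	printf("packed (38,10)+(4,83) decodes to (%d, %d)\n", q.x, q.y);
	return 0;
}
```

On the report's numbers the faulting read is element 48 of the 45 points supplied, and the address sits exactly on a 4 KiB page boundary.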
Comment 1 Edd Barrett 2016-06-08 09:44:23 UTC
To follow up on this, there are two workarounds that I know of:

1) Build gvim with a different GUI toolkit. I used the motif GUI for about a week without any crashes. Although this works, you will lose the modern font rendering features that the GTK backend offers. You cannot use freetype fonts, only old school X bitmap fonts.

2) Switch from SNA acceleration to UXA acceleration. I have been running under this configuration for a week or so now, and again, no crashes. To apply this workaround, add the following to your xorg.conf:

```
Section "Device"
    Identifier "devname"
    Driver "intel"
    Option      "AccelMethod"  "uxa"
EndSection
```


I'm hoping one of the upstream devs who understands the SNA code will pick this up and fix the crash, so that workarounds are not required.
Comment 2 Martin Peres 2019-11-27 13:44:38 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-intel/issues/113.
