Bug 15834 - Current Amira version 4.1.1 causes X to crash in _tnl_InvalidateState
Summary: Current Amira version 4.1.1 causes X to crash in _tnl_InvalidateState
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/DRI/i915 (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium critical
Assignee: mesa-dev
QA Contact:
URL:
Whiteboard:
Keywords:
Duplicates: 17237 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-05-05 07:48 UTC by Hugo Mildenberger
Modified: 2008-12-08 16:18 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
gdb log with backtrace and structure dumps (70.58 KB, text/x-log)
2008-05-07 04:47 UTC, Hugo Mildenberger
Details
patch to fix segfault (1.17 KB, patch)
2008-09-18 07:44 UTC, Brian Paul
Details | Splinter Review

Description Hugo Mildenberger 2008-05-05 07:48:32 UTC
When running Amira under current git version of X and current git version of mesa, dri and so on, Amira crashes the whole session. 


(gdb)
Program received signal SIGSEGV, Segmentation fault.
0xaf814ea2 in _tnl_InvalidateState (ctx=0x9074e98, new_state=525315) at tnl/t_context.c:140
140        if (ctx->Fog.Enabled ||

(gdb) bt
#0  0xaf814ea2 in _tnl_InvalidateState (ctx=0x9074e98, new_state=525315) at tnl/t_context.c:140
#1  0xaf767ef0 in intelInvalidateState (ctx=0x9074e98, new_state=525315) at intel_context.c:340
#2  0xaf7da923 in _mesa_update_state_locked (ctx=0x9074e98) at main/state.c:1253
#3  0xaf7dac2a in _mesa_update_state (ctx=0x9074e98) at main/state.c:1264
#4  0xaf80aeb8 in vbo_exec_Begin (mode=4) at vbo/vbo_exec_api.c:509
#5  0xb7b66315 in __glXDisp_Begin (pc=0x93bd7e4 "\004") at indirect_dispatch.c:156
#6  0xb7b495ee in __glXDisp_Render (cl=0x86205a4, pc=0x93bd7e0 "\b") at glxcmds.c:1788
#7  0xb7b4d966 in __glXDispatch (client=0x86204e0) at glxext.c:492
#8  0x0808abfc in Dispatch () at dispatch.c:451
#9  0x080716ea in main (argc=8, argv=0xbfa4a9b4, envp=0x909f870) at main.c:433

This is the location within _tnl_InvalidateState

140        if (ctx->Fog.Enabled ||
141            ((ctx->FragmentProgram._Active || ctx->FragmentProgram._Current) &&
142             (ctx->FragmentProgram._Current->FogOption != GL_NONE ||
143              (ctx->FragmentProgram._Current->Base.InputsRead & FRAG_BIT_FOGC))))
144           RENDERINPUTS_SET( tnl->render_inputs_bitset, _TNL_ATTRIB_FOG );


The problem is here, that for whatever reason, ctx->FragmentProgram._Active happens to be nonzero, whereas ctx->FragmentProgram._Current actually is zero. Therefore dereferencing ctx->FragmentProgram._Current will signal.

Fix would be simple. Change that "||" to "&&".

(BTW: Wouldn't you like to change the "CVS" tag to "git" in this form?)
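The failure mode described above, as an added example that is not Mesa's code and not part of the original report: a constructed mock of the ctx->Fog / ctx->FragmentProgram state from the gdb dump, with the condition from t_context.c:140 beside a null-safe form. The struct and field names (mock_context, FP_Active, FP_Current, run_fog_check_demo) are assumptions for the demo; the fixed variant guards on the program pointer alone, which is one way to close the hole (the reporter's suggested `||` to `&&` change is another) and is not claimed to be the committed diff.

```c
/* Added example, not Mesa's code: a stand-in for the gl_context fields
 * named in the backtrace, showing the crashing condition next to a
 * null-safe rewrite. All types and values here are constructed. */
#include <stddef.h>
#include <stdio.h>

#define GL_NONE 0
#define GL_LINEAR 0x2601          /* any non-GL_NONE fog mode will do */
#define FRAG_BIT_FOGC (1u << 2)   /* bit position chosen for the mock */

struct mock_program {
    unsigned FogOption;           /* GL_NONE or a fog mode */
    unsigned InputsRead;          /* bitmask of fragment inputs read */
};

struct mock_context {
    int Fog_Enabled;                  /* ctx->Fog.Enabled */
    int FP_Active;                    /* ctx->FragmentProgram._Active */
    struct mock_program *FP_Current;  /* ctx->FragmentProgram._Current, may be NULL */
};

/* Buggy form as reported: (_Active || _Current) is true whenever _Active
 * is set, so _Current is dereferenced even when it is NULL, which is
 * exactly the state in the gdb dump (_Active = 1, _Current = 0x0).
 * Only safe to call when FP_Current is non-NULL. */
int needs_fog_input_buggy(const struct mock_context *ctx)
{
    return ctx->Fog_Enabled ||
           ((ctx->FP_Active || ctx->FP_Current) &&
            (ctx->FP_Current->FogOption != GL_NONE ||
             (ctx->FP_Current->InputsRead & FRAG_BIT_FOGC)));
}

/* Null-safe form: the pointer itself guards the dereference, so a stale
 * _Active flag can no longer lead to a NULL read. */
int needs_fog_input_fixed(const struct mock_context *ctx)
{
    return ctx->Fog_Enabled ||
           (ctx->FP_Current != NULL &&
            (ctx->FP_Current->FogOption != GL_NONE ||
             (ctx->FP_Current->InputsRead & FRAG_BIT_FOGC)));
}

/* Walks four constructed states through the fixed check, including the
 * crashing one from the report, and confirms the buggy and fixed forms
 * agree whenever a program is actually bound. Returns 1 on success. */
int run_fog_check_demo(void)
{
    struct mock_program fog_prog   = { GL_LINEAR, 0 };
    struct mock_program plain_prog = { GL_NONE, 0 };
    struct mock_program fogc_prog  = { GL_NONE, FRAG_BIT_FOGC };

    struct mock_context crash_state = { 0, 1, NULL };        /* the gdb dump */
    struct mock_context fog_state   = { 0, 1, &fog_prog };
    struct mock_context plain_state = { 0, 1, &plain_prog };
    struct mock_context fogc_state  = { 0, 0, &fogc_prog };

    int ok = 1;
    ok &= needs_fog_input_fixed(&crash_state) == 0;   /* no deref, no fog */
    ok &= needs_fog_input_fixed(&fog_state) == 1;
    ok &= needs_fog_input_fixed(&plain_state) == 0;
    ok &= needs_fog_input_fixed(&fogc_state) == 1;
    ok &= needs_fog_input_buggy(&fog_state) == needs_fog_input_fixed(&fog_state);
    ok &= needs_fog_input_buggy(&plain_state) == needs_fog_input_fixed(&plain_state);
    return ok;
}

int main(void)
{
    int ok = run_fog_check_demo();
    printf("fixed check survives _Active=1/_Current=NULL: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the demo is that needs_fog_input_buggy(&crash_state) would fault exactly as the backtrace shows, while the fixed form returns 0 for the same state and gives identical answers for every state where a program is bound.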
Comment 1 Hugo Mildenberger 2008-05-07 04:47:42 UTC
Created attachment 16411 [details]
gdb log with backtrace and structure dumps


This excerpt is perhaps already enough to illuminate the scene:

(gdb) sele 2

(gdb) print ctx->Fog
$3 = {Enabled = 0 '\0', Color = {0, 0, 0, 0}, Density = 1, Start = 0, End = 1, Index = 0, Mode = 2048,
  ColorSumEnabled = 0 '\0', FogCoordinateSource = 33874, _Scale = 1}

(gdb) print ctx->FragmentProgram
$4 = {Enabled = 0 '\0', _Enabled = 0 '\0', _Active = 1 '\001', Current = 0x9088bc8, _Current = 0x0, Parameters = {{0, 0, 0,
      0} <repeats 128 times>}, _MaintainTexEnvProgram = 0 '\0', _UseTexEnvProgram = 1 '\001', _TexEnvProgram = 0x0,
  Callback = 0, CallbackData = 0x0, CallbackEnabled = 0 '\0', CurrentPosition = 0}


I may add that after I locally fixed this, Amira again crashed the system, this time within the drm kernel module, saying:

[drm:drm_bo_expire_fence] *ERROR* Detected GPU lockup or fence driver was taken down. Evicting buffer.
[drm:drm_bo_leave_list] *ERROR* A DRM_BO_NO_EVICT buffer present at cleanup. Removing flag and evicting.

I don't currently have a backtrace for that bug around, since this was obtained while looking for the cause of another bug located within the latest xf86-video-intel driver. I will retry it after that gets fixed.

Let me add that the source for all this may really be a header inconsistency, which I myself can't fix, since Amira is closed source. But even if that is the case, running a buggy program or a program which was compiled for another minor X revision shouldn't crash the whole system.
Comment 2 Brice Goglin 2008-08-29 14:33:05 UTC
A similar backtrace has been caught by Vincent Bernat with Mesa 7.1.1 when running Blender:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497096
Comment 3 haihao 2008-09-04 02:17:43 UTC
*** Bug 17237 has been marked as a duplicate of this bug. ***
Comment 4 Brian Paul 2008-09-18 07:44:21 UTC
Created attachment 18980 [details] [review]
patch to fix segfault

Can you try the attached patch?
Comment 5 Brian Paul 2008-09-18 14:31:34 UTC
I've committed my patch for Mesa 7.2.  Would still appreciate confirmation from an Amira user that this is fixed now.
Comment 6 Eric Anholt 2008-12-08 16:18:54 UTC
Feedback timeout, and the fix was committed.

commit 58dce864e659da3d1f9761154e622a45e420c229
Author: Brian Paul <brian.paul@tungstengraphics.com>
Date:   Thu Sep 18 15:29:57 2008 -0600

    mesa: fix null ptr deref bug in _tnl_InvalidateState(), bug 15834

