Bug 28080 - "glresize" causes X server segfault with indirect rendering.
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel
Version: 7.5 (2009.10)
Hardware: Other All
Importance: medium normal
Assignee: Carl Worth
QA Contact: Xorg Project Team
Reported: 2010-05-12 20:28 UTC by Nick Bowler
Modified: 2010-05-14 02:39 UTC

Attachments
Xorg.0.log including backtrace. (28.36 KB, text/plain)
2010-05-12 20:28 UTC, Nick Bowler

Description Nick Bowler 2010-05-12 20:28:56 UTC
Created attachment 35604
Xorg.0.log including backtrace.

This was originally described in bug 27922 and occurs when running the
"glresize" test program there, which creates an OpenGL window and then rapidly
resizes it, switching back and forth between filling the entire screen and its
original size.

Running "glresize" with LIBGL_ALWAYS_INDIRECT=1 causes the server to immediately segfault.  This occurs with (at least) servers 1.8.0 and git master.  I'm using mesa 7.8.1.

The system is a ThinkPad T500 with a GM45, running git xf86-video-intel but it also occurs with 2.11.0.
Comment 1 Chris Wilson 2010-05-13 16:09:35 UTC
Note to self:

==1267== Invalid read of size 4
==1267==    at 0x4942A9D: I830DRI2CopyRegion (i830_dri.c:280)
==1267==    by 0x4943989: I830DRI2FrameEventHandler (i830_dri.c:551)
==1267==    by 0x493F021: drmmode_vblank_handler (drmmode_display.c:1400)
==1267==    by 0x4903FAB: drmHandleEvent (xf86drmMode.c:776)
==1267==    by 0x493EF5E: drm_wakeup_handler (drmmode_display.c:1425)
==1267==    by 0x8074EF1: WakeupHandler (dixutils.c:421)
==1267==    by 0x80B9699: WaitForSomething (WaitFor.c:232)
==1267==    by 0x80853FF: Dispatch (dispatch.c:375)
==1267==    by 0x8066734: main (main.c:283)
==1267==  Address 0x5c85af0 is 24 bytes inside a block of size 28 free'd
==1267==    at 0x4024866: free (vg_replace_malloc.c:325)
==1267==    by 0x80B03F0: Xfree (utils.c:1137)
==1267==    by 0x49429D4: I830DRI2DestroyBuffer (i830_dri.c:270)
==1267==    by 0x4908B86: do_get_buffers (dri2.c:407)
==1267==    by 0x48DCFD4: dri2GetBuffersWithFormat (glxdri2.c:529)
==1267==    by 0x4DB0BB9: intel_update_renderbuffers (intel_context.c:279)
==1267==    by 0x4DB1191: intel_prepare_render (intel_context.c:421)
==1267==    by 0x4DB127E: intelMakeCurrent (intel_context.c:902)
==1267==    by 0x4D8D190: driBindContext (dri_util.c:195)
==1267==    by 0x48DCDBB: __glXDRIcontextMakeCurrent (glxdri2.c:262)
==1267==    by 0x48CFCA4: DoMakeCurrent (glxcmds.c:645)
==1267==    by 0x48D0094: __glXDisp_MakeCurrent (glxcmds.c:684)
Comment 2 Chris Wilson 2010-05-14 02:39:03 UTC
commit 0d2392d44aae95d6b571d98f7ec323cf672a687f
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri May 14 10:32:12 2010 +0100

    dri: Hold reference to buffers across swap
    
    As we schedule swaps for some time in the future and may process a
    detachment prior to receiving the vblank notification from the kernel,
    we need to hold a reference to the buffers for our swap event handler.
    
    Fixes:
      Bug 28080 - "glresize" causes X server segfault with indirect rendering.
      https://bugs.freedesktop.org/show_bug.cgi?id=28080
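
The reference-holding pattern that the commit message describes, as an added example (not the driver's code and not the actual patch): a scheduled swap takes its own references, so a detach processed before the vblank cannot free buffers the handler will later read. All struct and function names here are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical names throughout; this is not the intel driver's code. */
struct buffer { int refcnt; int attachment; };
struct swap_event { struct buffer *front, *back; };  /* queued until vblank */
static int live_buffers;                             /* allocated, not yet freed */

static struct buffer *buffer_create(int attachment)
{
    struct buffer *b = calloc(1, sizeof(*b));
    if (!b) abort();
    b->refcnt = 1;              /* reference owned by the drawable */
    b->attachment = attachment;
    live_buffers++;
    return b;
}

/* Drop one reference; the memory is freed only with the last holder. */
static void buffer_unref(struct buffer *b)
{
    if (--b->refcnt == 0) { free(b); live_buffers--; }
}

/* Scheduling the swap pins both buffers for the future handler. */
static void swap_schedule(struct swap_event *ev, struct buffer *f, struct buffer *b)
{
    f->refcnt++; b->refcnt++;
    ev->front = f; ev->back = b;
}

/* Vblank handler: read the buffers, then release the event's references. */
static int swap_complete(struct swap_event *ev)
{
    int sum = ev->front->attachment + ev->back->attachment;
    buffer_unref(ev->front); buffer_unref(ev->back);
    return sum;
}

/* Detach before the vblank; returns buffers still alive at that point. */
int detach_before_vblank(int *sum)
{
    struct swap_event ev;
    struct buffer *front = buffer_create(0), *back = buffer_create(1);
    swap_schedule(&ev, front, back);
    buffer_unref(front); buffer_unref(back);  /* drawable lets go of both */
    int alive = live_buffers;   /* the event's references keep them alive */
    *sum = swap_complete(&ev);  /* last references dropped here */
    return alive;
}
```

Without the two increments in `swap_schedule`, the drawable's unref would free both buffers and `swap_complete` would read freed memory, which is the shape of the invalid read in the Valgrind trace from comment 1.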

