Bug 32770 - Xorg crash on monitor hot-removal with Intel driver
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Driver/intel
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium major
Assignee: Chris Wilson
QA Contact: Xorg Project Team
Reported: 2011-01-01 15:26 UTC by Bernie Innocenti
Modified: 2011-03-08 08:33 UTC

Description Bernie Innocenti 2011-01-01 15:26:43 UTC
Sometimes, unplugging a monitor causes X to crash. It seems to happen only when the X server has been up for a while.

Versions:
 Xorg-1.9.99.1-2.20101201
 xorg-x11-drv-intel-2.13.901-5
 kernel-2.6.35.10-74.fc14.x86_64

Steps to Reproduce:
1. plug an external monitor to the VGA port of a laptop
2. turn on the VGA output and turn off the internal LVDS
3. unplug the monitor
4. repeat until X crashes, opening more windows

Additional info:

Crash happens because scrn->currentMode is NULL at this line:

----------8<-----------8<-----------8<-----------8<-----------8<----------

459     if (full_height && INTEL_INFO(intel)->gen < 40)
465                 MI_LOAD_SCAN_LINES_DISPLAY_PIPEA;
466             if (full_height && INTEL_INFO(intel)->gen >= 40)
467                 event = MI_WAIT_FOR_PIPEA_SVBLANK;
468     } else {
469             event = MI_WAIT_FOR_PIPEB_SCAN_LINE_WINDOW;
470             load_scan_lines_pipe =
471                 MI_LOAD_SCAN_LINES_DISPLAY_PIPEB;
472             if (full_height && INTEL_INFO(intel)->gen >= 40)
473                 event = MI_WAIT_FOR_PIPEB_SVBLANK;
474     }
475
476 --> if (scrn->currentMode->Flags & V_INTERLACE) {
477             /* DSL count field lines */
478             y1 /= 2;
479             y2 /= 2;
480     }
481
482     BEGIN_BATCH(5);
483     /*
484      * The documentation says that the LOAD_SCAN_LINES

----------8<-----------8<-----------8<-----------8<-----------8<----------

#0  0x00007f1a8a802599 in I830DRI2CopyRegion (drawable=0x3674820, pRegion=0x0,
destBuffer=<value optimized out>, sourceBuffer=<value optimized out>) at
intel_dri.c:476
        box = <value optimized out>
        crtcbox = {x1 = 0, y1 = 0, x2 = 1920, y2 = 1080}
        y1 = 26
        pipe = <value optimized out>
        crtc = <value optimized out>
        full_height = <value optimized out>
        y2 = 27
        event = 2
        load_scan_lines_pipe = 0
        srcPrivate = <value optimized out>
        dstPrivate = <value optimized out>
        screen = <value optimized out>
        scrn = 0x15ca8e0
        intel = 0x15cae60
        src = 0x341c6b0
        dst = 0x3674820
        pCopyClip = <value optimized out>
        gc = 0x3154740
        __FUNCTION__ = "I830DRI2CopyRegion"
        __PRETTY_FUNCTION__ = "I830DRI2CopyRegion"
#1  0x00007f1a8aa30010 in DRI2CopyRegion (pDraw=0x3674820, pRegion=0x37cd140,
dest=0, src=1) at dri2.c:617
        ds = 0x15d7600
        pPriv = <value optimized out>
        pDestBuffer = <value optimized out>
        pSrcBuffer = <value optimized out>
        i = <value optimized out>
#2  0x00007f1a8aa31e80 in ProcDRI2CopyRegion (client=0x36fa870) at
dri2ext.c:325
        rep = {type = 0 '\000', pad1 = 0 '\000', sequenceNumber = 0, length =
0, pad2 = 4620207, pad3 = 0, pad4 = 3377022192, pad5 = 32767, pad6 = 4967614,
pad7 = 0}
        status = <value optimized out>
        stuff = 0x34f7c70
        pDrawable = 0x3674820
        pRegion = 0x37cd140
#3  ProcDRI2Dispatch (client=0x36fa870) at dri2ext.c:566
        stuff = <value optimized out>
#4  0x000000000042d539 in Dispatch () at dispatch.c:431
        clientReady = 0x3307160
        result = <value optimized out>
        client = 0x36fa870
        nready = 0
        icheck = 0x7e78d0
        start_tick = 7660
#5  0x00000000004211ca in main (argc=<value optimized out>,
argv=0x7fffc94946d8, envp=<value optimized out>) at main.c:287
        i = <value optimized out>
        alwaysCheckForInput = {0, 1}

----------8<-----------8<-----------8<-----------8<-----------8<----------

scrn->currentMode = {driverVersion = 4000, driverName = 0x7f1a8a81a621 "intel",
pScreen = 0x15db1a0, scrnIndex = 0, configured = 1, origIndex = 0,
imageByteOrder = 0, bitmapScanlineUnit = 32, bitmapScanlinePad = 32,
bitmapBitOrder = 0, numFormats = 0, formats = {{depth = 0 '\000', bitsPerPixel
= 0 '\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0
'\000', scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000',
scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000',
scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000',
scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000',
scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000',
scanlinePad = 0 '\000'}, {depth = 0 '\000', bitsPerPixel = 0 '\000',
scanlinePad = 0 '\000'}}, fbFormat = {depth = 24 '\030', bitsPerPixel = 32 ' ',
scanlinePad = 32 ' '}, bitsPerPixel = 32, pixmap24 = Pix24DontCare, depth = 24,
depthFrom = X_DEFAULT, bitsPerPixelFrom = X_PROBED, weight = {red = 8, green =
8, blue = 8}, mask = {red = 16711680, green = 65280, blue = 255}, offset = {red
= 16, green = 8, blue = 0}, rgbBits = 8, gamma = {red = 1, green = 1, blue =
1}, defaultVisual = 4, maxHValue = 0, maxVValue = 0, virtualX = 1920, virtualY
= 1080, xInc = 0, virtualFrom = X_PROBED, displayWidth = 1920, frameX0 = 0,
frameY0 = 0, frameX1 = 1279, frameY1 = 799, zoomLocked = 0, modePool = 0x0,
modes = 0x0, currentMode = 0x0, confScreen = 0x15b6520, monitor = 0x15b6600,
display = 0x15d3220, entityList = 0x15bd420, numEntities = 1, widthmm = 0,
heightmm = 0, xDpi = 96, yDpi = 96, name = 0x7f1a8a81a621 "intel",
driverPrivate = 0x15cae60, privates = 0x15c2a30, drv = 0x15c9e80, module =
0x15c9ee0, colorKey = 0, overlayFlags = 0, chipset = 0x7f1a8a81a6ed
"Arrandale", ramdac = 0x0, clockchip = 0x0, progClock = 1, numClocks = 0, clock
= {0 <repeats 128 times>}, videoRam = 262144, biosBase = 0, memPhysBase = 0,
fbOffset = 0, domainIOBase = 0, memClk = 0, textClockFreq = 0, flipPixels = 0,
options = 0x0, chipID = 0, chipRev = 0, vtSema = 1, silkenMouse = 1,
clockRanges = 0x0, adjustFlags = 0, preferClone = 0, reservedInt = {0 <repeats
15 times>}, entityInstanceList = 0x15bd440, vgaDev = 0x15c0150, reservedPtr =
{0x0 <repeats 14 times>}, Probe = 0, PreInit = 0x7f1a8a7ec720 <I830PreInit>,
ScreenInit = 0x7f1a8a7eb8a0 <I830ScreenInit>, SwitchMode = 0x53ec40
<xf86CursorSwitchMode>, AdjustFrame = 0x52fd70 <xf86XVAdjustFrame>, EnterVT =
0x7f1a8b0847e0 <glxDRIEnterVT>, LeaveVT = 0x7f1a8b084730 <glxDRILeaveVT>,
FreeScreen = 0x7f1a8a7eb6c0 <I830FreeScreen>, ValidMode = 0x7f1a8a7eb640
<I830ValidMode>, EnableDisableFBAccess = 0x53f0d0
<xf86CursorEnableDisableFBAccess>, SetDGAMode = 0x527d40 <xf86SetDGAMode>,
ChangeGamma = 0x490340 <xf86RandR12ChangeGamma>, PointerMoved = 0x491410
<xf86RandR12PointerMoved>, PMEvent = 0x7f1a8a7eb500 <I830PMEvent>, DPMSSet =
0x489460 <xf86DPMSSet>, LoadPalette = 0, SetOverscan = 0, DriverFunc = 0,
reservedFuncs = {0 <repeats 11 times>}}
Comment 1 Bernie Innocenti 2011-01-01 15:27:16 UTC
Downstream Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=666657
Comment 2 Chris Wilson 2011-01-02 01:13:47 UTC
commit d729ef02f2955f7476df4c65403bc1f8e705b780
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sun Jan 2 09:11:10 2011 +0000

    dri: Don't wait upon a NULL current mode
    
    There is a race condition between the dri swapbuffers code and
    hotplugging whereby we might attempt to execute a wait upon a
    non-existent output. This causes a NULL dereference and a loud crash.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=32770
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
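
The kind of guard the commit message above describes, as an added example: this is not the driver's actual patch, which is not shown on this page. The types `display_mode`, `screen_info` and `wait_plan`, the function `plan_scanline_wait` and the `V_INTERLACE` value are hypothetical stand-ins; `y1 = 26` and `y2 = 27` are taken from the backtrace in the description.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for the X server structures named in the report. */
#define V_INTERLACE 0x0010              /* flag value assumed for this example */
struct display_mode { int Flags; };
struct screen_info  { struct display_mode *currentMode; };

/* Result of planning the scanline wait that precedes the region copy. */
struct wait_plan { int emit; int y1; int y2; };

/*
 * Decide whether a scanline wait can be queued. After a hot-unplug the
 * screen may have no active mode (currentMode == NULL), so the wait is
 * skipped instead of reading Flags through a NULL pointer.
 */
struct wait_plan plan_scanline_wait(const struct screen_info *scrn, int y1, int y2)
{
    struct wait_plan plan = { 0, y1, y2 };

    if (scrn == NULL || scrn->currentMode == NULL)
        return plan;                    /* no active mode: skip the wait */

    if (scrn->currentMode->Flags & V_INTERLACE) {
        /* the scanline counter counts field lines, so halve both bounds */
        plan.y1 /= 2;
        plan.y2 /= 2;
    }
    plan.emit = 1;
    return plan;
}

int main(void)
{
    /* Constructed inputs; y1 = 26, y2 = 27 are the values in the backtrace. */
    struct display_mode progressive = { 0 }, interlaced = { V_INTERLACE };
    struct screen_info cases[] = { { NULL }, { &progressive }, { &interlaced } };
    const char *names[] = { "unplugged", "progressive", "interlaced" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct wait_plan p = plan_scanline_wait(&cases[i], 26, 27);
        printf("%-11s emit=%d y1=%d y2=%d\n", names[i], p.emit, p.y1, p.y2);
    }
    return 0;
}
```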
Comment 3 Bernie Innocenti 2011-03-06 20:29:06 UTC
Unfortunately, I experienced a new crash on hot-unplug after applying the proposed patch.

Here's the backtrace:

[160859.189] 0: /usr/bin/Xorg (xorg_backtrace+0x2f) [0x4a120f]
[160859.189] 1: /usr/bin/Xorg (0x400000+0x61da6) [0x461da6]
[160859.189] 2: /lib64/libc.so.6 (0x3000400000+0x33140) [0x3000433140]
[160859.189] 3: /lib64/libc.so.6 (cfree+0x3c) [0x300047a52c]
[160859.189] 4: /usr/lib64/xorg/modules/extensions/libdri2.so (0x7f3462f9c000+0x2370) [0x7f3462f9e370]
[160859.189] 5: /usr/lib64/xorg/modules/extensions/libdri2.so (DRI2GetBuffersWithFormat+0x14) [0x7f3462f9e4a4]
[160859.189] 6: /usr/lib64/xorg/modules/extensions/libdri2.so (0x7f3462f9c000+0x3d1c) [0x7f3462f9fd1c]
[160859.189] 7: /usr/bin/Xorg (0x400000+0x2e6a1) [0x42e6a1]
[160859.189] 8: /usr/bin/Xorg (0x400000+0x2292a) [0x42292a]
[160859.189] 9: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x300041ee5d]
[160859.189] 10: /usr/bin/Xorg (0x400000+0x22c11) [0x422c11]
[160859.189] Segmentation fault at address (nil)


The last call in libdri2.so is in do_get_buffers(), line 501:

 499     for (i = 0; i < count; i++) {
 500         if (buffers[i] != NULL)
 501             (*ds->DestroyBuffer)(pDraw, buffers[i]);  <---
 502     }

The call to cfree() in glibc seems bogus. Maybe we crashed somewhere in I830DRI2DestroyBuffer()? It seems likely that the driverPrivate may be NULL here as well.
Comment 4 Chris Wilson 2011-03-07 00:15:58 UTC
That too is already fixed.
Comment 5 Bernie Innocenti 2011-03-08 08:33:02 UTC
(In reply to comment #4)
> That too is already fixed.

Sorry, I reopened the wrong bug. I meant to append the previous comment to #34787.

