36319 – [i965] batch overrun while playing video file

Bug 36319 - [i965] batch overrun while playing video file

Summary: [i965] batch overrun while playing video file

Status:	RESOLVED FIXED

Alias:	None

Product:	xorg
Classification:	Unclassified
Component:	Driver/intel (show other bugs)
Version:	unspecified
Hardware:	x86-64 (AMD64) Linux (All)

Importance:	medium normal
Assignee:	Chris Wilson
QA Contact:	Xorg Project Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-04-17 01:16 UTC by Modestas Vainius
Modified:	2011-04-17 02:46 UTC (History)
CC List:	1 user (show)

See Also:
i915 platform:
i915 features:

Attachments
Xorg.0.log of the crashed X session (31.11 KB, text/plain) 2011-04-17 01:16 UTC, Modestas Vainius	no flags	Details
Crash with 2.14.5+your assert. (12.62 KB, text/plain) 2011-04-17 02:29 UTC, Modestas Vainius	no flags	Details
View All

Description Modestas Vainius 2011-04-17 01:16:38 UTC

Created attachment 45725 [details]
Xorg.0.log of the crashed X session

I'm using KDE SC 4.6.1 with composite enabled in kwin. X crashes reproducibly while playing a certain video file with kaffeine Unfortunately, I can't share that file. The backtrace, uname and lspci output is below. Xorg.log is attached. Let me know if you need more information. 

Program received signal SIGSEGV, Segmentation fault.
drm_intel_bo_emit_reloc (bo=0x10a2d9001, offset=16468, target_bo=0x2365980, target_offset=0, read_domains=16, 
    write_domain=0) at ../../intel/intel_bufmgr.c:176
176     ../../intel/intel_bufmgr.c: Toks failas ar aplankas neegzistuoja.
        in ../../intel/intel_bufmgr.c
(gdb) bt
#0  drm_intel_bo_emit_reloc (bo=0x10a2d9001, offset=16468, target_bo=0x2365980, target_offset=0, 
    read_domains=16, write_domain=0) at ../../intel/intel_bufmgr.c:176
#1  0x00007f12c35ab8f4 in intel_batch_emit_reloc (dest=<value optimized out>, srcX=<value optimized out>, 
    srcY=<value optimized out>, maskX=<value optimized out>, maskY=<value optimized out>, 
    dstX=<value optimized out>, dstY=567, w=286, h=30) at ../../src/intel_batchbuffer.h:118
#2  i965_emit_composite_state (dest=<value optimized out>, srcX=<value optimized out>, 
    srcY=<value optimized out>, maskX=<value optimized out>, maskY=<value optimized out>, 
    dstX=<value optimized out>, dstY=567, w=286, h=30) at ../../src/i965_render.c:1295
#3  i965_composite (dest=<value optimized out>, srcX=<value optimized out>, srcY=<value optimized out>, 
    maskX=<value optimized out>, maskY=<value optimized out>, dstX=<value optimized out>, dstY=567, w=286, 
    h=30) at ../../src/i965_render.c:1850
#4  0x00007f12c35affff in uxa_fill_region_solid (pDrawable=<value optimized out>, pRegion=0x7a70f30, 
    pixel=<value optimized out>, planemask=<value optimized out>, alu=3) at ../../uxa/uxa-accel.c:1139
#5  0x00007f12c35b15ef in uxa_poly_fill_rect (pDrawable=0x755c0b0, pGC=0x3ee7030, nrect=347, prect=0x6bff4a0)
    at ../../uxa/uxa-accel.c:876
#6  0x00000000004dd44d in damagePolyFillRect (pDrawable=0x755c0b0, pGC=0x3ee7030, nRects=347, pRects=0x0)
    at ../../../miext/damage/damage.c:1357
#7  0x000000000045bbda in miPaintWindow (pWin=<value optimized out>, prgn=0x6bfd890, 
    what=<value optimized out>) at ../../mi/miexpose.c:670
#8  0x000000000045c118 in miWindowExposures (pWin=0x755c0b0, prgn=0x6738110, other_exposed=0x0)
    at ../../mi/miexpose.c:501
---Type <return> to continue, or q <return> to quit---
#9  0x000000000053349b in xf86XVWindowExposures (pWin=0x755c0b0, reg1=0x6738110, reg2=0x2365980)
    at ../../../../hw/xfree86/common/xf86xv.c:1188
#10 0x00000000005637e8 in miHandleValidateExposures (pWin=0x755c0b0) at ../../mi/miwindow.c:236
#11 0x00000000005627c2 in miSetShape (pWin=0x7acb1a0, kind=<value optimized out>) at ../../mi/miwindow.c:732
#12 0x00000000004b856f in RegionOperate (client=0x708ece0, pWin=0x7acb1a0, kind=0, destRgnp=0x6f3e200, 
    srcRgn=0x7aaab60, op=0, xoff=0, yoff=0, create=0x4b7a50 <CreateBoundingShape>) at ../../Xext/shape.c:184
#13 0x00000000004b88f3 in ProcShapeMask (client=0x708ece0) at ../../Xext/shape.c:402
#14 0x00000000004b93a5 in ProcShapeDispatch (client=0x10a2d9001) at ../../Xext/shape.c:1057
#15 0x0000000000431b81 in Dispatch () at ../../dix/dispatch.c:431
#16 0x00000000004257fb in main (argc=8, argv=0x7fffbbb9b398, envp=<value optimized out>)
    at ../../dix/main.c:287

$ uname -a
Linux mdxdesktop 2.6.38-2-amd64 #1 SMP Thu Apr 7 04:28:07 UTC 2011 x86_64 GNU/Linux

$ lspci
00:00.0 Host bridge: Intel Corporation Core Processor DRAM Controller (rev 12)
00:01.0 PCI bridge: Intel Corporation Core Processor PCI Express x16 Root Port (rev 12)
00:02.0 VGA compatible controller: Intel Corporation Core Processor Integrated Graphics Controller (rev 12)
00:16.0 Communication controller: Intel Corporation 5 Series/3400 Series Chipset HECI Controller (rev 06)
00:1a.0 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB Universal Host Controller (rev 06)
00:1a.1 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB Universal Host Controller (rev 06)
00:1a.2 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB Universal Host Controller (rev 06)
00:1a.7 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller (rev 06)
00:1b.0 Audio device: Intel Corporation 5 Series/3400 Series Chipset High Definition Audio (rev 06)
00:1c.0 PCI bridge: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 1 (rev 06)
00:1c.1 PCI bridge: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 2 (rev 06)
00:1d.0 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB Universal Host Controller (rev 06)
00:1d.1 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB Universal Host Controller (rev 06)
00:1d.2 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB Universal Host Controller (rev 06)
00:1d.7 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller (rev 06)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a6)
00:1f.0 ISA bridge: Intel Corporation 5 Series Chipset LPC Interface Controller (rev 06)
00:1f.2 SATA controller: Intel Corporation 5 Series/3400 Series Chipset 6 port SATA AHCI Controller (rev 06)
00:1f.3 SMBus: Intel Corporation 5 Series/3400 Series Chipset SMBus Controller (rev 06)
01:00.0 USB Controller: NEC Corporation uPD720200 USB 3.0 Host Controller (rev 03)
02:00.0 SATA controller: JMicron Technology Corp. JMB362/JMB363 Serial ATA Controller (rev 02)
02:00.1 IDE interface: JMicron Technology Corp. JMB362/JMB363 Serial ATA Controller (rev 02)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 03)
04:01.0 Multimedia controller: Philips Semiconductors SAA7131/SAA7133/SAA7135 Video Broadcast Decoder (rev f0)
04:07.0 FireWire (IEEE 1394): Texas Instruments TSB43AB23 IEEE-1394a-2000 Controller (PHY/Link)

Comment 1 Chris Wilson 2011-04-17 01:33:36 UTC

Well you have a batch buffer overrun. This will pinpoint the culprit quickly:

diff --git a/src/intel_batchbuffer.h b/src/intel_batchbuffer.h
index 605932a..6cb33ef 100644
--- a/src/intel_batchbuffer.h
+++ b/src/intel_batchbuffer.h
@@ -86,6 +86,7 @@ static inline void intel_batch_end_atomic(ScrnInfoPtr scrn)
 
 static inline void intel_batch_emit_dword(intel_screen_private *intel, uint32_t
 {
+       assert(intel->batch_used < ARRAY_SIZE(intel->batch_ptr));
        intel->batch_ptr[intel->batch_used++] = dword;
 }

Comment 2 Modestas Vainius 2011-04-17 02:29:35 UTC

Created attachment 45726 [details]
Crash with 2.14.5+your assert.

Posting as attachment in order to avoid wrapping.

Comment 3 Chris Wilson 2011-04-17 02:46:08 UTC

I've pushed two patches to address this issue to xf86-video-intel.git. The underlying problem looks like we didn't check for enough space to emit the video state, so overflowing into the reserved portion of the batch. Then due to an unsigned promotion bug, we didn't detect that we only had a couple of dwords of space left in the batch (reserved to close the batchbuffer with) and so proceeded merrily on.

commit c9fb69cb2502917dfb2828c90802de7766072899
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sun Apr 17 10:42:05 2011 +0100

    i965/video: We need 150 dwords of space for video state emission
    
    (Actually around 131, with additional 10% just for safety.)
    
    Reported-by: Modestas Vainius <geromanas@mailas.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=36319
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

commit a51cd83d25f2f9f2107219d5671194f931601244
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sun Apr 17 10:36:26 2011 +0100

    intel: Beware the unsigned promotion when checking for batch overflows
    
    Reported-by: Modestas Vainius <geromanas@mailas.com>
    References: https://bugs.freedesktop.org/show_bug.cgi?id=36319
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.