Forwarding this bug from Ubuntu reporter Gatan Jarnot:
http://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/889068

[Problem]
When rotating a large image (e.g. 16M), the X server crashes with the stacktrace shown below. It appears something's trying to copy a pixmap to an invalid address.

[Original Description]
When I turn left or right an image, system logs out and I have to log again on my count

(gdb) backtrace full
#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:191
No locals.
#1  0xb739788c in intel_uxa_pixmap_put_image (pixmap=<optimized out>, src=0x9c6e420 "", src_pitch=32000, x=0, y=0, w=8000, h=8) at /usr/include/i386-linux-gnu/bits/string3.h:52
        dst = 0xa41ee000 <Address 0xa41ee000 out of bounds>
        row_length = 32000
        num_rows = 8
        priv = 0x9ba3298
        stride = 32256
        cpp = <optimized out>
        ret = 0
#2  0xb739968c in intel_uxa_put_image (pixmap=0x9ba3250, x=0, y=0, w=8000, h=8, src=0x9c6e420 "", src_pitch=32000) at ../../src/intel_uxa.c:769
        priv = 0x9ba3298
#3  0xb73b0553 in uxa_do_put_image (src_stride=32000, bits=0x9c6e420 "", format=2, h=8, w=8000, y=0, x=0, pGC=0x9c399d0, pDrawable=0x9ba3250, depth=<optimized out>) at ../../uxa/uxa-accel.c:164
        y1 = 0
        x2 = 159692224
        ok = <optimized out>
        x1 = <optimized out>
        y2 = <optimized out>
        src = 0x9c6e420 ""
        yoff = 0
        uxa_screen = 0x0
        pPix = 0x9ba3250
        pClip = <optimized out>
        pbox = 0x9c1c590
        nbox = <optimized out>
        xoff = 0
        bpp = <optimized out>
#4  uxa_put_image (pDrawable=0x9ba3250, pGC=0x9c399d0, depth=24, x=0, y=0, w=8000, h=8, leftPad=0, format=2, bits=0x9c6e420 "") at ../../uxa/uxa-accel.c:202
No locals.

From dmesg:
[ 41787.607] (EE) intel(0): Couldn't create pixmap for fbcon
...
[ 52602.993] (EE) intel(0): Couldn't create pixmap for fbcon
...
[ 88171.985] (EE) intel(0): Couldn't create pixmap for fbcon
...
[ 88172.435] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.438] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88172.440] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.440] (WW) intel(0): first get vblank counter failed: Invalid argument
[ 88172.903] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.905] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88172.959] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.970] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88173.143] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88173.177] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88173.363] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88174.698] (WW) intel(0): first get vblank counter failed: Invalid argument
[ 88175.457] (WW) intel(0): first get vblank counter failed: Invalid argument
<repeats for a while>
[100285.751] (WW) intel(0): first get vblank counter failed: Invalid argument
[100314.429] Backtrace:
[100314.770] 0: /usr/bin/X (xorg_backtrace+0x37) [0x80a66f7]
[100314.770] 1: /usr/bin/X (0x8048000+0x62b3a) [0x80aab3a]
[100314.770] 2: (vdso) (__kernel_rt_sigreturn+0x0) [0x1c340c]
[100314.770] 3: /lib/i386-linux-gnu/libc.so.6 (0x276000+0x117771) [0x38d771]
[100314.770] 4: /usr/lib/xorg/modules/drivers/intel_drv.so (0x52a000+0xe85c) [0x53885c]
[100314.770] 5: /usr/lib/xorg/modules/drivers/intel_drv.so (0x52a000+0x1066c) [0x53a66c]
[100314.770] 6: /usr/lib/xorg/modules/drivers/intel_drv.so (0x52a000+0x27873) [0x551873]
[100314.770] 7: /usr/bin/X (0x8048000+0xe643a) [0x812e43a]
[100314.771] 8: /usr/bin/X (0x8048000+0x26997) [0x806e997]
[100314.771] 9: /usr/bin/X (0x8048000+0x2a117) [0x8072117]
[100314.771] 10: /usr/bin/X (0x8048000+0x1c70c) [0x806470c]
[100314.771] 11: /lib/i386-linux-gnu/libc.so.6 (__libc_start_main+0xf3) [0x28f113]
[100314.771] 12: /usr/bin/X (0x8048000+0x1ca21) [0x8064a21]
[100314.771] Bus error at address 0xa38ba008
[100314.800] Caught signal 7 (Bus error). Server aborting

DistroRelease: Ubuntu 11.10
Package: eog 3.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic i686
NonfreeKernelModules: wl
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Fri Nov 11 12:42:15 2011
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 11.10 "Oneiric" - Build i386 LIVE Binary 20111013-11:02
ProcEnviron:
 PATH=(custom, no user)
 LANG=fr_FR.UTF-8
SourcePackage: eog
UpgradeStatus: Upgraded to oneiric on 2011-11-05 (6 days ago)
Created attachment 57059 [details] Xorg.0.log.old
Created attachment 57060 [details] gdb-Xorg.txt
dst = 0xa41ee000 <Address 0xa41ee000 out of bounds>

Failing in this chunk of code in intel_uxa.c:

    char *dst = priv->bo->virtual;
    int row_length = w * cpp;
    int num_rows = h;
    if (row_length == src_pitch && src_pitch == stride)
        num_rows = 1, row_length *= h;
    dst += y * stride + x * cpp;
    do {
        memcpy (dst, src, row_length);
        src += src_pitch;
        dst += stride;
    } while (--num_rows);

I've been able to reproduce an X server crash (rather, an EQ overflow) by loading a large (20M) image into eog, but so far haven't been able to get the reporter's same backtrace.
The SIGBUS is fixed with

commit 85d3dc5910a2eea3a10b822e01443e11eaae9291
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Dec 2 10:22:51 2011 +0000

    uxa: Reset size limits based on AGP size

    The basis for the constraints are what we can map into the aperture for
    direct writing with the CPU, so use the size of the mappable region as
    opposed to the size of the total GTT.

    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

commit f6c82c73b673ec3c9cce432fe38d5e0076234efd
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Dec 2 10:34:10 2011 +0000

    uxa: Fix runtime linking of previous commit

    So much for relying on compiler warnings.

    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

commit 735219cd59e6184a6622d3d429a704ca3f58b9cd
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Dec 2 10:42:00 2011 +0000

    uxa: Ensure that we can fallback with all of (src, mask, dst) as GTT mappings

    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

However, the original reporter has a lot of collateral damage which would be useful to follow up separately after getting the obvious bugs fixed.
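Added example, not part of the thread and not the driver's code: a bounds-checked form of the row copy quoted from intel_uxa.c above, which refuses the copy when the last row would end past the number of destination bytes the CPU can actually map. The names put_image_checked, mapped_size, src_size and demo are hypothetical; the geometry is taken from frame #1 of the backtrace, with cpp=4 inferred from row_length / w.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Copy a w x h block of cpp-byte pixels into dst at (x, y). mapped_size
 * (hypothetical) is how many bytes of dst the CPU can really touch.
 * Returns 0 on success, -1 if any row would fall outside either buffer. */
int put_image_checked(uint8_t *dst, size_t mapped_size, size_t stride,
                      const uint8_t *src, size_t src_size, size_t src_pitch,
                      size_t x, size_t y, size_t w, size_t h, size_t cpp)
{
    size_t row_length, x_off, last_row;
    if (w == 0 || h == 0)
        return 0;               /* the original do/while would wrap --num_rows */
    if (cpp == 0 || w > SIZE_MAX / cpp)
        return -1;              /* w * cpp would overflow */
    row_length = w * cpp;
    if (row_length > stride || row_length > src_pitch)
        return -1;              /* a row is wider than one line of either buffer */
    if (x > (stride - row_length) / cpp || y > SIZE_MAX - (h - 1))
        return -1;              /* block sticks out past the right edge, or y + h wraps */
    x_off = x * cpp;
    last_row = y + h - 1;
    /* End of the last destination row: last_row * stride + x_off + row_length */
    if (last_row > (SIZE_MAX - stride) / stride ||
        last_row * stride + x_off + row_length > mapped_size)
        return -1;
    /* End of the last source row: (h - 1) * src_pitch + row_length */
    if (h - 1 > (SIZE_MAX - src_pitch) / src_pitch ||
        (h - 1) * src_pitch + row_length > src_size)
        return -1;
    for (size_t i = 0; i < h; i++)
        memcpy(dst + (y + i) * stride + x_off, src + i * src_pitch, row_length);
    return 0;
}

/* Constructed demo using the geometry from frame #1 of the backtrace
 * (w=8000, h=8, src_pitch=32000, stride=32256; cpp=4 is inferred). */
int demo(size_t mapped_size)
{
    uint8_t *src = calloc(8, 32000), *dst = malloc(mapped_size ? mapped_size : 1);
    int ret = -1;
    if (src && dst)
        ret = put_image_checked(dst, mapped_size, 32256, src, 8 * 32000,
                                32000, 0, 0, 8000, 8, 4);
    free(src); free(dst);
    return ret;
}
```

With this geometry the last written byte sits at offset 7 * 32256 + 32000 = 257792, so demo() succeeds only when at least that many destination bytes are mappable.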
Thanks, confirmed this appears to have resolved it on my own hardware too. Will file a new bug report for any secondary issues the original reporter still has.