Bug 46079 - X.org crash in intel_uxa_pixmap_put_image when rotating a large image in eog
Summary: X.org crash in intel_uxa_pixmap_put_image when rotating a large image in eog
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel (show other bugs)
Version: unspecified
Hardware: x86 (IA32) Linux (All)
: high major
Assignee: Chris Wilson
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-14 19:52 UTC by Bryce Harrington
Modified: 2012-02-15 18:43 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments
Xorg.0.log.old (53.98 KB, text/plain)
2012-02-14 19:54 UTC, Bryce Harrington 		no flags Details
gdb-Xorg.txt (12.25 KB, text/plain)
2012-02-14 19:54 UTC, Bryce Harrington 		no flags Details
View All

Description Bryce Harrington 2012-02-14 19:52:20 UTC 
Forwarding this bug from Ubuntu reporter Gatan Jarnot:
http://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/889068

[Problem]
When rotating a large image (e.g. 16M), the X server crashes with the stacktrace shown below.

It appears something's trying to copy a pixmap to an invalid address.

[Original Description]
When I turn left or right an image, system logs out and I have to log again on my count

(gdb) backtrace full
#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:191
No locals.
#1  0xb739788c in intel_uxa_pixmap_put_image (pixmap=<optimized out>, src=0x9c6e420 "", 
    src_pitch=32000, x=0, y=0, w=8000, h=8) at /usr/include/i386-linux-gnu/bits/string3.h:52
        dst = 0xa41ee000 <Address 0xa41ee000 out of bounds>
        row_length = 32000
        num_rows = 8
        priv = 0x9ba3298
        stride = 32256
        cpp = <optimized out>
        ret = 0
#2  0xb739968c in intel_uxa_put_image (pixmap=0x9ba3250, x=0, y=0, w=8000, h=8, src=0x9c6e420 "", 
    src_pitch=32000) at ../../src/intel_uxa.c:769
        priv = 0x9ba3298
#3  0xb73b0553 in uxa_do_put_image (src_stride=32000, bits=0x9c6e420 "", format=2, h=8, w=8000, y=0, 
    x=0, pGC=0x9c399d0, pDrawable=0x9ba3250, depth=<optimized out>) at ../../uxa/uxa-accel.c:164
        y1 = 0
        x2 = 159692224
        ok = <optimized out>
        x1 = <optimized out>
        y2 = <optimized out>
        src = 0x9c6e420 ""
        yoff = 0
        uxa_screen = 0x0
        pPix = 0x9ba3250
        pClip = <optimized out>
        pbox = 0x9c1c590
        nbox = <optimized out>
        xoff = 0
        bpp = <optimized out>
#4  uxa_put_image (pDrawable=0x9ba3250, pGC=0x9c399d0, depth=24, x=0, y=0, w=8000, h=8, leftPad=0, 
    format=2, bits=0x9c6e420 "") at ../../uxa/uxa-accel.c:202
No locals.


From dmesg:
[ 41787.607] (EE) intel(0): Couldn't create pixmap for fbcon
...
[ 52602.993] (EE) intel(0): Couldn't create pixmap for fbcon
...
[ 88171.985] (EE) intel(0): Couldn't create pixmap for fbcon
...
[ 88172.435] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.438] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88172.440] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.440] (WW) intel(0): first get vblank counter failed: Invalid argument
[ 88172.903] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.905] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88172.959] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88172.970] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88173.143] (WW) intel(0): I830DRI2GetMSC:1297 get vblank counter failed: Invalid argument
[ 88173.177] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88173.363] (WW) intel(0): I830DRI2ScheduleWaitMSC:1364 get vblank counter failed: Invalid argument
[ 88174.698] (WW) intel(0): first get vblank counter failed: Invalid argument
[ 88175.457] (WW) intel(0): first get vblank counter failed: Invalid argument
<repeats for a while>
[100285.751] (WW) intel(0): first get vblank counter failed: Invalid argument
[100314.429]
Backtrace:
[100314.770] 0: /usr/bin/X (xorg_backtrace+0x37) [0x80a66f7]
[100314.770] 1: /usr/bin/X (0x8048000+0x62b3a) [0x80aab3a]
[100314.770] 2: (vdso) (__kernel_rt_sigreturn+0x0) [0x1c340c]
[100314.770] 3: /lib/i386-linux-gnu/libc.so.6 (0x276000+0x117771) [0x38d771]
[100314.770] 4: /usr/lib/xorg/modules/drivers/intel_drv.so (0x52a000+0xe85c) [0x53885c]
[100314.770] 5: /usr/lib/xorg/modules/drivers/intel_drv.so (0x52a000+0x1066c) [0x53a66c]
[100314.770] 6: /usr/lib/xorg/modules/drivers/intel_drv.so (0x52a000+0x27873) [0x551873]
[100314.770] 7: /usr/bin/X (0x8048000+0xe643a) [0x812e43a]
[100314.771] 8: /usr/bin/X (0x8048000+0x26997) [0x806e997]
[100314.771] 9: /usr/bin/X (0x8048000+0x2a117) [0x8072117]
[100314.771] 10: /usr/bin/X (0x8048000+0x1c70c) [0x806470c]
[100314.771] 11: /lib/i386-linux-gnu/libc.so.6 (__libc_start_main+0xf3) [0x28f113]
[100314.771] 12: /usr/bin/X (0x8048000+0x1ca21) [0x8064a21]
[100314.771] Bus error at address 0xa38ba008
[100314.800]
Caught signal 7 (Bus error). Server aborting

DistroRelease: Ubuntu 11.10
Package: eog 3.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic i686
NonfreeKernelModules: wl
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Fri Nov 11 12:42:15 2011
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 11.10 "Oneiric" - Build i386 LIVE Binary 20111013-11:02
ProcEnviron:
PATH=(custom, no user)
LANG=fr_FR.UTF-8SourcePackage: eog
UpgradeStatus: Upgraded to oneiric on 2011-11-05 (6 days ago)
Comment 1 Bryce Harrington 2012-02-14 19:54:03 UTC 
Created attachment 57059 [details]
Xorg.0.log.old
Comment 2 Bryce Harrington 2012-02-14 19:54:19 UTC 
Created attachment 57060 [details]
gdb-Xorg.txt
Comment 3 Bryce Harrington 2012-02-14 19:57:59 UTC 
        dst = 0xa41ee000 <Address 0xa41ee000 out of bounds>

Failing in this chunk of code in intel_uxa.c:

                char *dst = priv->bo->virtual;
                int row_length = w * cpp;
                int num_rows = h;
                if (row_length == src_pitch && src_pitch == stride)
                        num_rows = 1, row_length *= h;
                dst += y * stride + x * cpp;
                do {
                        memcpy (dst, src, row_length);
                        src += src_pitch;
                        dst += stride;
                } while (--num_rows);

I've been able to reproduce an X server crash (rather, an EQ overflow) by loading a large (20M) image into eog, but so far haven't been able to get the reporter's same backtrace.
Comment 4 Chris Wilson 2012-02-15 01:39:07 UTC 
The SIGBUS is fixed with

commit 85d3dc5910a2eea3a10b822e01443e11eaae9291
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Dec 2 10:22:51 2011 +0000

    uxa: Reset size limits based on AGP size
    
    The basis for the constraints are what we can map into the aperture for
    direct writing with the CPU, so use the size of the mappable region as
    opposed to the size of the total GTT.
    
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

commit f6c82c73b673ec3c9cce432fe38d5e0076234efd
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Dec 2 10:34:10 2011 +0000

    uxa: Fix runtime linking of previous commit
    
    So much for relying on compiler warnings.
    
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

commit 735219cd59e6184a6622d3d429a704ca3f58b9cd
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Dec 2 10:42:00 2011 +0000

    uxa: Ensure that we can fallback with all of (src, mask, dst) as GTT mappings
    
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

However, the original reporter has a lot of collateral damage which would be useful to follow up separately after getting the obvious bugs fixed.
Comment 5 Bryce Harrington 2012-02-15 18:43:24 UTC 
Thanks, confirmed this appears to have resolved it on my own hardware too.
Will file a new bug report for any secondary issues the original reporter still has.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.